Don’t Get Pwned: A Guide to Safer Logins

Richard Barnes, Firefox Security Lead

More and more of the sensitive, valuable things in our life are guarded through password-protected online accounts — love letters, medical records, bank accounts and more. Web sites use login procedures to protect those valuable things. As long as someone can’t log into your account, they can’t read your email or transfer money out of your bank account. As we live our lives online, how should we protect our logins?

tl;dr:

  • Use random passwords, and use a different password for every site
  • Use a password manager to make creating and remembering passwords easier
  • Make your answers to security questions just as strong as your passwords
  • Use “two-factor authentication” wherever you can
  • Pay attention to the browser’s security signals, and be suspicious

It’s hard out there for a password

Most logins today are protected by a password. If an attacker can get your password, he can access your account and do anything you could do with that account. So when you ask how secure your account is, you’re really asking how safe your password is. And that means you have to think about all the different ways that an attacker could access your account’s password:

  • Seeing you use it with an unencrypted website
  • Guessing it
  • Stealing a file that has your password in it
  • Using password recovery to reset it
  • Tricking you into giving it to them

To keep your login safe, you need to prevent as many of these as possible. Each risk has a different corresponding mitigation.

Look for the lock

It’s easy to prevent attackers from stealing your password when you log into an unencrypted website: Never type your password unless you see a lock icon in the URL bar, like this:

The lock means that the website you’re using is encrypted, so that even if someone is watching your browsing on the network (like another person on a public WiFi hotspot), they won’t be able to see your password. Browsers are starting to roll out features that warn you when you’re about to enter your password on an unencrypted site.

Your browser also helps keep you informed about how trustworthy sites are, to help keep you safe from phishing. On the one hand, when you try to visit a website that is known to be a phishing site, any major browser will display a full-screen warning — pay attention and don’t use that site!

On the other hand, when you’re talking to a site that has provided proof of its legal identity, the browser will show you that identity. So for example, when you go to download Firefox, you can know that you’re getting it from Mozilla.

In general, the best defense against phishing is to be suspicious of what you receive, whether it shows up in email, a text message or on the phone. Instead of taking action on what someone sent you, visit the site directly. If an email says you need to reset your Paypal password, don’t click the link. Type in paypal.com yourself. If the bank calls, call them back.

Strength in diversity

The secret to preventing guessing, theft or password reset is a whole lot of randomness. When attackers try to guess passwords, they usually do two things: 1) Use “dictionaries” — lists of common passwords that people use all the time, and 2) make some random guesses. The longer and more random your password is, the less likely that either of these guessing techniques will find it.

When an attacker steals the password database for a site that you use (like LinkedIn or Yahoo), there’s nothing you can do but change your password for that site. That’s bad, but the damage can be much worse if you’ve re-used that password with other websites — then the attacker can access your accounts on those sites as well. To keep the damage contained, always use different passwords for different websites. There are also sites like have i been pwned where you can subscribe to be notified if your account is in one of the password databases that has been stolen.

My mother’s maiden name is “Ff926AKa9j6Q”

Finally, most websites have a password recovery system that lets you recover your password if you’ve forgotten it. Usually these systems make you answer some “security questions” before you can reset your password. The answers to these questions need to be just as secret as your password. Otherwise, an attacker can guess the answers and set your password to something he knows.

Randomness can be a problem, since the security questions that sites often use are also things people tend to know about you, like your birthplace, your birthday, or your relatives’ names, or that can be gleaned from sources such as social media. The good news is that the website doesn’t care whether the answer is real or not — you can lie! But lie productively: Give answers to the security questions that are long and random, like your passwords.

Get help from a password manager

Now, all of this sounds pretty intimidating. The human mind isn’t good at coming up with long sequences of random letters, let alone remembering them. You can use a password manager like 1Password, LastPass, or Dashlane to help improve your password hygiene. They will generate strong passwords for you, remember them for you, and fill them into websites so you don’t have type them in.

You do take on some risk by using one of these password managers, since they create a database that has all your passwords in it. However, all reputable password managers encrypt their databases with a “master password.” The master password is safer from theft than normal passwords: Because it never gets sent to a server (just used on your computer to encrypt the database), an attacker has to break into your computer in particular, rather than a server where he can harvest millions of accounts. And because you only have to remember one master password, you can make it extra strong. So in general, it’s much more likely that you’ll have an account breached due to not using a password manager (e.g., a weak or re-used password) than that someone will both steal the your password manager’s database and guess the master password.

Even if you can’t figure out how to use a password manager, sometimes the simplest, least glamorous technology is also pretty secure:

Going old school.

Just keep your written passwords in a safe place!

More factors, fewer problems

The other major step you can take to protect your account is to add a “second factor” to the login process. In most cases, the second factor is tied to your phone, which means that even if an attacker has your password, they can’t log in to your account unless they also have your phone. (And vice versa — if your phone gets stolen, they can’t log in unless they get your password.)

In order to enable two-factor authentication (or “2FA”), you’ll need to associate your phone with your account on the website. Each website will provide instructions, but it usually involves either entering your phone number or scanning a barcode with a special app. Then, when you go to log in, the website will ask you for a code from your phone. If an attacker doesn’t have your phone, he can’t get the code, so he can’t log in.

Set up a two factor authentication app to generate authentication codes when you want to login. You’ll need to enter the verification code to proceed with login.

2FA provides much better security than passwords alone, but not every website supports it. You can find a list of websites that support 2FA at https://twofactorauth.org, as well as a list of sites that don’t support 2FA and ways you can ask them to add support.

Strong, diverse, and multi-factor

For better or worse, we’re going to be using passwords to protect our online accounts for the foreseeable future. Use passwords that are strong and different for each site, and use a password manager to help. Set long, random answers for security questions (even if they’re not the truth). And use two-factor authentication on any site that supports it.

Following these steps takes some discipline and will make it harder to log in sometimes. But in today’s Internet, where thousands of passwords are stolen every day and accounts are traded on the black market, it’s worth some inconvenience to keep your online life safe.


Originally published at blog.mozilla.org on January 25, 2017.