Your email password is far less secure than you may think. Sure, it may be complex (at least we hope so), but who else may know your password? Onsite Helper shares what you need to know about password protection and how to set up two-factor authentication (2FA).
How Many Passwords Do You Keep?
Many people sign up for subscriptions on the internet which can include:
- Joining a newsletter membership
- Downloading a free application that first requires an account set up with a password
- Purchasing items online
- Creating new email accounts
We normally have a small set of passwords that we use or recycle when we are asked to create new passwords. This is understandable as it is too darn hard to remember a new password for every new account we sign up for. As a result, some of us write these passwords in a book or in a password management application.
Personally, I have around 58 personal passwords in my database for different sites as well as services to which I have subscribed. I have another 30+ passwords for my business, which are shared with staff.
There are countless ways that your password can get into the wrong hands. One of the most common ways is from hackers accessing it through vulnerabilities in websites.
The Risk of Recycling Passwords
The two items hackers target most are credit card details and email accounts.
Last year we had a customer come to us with a potential disaster. They had received a call from their financial planner following up on emails apparently received from the client over the previous few weeks. The most recent email authorised the financial planner to request a transfer of $150,000 into an investment opportunity.
Up to this point the client had no idea that this type of fraud was being committed. The financial planner had tried to email the client, but the client never received those emails. The hacker had obtained the login details for the client’s Hotmail account and was screening the emails.
The client was very lucky the financial planner took measures to confirm the transaction.
However, it is a good example of how potentially disastrous unauthorised access to your account login details can be.
Solution - Two-Factor Authentication (2FA)
As a precautionary measure, we are now recommending all users increase their email security by implementing two-step authentication. The two-step authentication procedure changes the way you sign in to your email account. The first step is normal, where you enter your regular password, but then you are prompted for an additional verification code which is sent to your phone; this is similar to the process implemented by some of the major banks. Our preferred email supplier, and the 2FA described here, is Google Apps.
Here are the ways you can have the additional code:
- Get codes via text message. Google can send verification codes to your cell phone via text message. However, your carrier’s standard messaging rates may apply.
- Backup phone numbers. Add backup phone numbers so Google has another way to send you verification codes in case your main phone is unavailable.
- Want a phone call instead? Google can call your cell as well as your landline phone with your verification code.
- Backup codes. You can print or download one-time use backup codes for times when your phones are unavailable, such as when you travel.
- No connection, no problem. The Google Authenticator app for Android, iPhone, or BlackBerry can generate verification codes. It even works when your device has no phone or data connectivity.
- Register your computers. During sign-in, you can tell us not to ask for a code again on your computer. We’ll still ask for codes on other computers.
If you don’t use Gmail to access your emails and instead use an email application such as Microsoft Outlook or Apple Mail, or read your email on your mobile phone, then it is recommended you use two-step authentication to generate a one-time application-specific password. This will protect you in the event hackers extract your main password from your email application, which is pretty easy to do with tools such as mailpv.
How to Setup Two-Factor Authentication
To set up 2FA in Google Apps, you first need to enable it for your Google Apps domain.
Enable two-step verification for your domain
1. Sign in to the Google Admin console.
2. In the new Admin console, click Security > Basic settings.
3. Under 2-step verification, check Allow users to turn on 2-factor authentication.
This makes 2-step verification available for your users but does not automatically enrol them. To enrol, users need to configure their verification settings individually.
Next, you need to have the users enable this individually on each of their Gmail accounts.
1. Sign in to your Gmail account
2. Go to your Google Account settings page by clicking on your name or picture in the upper right corner of the screen and then clicking
3. In the Password box, click Setup next to “2-Step verification.” This will bring you to the 2-step verification settings page.
4. You will then see a step-by-step guide that will help you through the setup process.
5. Once you’re done, you’ll be taken to the 2-step verification settings page again. Be sure to review your settings and add backup phone numbers.
6. You’re done! Next time you sign in, you’ll receive an SMS with a verification code.
Easy setup for Android users
Google Authenticator - Two-factor Authentication (2FA) App
Users who only access their Google Account from Android devices can use a short walkthrough to set up the Google Authenticator application on their phones. With Google Authenticator, you can generate verification codes on your phone even if your phone isn’t connected to a network.
- Follow steps 1-2 in the instructions above to access your 2-step verification settings and then click Settings.
- Android users (4.0 or older) will see a screen providing an option to install the Google Authenticator app. If you prefer to receive codes via SMS instead of using the Google Authenticator app, click on the link at the bottom of the screen that says “You can receive codes by text message (SMS) or voice instead” and follow the instructions to complete the setup.
- If you would like to use Google Authenticator, click “Send me the app” to install the app on your phone. Then, follow the instructions on your screen to complete the setup process.
- Verify that the time on your Android device is correct.
- You’re done! Next time you sign in, you’ll be prompted to enter a code that you’ll get from the Authenticator app.
Email Application Setup
If you use an email application such as Outlook or Apple Mail, or read email on an iPhone/iPad, then you need to generate a one-time authentication password to set up these devices so you’re covered as discussed earlier.
Here is a video on how to set this up on your device.
Moving Beyond Codes: Adding More Security
With the increasing sophistication of cyber threats, protecting sensitive corporate data and digital identities is paramount. YubiKey offers an extra layer of security by enabling two-factor authentication (2FA) or multi-factor authentication (MFA) through physical hardware tokens. This ensures that even if an executive’s password is compromised, unauthorised access is still prevented. YubiKey’s ease of use and compatibility with various platforms make it a convenient and robust solution for executives who need to safeguard their access to critical business systems and confidential information.