Web security isn’t something we tend to think of on a day-to-day basis. Usually, we only become aware of the security concerns of our accounts once something goes wrong. Recently, I’ve seen several friends fall victim to attacks on their accounts and identity, which has motivated me to take steps towards thinking about my own web security practices. We know that we should have high-security passwords and not reuse them across networks, and yet most of us don’t follow those rules.
Here are a few places on the web that you might only be protecting with a password which are worth the 15 minutes to take to a next security level with two-factor authentication, which supplements your password with a code sent to your phone at the time of log-in on a new system:
- Google. Securing your email account may be the most important thing you can do: often, other passwords and accounts will return to your email as a log-in and the source of password resets, so once someone has access to your email it’s all downhill from there. Google’s security tab offers extensive options, including reviewing recent activity and setting up phone alerts for suspicious log-ins. You can also enable 2-step verification, which will require you to set up one-time password alternatives on apps like your phone email service, but otherwise is easy to use.
- Twitter. Twitter has several systems for enabling two-factor authentication. One of the easiest to implement is based on having the Twitter app on your phone: when you try to log-on from a new computer, a message will pop up asking you to verify a notification sent to your Twitter app. If you don’t use the (admittedly clunky) official Twitter app, you can also opt for straight text messages. There’s a ZDNet tutorial to setting things up here.
- iCloud. Apple users are already aware of the notorious security flaws in iCloud, and Apple’s updates to security are unlikely to deter hackers for long. Many of the thefts were blamed on poor passwords in addition to exploits, but one step you can take to at least up your iOS device security is setting up two-step verification so that your iPhone or iPad acts as a controller for your account access. You can manage your settings by opting in through your Apple ID management system.
- Facebook. Managing your Facebook settings requires navigating a number of options both in privacy and security. Two factor authentication is a great option, but it can be annoying to set-up. Once you put in place a cell phone number and notification system, make sure you don’t undermine that security: keep an eye on Facebook apps and your privacy settings, which can be revealing more information than you realize.
- Dropbox. If you’re like many of us at ProfHacker, your Dropbox account holds everything. It’s an absolute must for two-factor authentication, and it’s very easy to set-up: just log on, click on your name in the corner, and go to the security tab. Dropbox lets you enter a primary and a back-up mobile number, so you can use a family member’s phone to make sure you don’t ever lose access to your data.
- Wordpress. If your website is run on WordPress, you’ve probably already run into the many security problems inherent in the blog model. There’s no inherent two-factor authentication solution in WordPress, but there are plug-ins such as Duo. These can require a lot of work to set up and interfere on sites with a lot of users (and won’t work well at all for class blogs with students logging in), but they might be worth it for your main homepage.
You’ll notice that many of these systems hinge on your smartphone. If you haven’t already set up a passcode and other security options on your phone, it’s definitely an important step in using it for two-factor authentication.
Are any of these systems perfect? No. Someone who is really dedicated to getting to your data or identity is likely to succeed, as many high-profile people have found out in recent cases of data theft. However, taking some of these simple steps is just like investing in good door locks or a home security system. It’s not enough to stop a professional, but it does act as a deterrent.
What web security steps do you recommend? Share your advice in the comments!
[CC BY 2.0 Photo by Flickr User Nick Carter]
