Geek secrets: How to get better security than passwords alone

Graham Cluley

Take a long, hard look at your friends, loved ones and colleagues.

Do some of them not seem to struggle as much with computer security issues as you do? Do you find that *you’re* the one who gets hacked, while they seem to get away scot-free?

Well, it may be that they know a geek secret.

Fortunately, you don’t have to be a geek to know a geek secret. But you do have to keep a close eye on how geeks protect their systems, and learn lessons about how you might do the same.


With that in mind, here is a tip that the geeks know about – but of which, sadly, many computer users are still clueless.

How to get better security for your online accounts than with passwords alone.

Find out below, or watch my latest video to learn more:


Two-factor authentication (2FA), also sometimes referred to as two-step verification or login verification, is an extra layer of security that you can enable on a long, long list of websites.

You see, normally you access your online accounts by proving that you know something: your password. That’s all very well, but people get careless with passwords, perhaps because they get phished, or share it with a colleague, re-use it on multiple websites, or simply make it easy to guess or crack.

What 2FA does is take security one step further. Rather than simply asking you to prove what you know (your password), the site also wants you to prove what you have in your physical possession.

Twitter 2FA

The idea is that although a hacker might be able to steal or crack your password from the other side of the world, chances are that they will find it a heck of a lot harder to gain physical access to one of your possessions. And, when it comes to protecting against hackers, anything which makes their lives more difficult increases the chance that they will simply move on and look for an easier target.

So, a website account which has 2FA enabled doesn’t just ask you for your password, it also asks you to prove that you have a device in your physical possession by – for instance – entering a randomly generated number that has been sent to your mobile phone, or displayed by a smartphone app. With some sites, such as some banks, you may even have been given a hardware token that will generate the number.

This makes life much trickier for the bad guys trying to break into your account, because even if they have determined your password they won’t know the magic number that changes every 30 seconds or so.

Google authenticator

2FA isn’t entirely foolproof. There are sophisticated attacks that determined attackers can use to try to crack into even the accounts which are protected with two-factor authentication. But it does make it so much more difficult for attackers to successfully compromise your online accounts, that the vast majority simply will not bother.

And that has to be good news.

For a great list of websites that support 2FA in various forms visit

Read more about two-step verification:


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.

5 comments on “Geek secrets: How to get better security than passwords alone”

  1. Bob

    Sorry to point this out but 2FA is not the same as 2SV.

    "The difference between two-factor and two-step authentication."

    1. Graham Cluley · in reply to Bob

      Thanks Bob. I feel that the difference between 2SV and 2FA gets into a level of geekiness that isn't the province of this article – which was to encourage non-geeks to have an additional level of protection beyond just a mere password!

      The important thing is – whether it's technically 2SV or 2FA – turn it on!!! As if you do, chances are that your account will be better defended from the bad guys.

      Thanks again.

  2. Tom

    I wish there was an option for those of us who do not have smartphones

    1. Frank · in reply to Tom

      Use WinAuth ( for Windows, and OTP Manager ( for Mac.

      1. Bob · in reply to Frank

        There are also Chrome-based plugins for Linux that allow TOTP.

        Plenty of other ways Tom to increase your security:

        You can use 'dumb' 2SV – e.g. get Google to call your landline/mobile with an authentication code; i.e. an automated voice calls you with an OTP.

        Use something like the YubiKey.

        Some websites support printable grid matrices.

        (Other methods are available).
