Geek secrets: How to get better security than passwords alone

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

Brainy geekTake a long, hard look at your friends, loved ones and colleagues.

Do some of them not seem to struggle as much with computer security issues as you do? Do you find that *you’re* the one who gets hacked, and they seem to get away scot free?

Well, it may be that they know a geek secret.

Fortunately, you don’t have to be a geek to know a geek secret. But you do have to keep a close eye on how geeks protect their systems, and learn lessons about how you might do the same.

Sign up to our free newsletter.
Security news, advice, and tips.

With that in mind, here is a tip that the geeks know about – but of which, sadly, many computer users are still clueless.

How to get better security for your online accounts than with passwords alone.

Find out below, or watch my latest video to learn more:

Geek secrets: Better security than passwords alone | Graham Cluley

Two factor authentication (2FA), also sometimes referred to as two step verification or login verification, is an extra layer of security that you can enable on a long, long list of websites.

You see, normally you access your online accounts by proving that you know something: your password. That’s all very well, but people get careless with passwords, perhaps because they get phished, or share it with a colleague, re-use it on multiple websites, or simply make it easy to guess or crack.

What 2FA does is take security one step further. Rather than simply asking you to prove what you know (your password), they also want you to prove what you have in your physical possession.

Twitter 2FA

The idea is that although a hacker might be able to steal or crack your password from the other side of the world, chances are that they will find it a heck lot harder to gain physical access to one of your possessions. And, when it comes to protecting against hackers, anything which makes their lives more difficult increases the chance that they will simply move on and look for an easier target.

So, a website account which has 2FA enabled doesn’t just ask you for your password, it also asks you to prove that you have a device in your physical possession by – for instance – entering a randomly generated number that has been sent to your mobile phone, or displayed by a smartphone app. With some sites, such as some banks, you may even have been given a hardware token that will generate the number.

This makes life much trickier for the bad guys trying to break into your account, because even if they have determined your password they won’t know the magic number that changes every 30 seconds or so.

Google authenticator

2FA isn’t entirely foolproof. There are sophisticated attacks that determined attackers can use to try to crack into even the accounts which are protected with two-factor authentication. But it does make it so much more difficult for attackers to successfully compromise your online accounts, that the vast majority simply will not bother.

And that has to be good news.

For a great list of websites that support 2FA in various forms visit 2fa.directory.

Read more about two-step verification:


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

5 comments on “Geek secrets: How to get better security than passwords alone”

  1. Bob

    Sorry to point this out but 2FA is not the same as 2SV.

    "The difference between two-factor and two-step authentication."
    https://paul.reviews/the-difference-between-two-factor-and-two-step-authentication/

    1. Graham CluleyGraham Cluley · in reply to Bob

      Thanks Bob. I feel that the difference between 2SV and 2FA gets into a level of geekiness that isn't the province of this article – which was to encourage non-geeks to have an additional level of protection than just a mere password!

      The important thing is – whether it's technically 2SV or 2FA – turn it on!!! As if you do, chances are that your account will be better defended from the bad guys.

      Thanks again.

  2. Tom

    I wish there was an option for those of us who do not have smartphones

    1. Frank · in reply to Tom

      Use WinAuth (https://winauth.com/) for Windows, and OTP Manager (http://www.stickybit.nl/apps/otpmanager.html) for Mac.

      1. Bob · in reply to Frank

        There are also Chrome-based plugins for Linux that allow TOTP.

        Plenty of other ways Tom to increase your security:

        You can use 'dumb' 2SV – e.g. get Google to call your landline/mobile with an authentication code; i.e. automated voice calls you with a OTP.

        Use something like the YubiKey.

        Some websites support printable grid matrices.

        (Other methods are available).

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.