Last week, noticed only by the kind of people who read the company’s Keyword blog posts for fun, Google revealed something pretty incredible.
Since last year, the company has been automatically enrolling people into its two-step verification (2SV) program: after entering the correct password, users must also prove possession of a second factor, whether an SMS code, a six-digit number from the Google Authenticator app or a tap on a prompt pushed to their smartphone.
That was met with some resistance at the time, but Google has been vindicated. After auto-enrolling 150 million people and 2 million YouTube creators in 2SV, the company reported a 50% decrease in compromised accounts among those users.
“This decrease speaks volumes to how effective having a second form of verification can be in protecting your data and personal information,” wrote Guemmy Kim, director of account security and safety at Google.
“Turn on 2SV (or we will!), as it makes all the difference in the event your password is compromised,” she continued, while urging Google users to undertake an official security checkup and enrol in the company’s Password Manager.
Tedious but necessary
Believe me, I know that the only thing more tedious than having to secure your accounts is writing about online security (and sorry if that’s obvious, dear reader), but this is a big deal. Despite the pushback Google got at the time (“I just don’t want to deal with 2FA in any way” wrote one Reddit user when pushed into adoption), this is, unfortunately, simply necessary in the modern internet age.
Don’t believe me? Visit http://haveibeenpwned.com and put in your email address to see how many known data breaches it appears in, and which of them exposed passwords and other personal data. In the interests of full transparency, for me it’s 11 — but I’m not too worried any more thanks to an incredibly boring evening some years ago when I sorted out my internet security once and for all.
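The same site also lets you check whether a specific password has appeared in a breach without ever sending the password anywhere: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every matching hash suffix, so the match happens on your machine (k-anonymity). The following is an added example, not code from the article or from Have I Been Pwned. The endpoint https://api.pwnedpasswords.com/range/{prefix} and the Add-Padding header are the real API; the sample response body, its counts and the function names are constructed for the offline demo.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Pwned Passwords is indexed by the uppercase hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """k-anonymity split: only the 5-character prefix leaves this machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn the API's 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (network; not exercised offline). Add-Padding asks the API to pad
    the response so its size does not reveal which prefix was queried."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Times the password was seen in known breaches (0 = not listed).
    The full hash is matched locally; the API only ever sees the prefix."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the API's answer to prefix 5BAA6 (SHA-1 of "password"
# starts 5BAA61E4...). The other suffixes and all counts are made up; only the
# suffix of "password" itself is the real one, so the offline lookup can find it.
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1F3A6B0C8D2E4F5A7B9C0D1E2F3A4B5C6D7:1\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Replaces fetch_range in the offline demo; unknown prefixes return no rows."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(pwned_count("password", offline_fetch))     # 3861493 in the constructed sample
    print(pwned_count("donkeyhat52", offline_fetch))  # 0: not in the sample data
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; a non-zero count is a reason to change that password regardless of how "private" it feels.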
I remember the trigger: I’d just applied for a job and, days later, found out the Yahoo email address I’d applied from had started sending out spam emails after somebody had compromised it. To my horror, I found out one of the recipients was the professional address of the person I’d sent my CV to. I didn’t get an interview.
To add insult to injury, I discovered that Yahoo had tracked my account history, which read something like:
- 8:55 – London, UK
- 9:00 – London, UK
- 9:05 – London, UK
- 9:10 – Warsaw, Poland
- 9:15 – London, UK
One of these is not like the others, which you’d think Yahoo might have considered strange enough to block, given the shortage of five-minute flights from England to Poland, but I digress. I had to deal with my security problem.
That night I enabled 2SV on every account where it was possible and installed a password manager. I did use LastPass before the company got incredibly stingy with free accounts, so instead I recommend BitWarden nowadays.
I’m not going to sugarcoat it: the whole thing took about four hours all in, as I tried to remember every site on the internet where I’d ever made an account and then changed what seemed like a million similar sounding passwords. But it’s worth it: I now don’t worry whenever I hear news of the latest big data breach.
Less invasive alternatives
I get that not everyone has four hours to fix a decade’s worth of password mistakes, and relying on a password manager — even one as neat as BitWarden — can still be fiddly on a smartphone, where it feels a bit flaky (especially when clicking on links within apps).
So, for those who worry about their security but can’t face the hassle of moving to a password manager, I have what is, hopefully, a less invasive solution. It is certainly safer than using the same password everywhere, anyway.
My advice is this: stick with one familiar base password, but add a twist that depends on where you’re using it. That way you don’t have to remember something unique for every site, but it’s significantly safer than repeating the identical password.
For example, if your base password were “donkeyhat52” and you were logging into Gmail, you could make the password “donkeyhat52gma”. The “gma” is at the end because it’s specifically for Gmail, just as it would be “eba” for Ebay or “ama” for Amazon.
You might think any hacker would quickly figure out this not-so-subtle code, but the reality is that most account takeovers aren’t examined logically by human eyes. A list of email addresses and passwords leaks from one site, and bots replay those exact combinations against a bunch of other sites (credential stuffing) until one works. A verbatim replay of “donkeyhat52eba” simply fails at Gmail, and bots don’t see what is obvious to a human. The caveat a security engineer would add is that the same tooling can run cheap rewrite rules (append or swap a three-letter suffix) at almost no extra cost, so the twist raises the price of an attack rather than ruling it out, which is one more reason to keep 2SV switched on.
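To make the argument concrete, here is an added example (not the article's own code) that models a credential-stuffing run against three users: one using the per-site twist described above, one reusing a single password and one with a unique random password per site. The breach dump, the email addresses, the target site's credential store and the function names are all constructed for the demo. The target site stores salted PBKDF2 hashes, as a site should, and the attacker is tried twice: first replaying leaked pairs verbatim, then with a trivial suffix-rewrite rule. PBKDF2 is run at a deliberately low iteration count so the demo is quick; real deployments use far more.

```python
import hashlib
import hmac
import os
import secrets
import string

PBKDF2_ROUNDS = 10_000  # low for demo speed; production uses hundreds of thousands


def site_twist(base: str, site: str) -> str:
    """The per-site twist from the text: base password plus the site's first three letters."""
    return base + site[:3]


def random_password(length: int = 20) -> str:
    """What a password manager would generate: unique, unguessable, per site."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str) -> tuple:
    """How a site should store a password: random salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(stored: tuple, candidate: str) -> bool:
    salt, digest = stored
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(attempt, digest)


# Constructed breach dump from "ebay": the attacker holds plaintext (email, password) pairs.
LEAKED_FROM_EBAY = [
    ("alice@example.com", site_twist("donkeyhat52", "ebay")),  # alice: twist scheme
    ("bob@example.com", "password1"),                         # bob: same password everywhere
    ("carol@example.com", random_password()),                 # carol: random password per site
]

# Constructed credential store at the target site "gmail", hashed as a site should.
GMAIL_USERS = {
    "alice@example.com": hash_password(site_twist("donkeyhat52", "gmail")),
    "bob@example.com": hash_password("password1"),
    "carol@example.com": hash_password(random_password()),
}


def stuff_verbatim(leak: list, target_db: dict) -> list:
    """The attack the text describes: replay each leaked pair exactly as dumped."""
    return sorted(email for email, pw in leak
                  if email in target_db and check_password(target_db[email], pw))


def mangle(pw: str, source_site: str, target_site: str) -> list:
    """Cheap rewrite rules a stuffing tool can add: append the target's tag, or
    swap the source site's tag for the target's when the password ends with it."""
    candidates = [pw, pw + target_site[:3]]
    if pw.endswith(source_site[:3]):
        candidates.append(pw[:-3] + target_site[:3])
    return candidates


def stuff_with_rules(leak: list, target_db: dict, source_site: str, target_site: str) -> list:
    """Same attack with the rewrite rules: a few extra guesses per account."""
    hits = set()
    for email, pw in leak:
        if email not in target_db:
            continue
        for candidate in mangle(pw, source_site, target_site):
            if check_password(target_db[email], candidate):
                hits.add(email)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("verbatim replay:", stuff_verbatim(LEAKED_FROM_EBAY, GMAIL_USERS))
    print("with suffix rules:", stuff_with_rules(LEAKED_FROM_EBAY, GMAIL_USERS, "ebay", "gmail"))
```

Verbatim replay catches only Bob, which is the article's point; two extra guesses per account catch Alice as well, which is the caveat; Carol's random password resists both, and a second factor would stop the attacker even after a correct guess.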
To be clear, this isn’t the advice I’d give to a high-profile internet user who will have hackers specifically targeting them because of who they are. But if you’re basically an internet nobody (I don’t say that pejoratively — I consider myself to be in that club too) then it should be more than enough given the sheer number of people who use passwords like “password1” and “123456” ahead of you in the hacking target queue.
The trick with internet security, I’ve always thought, is to be a bit more secure than the next person along. Enacting this change will certainly do that for you, as will enabling 2SV before Google forces you to do it.
It may feel like a drag, but Google forcing tighter security on its users is absolutely the right thing to do. Don’t fight it: embrace it.