If there are three things which you need to do in order to start dramatically decreasing your chances of having your online identity compromised, they are:
- Use a password manager
- Make sure your email account password is not in your password manager.
- Use 2-factor authentication for your email, and for your password manager.
The above list is not in any particular order, but let me just mention upfront: So much potential pain can be avoided by using 2-factor authentication, especially for your email account.
Password managers are excellent. They are a great tool which allows you to no longer need to remember countless passwords. This is important, as a common way your accounts might get compromised is if your password gets leaked in a data breach and then you also use that same password elsewhere. Unfortunately, using the same password elsewhere is exactly what people do without a password manager.
If someone unscrupulous obtains your email address and password for one site, it’s pretty obvious they will try that same combination with other sites. Makes sense, right?
Therefore it is clearly better to use a different password for each website, but it’s asking too much to remember a different password for everything. This is where the password manager comes in.
You use the password manager to store all of your (preferably randomly generated) passwords for every site.
However, you may then think: “What happens if someone gets into my password manager, do they then have access to everything?”
YES. They do. And you need to be aware of that.
It’s all well and good using a password manager for all your passwords, but if you lose access to that, you are in trouble. It is however still better than reusing passwords across multiple websites.
If this does happen, whilst it is bad news for you, it’s not a complete disaster. The complete disaster can come if you have also saved your email address password in there as well.
Think about it. You use the email address ‘firstname.lastname@example.org’ and you have a nice secure password or even better, a passphrase protecting it. You then store this password/phrase in your password manager and then your password manager password gets compromised.
Let me explain to you how much of a bad situation this is:
The attacker changes your email password, and prior to this, they remove any “recovery accounts” you may have. They then log in to your password manager via the web and reset your password. They confirm the change via your email address, which they now have access to. You are completely locked out.
From here on in, it only gets worse. Access to all your photos stored online, access to your social media accounts, access to your mobile phone’s ‘phone finder’ service and remote wipe feature. And no, you can’t get back in or help yourself in any way, because you no longer control your own email address. THIS IS NOT A SITUATION YOU WANT TO FIND YOURSELF IN.
If you don’t store your email address and password in your password manager, you can at least save yourself if your password manager gets compromised. You can change your password manager password and regain control. You can reset the password for any social media or other websites and regain control, as these reset requests will come back to your email address. You can fight back. But if you lose control of both email and password manager – it’s game over for you.
The saviour that is Two Factor Authentication (2FA)
As I mentioned up top, let’s not forget about 2-factor authentication. This potential catastrophe is pretty unlikely to happen if you have it enabled on your email account, or even better – on both. So do yourself a favour, and implement each of those three steps!