All Your Accounts Are Belong to Us

Head over to https://accounts.google.com (Figure 2). On the left, you'll see sign-in and security options. This page is also where you can configure your privacy settings and review recent activity. But for this article, I'm focusing on the sign-in and security page. Figure 3 shows when your password was last changed, whether or not 2FA (Google calls it two-step verification) is turned on, and whether you have any app passwords. You also can set up your account recovery information on this page, providing an alternate email, phone number and secret questions.

Figure 2. Follow all these links. The checkups are very useful, and it's better to over-prepare than under-prepare.

Figure 3. Please turn on 2FA. It's painless and so much more secure than a password alone.

When you turn on 2-step verification (Figure 4), you're able to configure multiple 2FA options and set a default. I use the Google Prompt (described previously) as my default method, but I also have my phone number as an option. Plus, Google allows you to configure a number of alternates like a USB hardware key, printable offline codes and an authenticator app that will generate 2FA codes even while your phone is offline. Truly, it's the variety of options that makes me love Google for my 2FA needs.

Figure 4. Google's 2FA is really well done.

Ultimately, I urge you to set up 2FA on as many sites as support it. Most sites still require you to use SMS as the second factor, so be sure your phone number is secure (remember to contact your cell-phone provider). If websites support Google for 2FA instead of SMS, I personally recommend it. It's simpler, and that means you're actually more likely to use it. But whatever method you choose, 2FA is a good thing.

Password Management

I use a password manager. I've used several through the years, but I do find having a secure database of passwords is helpful. If I'm being completely honest, none of the password managers I've tried are perfect. It's often cumbersome to get the password (especially hard-to-type passwords) from the manager to the website where you need it. Plus, going between desktops and mobile devices is always a challenge. I use LastPass, but it's not a perfect solution, and it's not free for mobile devices. There are open-source password management tools like KeePass, Padlock and Passbolt, but I've yet to find the perfect solution. If you have a password management system that works across platforms and devices in a convenient, yet secure way, please let me know. I'd love to write about it.

So, the moral of the story is to make sure your phone is secure, and then make sure your accounts are secure too—preferably with multiple factors of authentication. At the absolute least, please don't use the same password for multiple websites!

______________________

Shawn Powers is a Linux Journal Associate Editor. You might find him on IRC, Twitter, or training IT pros at CBT Nuggets.