In a previous post I applied the 80-20 rule to the realm of cybersecurity. My aim was to motivate you to take action to protect yourself from identity theft and/or financial loss. I proposed that you can achieve a great deal of protection with a minimum of effort.

Specifically, I urged you to freeze your credit reports and learn how to spot and avoid phishing scams. That post generated some excellent reader comments. Some brought to light worthwhile points not explicitly covered in the post.

In today’s second and final post on the topic, I will present two additional, simple steps you can take to get even further protection from the cybersecurity threat environment.

Use Multi-Factor Authentication

After freezing your credit reports and avoiding phishing scams, using multi-factor authentication (MFA) is perhaps the next best step you can take to protect yourself from financial loss.

Background

Let’s start by defining some terms. Authentication means proving you are who you say you are to some third party. For our purposes, let’s assume this third party is an authenticating system.

An authenticating system could be a website or smartphone app for a bank, a brokerage account, an email account (e.g., gmail, icloud), or any online system that requires authentication for access.

A factor is a means by which to prove (or authenticate) your identity to an authenticating system. And multi…well, you know what multi means. Put them all together, and you get MFA.

Factors

Let’s take a closer look at factors. When you log in to an authenticating system with a username and password, those bits of information–collectively known as your credentials–are one factor of authentication. In this case, that factor is something you know.

If your credentials match what the authenticating system has on record, that system will trust that you are who you say you are, and grant you access to the system.

Your driver’s license is another factor of authentication. In this case, the factor is something you have. When you present your driver’s license to the traffic cop who just pulled you over for speeding, the cop compares the picture of your face to the one sitting behind the steering wheel. If they match, the cop knows (or is at least reasonably sure) you are who the license says you are, thereby authenticating your identity.

And when your fancy new iPhone uses facial recognition to unlock your device, this is yet a third factor of authentication. In this case, the factor is something you are.

Adding just a second factor of authentication to a single-factor protocol makes it considerably more difficult for a cybercriminal to impersonate you.

Action Items

As with adding a credit freeze, setting up 2-factor authentication (2FA) is easy. Nearly all reputable financial institutions with an online presence offer convenient 2FA setup. If they don’t, then they don’t take security seriously.

Log in to your institution’s website or app, navigate to your profile and select security settings. This process will differ, but likely only slightly, from company to company. Then follow the instructions to set up 2FA.

Once 2FA is active, every time you submit your username and password to the website or app, it will prompt you for one additional bit of information before granting you access. This additional bit of information–typically a random six- to eight-digit number the website generates each time you submit your credentials–is called a token.

The website sends this token to your smartphone via text message. In this model, your smartphone is the 2nd factor of authentication; i.e., the something you have.

What does this look like from the perspective of the cybercriminal? Well, even if he gets hold of your credentials, he won’t be able to log in to your account without also having your smartphone. And the likelihood of his acquiring your credentials and your smartphone is far less than that of acquiring one or the other individually.

Hence the power of 2FA to protect your accounts from unauthorized access.

Caveats

Many institutions are beginning to offer 2FA via an authenticator app, which replaces the text message-based model described above. In this model, the token comes from an app installed on your smartphone, not a text message sent to it by the authenticating system.

The advantage of using an authenticator app is that the token is bound to your device, not your phone number. The distinction is subtle, and many will argue it is important enough to favor authenticator apps, but I disagree.

Here again, the 80-20 rule is instructive. In this case, it means activating 2FA with text messaging will buy you 80% protection over plain old single-factor authentication. I’d go further and say 90% to 95%.

In my opinion, the marginal improvement afforded by app-based 2FA is not worth the effort. It may even be counterproductive; say if you have to install a different app for each authenticating system you use. The additional complexity is not only inconvenient, it may lead to less security.

Moreover, the chief downside of message-based 2FA cited by proponents of app-based 2FA can be mitigated by locking down your phone number with your service provider (e.g., T-Mobile, Verizon, etc.). This is something you should consider doing anyway.

If the authenticating system doesn’t offer the message-based variant, and instead requires you to use an authenticator app, then I would say it is better to use app-based 2FA than none at all.

Last Word

2FA is a simple and effective way to add an extra layer of security to your high-value online accounts.

Think carefully which of your accounts qualifies as such. These might include not just bank and brokerage accounts; but also email, insurance, social security…pretty much any account or system that contains information you want to keep out of the hands of bad actors.

Use Strong Passwords

The fourth and final to-do on my cybersecurity checklist concerns passwords.

Passwords are unquestionably the weakest link in the chain of online, digital security, and you are only as strong as the weakest link in the chain.

A big reason for this is the laxity with which many of us treat our passwords. It is no wonder why this is the case. It seems we are constantly being asked to set up some new online account, forcing us to commit yet another password to our overburdened memory cells.

As a result, we invent easy-to-remember passwords; or worse, we write them down on Post-It notes and affix them to our computer screens.

Here again, however, making just a small investment of effort will net you a whole lot of protection.

Background

To understand why it is such a bad idea to use weak passwords, it helps to understand how cybercriminals exploit them to steal our assets and identities.

Cybercriminals use wordlists that contain commonly-used passwords–hundreds of millions of them. Commonly-used means not just words in the dictionary, or popular word-number combinations (Password1), or even clever variations thereof (P@ssw0rd!). The wordlists also contain hundreds of millions of passwords that have previously been exposed in data breaches.

In 2016, for example, 164 million email address/password pairs were stolen from LinkedIn. Mine was one of them. This means that the email address and password I used to log in to LinkedIn until 2016 is, and will forever be, in hackers’ wordlists.

I have since changed my LinkedIn password. Moreover, I have not reused this password for any other account since (nor will I ever use it again).

The LinkedIn breach is but one of thousands of data breaches in which passwords have been leaked, and thus found their way into ever exploding wordlists.

Unless you’ve been living in a cave for the duration of the internet era, at least some of the passwords you’ve used in the past (or are currently using) are in those wordlists. And just like your social security number, your leaked (or otherwise terrible) passwords are just waiting to be exploited by a cybercriminal.

Action Items

As with 2FA, start by identifying your high-value accounts. These are the ones you want to protect with good, strong passwords.

Create one strong password for each such account (i.e., don’t reuse the same password across multiple accounts). Then log in to each account and change your existing password to the new strong one.

You want to use a single password for each account because, if the password is compromised, the damage will be confined to just that account. Credential stuffing is a technique hackers use to exploit password reuse. Avoid this by using just one password for each account.

What constitutes a strong password? Two factors make the biggest difference here: predictability and length. That is, the less predictable and longer the password, the better.

Predictability

Let’s briefly examine these two properties, starting with predictability. Predictable words (Password), phrases (MySuperSecretPassword), word-number (Password1) and even word-number-symbol (P@ssw0rd1!) combinations are bad password choices. They are easily guessable, have likely been used before (and therefore leaked), and are thus present in the wordlists.

Instead, you want your passwords to be random, because randomness is the enemy of predictability. Unfortunately, random passwords are hard to remember (that is why we choose predictable, and thus weak, passwords in the first place).

But a random password need not be difficult to remember. Random multi-word combinations (CorrectHorseBatteryStaple) are not so hard to remember (follow the link for further explanation). Due to the randomness of the word selection, however, they make excellent passwords.

Such passwords balance nicely the contradictory requirements of randomness and memorableness. By the way, do not use CorrectHorseBatteryStaple as a password.

Length

The other ingredient to a good, strong password is length. You may think that complexity trumps length when it comes to password strength, where complexity is the number of different character types used in the password (e.g., letters, numbers, symbols).

But it is a mathematical fact that passwords consisting of three to five randomly-selected words are harder to guess than shorter ones riddled with myriad symbols.

Craft a multi-word combination in such a way that you will remember it, but that will look nonsensical to anyone else. If you are forced by a system’s password complexity requirements to use numbers, symbols and the like, add a string of such characters to the end of each multi-word password you create; e.g., CorrectHorseBatteryStaple1@! (then reuse the 1@! suffix for each account password, making the symbol combination easier to remember).

Password Storage

If you have a poor memory (like me), you’ll want to store your passwords somewhere besides your brain.

To do this safely, here is the procedure I use, which I refer to as the poor man’s password manager:

I store my high-value passwords in an Excel spreadsheet. Then I protect the spreadsheet itself with a strong password. That is, the spreadsheet cannot be opened without this master password.

Note that the single, master password with which I protect my spreadsheet must be committed to memory (because if I store it in the spreadsheet, and then forget it, I’ve got a chicken-and-egg problem). Now, instead of a bunch of passwords, I have only one to remember.

Any time I change an account password, I update the spreadsheet and attach it to an email that I send to myself. Because I use gmail, the spreadsheet-bearing email is saved in perpetuity in the google cloud. This effectively serves as a backup if my computer’s hard drive gives up the ghost. Call this the poor man’s backup strategy.

Even if my gmail account gets hacked, the spreadsheet is useless to anyone who doesn’t also have the master password.

Finally, I change the passwords on all my high-value accounts at least once a year, just for good measure.

Caveats

The savvy reader might be puzzled as to why I did not suggest the use of a password manager to manage the credentials of your high-value accounts.

To me, password managers suffer from some of the same drawbacks as authenticator apps (which I described in the section on Multi-Factor Authentication). Specifically, they add needless complexity to an otherwise simple process.

For example, using a password manager requires you to trust a third party–i.e., the password-manager vendor–not just to do the right thing, but to do it correctly. There is at least one case of such a vendor being hacked, so the concern is not theoretical.

That said, if you already use a password manager, congratulations. You are already way ahead of the curve when it comes to practicing good password hygiene. If you don’t use a password manager, but would rather use one instead of the poor-man’s approach I described above, I wouldn’t blame you in the least.

Last Word

The savvy reader might also have noticed that multi-factor authentication already protects us from poor passwords. So why bother using strong ones? The idea being that even if a hacker guesses your password, he’ll still need your smartphone to do any damage.

I would agree that using MFA makes using weak passwords less of a concern. But I prefer to stack the odds in my favor. In my opinion, the extra effort required to create and use strong passwords is minimal compared to the extra security it buys me.

Wrapping Up

In this and the previous post, I outlined four actions you can take to protect yourself from identity theft and financial loss.

To recap, these are:

• Freeze your credit reports
• Don’t open unverified attachments or links
• Use multi-factor authentication (MFA)
• Use strong passwords

None of these actions costs any money. Each confers a massive benefit relative to the small effort required to implement it.

I hope you found this two-part series on cybersecurity useful. Above all, I hope it prompted you to take one or more of these actions to protect yourself from the ever-growing universe of cybersecurity threats.

* * *

* * *

[I’m David Champion. I retired from a career in software development in March 2019, just shy of my 53rd birthday. To position myself for 40+ years of worry-free retirement, I consumed all manner of early-retirement resources. Notable among these was CanIRetireYet, whose newsletters I have received in my inbox every Monday morning for the last ten years. CanIRetireYet is one of exactly two personal finance newsletters I subscribe to. Why? Because of the practical, no-nonsense advice I find here. I attribute my financial success in no small part to what I have learned from Darrow and Chris. In sharing some of my own observations on the early-retirement journey, I aim to maintain the high standard of value readers of CanIRetireYet have come to expect.]

* * *

Disclosure: Can I Retire Yet? has partnered with CardRatings for our coverage of credit card products. Can I Retire Yet? and CardRatings may receive a commission from card issuers. Some or all of the card offers that appear on the website are from advertisers. Compensation may impact on how and where card products appear on the site. The site does not include all card companies or all available card offers. Other links on this site, like the Amazon, NewRetirement, Pralana, and Personal Capital links are also affiliate links. As an affiliate we earn from qualifying purchases. If you click on one of these links and buy from the affiliated company, then we receive some compensation. The income helps to keep this blog going. Affiliate links do not increase your cost, and we only use them for products or services that we're familiar with and that we feel may deliver value to you. By contrast, we have limited control over most of the display ads on this site. Though we do attempt to block objectionable content. Buyer beware.