Over the past 24 hours, someone has been attempting to gain control of my accounts. I’ve received over 50 different emails for password resets and various services alerting me that someone is attempting to gain access to my account. This very blog a few months ago was averaging roughly 5 login attempts per second. Over the course of a day, I was seeing nearly 450k failed login attempts. I’ve implemented a series of features that would slow down and potentially block people from gaining access through brute force. At the end of the day, it seems someone clearly wants to gain access to my accounts.
I’ve been living in comfort all this time without two-factor authentication, assuming my strong passwords, unique to each service, would suffice. I still think these passwords are strong. But what if someone figures out one password through brute force? As far as I know, none of the attempts have been successful. But it leaves me paranoid that they will keep trying until they eventually become successful.
I’ve been avoiding two-factor authentication because it was an obstacle to my own user experience. While that is still the case, the experience is heavily improved and there appear to be good apps and standards in place. The older process that swore me off two-factor authentication required writing down a code sent to you by SMS. For some odd reason, I often did not receive the SMS. The process today uses open source tools, like Google Authenticator. The app is one you install on your phone. The app generates a new login code every 30 minutes. This is the code you also input along with your password to gain entry to the website, app or service. Less fumbling and waiting, immediate access and a heavily improved flow.
I installed the authenticator app for Windows Phone 8 after Microsoft suggested I do so to improve my security. Seems like most of the major players support it. Take a picture of a QR code on the screen in the app. The app will give you a code for you to input on the website. Neat and pretty simple. Next time I need to sign into those websites from a different computer, I just open the app and type the auto-generated code into the website.
I’ve been implementing two-factor authentication on all my main accounts, especially those that may link to any type of financial or personal information. For the ones that don’t support two-step authentication, I’ve increased the password security to 32 characters. What I found is that some services limited me to fewer than 32 characters, which I found very odd. I am taking precautionary measures that I know will put me at less of a risk, but like anything else in this wild world of the web, there is still risk. My new risk is now not having my phone on me and being unable to log into a service.
No one has gained access to my accounts, as I said. Yes, I am paranoid. The paranoia is partially due to media reports of high-profile people having their accounts hacked. But at this point, I would rather not risk reliability over vulnerability. My accounts, this website, and every part of my online identity are my life.