Authentication
Use a Password Manager
Using a weak password is a good way to ensure that your account will eventually be compromised, in part because dictionary attacks can be run offline against encrypted password files to find passwords that match common patterns. Using a clever password scheme, such as the name of the site plus a word only you know, does not increase security by much: whatever scheme you have thought of, attackers have seen it before. And since people are often identified on multiple sites by the same email address, as soon as one site where you've used that scheme is compromised, attackers can guess the scheme and use it elsewhere.
Reusing passwords ensures that damage spreads, so using a different password for each site helps limit harm if any are compromised. However, strong passwords are hard to remember and to type, so always use a password manager that generates strong passwords and saves them all under a master passphrase. Your passphrase should be several words long and something you are unlikely to forget. It does create a single point of attack, but is still safer than choosing passwords yourself, since password managers aren't fooled by similar-seeming sites like paypaI.com.
Writing passwords down and keeping them in your wallet is not necessarily a bad practice: it depends on who is doing it. For example, an elderly person who finds tech confusing might well choose simple, easy-to-guess passwords for their accounts if they have to be remembered. On the other hand, they have a lifetime of practice keeping track of bits of paper, and will probably notice if their purse or wallet is stolen.
Use Two-Factor Authentication
Authentication relies on something you know (like a password), something you have (like a security key), or something you are (like your fingerprints). Two-factor authentication requires two of these together to establish your identity, e.g., a password (which can be stolen electronically) plus a random code generated by an app on your phone (which means attackers need access to you).
2FA is as important to security as using a password manager, but where possible, you should rely on an app for 2FA instead of using text messages. What you should never do is share a confirmation code, since a common attack is to trigger a password reset and then call you pretending to be from the IT department and ask you to read the code back to "verify" your account. As soon as you do this, the attacker can change your password and get into your account.
Many security experts now recommend using a physical 2FA key such as a YubiKey, which fits on a keychain and plugs into a standard USB port. Sites like Tech Solidarity have easy-to-follow instructions explaining how to set them up for a range of popular social networking sites.