Guide to stronger passwords, Part 1 (two-factor authentication)

A mobile device with a password.

This is Part 1 of our stronger password series. For the other parts, click below:

Part 2 (Password Managers)
Part 3 (Diceware)

ExpressVPN has written a three-part series in which we will highlight three easy ways to make your passwords more secure, and why secure passwords are important.

The first part (this one) is all about two-factor authentication (2FA). Two-factor authentication is a great way to make your accounts and services more difficult to break into by creating a secondary password that is only valid for a short amount of time.

Part 2 focuses on password managers. We will present three password managers that will store your passwords and credentials securely, without you having to remember them!

In Part 3, we’ll take a look at diceware and explain how to create high-quality and unique passwords that are easy to remember. You can use diceware to generate a master password for your password manager, for your Bitcoin brainwallets, or for any other account you wish to make secure.

Computers are terrible at authenticating passwords

Passwords have been around a lot longer than computers. Over the centuries, they have been used to identify messengers and soldiers, or to gain access to assemblies and fortresses.

The fundamental difference between a password policy enforced by humans and one enforced by computers is that computers have a hard time taking other relevant factors into account.

For example, a computer can often not distinguish between a person or a program entering a password. Humans will judge a face, clothing, and movements before authenticating a person, but a computer cannot. And while it would surely be suspicious if a person were to randomly yell words at a guard in an attempt to guess a password, this behavior might not seem strange at all to a computer.

Computers are getting better at authenticating people, though. New systems are able to take into account the rate and rhythm at which you type your password and use additional biometric authentication, such as your fingerprint or face.

But such innovations are often only implemented for convenience and add little security. In many cases they can be bypassed or, worse, serve as a replacement for strong and secure passwords.

Why extra password protection is important

Though most services limit the number of guesses a user can make for a password, it is possible for an attacker to guess and check every possible password for your account. This technique of password hacking is called brute forcing.

Brute force could crack a single password under 15 numerical digits within a day. And anything under 18 characters could still be guessed within a year. If your password contains letters and numbers, it needs to be at least ten characters to prevent it being potentially cracked within a day.

Check out ExpressVPN’s Random Password Generator for a quick demonstration of what makes a good password. The generator creates (or assesses) passwords directly on your device, without ever sending them over the internet. (An offline version of the tool can be downloaded if you don’t take our word for it.)

As you’ll see, password length is incredibly important, even more so than complexity. Luckily, securing yourself is not difficult. To comprehensively protect your accounts, files, and devices, you can use one of the following three easy tools, which we are presenting to you in our three-part password series.

How to set up two-factor authentication

Two-factor authentication means that in addition to your regular password, you need to submit a second code to log in to your account. There are plenty of ways to obtain this second code. You can use a combination of any of the following, or just pick the one that best suits your needs.

Secondary passwords by SMS

A few services will ask you for a second code every single time you log in, especially if you have never logged in from that device before. Services such as Facebook, Twitter, Google, and Dropbox will send you a text message containing this code. This code must then be entered into the website in order for you to log in to your account.

However, for this to work, your phone needs to have reception, which is not always possible. If you are traveling in a country where your phone does not work, or you simply run out of battery, you could end up locked out of your account just because you don’t have a working phone.

And if you lose your phone, this system could potentially lock you out of your account for good. Now, it is not too difficult to get a new SIM card with the same number. But this means that attackers could also trick your mobile phone provider into issuing a duplicate SIM. Or perhaps find a way to reroute your text messages directly to them.

Snooping governments could be reading your text messages silently, or prevent the SMS from even reaching you (or both!). This would allow them to effectively render your SMS codes useless. At the very least your phone would give away your location while it is receiving the text message, which is something you might wish to avoid.

Generating 2FA codes via an app

Google Authenticator (here is a list of services that work with Google Authenticator) and Authy are two great examples of apps that generate codes on your phone, instead of sending them to you via text message. Generating the codes on your phone means they are never in transit, which makes them impossible to intercept.

This process does make you more dependent on your device, though. And if it is out of battery, broken, or missing, you might get locked out of your account. If you are unable to get the device running again, or you lose it, it can be a huge hassle to regain access to your Google Authenticator-protected accounts.

Some authentication services will allow you to create emergency codes in such a case, which you have to store securely elsewhere (such as in an encrypted file on your computer). Other services might ask you for a secondary phone number, where they can reach you in case your primary number is lost and your 2FA needs to be disabled.

However, such a phone number might then be used against you, as explained above.

Generate an authentication code with a USB stick

Instead of getting the secondary codes from your phone or a remote server, you could generate them on a dedicated USB device, such as a Fido U2F key. U2F keys are small USB sticks (sometimes as small as a fingernail!) that plug into the USB slot of your computer. The key has a clickable button on its side. Pressing this button will generate a random and secure key, which can be used as a secondary password.

U2F is very easy to set up, and many popular services, such as Facebook and Google, allow the system on their websites. The U2F authentication system will create a prompt to your browser, after you will be able to plug your U2F key into the USB slot and press its button. A key will be generated and automatically submitted to the website as your secondary password.

U2F makes it impossible to log in without using the USB stick, and a new key is generated each time you click the button on it. As the key changes with each login, it is very hard to hack. It also protects from phishing attacks, as it verifies the integrity of the connection between you and the server you are visiting.

Such a hardware key cannot be copied or forged, but it does come at a cost of about 10 USD.

Protect your privacy with secure passwords

We strongly encourage you to use two-factor authentication with the services that you use the most (such as email, social media, or banking).

Nothing else will improve your online security as much, for such little effort.

Not sure which 2FA method is best for you? This guide will help you decide.

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.