Most people see the word “security,” on the internet, yawn, and move on. But what if I told you you could change your password to “password$1” and be exponentially more secure and safe on Google than someone with “1x$^37_2vt3*&^” or a similarly obtuse password?
Since this article is long, I’m going to tell you upfront you can set up 2-step verification faster than you can read my article. You might want to read it for some potential pitfalls that could lock you out of your account, or you might want to just throw an empty can of soda out the window, flip me the bird, and screech off in your Malibu yelling “tl;dr old man!” It’s up to you.
Do you ever worry when using a public computer or untrusted WiFi that your Google credentials might be compromised? Worried after finding out that you’re on the list of 5,000,000 hacked Gmail accounts? Want to do something a lot more secure and simple than changing your password? Two-step verification has what you need, and Google Authenticator can assist if you want to use it.
With Google storing our email, financial information, documents, music, pictures, and more of our lives every minute, this is probably the one place you need to be completely secure.
With 2-Step Verification in place, you can tell the whole world what your password is and there’s not a lot anyone can do with that information without access to your cell phone or a trusted computer of yours to get the second half of the equation.
The way 2-Step Verification works is this: You log into a Google service like you normally would, that service then asks for a code you receive from either Google Authenticator (generated by a time-based algorithm) or a text message that was sent to your phone (generated by weasels and spiders fighting over pieces of candy). Without that six-digit code, there’s not a lot anyone can do. The codes probably have a shelf life, but I haven’t tested.
The use of multiple streams for authentication pretty much guarantees that if one of them is compromised, the best a hacker is going to do is be able to see your password and what you do until you log out on that computer. When you’re done with a computer, log out of your account, nobody will be able to log back in without access to your authentication credentials later.
Some things to consider, though – with 2-Step Verification in place, without the Authenticator app or access to your cell phone you might be completely out of luck unless you define some backup methods of authentication (backup phone numbers). A trusted computer should never have to re-authenticate, so you can go to one of those (work, home) and turn off two-step authentication.
In a scenario where you’ve lost your phone, work, and home computer (e.g. after a natural disaster), you could be at the mercy of the account recovery form from Google, which could delay you getting back into your services for days.
So, when starting out it’s pretty important to plan ahead and print one of your printable backup codes which will be offered after you sign up for 2-Step Verification. You can print those out, make a pdf of them, download a text file, email them to grandma, stuff them in a wallet, etc.
I’ve password protected mine and put them on a non-Google service so in the event that I’m unable to access the app, the phone, the backup phones, the text messages, work and home computers, etc as long as I have internet (which presumably I do in this situation of needing to access my account on the internet), I can at least grab 10 one-use backup codes in the event of an emergency.
You don’t require Google Authenticator to use 2-Step Verification, however since I use Google Voice and there’s a recommendation against using that due to the possibility of being logged out on the device, it’s something I’m ok with. You can also have Google just call you up and speak the code, however since I’m on Sprint in South Nashville my chances of getting a phone call are not particularly great.
So what happens when hackers guess my password?
In the event you’re using Google Authenticator, chances are nothing happens. They’ll be prompted with a request for the authentication code, and unless they enter it there’s not going to be a lot they can accomplish.
If they’re annoying hackers, by choosing that they’re having problems logging in, perhaps ringing your phone or sending a text message with an authentication code to it at 3am, in which case you know to go and change your password or risk more annoying messages.
However that’s as far as they get.
What other neat things can we do with 2-Step Verification and Google?
Application-specific passwords. Ever have a work device you want to access your personal email? Find out that it’s been stolen in a weekend raid on the office? Disable that device’s access to your data by shutting down its password.
So how do I enable 2-Step Verification?
Go to accounts.google.com/security on a computer (really, do it on a computer, I’m phone gung-ho and I say computer it,) enable 2-Step Verification, set up/jump through hoops as requested, make sure to define some backup phone numbers (EG work, grandparents, etc.) Remember you do not have to verify the phone numbers, so if you’re setting this up at 3am you can enter your parent’s number.
Print out, save, or download the 10 backup codes. These are one-use codes that can get you into the account in the event of an emergency. Keep in mind if you generate new codes, these will all be invalid for future use.
What about Google Authenticator?
After your two-step verification is set up, you can set up authenticator. All it does is generate an authentication code that’s based on the time. You can see a countdown clock to when the next code is generated.
My guess is this could be messed with by a cell tower with an incorrect time zone or a phone that has no idea of the time since there’s no internet access involved after initial setup.
This is probably only something to be worried about if your cell provider can’t get their act together and you have to turn off the default of getting the time and date information from the cell provider, which I’ve had to do due to tower misconfiguration.
There now, look at what you’ve protected
Adwords, Google Apps for Work, YouTube, Books, google Play, Picasa, location history, Google Plus, Gmail, Drive, Docs, Sheets, Slides, Forms, Drawing, Sites, Calendar, Voice, Google Wallet, blogger, Groups, Hangouts, and many more.
You’re well on your way to being one of those people who doesn’t worry even if a billion passwords and Gmail addresses were hacked. There’s nothing that without a highly targeted attack on your account specifically anyone could do.
Wait, I’ve heard this before…
Yeah, as with anything if someone can intercept your text messages or break Google’s second step authentication algorithm there’s a chance that you could be caught up in the next wave of hacks. But that would take significantly more sophisticated types of hacks than we have seen to date.
This last round of Google leaks evidently were from other sites where someone used the same password for a site they visited as they did on Google.
Still, have a unique password for Google, a unique password for your credit cards, and a unique password for banks, and you should be in a pretty safe setup. I wouldn’t advise using “password$1” for your password on Google, but whatever floats your now two-step verification boat.