
The Ultimate Guide to Protecting Your Accounts From Hackers

Alessio has reported security vulnerabilities to Google and Apple. He also has a past as a web developer and web server administrator.


People’s online lives are regulated by accounts. Every online service, from email to online banking, is based on a username, a password and the private area shown after logging in.

Some accounts, like those connected with money management and savings, are more sensitive and important than others, like online gaming accounts. Still, the most correct way to approach online life is to give all online profiles the same relevance, especially when it comes to protecting them from hackers.

Every Online Account Matters

A security violation against a banking account has different consequences from one against a gaming or online movie streaming account. Still, the best way to stay safe when using the internet is to treat all accounts as critical and worthy of the same level of security.

A hacker attack against a personal account may have practical consequences, which become more critical when money is involved, as well as psychological ones. In the end, an online account is like a digital home where people tend to keep all the things that have some importance to them. It may be their money, emails or photos; yet there is a common element to all the violations committed against accounts, regardless of how important they are to someone’s life: they are an intrusion into something people own.

To relate this to something outside the internet, a violation against a banking account is like a thief entering someone’s house and emptying the vault hidden inside it, while the same violation against a gaming account may be compared to the thief getting into the cellar and stealing some goods of little monetary value. Still, it is a violation of private property and, more specifically, an intrusion into someone’s private life.

If the average internet user adopted the same way of thinking in their digital life, without falling into a banal categorization of accounts in which banking needs military-level security while the cloud archive containing photos of the cats can be protected with just ‘1234’ as the password, maybe there would be a far better culture of online safety.

Finally, there are universal rules when it comes to protecting an account from hackers, so applying all of them to every online identity without making categorizations is surely the best way to behave responsibly when it comes to managing online accounts.

Multi-Factor Authentication Is Safe but Not Yet So Common

Multi-factor authentication ensures the best safety because it adds a third layer of validation that is not based on already known credentials but on something generated at the moment. It can be a temporary OTP code sent via SMS or generated by an authentication app, or an authorization provided through a physical token or an app installed on a device.

The following table shows how multi-factor authentication can play a crucial role in online safety.

Given the common risks associated with account safety, one can conclude that multi-factor authentication keeps the account owner safe even if their credentials get stolen by somebody, as long as they do not authorize access.

| | Online Account Without Multi-Factor Authentication | Online Account With Multi-Factor Authentication |
|---|---|---|
| Layers of safety | Username; password | Username; password; a third authorization provided via an app, a token or an OTP code sent to a phone or generated through an app |
| Protection type | Without knowing credentials, nobody can access the account. | Even if someone manages to get credentials, without being able to complete the third authentication step they will not be able to gain access to the account. |
| Most common risks to account safety | If someone manages to get credentials, they can gain access to the account. Hacker attacks against the website may also expose the account owner to security risks. | Hacker attacks against the website may also expose the account owner to security risks. |

The main issue with multi-factor authentication is that, despite its relevance for online safety, it is still not an option offered by all online service providers. When one thinks about this third authentication step, the first websites that come to mind are those of the most influential online companies like Google, Facebook, Twitter, Microsoft and Apple.

Online banking services also enable the user to add a third authentication factor, most of the time by enforcing it as a default choice. The user should think about how important this additional layer of safety is for every online identity without relegating it only to bank accounts. The biggest issue with multi-factor authentication is still its lack of popularity among online service providers. While a Google or Facebook account can be easily protected with multi-factor authentication, small online stores, online gaming platforms and other services managed by small and medium companies do not always offer this third layer of safety.


That’s why one should enable it whenever available, but never consider it the only safety measure to take, as not every online service supports it. Using strong and unique passwords on different websites is the most basic security advice almost everyone gets when instructed on how to protect their accounts from hackers. Still, there is much more to ensuring your online safety, with or without multi-factor authentication.

1. How to Manage Passwords

Using strong and unique passwords for each account is the first step to improving online safety but, sometimes, one doesn’t think about what this strategy needs in order to work: safe storage of the different credentials one is going to manage.

Storing them in an encrypted password manager is a good idea, but the password manager of a browser synced with a Google, Microsoft, Apple or Firefox account may also be a good alternative, even if this solution is less safe than dedicated software with encryption included. It all depends on which devices one syncs their passwords with, how often those devices are updated, how many users have access to them, and how well the account used for syncing passwords is protected.

Of course, syncing passwords with a Google or Microsoft account protected with multi-factor authentication, and only on mobile devices without jailbreak and hardened with a strong PIN code, has a very different security impact compared to doing the same thing with an account not protected with multi-factor authentication and syncing with a PC that runs an old operating system and may also be used by other people. Even a sheet of paper stored in a vault (or even in a bank security box) can provide safe storage: it is up to the user to decide how to manage their passwords and how to balance ease of access to their credentials with improved security.

A password manager is like a vault in which to store login credentials safely.

2. Using Custom Email Addresses

Custom email addresses bound to a registered domain name are often seen as adding value to the online identity of companies. Having a personal domain name may also work for individuals establishing their online identity, even if they don't have a website (a domain name can be easily associated even with a social network profile). At a small yearly price, a domain name can be of great value. Still, not many people may imagine it can also play a great role in protecting accounts from hackers.

To better understand, let’s imagine a user who runs most of their online life around the Google ecosystem. They have a Gmail account and store documents on Google Drive and photos on Google Photos. They may decide to register a domain name through the Google Domains service, which is already tied to their Google Account. Then, they can create email aliases connected to their main Gmail account, so that every email sent to the aliases is forwarded to it.

Being able to create aliases with a personal domain name means having a powerful tool that definitely strengthens the security of online accounts: unique email addresses in addition to passwords. This means that the email address itself can be used as if it were a secondary password, by generating long and random aliases that end with the domain name.

The following table can be an example of how the password manager list of someone using this security technique may look.

An example of how a password manager database can look if someone applies the security technique of generating email aliases associated with a custom domain for every different account they have.

| Account | Email address | Password |
|---|---|---|
| Facebook Account | facebook1838173hsw83519217@domainname.ext | Wdhkehekduchem37363+’esodhej_ |
| Twitter Account | twitter2692351ahw632936@domainname.ext | 833(kEh’eeu:¥_93]Ieirldmd |
| Online Shop Account | shop2618361gei368beeu63@domainname.ext | Iieknekddhey93[3:€/{3{]¥~>]]{ |
| Hubpages Account | hubpages7392dhwo273eh@domainname.ext | €bjdh’ehedocuwmJdhdkcoe( |
| Online Gaming Account | game37dwj373djfe832718@domainname.ext | Ed);3€)’djhh82;Emdyeoendslsh |
| PayPal Account | paypal8279dhew9372owudn@domainname.ext | ‘Jeddecel92(3’Lwueueem,339¥7[w,dbdil |
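
The alias-per-account technique described in this section, as an added example that is not part of the original article: it draws each alias and password from the operating system's secure random source, then audits a vault for any address or password shared between accounts. The function names, lengths and vault layout are assumptions; domainname.ext is the placeholder domain from the table above.

```python
import secrets
import string
from collections import defaultdict

ALIAS_CHARS = string.ascii_lowercase + string.digits   # safe in any mailbox name
PASSWORD_CHARS = string.ascii_letters + string.digits + string.punctuation
MAX_LOCAL_PART = 64                                    # RFC 5321 limit for the part before "@"


def new_credentials(service, domain, random_len=20, password_len=28):
    """Return (alias, password) for one account, both drawn from the OS CSPRNG."""
    label = "".join(c for c in service.lower() if c in ALIAS_CHARS)
    label = label[:MAX_LOCAL_PART - random_len]        # shorten the label, never the random part
    suffix = "".join(secrets.choice(ALIAS_CHARS) for _ in range(random_len))
    password = "".join(secrets.choice(PASSWORD_CHARS) for _ in range(password_len))
    return f"{label}{suffix}@{domain}", password


def build_vault(services, domain):
    """Create one vault entry per service, each with its own alias and password."""
    vault = []
    for service in services:
        email, password = new_credentials(service, domain)
        vault.append({"account": service, "email": email, "password": password})
    return vault


def find_reuse(vault):
    """Return sorted (field, [accounts]) pairs for any address or password used by 2+ entries."""
    seen = defaultdict(list)
    for entry in vault:
        seen[("email", entry["email"].lower())].append(entry["account"])
        seen[("password", entry["password"])].append(entry["account"])
    return sorted((field, sorted(accounts))
                  for (field, _value), accounts in seen.items() if len(accounts) > 1)


if __name__ == "__main__":
    # Constructed sample vault; the service names are illustrative.
    vault = build_vault(["Facebook", "Twitter", "Online Shop"], "domainname.ext")
    # Constructed bad entry: a gaming account that reuses the Twitter address and password.
    vault.append({"account": "Online Gaming", "email": vault[1]["email"],
                  "password": vault[1]["password"]})
    for entry in vault:
        print(entry["account"], entry["email"])
    print(find_reuse(vault))   # reports the two accounts that share credentials
```

The audit returns account names only, so its output can be reviewed without exposing the stored secrets.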

3. Stay Safe While Surfing the Internet

This last piece of advice comes down to the banal recommendations almost everyone knows. Still, there is no point in setting unique email addresses and passwords if one falls for the first phishing email they receive, doesn't update their antivirus software and browses suspicious websites.

Considering that social engineering and phishing attacks still work well despite the various ‘it will never happen to me’ ideas many people may have, one should also think of the first basic safety rules before applying the most advanced ones, like generating email aliases for each account and applying multi-factor authentication whenever available.

Only with the combination of basic and advanced security rules can one achieve something that may be considered the highest level of security they can aspire to reach.

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2022 Alessio Ganci
