Turn On Gmail's '2-Step Verification.' Now.

By James Fallows

Yesterday's Wired account, by Mat Honan, of an "epic hacking" attack is fascinating, frightening, and instructive. You should read it. Here are some other things you should do, in ascending order of urgency:

  • You should read the story of what happened to my wife when six years' worth of email -- and associated photos, research notes, book drafts, calendar info, contacts, attached-file data, memorabilia, etc -- were all zeroed out by a hacker, who was using the "Mugged in Madrid" scam and was probably operating from West Africa.

  • You should look into the wide variety of ways to make local, non-cloud copies of your important online information. I won't get into all the details now, but for instance: you can use Thunderbird, Eudora, Outlook, Sparrow, or some other system for periodic backups of your email and associated online files. (And then of course have some other way to back up what's on your local hard drive.)

  • You should make sure that each of your important online accounts -- bank, credit card, email, anything that could cause you grief if someone else got control of it -- has (a) its own password, which (b) you have never used anywhere else. I rely on some mnemonic tricks, plus LastPass, to make this feasible  -- more on that another time.

  • And if you use Gmail, please, before you get up from this session at the computer, turn on the "2-step verification" that Google has offered, free, since early last year. OK, you are allowed to get up if you don't have your cell phone/smartphone at hand, because you'll need that for the 2-step setup. You can read official instructions here and will find lots of associated advice around the Internet. Here is one installment I offered after my wife's hacking episode last year.

In case there's any doubt about the priority order I am suggesting, my advice is:

    - FIRST, if you use Gmail, set up the 2-step system; then
    - Fix any "recycled" password you're using for accounts you care about protecting; then
    - Think about the offline backups etc.

And if you need any extra motivation, read just the first two paragraphs of the Wired piece:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened... 

Using the 2-step system is slightly less convenient than doing without it. For instance, every 30 days you will need to enter a special code into your desktop or laptop computers. And you'll have the one-time chore of generating "application specific passwords" for your iPad, your smart phone, and some mail-handling programs. Similarly, it is less convenient to carry keys around and have to lock and unlock your front door, compared with just leaving it open. But believe me, the "inconvenience" resulting from leaving the door open can be worse, in the digital as in the physical realm.
___
UPDATE: Here is some nice extra info on 2-step from Matt Cutts.

This article available online at:

http://www.theatlantic.com/technology/archive/2012/08/turn-on-gmails-2-step-verification-now/260822/