Categories: Cyber Security Privacy & Security

Don’t Get Pwned: A Guide to Safer Logins

178 responses

More and more of the sensitive, valuable things in our life are guarded through password-protected online accounts — love letters, medical records, bank accounts and more. Web sites use login procedures to protect those valuable things. As long as someone can’t log into your account, they can’t read your email or transfer money out of your bank account. As we live our lives online, how should we protect our logins?

tl;dr:

  • Use random passwords, and use a different password for every site
  • Use a password manager to make creating and remembering passwords easier
  • Make your answers to security questions just as strong as your passwords
  • Use “two-factor authentication” wherever you can
  • Pay attention to the browser’s security signals, and be suspicious

It’s hard out there for a password

Most logins today are protected by a password. If an attacker can get your password, he can access your account and do anything you could do with that account. So when you ask how secure your account is, you’re really asking how safe your password is. And that means you have to think about all the different ways that an attacker could access your account’s password:

  • Seeing you use it with an unencrypted website
  • Guessing it
  • Stealing a file that has your password in it
  • Using password recovery to reset it
  • Tricking you into giving it to them

To keep your login safe, you need to prevent as many of these as possible. Each risk has a different corresponding mitigation.

Look for the lock

It’s easy to prevent attackers from stealing your password when you log into an unencrypted website: Never type your password unless you see a lock icon in the URL bar, like this:

Look for the lock in your browser URL bar to ensure you're on an encrypted website.The lock means that the website you’re using is encrypted, so that even if someone is watching your browsing on the network (like another person on a public WiFi hotspot), they won’t be able to see your password. Browsers are starting to roll out features that warn you when you’re about to enter your password on an unencrypted site.

Look out for phishing websites.Your browser also helps keep you informed about how trustworthy sites are, to help keep you safe from phishing. On the one hand, when you try to visit a website that is known to be a phishing site, any major browser will display a full-screen warning — pay attention and don’t use that site!

Beware of deceptives sites.

On the other hand, when you’re talking to a site that has provided proof of its legal identity, the browser will show you that identity. So for example, when you go to download Firefox, you can know that you’re getting it from Mozilla.

Look for proof of legal identities on websites.

In general, the best defense against phishing is to be suspicious of what you receive, whether it shows up in email, a text message or on the phone. Instead of taking action on what someone sent you, visit the site directly. If an email says you need to reset your Paypal password, don’t click the link. Type in paypal.com yourself. If the bank calls, call them back.

Strength in diversity

The secret to preventing guessing, theft or password reset is a whole lot of randomness. When attackers try to guess passwords, they usually do two things: 1) Use “dictionaries” — lists of common passwords that people use all the time, and 2) make some random guesses. The longer and more random your password is, the less likely that either of these guessing techniques will find it.

When an attacker steals the password database for a site that you use (like LinkedIn or Yahoo), there’s nothing you can do but change your password for that site. That’s bad, but the damage can be much worse if you’ve re-used that password with other websites — then the attacker can access your accounts on those sites as well. To keep the damage contained, always use different passwords for different websites. There are also sites like have i been pwned where you can subscribe to be notified if your account is in one of the password databases that has been stolen.

My mother’s maiden name is “Ff926AKa9j6Q”

Finally, most websites have a password recovery system that lets you recover your password if you’ve forgotten it. Usually these systems make you answer some “security questions” before you can reset your password. The answers to these questions need to be just as secret as your password. Otherwise, an attacker can guess the answers and set your password to something he knows.

Randomness can be a problem, since the security questions that sites often use are also things people tend to know about you, like your birthplace, your birthday, or your relatives’ names, or that can be gleaned from sources such as social media. The good news is that the website doesn’t care whether the answer is real or not — you can lie! But lie productively: Give answers to the security questions that are long and random, like your passwords.

Get help from a password manager

Now, all of this sounds pretty intimidating. The human mind isn’t good at coming up with long sequences of random letters, let alone remembering them. You can use a password manager like 1Password, LastPass, or Dashlane to help improve your password hygiene. They will generate strong passwords for you, remember them for you, and fill them into websites so you don’t have type them in.

You do take on some risk by using one of these password managers, since they create a database that has all your passwords in it. However, all reputable password managers encrypt their databases with a “master password.” The master password is safer from theft than normal passwords: Because it never gets sent to a server (just used on your computer to encrypt the database), an attacker has to break into your computer in particular, rather than a server where he can harvest millions of accounts. And because you only have to remember one master password, you can make it extra strong. So in general, it’s much more likely that you’ll have an account breached due to not using a password manager (e.g., a weak or re-used password) than that someone will both steal the your password manager’s database and guess the master password.

Even if you can’t figure out how to use a password manager, sometimes the simplest, least glamorous technology is also pretty secure:

Password Book 1 005

Going old school.

Just keep your written passwords in a safe place!

More factors, fewer problems

The other major step you can take to protect your account is to add a “second factor” to the login process. In most cases, the second factor is tied to your phone, which means that even if an attacker has your password, they can’t log in to your account unless they also have your phone. (And vice versa — if your phone gets stolen, they can’t log in unless they get your password.)

In order to enable two-factor authentication (or “2FA”), you’ll need to associate your phone with your account on the website. Each website will provide instructions, but it usually involves either entering your phone number or scanning a barcode with a special app. Then, when you go to log in, the website will ask you for a code from your phone. If an attacker doesn’t have your phone, he can’t get the code, so he can’t log in.

better-passwords-image01

Set up a two factor authentication app.

better-passwords-image04

Step 1. Generate authentication codes when you want to login.

better-passwords-image00

Step 2. Enter the verification code to proceed with login.

2FA provides much better security than passwords alone, but not every website supports it. You can find a list of websites that support 2FA at https://twofactorauth.org, as well as a list of sites that don’t support 2FA and ways you can ask them to add support.

Strong, diverse, and multi-factor

For better or worse, we’re going to be using passwords to protect our online accounts for the foreseeable future. Use passwords that are strong and different for each site, and use a password manager to help. Set long, random answers for security questions (even if they’re not the truth). And use two-factor authentication on any site that supports it.

Following these steps takes some discipline and will make it harder to log in sometimes. But in today’s Internet, where thousands of passwords are stolen every day and accounts are traded on the black market, it’s worth some inconvenience to keep your online life safe.

178 comments on “Don’t Get Pwned: A Guide to Safer Logins”

  1. SP Kelly wrote on

    Thanks Mozila I’ve just learned a lot more about security.

    1. willemm wrote on

      I agree with most of the recommendations but I have had telephone conversations (genuine) when, to satisfy my id I’ve been asked to answer personal questions. Having to use a randomly configured response to these, of mixed characters/symbols etc would have been very difficult to speak, or be understood, one by one, over the ‘phone. Where a personal question allows something truly unique (my first car – for me, a make and a model that only I know the exact answer to, and it needn’t be the first car) is the sort to go for. There’s usually a whole range of personal questions to choose from so go for those that allow this level of uniqueness.

      1. matt wrote on

        What made it easier for me was to realize is that the all of the questions are really just “What is your password?”, “…and the second?”, “…third?”.

        So the response to “what was your first car?” could be “%mazda$lemon73”. Not completely random, but still memorable and moderately pronounceable.

        1. Bill wrote on

          Excellent tip, Matt!

        2. Karen wrote on

          Really valuable ideas! Thx.

      2. jonathan wrote on

        me too

      3. Hef wrote on

        You can still LIE on the answers to the security questions. So if you put the true answers on Social Media they are NOT the same as your security answers. Example when ask for a PET name. You could put make and model of your car or your GirlFriend or the Title of your Favorite movie or Book. Start thinking in PASSPHRASES instead of PASSWORDS. MAKEYOUR Phrase as long as possible try to substitude a symbol instead of a letter Example $ in stead of S, MiX tHe CaSe UP RUNTHEwORD$TOGEther, Also when you do these comment posts use a throw away email that use use just for this purpose.

    2. Ian wrote on

      I’m one of the old guys that didn’t grow up with a computer.. so thanks

  2. Johann ‘Myrkraverk’ Oskarsson wrote on

    Unfortunately, many websites downgrade their 2FA to 1FA when they allow password resets. Twitter is one of them. That means stealing someone’s phone (or phone number through social engineering) can compromise all the social media accounts and possibly even bank accounts.

    That means enabling 2FA on sites like Twitter and Gmail compromises your account further, instead of making it more secure. High profile people are particularly susceptible to become targets; and may end up victims of successful blackmails if not outright theft of assets.

    1. Matt wrote on

      I think you are a little mistaken, with Gmail at least. I use 2FA with Gmail and even if someone did steal my phone, they still couldn’t reset my password. If you look in the Gmail settings, they allow you to set either a password recovery email or password recovery phone number…so unless you intentionally use the same phone number you use to get the 2FA code, simply having the phone isn’t going to help. I don’t use Twitter, so I can’t speak for how they do it.

    2. Toni Pejić wrote on

      That’s what one time passwords are for. They are good 2FA solution. Example is Steam mobile authenticator.

      1. Rick wrote on

        So how is steam mobile authenticater any different than than google vault?
        The theft trick is that during a password reset the service provider temporarily disables 2fa so no amount of crap you put on your phone is going to help.
        The phone may still be the link for a reset, but the sneaky theives call up your phone provider and either have calls and SMS forwarded first or Steal your phone or have your number changed / ported to a new one. So if your service provider allows a password reset via SMS code your goose is cooked. The proper defense is to use some other form of password reset that does not rely on your phone! Steaming pile of crap apps are not good enough! Also secure your phone login and have a pin number access put on your account with your phone service provider.
        But if the thief says pretty please the phone service provider may still give them what they want. I have already had to ask for my pin because I forgot it and it was no big deal. They did no real verification.
        .

        1. kjjensd gkhl3f;wnrg2wejehr1ohiblbio1 wrote on

          Or get a a free sim card and pay with cash and don’t have the sim connected with your name in anyway whatsoever and don’t tell anyone about it

          1. Smok Szwecji wrote on

            Burner phones are a good thing.

        2. The guy who schooled Rick wrote on

          Obviously, someone doesn’t know how the steam mobile authenticator works. It doesn’t send the code by SMS or by a phone call. You have to go through a lot of hoops to set up the authenticator to start. If anything happens to the phone, the account gets locked down until the person contacts Steampowered and has to jump through even more hoops to reclaim it. As another security measure, all payment methods are removed to prevent a would-be theft from ever taking place.

          On that note, if you’ve given out practically every little detail of your life to the point where a would-be identity thief can call up your Service Provider and change things on the account without verifying in person, then something is seriously wrong with you.

    3. Ron Tavalaro wrote on

      Thanks for the update !

  3. T wrote on

    Thanks lots for the nudge into action.

  4. DEJEN wrote on

    NICE…

  5. Dana Troy wrote on

    Good info. I especially appreciated info on the use of a password manager — which I use, but didn’t know why it was supposed to be secure.

  6. Rahimpasha wrote on

    Thanks for the mozilla… Giving me important information thanks…

  7. Fabricio C Zuardi wrote on

    I would expect at least one free software recomendation for password manager, since this is Mozilla…

    1. TJH wrote on

      For example, Password Safe. Written by Bruce Schneier.

      1. Henry wrote on

        Or http://keepass.info/

    2. ZyrtisK wrote on

      Errr… they recommend -3-… :/

      1. Paul Smith wrote on

        Just because an app is free doesn’t mean it’s Free Software. It must be open source. You must be able to run the entire application on your computer without connecting to another company’s server. All 3 companies listed have access to your information. All 3 companies can be hacked.

        1. A. wrote on

          Mozilla added the fact that all 3 companies use encryption though. So beyond being able to hack them which probably isn’t that much of an easy task as they should have sufficient cyber resilience in place. Even if someone gets beyond, they still need to decrypt everything.
          Trust me, I was rather paranoid to start using password managers but got persuaded to use Dashlane (Premium) and I’m more then happy with it.
          Try logging on to something with your phone when you’re on the road without having access to your computer client and your paper-based password sheet…
          Yep…

    3. ragearainbow wrote on

      Dashlane is free to use if you don’t intend to use the sync feature and even then you can export the data base and import on any computer.

    4. evilalpaca wrote on

      KeePass (FLOSS)

    5. Malanos Cypher wrote on

      Mozilla no longer fully adheres to Free software guidelines, the FSF has definitely made their stance known on this issue. KeePass 2.x or KeePassX are always an option for most platforms. Mozilla now sits in the camp of Open Source, certainly, but that does not guarantee ‘free as in freedom’.

    6. Jeff wrote on

      Lastpass has a free fully functional version. The premium version allows sharing and a few other feature, but as a general password manager the free version is fine. The paid version is $12 a year, so not a huge cost. Both versions offer add-ins for firefox, chrome, and explorer. Additionally you can use the password management on your mobile devices. I’ve been using the Enterprise version for a few years now and it a good product. They were purchased by Logmein about a year ago.

    7. Barbara Stanley wrote on

      You probably already know this, but if you use Firefox, go to the menu bar, hit tools, options, the lock icon (on the left), and under logins, select “use a master password”
      Good luck! 🙂

      1. Sidney Pires wrote on

        Great! thanks,

      2. Walt D wrote on

        I have been using this for several years. Another neat feature is if you enter a different password it will prompt you to ask if you want to save the NEW password.

    8. Sondra Kinsey wrote on

      Agreed that it is astonishing that Mozilla lists several closed-source solutions, but not FLOSS KeePass (of which I am a regular user). I think if Mozilla believes password managers are the future of authentication, they should make supporting KeeFox a priority (although it works fine already).

      1. Ale wrote on

        Can’t agree more. I was a bit upset with Mozilla when I’ve read that they suggest closed source, proprietary and commercial solutions, while not even mentioning KeyPass, which is open source, and works very well. I use it every day with Firefox using the KeeFox extension (also open source).

    9. Longwabo wrote on

      Dashlane is free.

  8. Ujarat Khan wrote on

    Very very good

  9. José Manuel Alarcón wrote on

    Nice article to raise awareness.

    What about systems like this one instead of password managers?: http://www.jasoft.org/nullpass/

    They don’t store your passwords anywhere and no traffic is exchanged either, working always offline…

    1. Phil M wrote on

      Awful, awful awful idea. I’ve seen several versions of this and they’re all terrible. The one you linked doesn’t even use HTTPS !!!

      1. Gpod wrote on

        Just wonder if the the Phil M that went to GMA

      2. Casey Crockett wrote on

        It’s not as awful as you make it sound if you think about how it works. If the code is embedded in the page, there is nothing to transfer to the cloud, thus no https required. It would be as safe as the browser process running that tab, or as safe as the clipboard on your computer. And, I think thanks to Mr. Alarcon, it can be used offline.
        As for the generated password itself, it is as difficult to guess as the master password used if you know the site being used. It is as difficult to crack as any encrypted password of the same length.
        I prefer Password Safe myself, for the management features like storing other information encrypted along with the password. I realize I am putting all my password eggs in one encrypted basket, and I accept that risk.

        1. Tim S wrote on

          The fact that it’s unencrypted is pretty awful, when you consider that a man in the middle could insert some extra JS to transmit everything you enter, and you wouldn’t know unless you were looking very closely. If it used https, an attacker would have to breach the server hosting it to insert such a script.

  10. diah prama wrote on

    THANKS mozila

  11. Adi Sucipto wrote on

    Semua tipsnya sudah lama saya terapkan. Tapi terima kasih sudah mengingatkan banyak orang mengenai keamanan berselancar di dunia online

  12. Brenda C wrote on

    Naive. Thought you had to use genuine relation’s names.
    Never did trust Password Managers.
    Thanks Mozilla!

    1. jim wrote on

      I like that 🙂 you’re on the mark.

  13. Gina wrote on

    I just want to say Thank You for every thing you do and the information. I have been a Mozilla user for years. You are very informative and keep users up to date. Showing how much you appreciate and are always fighting for our privacy. I couldn’t be happier and proud to use Mozilla.

    1. snohomishc wrote on

      YES INDEED!!! THANK YOU!!!

  14. cameleon wrote on

    why don’t you mention Firefox’s password manager?

    1. Ken wrote on

      Storing passwords on your Browser (Firefox, Chrome etc.) is a bad idea. Use a password incription program like ‘lastpass’. Passwords on browsers are easily hacked.

      1. April King wrote on

        Storing your password in your browser is completely fine, and save if you use a master password or use something like Firefox Sync. Password managers are nice because they can help coordinate the storage of your password between websites and things like phone apps.

      2. Rob wrote on

        And… why the article doesn’t speak about this?
        And… why Mozilla offers that feature inside their Firefox if it’s not a good idea using it?
        And…
        I like this article, but actually I was hoping much more from Mozilla.

  15. Niranjan Shanmuganathan wrote on

    With today’s technology, you can store your whole life on your hard drive. /Without password protection, nothing is safe. Protecting our self with passwords is essential. Most cases of stolen information occur by the hacker guessing the victim’s password. Moral of the story: SIMPLE PASSWORDS STINK.

  16. CactusJack wrote on

    Mozilla, I really learned some obvious things about security that I should have known before but did not. Than you….

  17. peter wrote on

    Thank you very much Mozilla.

  18. taseer wrote on

    nice mozilla

  19. Patrick Smith wrote on

    Excellent! You people are the best! Now please advise a non tech person like me, how best to use the new external hard drive I just got to secure my data! I’m sure there are others like me who don’t wish to loose all our data and need to understand the benefits of having a back up. Thank you

    1. PN wrote on

      Mozilla is here to promote a safe internet, not general “computer 101” advice. There are plenty of articles available via Google and elsewhere to find out how to backup your data to an external hard drive.

    2. Buddhika wrote on

      1. Format your external disk with NTFS file system
      2. encrypt your External disk with Bitlocker (microsoft free tool)

  20. Phil Cohn wrote on

    When I type in a password Mozilla Firefox asks if I want it to remember the password. is it safe to say yes?

    1. PN wrote on

      Depends. If you have Firefox Sync enabled, and you have included passwords among the things it saves/syncs for you, then there is definitely more risk because those passwords are being transmitted to the sync server and then to any other devices where you use Firefox. If the sync server gets hacked, your passwords could be intercepted there… and that’s not just one password on one site (like Yahoo or LinkedIn) but rather EVERY password you’ve ever used and saved on Firefox.

      I use Firefox Sync, but I have turned-off the passwords option. While I enjoy the convenience of having my bookmarks and tabs synced across devices, I’d prefer security over convenience when it comes to passwords.

      If you do NOT use Firefox Sync — or if you do, but you’ve disabled passwords like I have — then it’s much more secure to save the passwords in the browser, since your passwords are only stored locally on that device. But if anyone else uses your computer, they could use this feature to login to various websites under your name.

      And it should go without saying, anytime you’re on a public computer (hotels, libraries, etc.) you should never have the browser save your password. In fact, I’d recommend avoiding public computers in general, since you have little or no way of knowing if someone else might have a keystroke logger or other “surveillance” software installed on the machine.

    2. April King wrote on

      Yes, it’s perfectly safe to store your password inside Firefox, especially if you use a Master Password to secure it.

    3. Bob T wrote on

      NO!! Definitely not! If you answer “Yes” your non encrypted password(s) will be stored on your hard drive as a file that usually has “PWD” (not case sensitive) in it somewhere which makes it quite easy to find by a hacker using a “wild card” search. Take it from one who did that when I first noticed this feature running Windows XP on another PC. My pwd file was hacked and important passwords were changed without my knowledge. Fortunately I had a clean database back-up that my PC guy was using to load the new Windows 7 machine he was building for me. That file was “erased” from my new PC before it ever connected to the Internet.

  21. morteza wrote on

    ok

  22. ma. leona a. molon wrote on

    thank you mozilla for the very informative awareness message.

  23. MikeOH wrote on

    The vast majority of the time that people are “pwned” is the result of a data breach by a website managed by some corporation, e.g. yahoo, target, home deport, banks, etc. and, of course, government. (Hundreds of millions or accounts compromised, including yours.) The reason we are asked to create complex passwords is to slow the process of cracking AFTER it gets stolen from your bank or store website. (The passwords will be cracked eventually.) I would suggest that the first step in keeping your information safe is expecting data loss caused by these sites. That includes, not giving them your financial information, mothers true maiden name, etc. The second greatest cause is getting scammed (just like John Podesta) by a fake e-mail saying “click here to reset” password of credit card info. Weak passwords are rarely guessed; encryption is rarely broken, snooping unencrypted traffic is a thing of the past 99% of the time. The worst thing you can do is use the same password (no matter how sophisticated) on multiple sites. These websites mostly stopped allowing you to choose a username and insist on making you log in with your e-mail address, so thieves no longer need to guess your login name at all the other store websites and banks, hence loss of one password compromises many sites. We are lulled into a false sense of security by complex password rules and claims of fancy encryption. To do otherwise might be bad for business. We must adopt behaviors to protect ourselves and Mozilla ought to be talking about their own wonderful password manager.

  24. widayat moko wrote on

    i just want to say tanks for every thing and very informative

  25. Peter Preston wrote on

    I discovered a few weeks ago that Firefox stores its passwords in options/security/saved logins… and that you can just click on ‘show passwords’ to reveal all passwords and the sites on which they are used. This means that anyone who knows this can, when opportunity presents itself, discover all your passwords and their site – everyone has a high resolution smart phone these days, so it would take only a few seconds to navigate to the information and take a picture. I realize that someone has to have access to your computer, but nevertheless it is a security weakness in Firefox to make it so easy to check your passwords in this manner.

    1. April King wrote on

      This is true of pretty much any password storage mechanism, including password managers or storing them on paper. If you are concerned about the physical security of your passwords, consider using a Master Password inside Firefox and keep Firefox and/or your machine closed and password locked with a when away from your machine, and use full disk encryption systems.

    2. Bob T wrote on

      Peter, There is one incorrect assumption in your comment: “everyone has a high resolution smart phone these days”. That is not true, I am the proud user of a simple easy to use $25 per month flat fee “flip-phone”. While Verizon is offering me all sorts of enticements to trade it for a smart phone I have no intention of doing so! It is a portable phone for emergencies when I’m away from home and that’s all I will ever need it to be. After 38 years working in the telephone industry I prefer to remain wired to the world where Uncle Sam cannot legally monitor nor capture what I’m saying or doing as they freely can and do do to cellular/wireless phones. Federal and State anti WIRE taping laws only protect the consumer using phones that are still wired to the phone company’s switching office!! (That’s what wire taping means!)

      1. Sally G wrote on

        I have been much the same, finally may be dropping the copper wire for budget reasons, but no smart phone—I carry my laptop most often, so if I truly need Internet. . . . and I have a Garmin GPS in my car—I don’t need a record of everywhere I go on my phone, either. Still have access to FiOS at relatives’ house nearby.

  26. Jim R in Miami wrote on

    A good way to create and manage password is use your birthday, date, or birthplace… but spell it backwards use use “pig latin” remember that from your childhood? And Of Yes!… I created (and my students created the “Drain the Swamp” and “Cave Man creating the wheel”…quite a few years ago (1969) while teaching my computer students basic DOS at a commercial school in Chicago…..however I never renewed my Trademark or Copyright.

    1. April King wrote on

      Although this seems safe, many password guessing programs use permutations like this during their attempts. Random passwords are a far safer alternative; alternatively, random passphrases (“summarize journey calculator disco teleport”, for example) offer memorability along with security.

    2. Guessit wrote on

      “Drain the Swamp” Is that from: “It’s hard to drain the swamp when you’re up to your assets in alligators? 😉 Just wondering – I haven’t heard that in decades is why.

      From the beginning of the internet being available to me, I’ve used a different password for every site as well as a different user name. I’m not liking that many sites now insist on using your email address for a user name. So, now I give most of those sites one of two email addresses that, more or less, are dedicated to that one use and keep the one with most important [at least to me] stuff for myself and my family [family includes Mozilla’s Firefox ‘cuz I luv them too.]. That also really cuts down the clutter from “shopping” sites that I would have to wade through to get to the important stuff. I have a notebook where I keep track of user names, passwords, and security questions with answers, both actual and otherwise, and, for several sites, one would have to go through several pages before finding everything that applies to a particular site. But after reading to this point, I realized if my computer was taken, it’s likely the notebook kept in its vicinity would also be taken, and though my son [now in 60’s] swears he can make nothing out of my cryptic entries, that doesn’t mean a thief/hacker would be stumped. So, once again, thank you for the heads up! You guys are the best. Decided to move the notebook to a much less obvious place. Sometimes, I just have to give myself a “Duh” Why didn’t that occur to me! I want to thank everyone for their comments. I believe in being a “lifetime learner” and appreciate the information y’all share. Blessings on you all!

  27. Jim R in Miami wrote on

    Hey..maybe I should have sold it!! OR one of my students did!

  28. citizen wrote on

    Please provide more information about using two factor authentication without a phone.

    1. Giorgio wrote on

      Yes, yes, yes!!!
      That’s a good idea…
      Phone as a second step authentication is a good system but not always a practical one.
      (not always and not for everybody by the way)
      Now the key point is to collect suggestions/ideas about what a second factor could be the best compromise from a security ans practical point of view…

    2. Rick wrote on

      The 2FA is really a feature implemented by each site and the one you log into may have their own quirky version so check the site out and their are other devices like a usb smart card or smart usb key that can be used. Check out Nitrokey https://www.nitrokey.com/. Kinda kludgey but you can use an old cellphone that you have laying around and setup Google vault up on it and use the free version of lastpass. you are less likely to use a phone you do not carry around all the time. This way only trusted computers you designate can get auto access to the Laspass password storage. So how to do this with out the old phone? setup a portable browser on an encrypted usb key and designate it as a trusted browser. If you lose the usb key, no sweat, it’s encrypted! its a little slow but it works.

  29. siddaling ambasa wrote on

    nice

  30. adam wrote on

    so what about firefox saved logins (which save passwords). are they secure ?

    1. Dean wrote on

      No. As an earlier reply mentioned, Firefox stores its passwords in options/security/saved logins… and you can just click on ‘show passwords’ to reveal all passwords and the sites on which they are used.

    2. SyED wrote on

      it might be but keep in mind , keyloggers/Remote Admin Tools/ can recover logins from Firefox/chrome and other apps that save passwords, your best bet is use a password manager and set master password.(1password / lastpass password manager)

    3. Rick wrote on

      well, they are fairly secure unless someone else has access to your computer. A cryptophreak with a big rainbow table might be able to get into them.

    4. Rick wrote on

      One more thing, you do have a master password set right?

  31. Sbbb3 wrote on

    Thank you Mozilla working crew. You explain this topic simply for older less computer savvy persons to understand, particularly helpful with the pictures. I stick with the old fashioned way of storing passwords…tedious..but once there is routine…not bad at all. I have a 2FA system in place which works and fortunately I am not a “high profile” person. I learned to pay closer attention to security question answers and mix them up even more.

  32. Linda wrote on

    Thank you for the information, it’s good to know

  33. DAVID PINNOCK wrote on

    This discourse was very instructional.

  34. Emmett wrote on

    I know it’s imperative that we implement strong presences against the efforts of thieves no doubt! However, I must also make it perfectly clear that Mozilla has been, and continues to be a priceless product as it has from the beginning; and you make my confidence and comfort an oasis!

  35. Dr Kurian P J wrote on

    Good Learning. Thanks Mozilla

  36. RC Rountree Jr wrote on

    Very good information. I ,what you suggested andi have all kind of problems with Passwords. I used a different PW for each account. I go back tp DOS,W95,W98,w2000,w7,w8.1,w10. i find a my age it is impossible to keep it straight.consider my mind in good working order at 86. I have two pages of passwords.impossible to keep up with new formats. thank you

  37. jonathan bucao wrote on

    thank u for everything mozilla

  38. Jesus wrote on

    hahaha….you want your password safe ..well DON’T BELIEVE ANY SO CALL WEBSITE SECURITY.. if it’s in /on/ or kept my any site.. it can and will be crack .. it just takes time… dont believe me i really dont care if you do or dont..

    1. Rick wrote on

      We all do the best we can but to authenticate, you have to have something to authenticate against and that has to be stored somewhere. some are harder to crack than others. The advice on the page and the comments are pretty good.

  39. Somebody wrote on

    Unfortunately a Password Manager then gives a hacker a database On a Client instead of a Server and anyone who hacks anything knows a Client is dramatically easier to break into then a Server

    1. Rick wrote on

      The trick is not to give them much. An encrypted database is a lot tougher. Permissions can be applied to an encrypted home directory on a live linux usb stick.

  40. nader wrote on

    very good

  41. Riley Smelley wrote on

    Great Information
    I use LastPass and have update my security tenfold since i have
    i recommend it to anyone who wants to store their passwords safely
    LastPass doesn’t even know your passwords they are unhackable!

    1. Rick wrote on

      Un-hackable? nothing is un-hackable. The NSA wouldn’t allow it. What about the latest Phishing attack that Last pass exposes you to?
      https://forums.lastpass.com/viewtopic.php?f=12&t=240115#p804145
      Their solution is to turn off Autofill / auto complete. An email about this from them would have been nice. I would also set Lastpass 2FA up it helps. If you still want to use their free app I use an old android cellphone and set 2fa google vault up on it you can get frre cellphone from straight talk. they have a model built by samsung called the centura I think. you half to buy a service card with it but my wife uses them so I gave it to her.

    2. Rich wrote on

      Nothing is “unhackable”. No matter how good your security is, there is ALWAYS a hacker out there who is better.

  42. Scruffy wrote on

    Mozilla is Fantastic and I have used it for many, many years . Around 20 or 30 if I remember correctly. It is absolutely the best there is! I recommend it to all my friends, and you should donate to them when you can since it it is totally FREE!

    1. Guessit wrote on

      Right on!!!

  43. Fritz Balke wrote on

    Microsoft always wants to take over as my main browser, when I download mozilla firefox.
    After this down load I am being asked my choice of main browser, mozilla firefox is not among them, but google, microsoft edge and many others unknown by me.
    Is there anything I could do to keep mozilla firefox?

    1. M.J. Kelly wrote on

      Hi Fritz, give this a try: https://support.mozilla.org/kb/make-firefox-your-default-browser

  44. jim wrote on

    So good advice 🙂 I’m sure most of us who use Mozilla use it for the enhanced safety and security it allows us when on line. Kudos to all at Mozilla I appreciate your professional service.
    Regards,
    Jim

  45. Fritz Balke wrote on

    To make it clearer, after I download Mozilla Firefox, I lose it after my first shut-down of my computer and new start-up , I lose my browser to microsoft again.
    Is there anything I could do to prevent this happen in the future.

    1. legitimate man wrote on

      M$ wants you to use Edge/IE

    2. ArcAngel wrote on

      In the Firefox Menu Bar click on “Tools” and chose Options. Click on the empty box beside “Always check if Firefox is your default browser” to place a check in it. Next click on “Make Default” and if need be set the rest up as you like. This should solve your Microsoft problem.

  46. legitimate man wrote on

    Why not digital certificates for ourselves? That would have been much better; we know by whom and for whom the certificate has been created, and we would then know whether it’s you or not. Much safer than the ROT (Rest Of Things), but somehow they are often so costly that most people won’t take it, and furthermore it was never advertised…

    1. April King wrote on

      Digital certificates, especially when combined with a password and/or 2FA device are a fantastic way to authenticate yourself. Unfortunately, digital certificates continue to suffer from usability issues that hinder their real-world option, although systems that abstract it away (such as smart cards) are doing very well.

    2. Rick wrote on

      Certs usually have an authenticator to authenticate them too. Free ones are available. http://www.infoworld.com/article/2623829/authentication/weaknesses-in-ssl-certification-exposed-by-comodo-security-breach.html

  47. Marge wrote on

    Read through this entire page. Wondering when someone will reply to all these questions? Sure would like to see some answers so i could decide what I need to do to be safe.

  48. Hugo Ay wrote on

    Very simple, and good, thank you for your information. 🙂

  49. Doug wrote on

    The last two laptops I’ve had have had fingerprint scanners. Why can’t websites just set up a way so we can just use fingerprints for passwords. Doesn’t seem like it would be that difficult.

  50. Doll wrote on

    Any have recommendations about True Key? Good – Bad – Great! They are aggressive?

    Thanks

  51. Van Luu wrote on

    why doesn’t firefox comes with a pre password manager? Safari already done that! I would love to use that feature instead of depending on third-party plugins.

  52. AncientMariner wrote on

    What about using passphrases instead of passwords?

    1. April King wrote on

      Random passphrases are equally as secure as random passwords, and most password managers can generate them. As long as you don’t reuse your passphrases, there’s no reason why “reversal-unstrap-sluggard-bivouac-underneath” is any less secure than “sHZjdGHFpftpTkrjsP2UNeFeaoFp”, as long as the passphrase isn’t truncated into something shorter.

  53. Kjuagutt wrote on

    I do not trust any password manager because the programmer have also access to it.I use long password individual ones with all that the site can handle. Curiously the banks of all people can not handle symbols…
    I write them down and have two manila folders full. But if anyone finds my passwords are unable to use them because I have systems on how to read them which varies. At this stage I am the only one who knows how, no tables or written down method. It is back to the basic of using ones brain, mankind have done so since the beginning.

  54. Frank L wrote on

    Try “True Key” ,very easy to use ,free at first for limited access ,but cheap at 19.99 for full subscription.

  55. John wrote on

    Digipass should be offered for the larger sites. It removes the necessity to change passwords as your password changes continuously. One device that cost only a couple dollars, held on your keychain or whatever secure location, would resolve many problems including time wasted by lost passwords and remembering passwords for countless databases. I’m personally surprised this simple but complex utility hasn’t gone mainstream. This could even be integrated into the Firefox browser to automatically connect to subscribed cloud services from remote/public/work computers. The convenience is incredible.

  56. Tech Blogger wrote on

    good advice

  57. Step wrote on

    Sorry, but how can you encourage everyone to use proprietary security software? Very bad advice!

    Use KeepassX or other open source alternatives – you never know whether proprietary software has built-in backdoors or not!

  58. William K. wrote on

    Thank You for a lot of good information.
    But I need help to fix a problem not mentioned in the lot of information given.

  59. Keo Vannak wrote on

    Your password book is not good solution, is like raw key if you get it lost everything bomb!!!!

  60. John wrote on

    Thank you Peter Preston. Thank you Riley.
    This information has made me reluctant to leave any trace back to me. Ouch!
    Thank you Mozilla. – I will post my comment because I have developed strong faith in Mozilla and I see the “padlock” & “https”

  61. Deana wrote on

    Kim Komando wrote about this back in September: http://www.komando.com/columns/371600/new-password-rules-make-them-easy-to-remember-and-more-secure/all and https://howsecureismypassword.net/ has a fun interactive tool that calculates how long it would take for a brute force attack to crack a password and its amazing how much adding just one more character increases its security exponentially. I typed in “justputsomethinghere” as a test and the length alone put it into several billion years. I put in my oooold password from the late 90’s and it would take a fraction of a second if I were actually still using it these days.

  62. diahana wrote on

    I am aware of using mozilla browser and its a thanks to ur support and informative on caring our safety browsing and always given an updates,,mozilla is my trademarks browser,,ty

  63. Ancient Technogeek wrote on

    To keep Firefox your default browser:
    – On the Menu Bar, click Tools and select Options
    – On the left side, click General (if it’s not already selected)
    – On the right side, it should say:
    General
    Startup
    Always check if Firefox is your default browser
    – There will be a checkbox in front of the last one. Be sure there is a check mark in it.
    – There may also be a box to check to make Firefox your default browser. If so, put a check mark in it.
    – Shut down Firefox and launch it again. If it says it’s not the default browser and asks if you want it to be, answer yes.

  64. Rose wrote on

    Thanks Mozilla even though seemingly stating the obvious, that was very helpful. I have recently installed Intel’s True key and this really messed up a lot of my stuff for example email, so that I uninstalled. However, it is still persisting and I can’t quite get rid of it. Point is that sometimes trying to use a site to help with password security can be detrimental, even if they have a reputable background such as Intel.

  65. Mike wrote on

    What about native support U2F in Mozilla products. Nowadays it’s best solution for couple of coins. Should be fine to use U2F token as “master password” access to your build in password manager. Consider to implement this technology.
    There is also nss certificate store, so how to better “protect” private keys, U2F can unlock cert store and password manager at once.

    Mike

    PS: I’m using Firefox and Thunderbird since version 0.5

  66. promytius wrote on

    Password managers – what about HDD crashes? I had a drive suddenly go bad, and the bu was corrupted and I lost everything; even if I rebuilt the system, my master stuff was gone. I now backup my passwords manually to a bootable USB and keep a spreadsheet of all passwords (stored on another drive, not C:) and also create a text copy of that spreadsheet, AND I print that out and lock it up. I still don’t feel safe, but I strongly suggest you do all this and store the usb/list off-site if from work, or in another room if home.

    1. April King wrote on

      Keeping an offsite copy (or two) of your *encrypted* password vault is a great way to ensure that your life continues onward even if your local hard drive crashes.

  67. Lori Morton wrote on

    Thanks Mozilla for all of the Excellent Information. I have Learned Quite a Few Things about
    On Line Security that I didn’t know. Thanks to You I Can Now Make My Internet Life Much More Secure since After Reading Your Article, I Realized just How *NOT SECURE* it Really Was….. Thanks Again.

  68. Theyarewatchingus wrote on

    Two factor authentication (2FA) may sound much better than it actually is as long as the 2nd factor is your phone. Reason is that Google or Yahoo do not ask for your phone no. to make your account more secure. They have been asking the same question for years before anyone introduced 2FA. And why so? Because Google, Yahoo and the likes are trying to track your every move, analyze your behavior, who you might know (geo proximity), who you actually have contact with, where they go, what they do and so on!
    As long as no one comes up with 2FA that is not linked to your phone or a social media account stay the hell away from 2FA!

    1. April King wrote on

      Many 2FA authentication systems don’t rely on SMS, and in fact the are increasingly moving away from SMS in favor of TOTP systems that generate rotating codes over time. These work even when you don’t have access to your phone, and don’t require users to give up information like their phone number.

  69. Khalida Mehmood wrote on

    I believe it is a useful one.

  70. Manuel Hernandez wrote on

    thanks Mozilla.
    I love your dedication

  71. Tyson wrote on

    Just interested: Does anyone use eWallet, made by Ilium Software (http://www.iliumsoft.com/ewallet), as a password manager? I have used it for years, and my dad (who’s worked inn IT for decades) has used it since it was released, but I NEVER hear it get mentioned in these sorts of circumstances. (for the record, it isn’t free)
    It uses 256-bit AES (FIPS 197) encryption, and has a huge range of customisability, as well as integration into web-browsers for what they call “AutoPass” (which is just a fancy way of saying that they open the page and pre-input your username and password for you – helpful for really long/random/complex passwords).

    Am I missing something here? Is there anything wrong with eWallet? Or does it just get outshone by other password managers like KeePassX?

  72. Keith wrote on

    Very useful!
    Now – how do we persuade site designers to allow us to enter a security question, with an answer that only we can work out from the question, instead of the classic request give even more personal information like ‘mother’s maiden name’? The ‘memorable date’ one is particularly pointless as it requires you to remember which one you used where. Alas some sites use some form of format validation so junk is not then accepted. My credit card transactions now have a f***knows on every one because they asked for some unknown detail when I set internet access up 🙂
    I’ll be passing this on as security training… Thanks!

  73. Sandie wrote on

    Well done and concise. I’ll be sharing this with friends and family whose eyes glaze over at the mere thought of internet security.

  74. Markus wrote on

    Great read. I would love to share with many of my relatives, as this topic has come up over and over again. Unfortunately they do not understand English. Any chance this article will be available in other languages?

  75. Wa, MN wrote on

    KeePass permits the use of a password or a key file to open its database. By using both you have two factor authentication. The system can generate a series of long keys which can be stored on a flash drive, removed from the local device and kept secure (or in your pocket). If no other identifying information is kept on the chip the protection is increased, as it will take a physical theft, knowledge of what is on the chip and where it needs to be applied.
    Local client devices can have increased protection by using filesystem level encryption but this presumes no one attempts to break in at the time the key is being transmitted or the filesystem is unlocked for use.
    No system can protect completely against a stolen database of passwords, it will eventually be cracked, no matter how sophisticated. We can make it difficult and so time consuming that the data will be obsolete by the time the attacker has cracked the database. Regular, randomized password changes coupled with complex password managers such as keep pass and physical security of the keys will help. Attackers will be forced to change their method by interception traffic or attacking the login program of the servers themselves, which is where they have had significant success.

  76. Geminate wrote on

    Pfft. Mozilla’s useless password manager built into Firefox can be hacked by Lastpass. When you install Lastpass it gathers all the unsecured passwords on your PC including browser passwords. Lastpass, great tool to get past non-existent browser password security and recover yours or someone else’s passwords.

  77. Chief Adam the Great X wrote on

    Just wanted to say thank you for the very good information. really helps me, to stay on point.

  78. Rahimpasha wrote on

    Am happy to share my information to mozilla thanks…

  79. MeSa Mike wrote on

    I don’t know from where Mozilla Firefox et al. compiled this primer, or how much was actually created by its staff or volunteers, but it is a comprehensive article that is easy to assimilate.

    I have found that a password manager is a vital security tool, yes. I have used one for years from Cosmi (www.cosmi.com). I have the original installation disc in my personal possession; it’s not on-line in the cloud or at the Web site where I may not be able to find it — or remember the password! — when I need it. I keep a secure, up-to-date back-up of my account data in three places. That way, should my computer be stolen or malfunction terminally, I can install the software on my next computer, upload the back-up and nothing is lost.

    The point is, if you don’t maintain a way to reinstall your program, and you don’t keep a current back-up copy of data, you will lose it all and be in computer-hell for months, in addition to other problems that occur in such unfortunate situations.

    1. Leonard Latham wrote on

      Tell me what to do!!!

  80. Chris wrote on

    Just today we had a problem with a password manager. It was saving them in the cloud. So yeah, this is good info.

  81. petar wrote on

    It is useful information. Thanks, friends!

  82. mehdi shahidi wrote on

    THANKS mozila

  83. julie wrote on

    Well done and concise I’ll be sharing this with friends and family whose eyes glaze over at the mere thought of internet security.

  84. Shailendra kumar wrote on

    I Want the full solution ditail that problam is solve it.
    I am so happy full information to mozilla thanks…

  85. Tyson wrote on

    If a password manager is saving a fully encrypted backup in the cloud… Is this really so bad? It’s still completed encrypted. (genuine question)

  86. Phillip Birch wrote on

    Personally, I have used LastPass for several years and found it to be extremely useful. I have a lot of passwords, none of which I have the faintest idea of the content. I also have it on my phone, so it’s of interest when people say stealing the phone could give access to some of my details.
    However, I also have Prey software, which prevents the phone being shut down or switched off using the power button, unless I have unlocked it with my password. This prevents people using recovery mode to bypass security.

  87. Amir wrote on

    Thanks Mozilla

  88. DNA wrote on

    Very timely and useful precautions. Thanks.

  89. Abhiram wrote on

    Using a password manager is great. But what about using it in another PC, i.e you want to login via public PC. Now what are you supposed to do. You cannot remember the obviously difficult to remember passwords??

    1. channing Webster wrote on

      That’s the trade off. Having no idea what your passwords actually are makes things less convenient. People who have much to lose should be more protective of their internet security. But I certainly get the idea people who don’t do a lot online and don’t have thousands in the bank are going to benefit less from password managers in terms of time invested/benefit ratio. It’d be an interesting question for the freakonomics folks.

  90. Jo wrote on

    My biggest security problem was a few years ago when I went overseas. I forgot I had signed up for two-factor authentication on email. So how does that work, for all those who go overseas frequently?

  91. Kay wrote on

    Turning secret answers into passwords is a horrible idea. If for whatever reason you’ve lost your passwords then you’ve lost those too, haven’t you?
    You don’t have to turn them into random shenanigans for them to be useful to you. Do you know more than one language? Great. Provide an answer that simultaneously uses more than one language. Are you clever? Give a clever answer; For example one of my bank’s questions is what my favourite animal is — I sure as heck didn’t answer with the common English word for it, but it *is* a valid answer. You could even enter the name of something fictional, write it backwards, etc., and that would be something easy to remember if dome consistently.
    Sure, someone might eventually guess that sort of thing, but you’d have to be really determined to find it and let’s be honest — if you have that much time on your hands to get to me, you’re probably going to have or find better ways to get in to my account.

  92. PW helper wrote on

    I just use a txt file and atleast, a 15 character randomly generated password that’s better than p4ssw0rd1337
    IE sk2&m4$&Xcl^DNmx
    just make sure to save the file before closing :^)

    DON’T USE A PASSWORD MANAGER keep your passwords safe and secure.

  93. tayler wrote on

    i use bitdefender wallet. it remembers all my passwords and logs me in without doing anything more than clicking enter once it has filled it all out. it also creates passwords for you to use on websites which are far harder than anything i could come up with. wallet is heavily encrypted so good luck trying to extract it from my pc.

  94. Ed Kidder wrote on

    I don’t know what anyone is talking about. I guess I wont use the internet for anything important. I am good at pen an paper, and patient: “All things come to those who wait.”

  95. Rob Cramer wrote on

    Hi. There’s a lot of good info here. However, the advice of ‘be suspicious’ is dead wrong. Here’s why: First of all, being suspicious means you’re on the lookout for problems or injustices. With that mental stance, you’ll find what you seek — sooner or later. Also, is this the way you want to live your life? I don’t.
    Second, slow down a bit. Be deliberate about what you click on etc. Reactive behavior on the internet is almost always rewarded by trouble or just time spent on stuff that doesn’t serve you.
    Third, sure, learn the ways of the ‘mischievious ones’ and stay sharp enuf to hesitate when something feels ‘off’.
    Mozilla people are doing a very good job as are a lot of folks on the web.
    Now things can happen anyway, so it makes no sense to go looking for it also.

  96. umesh prasad yadav wrote on

    thanks

  97. SpongeBob Squarepants wrote on

    retina identification is the future… passwords will be obsolete

  98. PRK wrote on

    Is mozilla firefox’s inbuilt password manager safe??? They have not included it in the list, why so?

  99. Dimitris wrote on

    One tip I use is write phone numbers, but with SHIFT pressed for some of the numbers,
    for example 6972890889 would become 6972*()**(

    That is easy to remember, but hard to type and test.

  100. Akshay Jain wrote on

    Wonderful..Useful..Helpful…

    Really informative article.

    Thanks Mozilla.

  101. LJ4m3s wrote on

    Well these tips are useful but the 2FA. I’d say is not a good idea basically because you don’t know what the website does with your number. It’s a great strategy for getting free data from you and sell it to others.

  102. mstosyn wrote on

    Very useful information, glad i read it thanks mozilla.

  103. Qadar Adeeb wrote on

    Very timely and useful precautions. Thanks.Mozilla

  104. Pepe wrote on

    OK so dear Mozilla and all you “online password managers” users – let’s think about this for a moment. Where exactly are your precious passwords stored again? In a database that’s accessible online through a web interface, right? So who, in your opinion, administers that database? That person (or even a team of people) most likely have full access to that database in order to be able to support it, right? (I happen to administer databases for a living so I dare to think I know a little something about this topic). So in other words, I’m giving all of my privacy to a bunch of people I know nothing about and their service that I know very little about and still feel safe about where my passwords are stored, correct? There’s ALWAYS a weak link in such process, that’s all I’m saying. The password complexity is totally irrelevant as long as there’s this human factor involved and there are people who can access your data. Trust in ANY online service should always be very limited, let alone when we’re talking about passwords. But feel free to prove me wrong.

  105. Dee wrote on

    What happens if someone has their accounts secured and then they die? How would their next of kin be able to recover any info? Seems like that would be a nightmare for someone trying to settle the estate.

  106. j d wrote on

    So what happens if your phone is stolen? Can you not get into any of your 2FAaccounts?

  107. Chris wrote on

    someone has to post this here:
    https://www.xkcd.com/936/

  108. Demon, Speed. wrote on

    I noticed that even with all these securities people put up, there is a loophole. Even in the source code of “Free Gems” websites, they try to pull your info from direct connection to the Gmail/Icloud associated. I’ve also noticed that using a VPN or other types of blocking can be breached.

  109. david wrote on

    thanx