I had a security breach. Learn from it.

A couple of weeks back, at least one of my passwords was hacked. Luckily, I was saved by 2FA.

What does that mean?

Ok, let me back up.

For some time now, I’ve used long, nonsense passwords for my accounts on websites. I’ve recently way upped my game in this respect by starting to use a password manager called BitWarden. It not only saves my account information for all websites I log in to use, but it can also generate very long, randomized passwords or passphrases that I can use for new logins (or when I need to change out an existing password).

But sometimes even unique, long passwords get hacked. Not too long ago, that breach in itself would have allowed hackers access into my account for that website (or those websites), which would — and still does — not only allow them to do and control everything I would normally do (from posting on social media to managing my government and bank accounts) but it would also give them access to my list, or various lists, of contacts. And they can then use that trove of contact information to try to hack into other sites with those email addresses.

That’s where 2FA — the truncation of “two-factor authentication” — comes in.

2FA is a second checkpoint, after a successful password has been used, that a user needs to get through before actually getting into a website account. It comes in various forms, from sending you a text or email to verify if you want to let that login attempt get access, to third-party services that sync between your computer or phone and also syncs with those websites, and constantly, frequently changes six-digit codes (so that you, and only you, are able to punch in the proper code at any given time to allow access to the attempted login that has gotten past your password).

2FA is a safety net, so that a password isn’t the only thing bad actors need to access your important website accounts. It gives you a unique, private method to validate if any login attempt is authentic.

That gets me back to to top of this post: A couple of weeks ago, I was getting text messages out of the blue from Authy — my 2FA service of choice — which was sending me verification codes. This was a huge red flag because I wasn’t on a phone or computer to log into any websites at the time, let alone any that I use Authy for.

I contacted Authy support and particularly because they couldn’t verify which of my saved website accounts had been hacked, they suggested — as it had been from other sources — that I change all the passwords to all of the sites I use with Authy.

In other words, it looked to them like someone had breached a password for at least one of these websites (potentially more) and were then trying to get me to validate the login attempt(s), which I of course didn’t do.

Having 2FA in place, and that alone, prevented someone somewhere from logging into my account(s) and doing who knows what damage to me and anyone else I’m connected to on those sites.

I changed all of the primary passwords I use for all of the sites I use Authy with as well, and the random verification texts I had been getting stopped immediately.

Problem solved, it would seem.

But it was an eye-opener about how susceptible accounts are, even when they have pretty solid passwords protecting them.

Your key takeaways from all this: 1) Always use strong passwords for all of your sites, particularly the sensitive ones (banking, medical, social media, etc.)
2) Use a password manager. Don’t try to remember your passwords, because if it’s short and sweet so that you can easily remember it, there’s a good chance a computer could easily crack it. Never use the same password for multiple websites (a password manager helps with this as well). And really, really don’t use the password storage options on your browser. They’re mediocre security compared to what a good password manager uses.
3) Turn on 2FA everywhere you can. Your bank apps probably (or damn well should) have this option built into them. For any other service or website or app you use that allows it, use a 2FA service (like Authy) as backup security for if/when your password gets hacked. Because there’s a very good chance that some day, on some site, your password will be cracked by bad actors trying to get your sensitive info.

Doing all of the above that can cause some growing pains if you haven’t started doing them yet, but your digital privacy and security is worth it.