More and more sensitive and important information, such as love letters, medical records, and bank account details, is stored in our online accounts and protected by passwords. Generally, unless someone can log in to your account, they can't read your email or take money out of your bank account. So how do we protect our logins in our online lives?
- Use random passwords, and use a different password for every site.
- Pay attention to your browser's security signals, and be suspicious.
- Make the answers to your security questions just as strong as your passwords.
- Use a password manager to make creating and storing passwords easy.
- Use "two-factor authentication" wherever it is available.
Keeping passwords safe isn't easy.
Today, most logins are protected by a password. If an attacker can get hold of your password, they can access your account and do anything that account lets them do. So to decide whether your password is really safe, you have to think about how exposed it is to attack from outside. In other words, you have to consider every way an attacker could learn your password:
- Seeing you use it with an unencrypted website
- Guessing it
- Stealing a file that has your password in it
- Using password recovery to reset it
- Tricking you into giving it to them
To keep your login safe, you need to prevent as many of these as possible. Each risk has a different corresponding mitigation.
Look for the lock in your browser
It’s easy to prevent attackers from stealing your password when you log into an unencrypted website: Think twice before you type your password if you don’t see a lock icon in the URL bar, like this:
The lock means that the website you’re using is encrypted, so that even if someone is watching your browsing on the network (like another person on a public WiFi hotspot), they won’t be able to see your password. Firefox will try to warn you when you’re about to enter your password on an unencrypted site.
Your browser also helps keep you informed about how trustworthy sites are, to help keep you safe from phishing. On the one hand, when you try to visit a website that is known to be a phishing site, Firefox (and any major browser) will display a full-screen warning — pay attention and think twice about using that site!
In general, the best defense against phishing is to be suspicious of what you receive, whether it shows up in email, a text message or on the phone. Instead of taking action on what someone sent you, visit the site directly. For example, if an email says you need to reset your PayPal password, don’t click the link. Type in paypal.com yourself. If the bank calls, call them back.
Strength in diversity
The secret to preventing guessing, theft or password reset is a whole lot of randomness. When attackers try to guess passwords, they usually do two things: 1) Use “dictionaries” — lists of common passwords that people use all the time, and 2) make some random guesses. The longer and more random your password is, the less likely that either of these guessing techniques will find it.
When an attacker steals the password database for a site that you use (like LinkedIn or Yahoo), there’s nothing you can do but change your password for that site. That’s bad, but the damage can be much worse if you’ve re-used that password with other websites — then the attacker can access your accounts on those sites as well. To keep the damage contained, always use different passwords for different websites.
Use Firefox Monitor to keep an eye on email addresses associated with your accounts. If your email address appears in a known corporate data breach, you’ll be alerted and provided steps to follow to protect the affected account.
Security Questions: My mother’s maiden name is “Ff926AKa9j6Q”
Finally, most websites let you recover your password if you’ve forgotten it. Usually these systems make you answer some “security questions” before you can reset your password. The answers to these questions need to be just as secret as your password. Otherwise, an attacker can guess the answers and set your password to something they know.
Randomness can be a problem, since the security questions that sites often use are also things people tend to know about you, like your birthplace, your birthday, or your relatives’ names, or that can be gleaned from sources such as social media. The good news is that the website doesn’t care whether the answer is real or not — you can lie! But lie productively: Give answers to the security questions that are long and random, like your passwords.
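The two sections above make the same argument twice: a password (or a security-question answer) defeats both dictionary guessing and random guessing when it is long and drawn uniformly at random from a large character set. The following added example, which is not code from the Mozilla post or from Firefox's own password generator, makes that concrete. It generates a password with Python's cryptographically secure `secrets` module, computes the entropy in bits for a given length and alphabet, estimates how long a guessing attack would need at an assumed rate, and checks a candidate against a small, constructed list standing in for an attacker's "dictionary". The guess rate, the word list and the alphabet are all assumptions chosen for illustration.

```python
import math
import secrets
import string

# Alphabet a password manager might draw from: 52 letters, 10 digits,
# 32 punctuation characters = 94 symbols (assumption for this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Tiny constructed stand-in for a "dictionary" of common passwords.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def generate_secret(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random string suitable as a password or as a
    security-question answer. secrets (not random) is the right RNG here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int) -> float:
    """On average an attacker tries half the keyspace before hitting the secret."""
    return (alphabet_size ** length) / 2


def seconds_to_guess(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected time for random guessing at an assumed rate (offline attacks
    against a stolen password database can be far faster than online ones)."""
    return expected_guesses(length, alphabet_size) / guesses_per_second


def in_dictionary(candidate: str, wordlist: set = COMMON_PASSWORDS) -> bool:
    """A dictionary attack succeeds immediately if the secret is a common value.
    A random 16-character string has a negligible chance of appearing in any list."""
    return candidate.lower() in wordlist


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for an offline attack
    for label, length, alphabet in (
        ("8 lowercase letters", 8, string.ascii_lowercase),
        ("16 mixed characters", 16, ALPHABET),
    ):
        bits = entropy_bits(length, len(alphabet))
        secs = seconds_to_guess(length, len(alphabet), rate)
        print(f"{label}: {bits:.1f} bits, ~{secs / 31_557_600:.3g} years at {rate:.0e}/s")

    password = generate_secret(16)
    answer = generate_secret(16)  # a "mother's maiden name" nobody can look up
    print("generated password:", password, "| in dictionary:", in_dictionary(password))
    print("generated security answer:", answer)
    print("'password123' in dictionary:", in_dictionary("password123"))
```

The point the numbers make is the one in the text: eight lowercase letters carry under 40 bits and fall to a fast offline guesser in minutes, while sixteen characters from a 94-symbol alphabet carry over 100 bits, which puts random guessing out of reach; and because the generated string is not a word anyone uses, the dictionary check fails for the attacker as well. Reusing the same generator for security-question answers gives them the same protection.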
Get help from a password manager
Now, all of this sounds pretty intimidating. The human mind isn’t good at coming up with long sequences of random letters, let alone remembering them. That’s where a password manager comes in. Built right into the browser, Firefox will ask if you want to generate a unique, complex password, then securely save your login information, which you can access anytime in about:logins.
When you’re logged into Firefox with your Firefox account, you can sync across all your devices and access your passwords from a Firefox mobile browser. Learn more about how to use the built-in password manager to the fullest here.
Two-Factor Authentication (2FA)
2FA is a great way to level-up your security. When setting up a new account, some sites will give you the option to add a “second factor” to the login process. Often, this means linking your phone number to your account, so after you enter your password, you will be prompted to enter a secure code texted directly to you. This way, if a hacker has managed to get your password, they still won’t be able to get into your account, since they don’t have your phone.
Your Firefox account, for instance, can be protected with 2FA, which you can learn more about here.
2FA provides much better security than passwords alone, but not every website supports it. You can find a list of websites that support 2FA at https://2fa.directory, as well as a list of sites that don’t support 2FA and ways you can ask them to add support.
Strong, diverse, and multi-factor
For better or worse, we’re going to be using passwords to protect our online accounts for the foreseeable future. Use passwords that are strong and different for each site, and use a password manager to help you remember them safely. Set long, random answers for security questions (even if they’re not the truth). And use two-factor authentication on any site that supports it.
In today’s internet, where thousands of passwords are stolen every day and accounts are traded on the black market, it’s worth the effort to keep your online life safe. When you use Firefox products, some of the effort is taken off your plate, because all our products are built to uphold our privacy promise. And Firefox is always guided by Mozilla’s mission, the not-for-profit we are backed by, to build a better internet.