At dotmailer we try our best to keep the bad guys out, but if they already have your password, there is very little we can do to detect, and stop them logging in as you…unless, of course, you have already turned on two-factor authentication (2FA). Two-factor in most cases is something you know (your username/password), and something you have (a single use access code or authentication link).
But how do can they get my password in the first place?
There are various ways an attacker may have access to your login details, but some of the possible methods include:
- Compromised computer
If the computer you use to log in to your online accounts is infected with malware, it is possible that your keystrokes and even screen captures are being logged and sent back to the bad guys…..yep, including your passwords, and other authentication details.
- Snooping on the network
If an attacker has access to the network from which you are logging on to an online service (e.g. public Wi-Fi hotspot), in some cases it may be possible to capture the data as it passes to the server…..yep, including your password, and other authentication details. This is where looking for HTTPS in your browser address bar becomes very important. At dotmailer, all authentication data passes over a secure channel, thus protecting you from this sort of attack.
- Credential reuse
It’s really important not to use the same password across different services. We’ve seen an awful lot of very big data breaches in the news recently, and the attackers have been using the stolen authentication details from these breaches to try and log on to other online services…with what seems to be a great deal of success! This sadly means that many people are still using the same password everywhere they go online. This is one of the reasons why your dotmailer password is set to expire, and you are asked for a new one every 90 days; and why you should be choosing something completely different every time. Simply incrementing that number at the end of your password is not cool!
- Social Engineering
As we get better at using good passwords, and preventing malware infections; sometime, the bad guys just find it easier to ask us for our passwords. At dotmailer, our support team will never contact you asking for your password.
If one of the above unfortunate events were to happen, 2FA adds another layer of defense, as the attacker would also need access to the authentication link or SMS code. In reality that would mean having access to your mailbox, or mobile phone. We’ve already seen that it’s possible that an attacker has obtained your password due to a compromised computer, or network; which is why we would always recommend using an “out-of-band” communication such as SMS as the means to deliver the 2FA authentication token where possible. dotmailer offers SMS 2FA to all customers. It’s simple to setup, and its free!
Without access to the authentication token, the attacker could of course try and brute force the code, but that is where our other controls such as failed login account lockouts kick in.
How to turn on 2FA in dotmailer
Log in to your account, and click the user icon in the top right, and select Account:
In the resulting window click on the “Account Settings” tab, and scroll down to the “Security” section. Simply tick the Two-factor authentication box, and enter your mobile phone number, and hit save settings at the bottom of the page.
Done! Congratulations, you have just gone one step further in protecting your valuable data.
Now you have protected your dotmailer account, check out TurnOn 2FA and see which of your other online services offer a similar feature, and SWITCH IT ON!
Check out my last post on protecting your online account from unauthorized access. See also our previous support article on securing your account with two-factor authentication, and for more general information on what dotmailer do to protect you and your data, please visit our Trust Centre.
Note: If you are a managed user, you will need to ask your account administrator to do this for you. For obvious security reasons, you will not be able to disable this feature without the help from our support team.