Recently, Jeff Atwood showed how to make your Google account (and therefore gmail, youtube etc.) more secure by enabling their 2-Factor authentication system.
(2-factor authentication is the same kind of thing some banks use, where you get a keyfob and type in a number from it as well as your username and password, so even if someone has your password they also need to have stolen the physical object).
Paypal have had a similar system for years, and every time I mention that I use it people say “I didn’t know you could do that!”, so, some instructions:
Paypal uses SMS messages for the second factor. This is better than an app-based solution because it continues to work even if you’ve had to wipe or replace your phone.
- Go to Paypal.com and log in
- Hover over “Profile” (Far right of “Overview” in the gray secondary tab bar)
- Click on “My Account Settings”
- Click “Update” next to Security key
- Click “Get Security Key”
- Click “Register your Mobile Phone”
- Follow the instructions.
And there you go. Now every time you log into your Paypal account you’ll get an SMS message with a six-digit code that you need to type into the site. You can bypass this a few times if you don’t get the message, or don’t have your phone with you.
It’s not perfect, but it’s better than username/password.
(I know paypal are occasionally incompetent to the point of actual evil, but if you do use them, there’s no reason not to try to keep your account secure.)
Interestingly, I had that already enabled when I saw the Coding Horror post… It’s a lot less of a nuisance than 2-factor email authentication could be, as you only need to log in relatively rarely.
The email one isn’t too bad, as the 2-factor only applies to the web login, and only requires the second factor every 30 days on trusted machines.
For things like POP and IMAP you create one-time passwords for each application that you can revoke at will.