August 4, 2021

Why all these security things matter

I recently went through a (very minor) situation that reminded me why we go through the trouble of setting up all of these "security things" - things like a password manager, unique passwords for every account, and two-factor authentication.

Here's one of several identical emails I received last month (with personal contact info redacted):

I received four emails like this over the course of a month. When I received the first one, I thought it might be a phishing email, but after closer inspection I determined that it was legitimate. This is the email that you will receive if you're having trouble getting into your Instagram account.

However, there was a problem: I wasn't having trouble getting into my Instagram account. Instagram was working just fine for me, and I even signed out and back in again to verify this. Someone else was trying to break into my Instagram account.

I reset my password just for good measure, but I still received more emails like this over the course of a month. Despite that, I really wasn't that worried. Here's why:

Reset password

In the unlikely event that I had fallen victim to a recent phishing attempt, my Instagram password was now reset and therefore the old one would not work anymore.

Instagram security controls

The password to my Instagram account is very long, randomly generated, and stored in my password manager. There is no way someone is going to guess this password.

I also have 2FA set up on my account - not just the text message kind, but the kind that requires you to open an app on your phone and use a six-digit code that changes every 30 seconds. Wondering why this is better than a text message? Check out: How Secure is Your "2FA"?

This means that even if someone figured out my password, they would also need that six-digit code (which changes every 30 seconds).
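To make concrete what the authenticator app and Instagram are agreeing on, here is an added example (not code from the original post) of the time-based one-time password scheme (TOTP, RFC 6238) that such apps implement: a 6-digit code derived from a shared secret and the current 30-second time step. The secret below is the RFC 6238 test key, used here as a constructed value, and the `TotpVerifier` class is a hypothetical server-side helper that also rejects a code that has already been accepted once.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed test secret: the 20-byte ASCII key from the RFC 6238 test vectors.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of `step`-second intervals elapsed."""
    return hotp(secret, for_time // step, digits)


def match_totp(secret: bytes, submitted: str, now: int,
               step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time-step counter that produced `submitted`, or None.

    Accepts the current step plus `window` steps on either side to tolerate
    clock drift. Comparison is constant-time so timing does not leak digits.
    """
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


class TotpVerifier:
    """Hypothetical server-side check: a code is valid once, and only near 'now'."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted: int = -1   # highest counter already used (replay guard)

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        matched = match_totp(self.secret, submitted, now, self.step, self.window)
        if matched is None or matched <= self.last_accepted:
            return False               # wrong code, too old, or already spent
        self.last_accepted = matched
        return True


if __name__ == "__main__":
    # Same secret on both sides, so phone and server agree on the code for T=59.
    print("code at T=59:", totp(RFC6238_TEST_SECRET, 59))
    v = TotpVerifier(RFC6238_TEST_SECRET)
    print("first use:", v.verify("287082", now=59))    # accepted
    print("replay:", v.verify("287082", now=61))       # rejected as already spent
    print("stale:", v.verify("287082", now=200))       # rejected, outside window
```

The point of the `last_accepted` counter is the one the post makes about the code being short-lived: even a valid six-digit code captured by an attacker is worthless once it has been used or once its 30-second step (plus the small drift window) has passed.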

Password manager security controls

It's possible that someone could break into my password manager and steal my Instagram password from there. However, my master password is not used anywhere else, and I also have 2FA on the password manager. An attacker would need to somehow obtain my master password AND the 2FA code (which, again, changes every 30 seconds). Even if they stole the password from my password manager, they would still have to deal with the 2FA on my Instagram account.

Email security controls

It's also possible that someone could break into my email account and then try to reset various bits of my Instagram security controls to gain access to it. For example, when you initiate a password reset, typically a reset link is sent to your email address. If an attacker has control of that email account, they could initiate the password reset themselves.

The email account that is tied to my Instagram account also has a randomly generated password, which is stored in my password manager, and 2FA enabled.

Phishing

Those security controls protect against most of the common techniques an attacker is going to use, except for one: phishing. I can still get hacked if I fall for a sufficiently complex phishing attack - see this article: Phishing - Why We Need Training (And Why 2FA Isn't Enough)

However, I could not recall receiving any Instagram-related communications prior to these emails, and I also reset my password as a matter of caution.

In summary: it is very unlikely that someone is going to break into my Instagram account. Good security requires a holistic approach. This is why all of the individual things - things like good password management, 2FA, and training against phishing attacks - matter.