Journalists, Government Hacks, and two factor authentication

I noticed yesterday multiple journalists I am following asking every other journalist to enable two factor authentication on their accounts in fear of a government hack.

I think it is less secure to have two factor authentication on your account than not having it. Let me tell you why.

When you have a strong password, for the government to hack you they have to have a malware installed on your computer/mobile, while you can’t avoid that unless you are too careful, they can’t try every combination of passwords on Gmail or any other service until they know your password.

When you enable two factor auth, your mobile number also acts as a recovery mechanism to change your password. The problem with this is that the government can write your email, say they forgot the password so you get an SMS, they intercept the non-encrypted/plain text SMS from the mobile operator network, and Bingo! They got access to your account.

There have been reports that the Egyptian government is doing this. I also have a personal friend of mine who got an email from Facebook that someone tried to reset his password, upon tracing the IP Facebook sent him, it turned to be the Egyptian national security HQ in Alexandria.


It has been on my list for long but I finally decided to audit all my accounts, & passwords. The longer we are on the internet, the more we start not paying attention to security, and the more vulnerable we become.

The key triggers that drove me to pay attention to this were a security session I attended at work where the speaker told us about how a hacker hacked a wired editor’s apple account, remotely wiped his phone, ipad, and macbook, then deleted his Gmail with all backed up photos and emails, all of this to steal his 3 letters twitter account! While this wasn’t a normal hack, it was engineered by exploiting the friendliness of customer support agents at Apple and Amazon. You should read the story.

The second trigger was these two videos I watched on Computerphile where they explained how computers got really fast that they can now crack 8 characters passwords very easily & what you should do to protect your accounts.



Here are the things you should do to make sure your passwords are secure:

  • Never recycle passwords. It takes hackers hacking one website to get access to your accounts on all other websites. You don’t want this to happen so make sure you have a different password for every website.
  • It is very hard to memorize a password for every website, so use a password manager to store all these passwords, and have it generate a random password for each website. This way you can have a single strong password that you need to memorize while offloading the rest of the work to the password manager.
    • Password managers simply encrypt all the passwords you store on their website where they can’t decrypt it unless you enter the master password. This way even if a password manager got hacked the hackers won’t be able to know the passwords you stored without knowing your master password (Not exactly like this but let’s not get into the technicalities).
  • Make a list of all the accounts you have, and go change the password for each of them with a new randomly generated password. Store the new passwords in the password manager and if you store passwords in your browser (Chrome/Firefox) make sure to delete them or not store the new password there.
  • NEVER exchange passwords electronically, NEVER give your master password to anyone or store it anywhere except your head.
  • One might say, who cares about me? I am no one to hack. This is true, but you will be surprised at how many websites you have your credit cards, Photos, and Personal info into. Should I only secure those? NO, because hackers collect different pieces of information from different websites to hack other websites. If one account gets hacked, they can use the info there to hack other websites.

Nothing will make you a 100% secure. And I am sure I forgot some accounts that I didn’t secure. Yet before you let go remember that security is like unsafe sex, it takes one mistake to regret for the rest of your life.