Data breaches are scary. And if you’ve never looked into them before, you may not know how to protect yourself from having your data compromised online.
These breaches aren’t entirely uncommon, either. In fact, you may have heard of the “Collection #1” data breach that was publicized by security expert Troy Hunt (more on him in a minute).
So now you might be wondering, What tools can I use to protect my own online data?
Let’s explore some widely agreed-upon security best practices for securing your online accounts. We’ll also cover how to put those best practices into action to keep your HubSpot user account safe.
Use Two-Factor Authentication (2FA) Whenever Possible
Two-factor authentication (2FA) is one of the most widely available security precautions you can take with your accounts today. Passwords alone have always been limited in the protection they offered, and the data breaches from the past several years have further weakened them. 2FA provides a stronger, second layer of login protection to ensure that it’s really you logging in.
How does 2FA work?
In most cases for online tools, 2FA works something like this:
- You enter your username and password into the login page for an account.
- The system validates your username and password are correct and then sends you to another page where you’re asked to complete a two-factor challenge delivered to another device — this challenge can be as simple as clicking a push notification or entering a one-time password delivered to an authenticator app on your mobile device.
Sounds easy enough, right? Well, before using 2FA, just remember that not all 2FA is created equal.
When choosing a 2FA method, you should stick to authenticator applications if they’re available — such as Google Authenticator or Authy — rather than using SMS text message 2FA. SMS is flexible and works with a variety of phones but is more vulnerable to being compromised, as shown in this Positive Technologies video first reported by Forbes. You can also consider a physical security key, such as the YubiKey by Yubico.
How can I use 2FA in HubSpot?
Considering 2FA for your HubSpot account? That’s a great idea.
With 2FA active, a potential attacker will need to know more than just your username and password to get access to your account, which helps you stay safe even if a password somehow sneaks out into the world.
HubSpot offers 2FA for your user account at all subscription levels. You can also generate a set of backup codes in case you lose access to your mobile device.
And setting up 2FA in HubSpot is easy. Just head over to your Profile and Preferences and click Security. You’ll then see Two-step verification option, where you can click Set up primary method to get the process started. Check out step-by-step instructions here.
Here at HubSpot, we’re also working to offer more options to secure your accounts with 2FA in the future. So stay tuned!
Use a Password Manager
If you’re like me, you have more passwords for more websites than you could remember. With so many accounts, many people are tempted to reuse the same passwords so that it’s easy to remember them. DO NOT do this.
Reusing passwords is a very bad idea and comes along with substantial risk: If that password becomes compromised (for instance, by a leak like Collection #1), and an attacker attempts to use it on other popular tools, they may be able to access multiple accounts of yours and wreak some serious havoc — especially if you share passwords between highly sensitive services, like those that hold banking or credit card information.
But how can you keep track of all these different passwords? You use a password manager.
Password managers can help you keep track of multiple passwords so that you don’t compromise the security of your online accounts — and you don’t have to have all these passwords memorized, either.
Here are some benefits of password managers:
- First, they can generate secure, complex passwords for you when you go to set up an account with a new service. This way, you don’t have to spend time thinking up a new password every time.
- Second, they can automatically store those passwords for you, tied to the website you were on when you entered them. So when you visit a site that the password manager recognizes, it can automatically fill in your saved credentials for you. Thus, you get the convenience of an automatically pre-filled password, with the security of a complex password that you aren’t tempted to reuse.
- And lastly, a password manager can be secured with a master password and two-factor authentication to ensure that it will remain difficult to breach. The end result? You have to remember a single password, but you’re given the security benefits of multiple, complex passwords.
Sign Up For Alerts from HaveIBeenPwned (HIBP)
Remember when I said we’d talk more about Troy Hunt? The time has come.
In 2013, Troy Hunt started a project called HaveIBeenPwned.com. This site aggregates and tracks data breaches in which sensitive information on users —such as their email addresses, passwords, or telephone numbers — is leaked to hackers. You can sign up for email notifications from HIBP, which will alert you if your email address is found in any breaches that the site uncovers.
If you discover that your email address or password has been leaked, it’s best to change your password immediately for that account and for any accounts that may share a password with it (another reason to use a password manager to generate unique passwords). If you’ve never entered your email address into the HIBP search, it’s worth doing right away to check if your email has turned up in any particularly nasty breaches, such as Collection #1.
If your email has been compromised, don’t panic! Just go through and change your affected passwords, making sure that you also change the passwords for any accounts that share credentials with the account that was compromised.
For HubSpot Admins: Consider Using Single Sign-On
The tips above are very helpful for individuals who want to improve their own personal account security. Ideally, that’d be each and every one of us. However, everybody has at least one carefree co-worker or friend who doesn’t like to prepare for the worst and might get blindsided if it ever happened to them. The last thing you want is for that person’s account to be an easy window into your HubSpot data.
If your company uses a single sign-on provider — such as Okta, OneLogin, or Microsoft Azure Active Directory — those providers can offer high-impact security measures that can, by extension, help you secure your HubSpot data.
An SSO provider can provide a unified identity platform where your team’s administrators can manage multiple facets of a user’s access to the tools and data they use every day. Single sign-on providers can offer the ability to restrict logging into a user account by IP range, support additional two-factor authentication providers, additional password complexity requirements, and more.
And since you can require single sign-on for your HubSpot account login, you can use your SSO provider’s login requirements to put an extra layer of protection on your HubSpot data, above and beyond whatever security measures an individual user may choose for themselves. Single sign-on support is available in all HubSpot Enterprise accounts. Learn more here.
You’re Off to a Good Start — But There’s Still More
There are more ways to keep your sensitive data and your identity safe online, but you’re off to a good start.
The tips in this article are meant to help you secure your online accounts, including data stored in HubSpot, but you should also check out this open-source checklist. It provides some excellent advice and resources for things outside of what we just covered, like encrypting your hard drives, identifying phishing attempts, and freezing your credit. Given the importance of account security in 2019, it’s worth considering many of these steps to keep your identity and your information safe.
Want to connect with others on HubSpot tips, tricks, and updates? Head over to the HubSpot Community to join a conversation or start one of your own.
Originally published Feb 26, 2019 9:00:00 AM, updated April 11 2019