Strong passwords, 2FA, and GNOME Authenticator.

About a year ago, I noticed that I kept getting emails that some of my accounts had been taken over.

Nothing very important. An old Disney rewards account I signed up for to get free DVDs forever ago, an unused Spotify account from I don’t know when.

But it got me thinking about security.

Up until that point, I had dodged bullets. I hated passwords, I used bad practices without even considering it (like reusing weak passwords over and over again), and I decided to clean house.

I went over every site where I had anything important and I had my web browser generate strong random passwords, unique to each site.

(All major browsers suggest them, as do various websites and applications. Here’s a list from a couple years ago by It’s FOSS.)

I cleared out my “app passwords” from sites with 2FA and set them up to use an Authenticator app, or my phone number, or OAuth on GNOME (for email).

A while back, I decided that relying on my phone to get me into my accounts was not good. Phones can break, SIM cards can be cloned, and you might lose your phone number somehow. Plus, having to go find out where your phone is in the house is a hassle.

So I started using GNOME Authenticator in addition to Google Authenticator, and only using my phone number when and if something forces me to do it, or as a backup to an Authenticator.

As you would expect, Google Authenticator only supports exporting your 2FA entries to another Google Authenticator. So I had to go back to the sites and get another QR code for GNOME Authenticator.

I wish more sites would support Authenticator apps, since the texting codes business is sketchy and really leans on people to get a cell phone just to get security codes. :/ But, I can only do what I can do.

GNOME Authenticator is pretty easy to set up, but the version in Debian is broken. The one on Flathub works, however.

It will bring up the GNOME Screenshot utility and you just take a screenshot while the QR code is displayed. It will trash the screenshot when it’s done with it, and you should have a new entry for that site automatically added to your app.

As the application pertains to security, obviously, I’m not going to take a picture of _mine_, but one is available on Flathub.

You need to get your security situation sorted out before they take over your bank account or something, and I feel really stupid for taking so many years of risk, but it’s all sorted now. Hooray!

While I was setting up our bank account, I made sure to fix up my spouse’s login too. Far from some anonymous cracker on the “dark web”, our problem with threat actors is now a little closer to home. His sister is always trying to figure out some attempt at swindling us (like a fraudulent life insurance policy she tried to take out last year, which we shut down), and she has a way of sending out agents (his other family members) to back him into a corner at work and exfiltrate information.

Since only our web browser at home even remembers our password, no threat there.
