Webdancers

When it comes to hacking our accounts, the bots are still pretty dumb.

Luckily for us, almost all automated bots and phishing attacks take a shotgun approach to attacking our accounts. They probe for easily guessed passwords or use massive lists from third-party password breaches. Unless you’re one of the select few (Google estimates one in a million) who is being specifically targeted, basic account hygiene can keep you safe from almost all hacking attempts.

A recent study published on the Google Security Blog backs up these findings:

We teamed up with researchers from New York University and the University of California, San Diego to find out just how effective basic account hygiene is at preventing hijacking. The year-long study, on wide-scale attacks and targeted attacks, was presented on Wednesday at a gathering of experts, policy makers, and users called The Web Conference.

Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.

I know you don’t want to share your phone number with companies like Google, but when you do, they can verify questionable login attempts using text messaging. This simple check proved 100% effective against automated bots trying to access accounts. This is known as a device-based challenge, because without access to the device (your phone), the attacker is missing a required login step.

An even more secure device-based challenge can be achieved by using an authenticator app on your phone. Using these apps, many sites can send a one-time code to your phone to use in addition to your username and password. These sites will usually remember the device you’re using for 30 days before requiring a new code. Google Authenticator is the most widely used and is available for Android and iOS. In Google’s testing, these on-device prompts were also 100% effective against automated bots, as well as 99% of bulk phishing attacks and 90% of targeted attacks.

High-risk users

If you’re a journalist, activist, business leader, member of a political campaign or just extremely paranoid, you might want to explore options such as Google’s Advanced Protection Program. These systems use digital encryption keys stored on a USB device to provide authentication. No one in Google’s testing fell prey to bots or phishing attacks while using these devices. For most people, however, the inconvenience of using these devices will not be worth the added security on the limited number of sites that support them.

The bottom line: For the most security bang for your buck, add an authenticator app and enable 2-step authentication on all of the most important sites that you access. Failing that, at least allow sites to use your phone to verify suspicious or unrecognized login attempts on your various accounts.

Until next week.

Copyright © 2019 webdancers, All rights reserved.

