(Credit: Screenshots: Tom McNamara/Download.com)

Your passwords are terrible, and we're trying to help. One very good option is a password manager like Bitwarden (Android, iOS) or LastPass (Android, iOS). These can generate passwords that are difficult for a hacker to guess or brute-force, and all you need to remember is the password for the manager itself.

SEE: How to beef up your Chrome and Firefox security in 2018

However, even good passwords can be compromised if entire password databases get hacked, which has been known to happen from time to time. When this happens, you can still benefit from a system called two-factor authentication (2FA). With 2FA, you enter your user name and password, and then you use a temporary code to confirm your identity.

There are two ways to generate a 2FA code, and one of them -- contained in an SMS text message -- isn't very good. That's because text messages can be intercepted by the bad guys, or simply fail to arrive due to network issues. With app-based 2FA, however, an app on your device produces a code, which you enter into the app that's asking for it. Google itself provides an app (Android, iOS) that manages all of your app-based 2FA codes, as does LastPass.

Until now, Instagram (Android, iOS) has only used SMS for its codes. It's been testing app-based 2FA for several months, and today it's finally begun rolling it out to everyone. If you've gotten this update, the setup is fairly straightforward. Just log into the Instagram app on your phone or tablet, tap the hamburger menu button in the upper right, tap Settings at the bottom, scroll down to and on Two-Factor Authentication, then tap the slider next to Authentication App.

FOLLOW Download.com on Twitter for all the latest app news.

On the following screen, tap Next at the bottom. If you have already installed your 2FA code generating app, it will open automatically at this point and ask you to confirm that you want to save Instagram's code generation key. Press OK, and you should have a new entry in this app for your Instagram codes.

Long-press the code that the app is generating to copy it to your clipboard. Then go back to the Instagram app and paste this code. If you do it correctly, Instagram will say "Authentication App Confirmed," and you just press the Done button at the bottom of the screen to finish.

At this point, you can disable SMS-based 2FA by tapping the slider next to Text Message. Be warned, however, that if you lose access to the device that generates your 2FA codes, you will need to use an emergency backup code to get back in.

Alternatively, you can use a service like Authy (Android, iOS) or LastPass Authenticator (Android, iOS) that stores your codes in the cloud, and that makes them accessible to any device that can log into its service.

As you might imagine, though, this is a double-edged sword -- anyone who can guess your Authy password or trick you into giving it to them now has access to these codes as well. With an app like Google Authenticator, those codes only exist on your phone or tablet.

The takeaways

  • Instagram has begun rolling out app-based two-factor authentication, after a lengthy testing phase.
  • App-based 2FA is better than SMS-based 2FA, because texts can be intercepted or just fail to arrive. With app-based 2FA, the codes are generated on your device instead.

Also see

Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.