Passwords are dead
Despite almost weekly reports of major security breaches, a single password still protects the majority of online accounts. At the last count, I had over 150 online accounts protected by nothing more than a username and password. Is this sufficient? Ask anyone who works in information security and in most cases you will get a resounding NO!
You could be forgiven for thinking this reaction is based on an occupational obsession with security shared by InfoSec professionals, and you would be right. But it is justified, and you should listen. Here’s why.
Passwords are based on something-you-know – otherwise known as a knowledge factor. The problem with a single knowledge factor is that once your password has been exposed, anyone who obtains a copy of it gets access to your account. Even a strong password is no guarantee of safety – not by a long shot. Relying on a single knowledge factor alone is bad for all kinds of reasons, the most prevalent being:
Social engineering
You might think you are smart enough to spot phishing emails asking for your PayPal account details. You might even have seen off the fraudulent “IT Support Department” phone calls that did the rounds a couple of years ago. But even if you really are immune to social engineering, what about the organisation that runs your account (e.g. WalMart)? You are only as safe as the weakest link in the security chain, and it has been shown with alarming regularity that the weakest link is often the employees of the online services themselves.
Malware
Even the longest, most complex password offers no protection against malware that is already on your PC. Keyloggers and trojans routinely capture credentials as you type them and send them to criminals from tens of thousands of PCs worldwide.
Brute force cracking
In the last few years, both cloud and desktop computing platforms have enjoyed vastly increased processing power per unit cost, and a single GPU can now test billions of candidate passwords per second against a fast hash such as MD5 or SHA-1. Combined with precomputed rainbow tables and lookup tables, passwords stored as a plain, unsalted hash (still the way many sites store them) are now generally considered crackable with a little patience. Salting each password with a random value defeats precomputed tables, because the attacker must redo the work for every user, but a salted fast hash still falls to a dictionary attack; only a deliberately slow, salted password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) makes each guess expensive enough to matter. Note also that passwords should be hashed, not encrypted: an encrypted password can be recovered outright by anyone who obtains the key.
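The following is an added example, not code from the original post: it contrasts the “simple hash” storage described above with salted, slow hashing. The wordlist and the three user records are constructed for the demonstration (not real breach data), and the PBKDF2 iteration count is an assumption chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed attacker wordlist (hypothetical, not a real leak).
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "Summer2014"]


def unsalted_md5(password: str) -> str:
    """The 'simple hash' storage the text describes: no salt, fast algorithm."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed user table stored the weak way. Note alice and bob share a
# password and therefore share a digest: one crack exposes both accounts.
LEAKED_UNSALTED = {
    "alice": unsalted_md5("Summer2014"),
    "bob": unsalted_md5("Summer2014"),
    "carol": unsalted_md5("tr0ub4dor&3"),  # not in the wordlist
}


def build_lookup_table(words):
    """Precompute digest -> plaintext once; reusable against every unsalted dump."""
    return {unsalted_md5(w): w for w in words}


def crack_unsalted(leaked, table):
    """Crack every account whose digest appears in the precomputed table."""
    return {user: table[d] for user, d in leaked.items() if d in table}


# The corrected storage scheme: per-user random salt plus a slow KDF.
# 200_000 iterations is an assumed tuning value, not a recommendation from the post.
def hash_password(password: str, salt: bytes = None, iterations: int = 200_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def crack_salted(salt: bytes, digest: bytes, words, iterations: int = 200_000):
    """No precomputed table applies: each guess is re-derived with this user's salt,
    at the full KDF cost, and the work is not shared between users."""
    for w in words:
        if verify_password(w, salt, digest, iterations):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5 cracked:", crack_unsalted(LEAKED_UNSALTED, table))
    salt, digest = hash_password("Summer2014")
    print("salted PBKDF2 cracked:", crack_salted(salt, digest, WORDLIST))
```

The salted run still recovers “Summer2014”, because salting and slow hashing do not rescue a weak password; what they change is the cost per guess and the loss of table reuse, which is why the advice later on the page about strong, unique passwords still applies even on a well-run site.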
Two Factor Authentication – what does it mean?
Two Factor authentication is simply multifactor authentication using two factors of different types; a password plus a memorable date is still a single factor, since both are things you know. There are three types of authentication factor.
Knowledge factor
This is something-you-know – like a password, your date of birth, your dog’s name, your first school’s name and so on. The trouble with all of these is that they are fixed data, and they are often shared between systems. How many times have you used the same memorable date, or your mother’s maiden name? Once that information is out, it’s out and no longer secret.
Incidentally, this is a very good reason to ALWAYS lie when answering security reminder questions. Remembering your lies (and your unique passwords for every website) is easy if you invest in a good password manager. Take a look at LastPass, 1Password, or the free KeePass or KeePassX.
Possession factor
This is something-you-have – like a banking code dongle, a USB key, or a smartphone app that generates one-time tokens. The device derives each token from a secret seed stored inside it, combined with a counter or the current time, so every code is different and a code that is observed is useless once its short validity window has passed (a real-time phishing site can still relay a freshly entered code within that window, so this is not a complete defence). Normally, then, an attacker has to steal the physical device itself. The caveat is that the device is only as unique as its seed: if the seed is copied, at enrolment or from a backup, the attacker can generate identical codes without ever touching the device. Hardware tokens keep the seed in tamper-resistant storage for exactly this reason; a seed held in a phone app is only as safe as the phone.
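To make the possession factor concrete, here is an added example (not code from the original post) implementing the one-time code algorithm that most authenticator apps use, HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), together with the server-side check. The seed used below is the RFC test-vector seed, and the clock values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Anyone holding the same seed computes the same code, which is the cloning caveat."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, algo)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: int = -1):
    """Server-side check. Returns the matched time step, or None.
    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any step <= last_counter so a code the server has already accepted
    cannot be replayed inside its validity window."""
    at = time.time() if at is None else at
    now = int(at // step)
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test-vector seed (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    print("HOTP counter 0:", hotp(seed, 0))            # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(seed, 59, digits=8))  # 94287082 per RFC 6238
    print("TOTP now:", totp(seed))
```

The server must persist `last_counter` per user after each successful login; without it, a code captured by a phishing proxy can be reused for the rest of its window even though the user's own login already consumed it.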
Inherence (Human or Biometric) factor
This is something-you-are – that is to say, something unique to your person. Examples include your fingerprint, a retina scan, or your voice. There’s even research into a breath print (so maybe skip that last slice of garlic bread).
Another objection to inherence factors concerns non-repudiation and growing mistrust of law enforcement agencies. Unlike a password or a smartphone, a biometric cannot be changed or revoked once it has been captured, and you leave fingerprints everywhere you go. If yours shows up somewhere it shouldn’t have, that is much harder to explain away – opening the way for intelligence services to frame citizens.
So what should I do?
Check to see if the websites you use support TFA. Most web services that offer a second factor do so through a possession factor, usually your mobile phone: either a text message containing a unique one-time code, or a simple app that produces one-time passcodes. Where both are offered, prefer the app; an SMS code can be intercepted or redirected to an attacker who has taken over your phone number.
Google, Facebook, Twitter, Dropbox, your bank, and most other large online networks all provide Two Factor authentication as an option.
If you use a service that does not offer TFA, then:
- make sure you are using a good password manager application (that doesn’t mean a password protected word document!)
- make sure all of your passwords are strong
- make sure you never use the same password twice
- never give the same answers (or the correct answers!) to account recovery questions like who was your first school teacher
- change a password immediately if the service reports a breach or you suspect it has leaked; changing passwords on a fixed schedule (say once a year) is no substitute, because a leaked password is typically used within hours or days, not months
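The points above about strong, unique passwords and made-up recovery answers come down to a few mechanical checks, which a password manager performs for you. As an added example (not code from the original post), here is a minimal version of those checks: generating secrets from the operating system's CSPRNG, estimating their entropy, and detecting reuse across a vault. The vault contents are constructed for the demonstration.

```python
import math
import secrets
import string
from collections import defaultdict

# 94 printable ASCII characters; most sites accept all of them.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    20 characters from 94 symbols is about 131 bits, far beyond any wordlist."""
    return length * math.log2(alphabet_size)


def generate_secret(length: int = 20, alphabet: str = ALPHABET) -> str:
    """A random string from the CSPRNG; usable as a password or as a fake
    answer to a recovery question (nobody needs to know your real first school)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reuse(vault: dict) -> dict:
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, creds in vault.items():
        by_password[creds["password"]].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def rotate_reused(vault: dict, length: int = 20) -> list:
    """Give every reused password a fresh, unique replacement in place.
    Returns the list of sites that were changed."""
    changed = []
    for sites in find_reuse(vault).values():
        for site in sites:
            vault[site]["password"] = generate_secret(length)
            changed.append(site)
    return changed


# Constructed vault: one password shared across three sites, one unique.
VAULT = {
    "bank": {"user": "alice", "password": "Summer2014"},
    "shop": {"user": "alice", "password": "Summer2014"},
    "email": {"user": "alice@example.com", "password": "Summer2014"},
    "forum": {"user": "alice", "password": "u7$Qn!pR2wLk"},
}


if __name__ == "__main__":
    print("reused:", find_reuse(VAULT))
    print("rotated:", rotate_reused(VAULT))
    print("reused after rotation:", find_reuse(VAULT))
    print("fake recovery answer:", generate_secret(16))
    print("entropy of a 20-char password: %.1f bits" % entropy_bits(20, len(ALPHABET)))
```

`secrets` rather than `random` is the important choice: `random` is a Mersenne Twister seeded predictably, and its output is recoverable from a few hundred observed values, which is exactly what an attacker who sees one generated password would exploit.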