The truth hurts…your password isn’t safe.
Strong passwords make us feel safe. 15 characters, mixed case, numbers, special characters. How can anyone figure out “StaRW@Rs1977!@#$”? It’s unbreakable, right? Maybe, maybe not. There are methods to crack passwords, and do you really have a unique password for every service that you use? (Hackerbait)
Passwords are Single Factor Authentication (SFA) methods, meaning they only validate a trust between you and whatever service you are logging into. SFA does not validate that the person typing is the authorized user. Anyone with access to the password can log in from any location pretending to be you: email, banking, photos, calendars, nanny-cams, et al. The documented horror stories abound: celebrity photo leaks, political email hacks, and bank account pilferage. Once a hacker has access to your computer or your actual password it’s game over for that account (or several accounts, if you use the same one over and over).
What about those security questions that some sites ask when you login? It’s just to make you feel better about the security of the site. A good social engineering hacker already knows where you got married and where you went to High School.
Why is Two Factor Authentication better?
Two Factor Authentication (2FA) adds a layer of cybersecurity and takes the concept of trust between a user and a service a step further. 2FA takes the SFA method of something you know (a password) and adds something that you have (a token) or something that you are (an inherence factor such as a fingerprint) to validate that the connection is legitimate. The token can take many forms: a physical card with an encryption certificate (Smart Card), a key-fob or app with a pseudo-random number generator, a fingerprint, a one-time code sent via text, and even old-fashioned challenge-answer matrices. Nefarious hackers would also need access to your token to break into your online service…something much harder to do.
You have an example of a token in your wallet right now. The chip embedded in your credit card is a token to establish trust between you, the vendor, and the credit card provider.
2FA is implemented in a few ways. Higher-security services (i.e. banking) will ask for the token each time you log into the service. Others will use 2FA to validate the device you are using and establish a shared key between the device and the server, allowing you to keep a persistent connection (i.e. social media).
Where should you use 2FA?
- online banking – a must in today’s world
- email – nearly all services offer 2FA. Protecting your email keeps hackers from being able to reset passwords. (Google, Yahoo, Hotmail)
- social media – (LinkedIn, Facebook, Twitter, et. al.)
- cloud storage – (iCloud/AppleID, Dropbox, et. al.)
Great! How do I use it?
There is no single method to implement 2FA. How to use it depends greatly on the service provider’s implementation. Some providers may offer several 2FA methods to choose from. The links above will take you directly to the help page to get you set up. For others you need to search the website and follow the directions there.
Download a 2FA application for your mobile phone. Many times you are able to scan a barcode to establish a link between your service and the app that generates the pseudo-random codes used for 2FA.
Once you have signed up for 2FA you will not notice much of a difference in your use of the service. When you log in from a new device, though, be prepared to have the token ready.
Awesome! I am now 100% protected!
Hold on a second, Ranger. I didn’t say 2FA is 100% hacker-proof. 2FA is definitely more secure and harder to circumvent, but advanced techniques exist that can compromise your 2FA security. You could lose your token (or have it stolen). Your one-time-use text message can be intercepted. A “man-in-the-middle” attack can intercept your web browser traffic. Just know that you have to stay cyber-vigilant…2FA has made you stronger!
In closing I want to remind you to use strong and unique passwords when you set up your 2FA. The basics of security are immutable and passwords shouldn’t be the weakest link.
- don’t use words found in the dictionary
- passwords should be at least 12 characters long, with mixed case, numbers, and symbols
- don’t use sequential keys, i.e. “1234”, “QWERTY”, “ABCD”, etc.
- never use names, birth dates, or anniversary dates
- always change the default password
- don’t recycle it with other accounts
- use a password generator (Safari for Mac, LastPass)
A long post, yes. But if it saves you from a horrible cyber-incident then it was worth it! What recommendations do you have to improve our basic login security? Share them in the comments below. Stay Cyber-Vigilant!