Beyond Passwords

Passwords are a modern ‘pain in the neck’. We have passwords for this, passwords for that, and IT experts quoting confusing and, increasingly often, contradictory guidance on how to pick good passwords.

How many different services do you use on the Internet? Each one very likely needs you to create an account and by extension, pick a password. Many of us have thrown the towel in on password management – it’s become simply too difficult a task for most of us to manage successfully. Tools like LastPass and 1Password have become invaluable to ensure we’re using unique and complex passwords for all our services.

But even with a password manager to help us, passwords are still imperfect. They’re imperfect because once someone knows your password, they’re effectively ‘you’ for whatever service they are using. Many services have security breaches, and passwords (or poorly protected encoded versions of passwords) leak. The service ‘Have I Been Pwned?’ (https://haveibeenpwned.com/) allows you to check if passwords associated with your email address have been leaked from various major breaches. At the time of writing, 5,555,329,164 passwords are tracked by Have I Been Pwned.

So what should we do to protect ourselves further?

The answer comes in the form of so-called multi-factor authentication, or two-step verification. These are subtly different techniques, but each adds another piece to the equation. A username and a password are no longer enough; you need something else.

One of the most popular implementations is to register your mobile phone number with a service. When attempting to log in, you’ll have to enter your username, password and a code that the service provider will ‘text’ to your phone. That code is valid only once, and is randomly chosen. In this way, even if a hacker has your username and password, the assumption is that they don’t have your phone and therefore can’t get the code.

That’s great, until it isn’t. See, another security guy making life complicated again!

Unfortunately, hackers can sometimes redirect text messages to themselves, meaning that they do receive the code, and hence can still get into your account if they have your username and password. One step better is to use an ‘authenticator app’. There are many free ones to choose from (Google Authenticator, Authy, etc.).

The app is a small tool you install on your smartphone. It is synchronized with the service provider, usually by scanning a 2D barcode that the service gives you. This ‘seeds’ the app so that it will produce the same series of constantly changing codes that the service provider is expecting. Logging in then involves your username, password and whatever code the app is displaying when you attempt to log in. These codes typically change every 30 seconds or so, making it impractical for an attacker to use one they have stolen.
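To make the ‘seeding’ concrete, here is an added example (not code from the original article, and not any particular authenticator app’s code) of what happens on both sides. The 2D barcode carries an `otpauth://` URI with a shared secret; the app decodes it and computes time-based codes with the standard RFC 6238 TOTP algorithm (HMAC-SHA1, 30-second steps, 6 digits). The service does the same calculation, allows one step of clock drift either way, and records the last step it accepted so that a code can never be used twice, which is what makes the “valid only once” property hold. The URI, account name and secret are constructed for illustration; the secret is the well-known test key from RFC 6238, chosen so the first assertions can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what the enrolment QR code contains (hypothetical
# account; secret is the RFC 6238 reference test key "12345678901234567890").
SAMPLE_URI = (
    "otpauth://totp/ExampleCorp:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCorp&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Decode the seed carried by the QR code. Returns (key, digits, period, label)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    secret = params["secret"][0].replace(" ", "")
    # Issuers often omit base32 '=' padding; restore it before decoding.
    secret += "=" * (-len(secret) % 8)
    key = base64.b32decode(secret, casefold=True)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    label = unquote(parsed.path.lstrip("/"))
    return key, digits, period, label


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key, now=None, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if now is None:
        now = time.time()
    return hotp(key, int(now // period), digits)


class TotpVerifier:
    """Service-side check: tolerates +/- `window` steps of clock drift,
    compares in constant time, and refuses to accept any time step twice."""

    def __init__(self, key, digits=6, period=30, window=1):
        self.key, self.digits, self.period, self.window = key, digits, period, window
        self.last_counter = -1  # highest time step already consumed by a login

    def verify(self, code, now=None):
        if now is None:
            now = time.time()
        current = int(now // self.period)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_counter:
                continue  # replay or older than something already used: reject
            if hmac.compare_digest(hotp(self.key, step, self.digits), code):
                self.last_counter = step
                return True
        return False


if __name__ == "__main__":
    key, digits, period, label = parse_otpauth_uri(SAMPLE_URI)
    print(label, "current code:", totp(key, digits=digits, period=period))
```

The phone and the service never exchange anything after enrolment; they simply agree on the secret and the clock, which is why the app keeps working with the phone in flight mode. The `last_counter` bookkeeping is the part most home-grown verifiers forget: without it, a code captured during its 30-second life can be submitted again by whoever captured it.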

Unfortunately, not all services support the use of an authenticator app, so if it’s not available for the services you want to use, then by all means rely on the SMS-based ‘text’ code option. It’s much better than a plain password on its own.

Comments

Dave, kudos for another very well-written article! I would like to add that even when we are using a secondary factor, we must not allow ourselves to get lazy in terms of password management. The old rules still apply: choosing a complex password is as important as ever. And we still must always ensure that we don't reuse the same password on different sites. And, of course, never tell anyone else our password, no matter who they claim to be.

--"Another security guy making life complicated"  =:^p