Password security: The one simple step pros use to lock down their accounts
Passwords alone are now worthless as a security system.
We protect our computers and online accounts for the same reason we lock the doors to our homes. We want to keep the crooks out and our assets safe and secure. For years, we secured our systems with a key/value pair consisting of a user name and a password. While the user name might be generally guessed, the password was supposed to be a string of characters only you (and the system you were accessing) knew.
As time went on, it became clear that there were problems with this approach. The biggest is that people have a hard time remembering complex passwords, so they resorted to the obvious: password, 123abc, letmein, and so on. For those with simplistic passwords, it was very easy for crooks to try a few possibilities and gain access to what should have been hidden account data.
Over the last few years, however, things got a lot worse. Even those with excellent password hygiene were subject to password-based breaches. After a few hundred (now thousands) of large companies were breached and became host of long-lived advanced persistent threats, massive databases of live user names and passwords have been compiled by organized criminals. Those databases are sold for chump change on the dark web.
Effectively, this has rendered passwords worthless as a security system. It's just as bad as leaving your front door closed, but unlocked while you're gone all day. Passwords as complex as SzATMn#vBd^zPTvp@*8KMo were now as insecure as qwerty because hackers no longer needed to brute force guess. They could just look up your user name and try the passwords they had for you in their database.
Even in light of this harsh reality, most small businesses rely simply on the name and password for security. This is pretty much as bad as using no security whatsoever. Passwords, secret pass phrases, something secret only you know... were no longer secret. Just relying on what you know will no longer keep you safe.
So how do we lock down our accounts?
The answer is adding additional factors of security. The single most effective and nearly universal mechanism is the use of a password authentication device, usually via an app on your smartphone or texts sent to your phone number.
This additional factor relies not only on something you know (your password), but something you have (your phone). Without both, you (and the hackers) can't get access to your account. Even if someone in Belarus or Beijing knows your password, without being able to generate the one-time unlock code, they can't get into most of your accounts.
As it turns out, adding a second factor of authentication can save you from the majority of threats. A study by Verizon (who puts out the excellent Verizon Data Breach Reports) stated, "If we could collectively accept a suitable replacement (for passwords), it would've forced about 80% of these attacks to adapt or die."
Presenting the 20 dumbest Ashley Madison passwords, in no particular order
In other words, 80 percent of the attacks against companies and accounts could have been stopped merely by having protections beyond passwords. Or, another way of putting it is that if you add one additional factor of authentication, you immediately increase your level of protection four-fold.
Most online services now offer second factor authentication. I wrote about how to set up multifactor authentication for Facebook and Twitter, and these are good tutorials to start with.
The bottom line is simple: if you want to keep your digital doors locked, you need to start using a second factor of authentication. Not doing so is merely inviting trouble to walk right in through an open door.
See also:
- Hackers don't just want your credit cards, now they want the pattern of your life
- Sony trots out 2-factor authentication 5 years after breach
- Why changing your password regularly is a very bad idea
- Hackers going corporate with new attack attitudes, research shows
By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.