As a security professional, I often think about the question: Why do we need security? We have talked about “why” security is a basic need before at FLAWD. Without feeling safe and secure we can’t live our best lives. So how can I feel safe and secure online? And why should I be concerned about security online? Do you already know that your passwords are not safe? Do you just want to know how to enable 2-factor authentication? Scroll down to the end of the article and read how to enable 2-factor security.
Your password is not secure anymore
If you have followed the news in the last years, I am sure that you have come across some of the following expressions:
identity thefts, passwords stolen, loss of sensitive data, spear-phising, software vulnerability
and much more. Some of you may also have heard “new world of cyber warfare” and “stuxnet, duqu, flame and gauss”. However we are not talking about cyber warfare here, but rather how a weak password can affect you, and your personal security. I am sure that you have noticed “FaceRape“, a phenomenon when a “friend” gains access to your Facebook account and makes “funny” status messages. This is a very simple and mostly harmless way of demonstrating that password protection is not enough anymore. Security (as all parts of IT) is evolving quickly to meet the demands of more aggressive and more sophisticated attacks.
Why are passwords compromised?
1. Password databases are not protected enough
Well.. Since there have been so many password databases cracked, and software CPU power has improved, hackers are now knowing what you use. Remember the LinkedIn database last year? (or any other more recent article about a password databases being stolen? Like this one). Thanks to all database breaches hackers has a really good idea of what passwords we use, since password cracking is all about probability. Check out the most common passwords 2013
2. We are human and we are NOT random
The article above mentions that for optimal security you should use at least 9 characters and they should be ABSOLUTE random. Since you are human, you are not random! We are all creatures of habit and we follow patterns that can be figured out. For example: You usually start your password with a capital letter, and since password cracking is all about using probability, there is a 13% probability that it is the letter E, since it is the most common letter in the English language. Want to know more about Cryptography? Check out Stanford professor Dan Bonehs free coursera course: Cryptography
3. Strong passwords are bypassed by “password reset”
Even if you use a 45 character strong RANDOM password (which by the way is not supported by most services, usually 30characters are max for passwords). The way of resetting a password is usually weak! Think about how easy it is for you to click “forgot password” link and receive an email and just enter a new password. Super-easy! But what about if your email has been compromised?.
Conclusion; only using your password (one factor) to authenticate yourself is not enough. What is the next step?
Solution: a layered security approach
Defense in Depth
In physical security we use something that is called: DiD (Defence in Depth) made popular by Mary Lynn Garcia in her book: PPS – Design and evaluation of Physical Protection Systems DiD is the theory that you can never have 100% secure systems (if humans are involved) and therefore you want to make it as hard and as much resource and time consuming for an adversary to break the system, since different techniques most be used. To achieve this we use “DiD” sometimes called: layered approach (or onion approach in physical security. Other techniques can be target hardening, these techniques can also be applied to IT security.
What is Two-Factor authentication?
In a digital world, we want to be sure that a user is who they say they are. This is called: authentication. To authenticate a user we use “factors”. The factors that we use are
- Something the user knows – example: a password factor
- Something the user has – example: smartcard
- Something the user is – example: a fingerprint
Single factor authentication is to only use one of the above, This is not optimal since passwords as are so easily compromised. Two-factor authentication (aka multi-factor authentication, or TFA, T-FA, or 2FA) is a way to verify your authenticity by providing two (or more) factors. Example of a TFA is to provide my username + password + a One-time Password (OTP) that I have received as an SMS.
How can I enhance the protection of my personal information?
First of I recommend that you implement a password manager system, to get “Random” passwords. Check out how Secure your “standard” password is at: https://howsecureismypassword.net/. I recommend LastPass, for several reasons: it is free (however cheap 12USD/year). It is easy, its in the cloud, it supports 2-factor authentication with Google Authenticator or Ubicode USB key if needed. There are other alternatives: KeePass (local database storage), 1Password and Dashlane, to mention a few. Using a password manager is ofcourse risky in the way that if you loose your MasterPassword, a hacker then has access to ALL your systems. Therefore make sure that you use a strong password and has 2-factor authentication enabled for your password management system. LifeHacker has a guide on how to make LastPass hackproof.
Two-factor your life by activating it on all services
Here is a short YouTube video about TFA in Google/Gmail
LinkedIn has also enabled TFA. How-to guide for setting up TFA in LinkedIn
We have written about how to use facebook to your advantage before, make sure that no one else uses your Facebook to their advantage. Facebook call it “login approvals”. Here is how to enable it. If you are into FaceBook, make sure you follow their own security page.
DropBox is another FLAWD-favourite service that you should protect. How to enable TFA for DropBox
If you are a twitter user, and like this article,send me a tweet:
Evernote: Evernote is one of my personal favourite apps of all times. Heres how to enable TFA in Evernote:
WordPress: Whilst writing this article I realized that WordPress also has the possibility for TFA, this specific plugin uses Google Authenticator.
HootSuite: One of our favourite apps is HootSuite. They recently added (edit 2013-11-26) TFA. Also using the increasingly popular Google Authenticator.
Bit.ly: Our favorite link-shortening service: Bitly has added TFA as well
What is Google Authenticator?
To receive OTP:s or one time passwords they can be delivered as SMS which is most common, but they can also be delivered with an app, the most popular is Google Authenticator
Wikipedia: Google Authenticator is a software based two-step authentication token developed by Google. The Authenticator provides a six digit number users must provide in addition to their username and password to log into Google services.
Think differently about passwords
According to the XKCD strip above, the way we have thought about passwords in the past makes it hard for humans to remember and easy for computers to guess. Try out their password generator for easy to remember password, but according to XKCD – hard for computers to brute force.
2 factor your life NOW!
Enable this NOW! Security is one of those things that you have do NOW! You can’t just wait around until your account is compromised!
Disclaimer: to be 100% secure in a digital world – do not digitalize your information.
Lastly, some quotes about security
Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.
If you want total security, go to prison. There you’re fed, clothed, given medical care and so on. The only thing lacking… is freedom.
Dwight D. Eisenhower
The only real security that a man can have in this world is a reserve of knowledge, experience and ability.
There is no security, the only security you have in life is to to a job uncommonly well
Have you 2-factored your life yet?