Portsmouth IT Security

By Evan Fagan

What’s Wrong with Passwords?

Passwords are considered a basic and vital security feature that have been around for decades. As hackers have grown more cunning and computing power has increased, the recommended password length has gone from 7 characters (a decade ago) to 10, 12, and even 14 characters today. However, in addition to raw length, password complexity is just as important, as are the storage and the underlying security of the websites and servers on which passwords are safeguarded. As password complexity has increased, hackers are increasingly turning away from brute-force attacks, where they attempt to gain access through billions of intelligent, systematic guesses, and instead attacking the systems that store the passwords. Recent headlines have shown enormous password breaches, often in the hundreds of millions, such as the 2012 LinkedIn breach that has haunted many users who mistakenly re-use the same username and password across multiple websites and accounts. No matter how strong a password is, if the systems it is stored on are compromised, then alternate authentication methods become an absolute necessity, especially for high-value personal accounts (banking and email) and critical work systems (corporate VPNs and email).

The Gold Standard: Multi-Factor Authentication (MFA)

MFA is the practice of using more than one medium of identification to grant access to systems, software, and websites. It is often also called 2FA, or 2-Factor Authentication, because at its essence, two of three potential unique factors are used to identify an individual. Those three basic factors are:

  1. Something you know – username/password
  2. Something you have – numerical code from an SMS message, app, or smart-token
  3. Something you are – a fingerprint, retina, voiceprint, typing recognition

How This Helps:

If, and most likely when, a breach occurs on a password storage system like LinkedIn or a dozen other examples, this second factor will keep your account secure. With a dynamically created temporary code from an app on a smartphone, only the person holding that short-lived code can complete the sign-in process, because the hacker with the stolen password will not have this one-time code (aka the 2nd factor). Many popular websites and business applications support MFA/2FA. Microsoft, Google, Facebook, and most banking websites can have MFA/2FA enabled, along with numerous other applications and websites.

Now is the time to implement the gold standard of authentication (MFA/2FA) on all your critical email, banking, and remote access accounts. Passwords are simply not enough anymore.