Are You “The Weakest Link” in Your Company’s Security Chain?


By: Dan Bremner

A few weeks ago, Mark Zuckerberg made headlines in an embarrassing way: his LinkedIn password, which was likely stolen as part of a widespread LinkedIn password breach, was used to "hack" into his Twitter and Pinterest accounts. (Change your LinkedIn password now if you haven't already done so.) If the widespread reports are accurate, Mr. Zuckerberg violated several principles of good password management: (1) don't reuse the same password on multiple sites; and (2) use complex passwords with upper/lower case letters, numbers, and symbols. (Reportedly his password was "dadada".)

The harsh reality is that despite spending thousands of dollars on security appliances, software, and firewalls to keep your company's information secure, your defenses are only as good as the weakest link, the easiest one to break. For many companies, the easiest way in is to guess a password and swing the door to your corporate fortress wide open.

The Zuckerberg story is newsworthy only because he's the CEO of Facebook; otherwise it's not too surprising to learn that an executive used the same insecure password for multiple sites. It happens far more often than IT directors and security professionals would like to hear, and it underscores a major problem for modern computer security:

Passwords are hard

Let's put that a different way. Passwords, as most people think of them, aren't very secure. Before the computer age, when passwords were spoken to another person, sure, they worked okay. But modern technology requires complex and unique passwords in order to be truly secure. That makes them hard to remember, which makes it less likely we'll do it right.

It turns out that we humans are really bad at dealing with all our passwords, and a lot of us not only repeat our own passwords across different sites, but many of us use the same passwords that other people do. A recent study of over 11 million passwords found that the 20 most popular passwords account for 10.3% of all logins. In fact, on average, if you just tried "1234", "12345", and "123456", you could log into about 5.5% of the accounts in the study. Add the word "password" as a password, and you've now covered 6.8% of all passwords in use. Ironically, the more complex the password, the harder it is for us to remember, and the more likely we are to reuse it. But reusing passwords means that a password breach at a single site could result in hackers getting access to many of your accounts.

Source: https://www.skyhighnetworks.com/cloud-security-blog/you-wont-believe-the-20-most-popular-cloud-service-passwords/

Sometime last year, I realized that my ever-growing list of personal online accounts was getting too hard to manage. There were far too many for me to remember unique passwords for each one, much less unique and complex passwords for each. I was concerned that if someone got my password to one site, I might have my account hacked across many sites since I was reusing passwords, much like what just happened to Mark Zuckerberg. Not a good situation.

One Solution - Only Remember A Single Password

I decided to start using a password manager. There are many out there, but the two I've had experience with are LastPass and 1Password. Each has its pros and cons, but both work pretty well, at least for my purposes. I install a browser plugin, and as I go around and log into sites, or create new accounts on sites, the password manager offers to remember my logins. Next time I go to the site, the password manager can automatically log me in using the saved credentials. Both also have mobile apps that work with your phone's browser, and with some apps, and keep passwords in sync across your devices.

Now I use the built-in password generator to create long and random complex passwords like "-^wiUMHIge4m7P0!" that I don't have to remember. In fact, I don't know my password for the majority of the 200+ logins I have stored. That's good - as long as I remember my password for 1Password or LastPass. That last bit is important, because forgetting your "master" password makes your other passwords unrecoverable. And keeping your "master" password secure is critical to keeping your entire online identity out of the wrong hands.
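The generator built into a password manager does two things the paragraph above relies on: it draws characters from a cryptographically secure random source, and it produces a mix of upper/lower case, digits and symbols. The Python below is an added example (not code from 1Password, LastPass or this article) that does the same with the standard library's `secrets` module, and adds the checks a defender would apply to a candidate password: length, character classes, reuse across accounts, and membership in a small denylist constructed here from the weak passwords the article quotes ("1234", "12345", "123456", "password", "dadada"). The function and parameter names are my own.

```python
from __future__ import annotations

import math
import secrets
import string

# Character classes the article recommends mixing into every password.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())

# Constructed denylist: the weak passwords quoted in the article. A real
# deployment would load a large breached-password list instead.
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "dadada"}


def generate_password(length: int = 16) -> str:
    """Return a random password drawn from the OS CSPRNG via `secrets`,
    rejecting candidates that miss any character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def entropy_bits(length: int) -> float:
    """Bits of entropy for a uniformly random password of this length
    over ALPHABET (ignoring the tiny loss from class-rejection)."""
    return length * math.log2(len(ALPHABET))


def missing_classes(password: str) -> list[str]:
    """Names of the character classes that do not appear in `password`."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def check_password(password: str,
                   previously_used: set[str] | frozenset[str] = frozenset(),
                   min_length: int = 12) -> list[str]:
    """Return a list of policy problems; an empty list means it passes.
    `previously_used` models the manager's vault: reuse is a problem too."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if password in previously_used:
        problems.append("reused from another account")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name in missing_classes(password):
        problems.append(f"no {name} character")
    return problems


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"({entropy_bits(16):.0f} bits)", check_password(pw))
    print("dadada ->", check_password("dadada"))
```

Note that `secrets.choice` is used rather than `random.choice`: the `random` module is a non-cryptographic generator and is the wrong tool for anything that becomes a credential. A 16-character password over this alphabet carries roughly 100 bits of entropy, which is why it need not be memorable.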

Something you know, Something you have, Something you are

Password managers are a great solution to today's mess of passwords and online logins. But as the industry progresses, advances in authentication may make them less important. The field of Identity and Access Management (IAM - of course you knew it had to have a 3-letter acronym!) is a growing one, concerned with figuring out who you are and what you should have access to.

Two-factor or multi-factor authentication is becoming increasingly popular as password breaches become more common. The idea is that you need to provide multiple "factors" to prove who you are, where factors are grouped into three categories:

1. Knowledge Factor: Something you know (password, security question, PIN, etc.)
2. Possession Factor: Something you have (key, dongle, token generator, cell phone)
3. Inherence Factor: Something you are (fingerprint reader, retina scanner, voice or facial recognition)

Many sites now offer multi-factor authentication that you (or your administrators) can optionally turn on. Many times this comes in the form of entering a password, then receiving a text message to your phone, and entering the code that was texted to you. By combining something you know (password) with something you have (mobile phone), the site can be more assured you are really you, and at the same time, if your password is found out, it's still impossible for a hacker to impersonate you unless they can also receive the text message to your phone.

Additionally, technologies like TouchID on Apple devices and Windows Hello on Windows devices are making use of biometric factors. Windows Hello is a technology framework built into Windows 10 that can incorporate fingerprint or facial recognition to grant access to your computer/device. It's a pretty amazing experience to sit down at your desk, look at your screen and have your computer unlock automatically because it recognizes your face.

Don't be the weakest link

While I fully expect biometric and multi-factor authentication to become more common, the basic password authentication mechanism isn't going away anytime soon. Until it does, I highly recommend getting - and using - a good password manager like 1Password or LastPass to store your logins. And then go replace those simple passwords with randomly generated ones. By doing so, you'll close the largest gap in online security.

If you have comments, security questions, or would like to discuss your company's security, drop me a line at [email protected].