Sunday, March 19, 2017

About passwords and 2FA

If you are like most users, you have a dozen or more userids and passwords on various services such as Google, Facebook, Yahoo, etc.  It gets pretty complicated remembering all of these. So what is the security-savvy user to do?

What you DO NOT want to do is use the same set of userid/password credentials for multiple systems!  The reason is simple: if your credentials are stolen from one system, the hackers will try them on other systems, such as social network sites or bank sites.

According to a recent article in The Hacker News, over 1 million sets of Yahoo and Google credentials are available on the dark Web. Information gleaned from these sites can then be used in various ways, such as creating spear phishing attacks.

One of the best methods for protection is 2FA, or Two-Factor Authentication. This requires a second method of authentication, such as a code sent by SMS to a cell phone. Some services, such as Google, provide for 2FA as an option.

Another popular approach is to use a password manager program.  These programs are like an encrypted database.  Here is a link to an article about the best password managers of 2017.

Yet another simple approach is to write them into a notebook and carry that with you. Or create a text file with the various credentials, print one or two copies to keep in safe places, then encrypt the file using Zip or some other method and store it on the cloud.  If you lose the paper copies or want to make a change, you can retrieve the encrypted file from the cloud and edit or print it. Now you only need to remember the decryption key and your cloud credentials.

Your choice of password is also very important. Stupid passwords are easy to crack. One very simple attack is to hash the most common passwords and compare the results with a giant leaked file of hashed passwords.  You are likely to get at least a few hits.

Instead of a password, use a pass phrase. A simple sentence such as "I love hash browns with ice cream" can be extremely hard to crack. So how do you remember the phrase? Take your favorite poem, short story, or song. Use a line from it as the pass phrase, and let the userid serve as a hint for which line you chose. Avoid extremely popular pieces such as the Bible. You might also employ the approach of changing some characters to others, such as 4 for a, 0 for o, etc. A simple algorithm for this is easy to remember.

To give an example, my home network has WPA2 PSK for security. I have seen methods for cracking WPA2 PSK, but they rely on having a password of 12 characters or less, otherwise the time involved is too great. So my pass phrase is 27 characters. When I travel I turn the router off, but that is a story for another day!
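The three points above (common-password hashes matched against a leaked dump, the lyric-with-substitutions pass phrase, and the WPA2 PSK length rule) as one small self-audit script. This is an added example, not code from the original post; the password list and the "leaked" hash set are constructed stand-ins, and the substitution table covers only the two swaps the post names.

```python
import hashlib

# Constructed list of weak, frequently chosen passwords (illustrative only,
# not a real wordlist). A cracker hashes these first, as the post describes.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1, the way many old credential dumps stored passwords."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked hash file: two weak picks from the list
# above plus two entries that are not in it, so not every hash matches.
LEAKED_HASHES = {
    sha1_hex("password"),
    sha1_hex("letmein"),
    sha1_hex("x7Qp!zL2wR"),                 # constructed, not in COMMON_PASSWORDS
    sha1_hex("blue kettle over the moon"),  # constructed pass phrase
}


def common_password_hits(leaked: set) -> list:
    """The check the post warns about: which common passwords are in the dump?"""
    return [p for p in COMMON_PASSWORDS if sha1_hex(p) in leaked]


# The post's simple substitution rule: 4 for a, 0 for o.
SUBSTITUTIONS = str.maketrans({"a": "4", "o": "0"})


def passphrase_from_lyric(lyric: str) -> str:
    """Turn a memorable line into the pass phrase actually typed."""
    return lyric.translate(SUBSTITUTIONS)


def wpa2_psk_length_ok(passphrase: str) -> bool:
    """WPA2-PSK accepts 8 to 63 characters; the post wants more than 12
    so that the short-password cracking methods it mentions do not apply."""
    return 12 < len(passphrase) <= 63


def audit(candidate: str, leaked: set) -> dict:
    """Self-audit of one candidate: is it common, already leaked, long enough?"""
    return {
        "in_common_list": candidate in COMMON_PASSWORDS,
        "in_leak": sha1_hex(candidate) in leaked,
        "wpa2_length_ok": wpa2_psk_length_ok(candidate),
    }


if __name__ == "__main__":
    print("common passwords found in dump:", common_password_hits(LEAKED_HASHES))
    phrase = passphrase_from_lyric("I love hash browns with ice cream")
    print(repr(phrase), audit(phrase, LEAKED_HASHES))
```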
