Two-Factor Authentication

Let’s chat about multi-factor authentication. Many years ago, having a single simple password for all your sites was common practice. As the Internet has grown up, so have the mischievous behaviors of others. Today you must enable multi-factor authentication wherever possible; I strongly urge you to do so. The headache of dealing with a lost or taken-over account is a major pain! Depending on the account, it could be financially or emotionally painful.

Call to Action

First – Ensure you have multi-factor enabled on your email account. Why, you may ask? Most websites allow you to reset your password by sending you an email. This makes your email account one of the most valuable passwords you have.

Second – Ensure the sites you shop at are using multi-factor; think Amazon, Walmart.com and others.

Third – Ensure your social media accounts have multi-factor enabled. Who wants someone to get hold of their social media account and send wild things to all your friends, or take over your identity?

Finally – As you visit sites and notice you don’t have multi-factor, make sure you enable it if possible.

Want to know more?

The idea of two-factor and multi-factor authentication falls into several categories, and you must combine two or more of them to be multi-factor.

Something you know: in this case a password or PIN code.

Something you are: think fingerprint, facial ID or retina.

Something you have: think a phone receiving a text message, a time-based fob or code, a YubiKey, or a key card. Something to think about with the “something you have” factor is how easily someone else could gain access to that item. Most modern time-based one-time token applications, such as Microsoft Authenticator, can require Face ID or a password before showing the code; this helps secure the something we have, giving it a higher assurance level.

Here is a great write-up from CISA, America’s Cyber Defense Agency: https://www.cisa.gov/MFA

Let’s chat about passwords.

So I imagine you are thinking to yourself, awesome, another post about passwords… Well, you are correct, it is another post about passwords. So what is the big deal about passwords, and how do we make our passwords better?

If you are like me, every time you turn around you find yourself watching or reading about some data breach, and how the whole world now seems to be on fire. At which point you ask yourself if you should sell everything and run away. Does this specific data breach actually impact you? The not-so-simple answer is maybe; IMO, even if this breach did not get you, the next one may.

A few things affect whether the xyz breach will impact you; some of them you can control, others not so much, since you are the user of someone else’s program. (At the time of this post, Apple had just made two relatively cardinal sins in the programming world with their blank super user password bug.)

  • Do you do business with the company whose data was breached, or did they make a business of your information?
    • Think Yahoo and LinkedIn – Did you have accounts?
    • Think Equifax – Did they have information on you that you may or may not have purposefully given permission to?
    • Maybe that school PTA website that you bought a yearbook at.
  • How did that company store your data?
    • Is it encrypted?
    • Was it stored in plaintext? (Just like what you are reading now.)
    • What data did they have? Was it all the data needed to assume your identity?
  • Did you create a password that was unique for that site?
  • Did you create a unique username?
  • Could a neighbor guess your password?
  • Is your password something we could find in a dictionary?

Passwords are big business for those who deal in identities. There are ways our passwords get out that we are not in control of, and in those cases we hope the companies start to design with security and privacy in mind. So what can we do?

First, let’s chat about the value of unique random passwords. Suppose you were able to remember a single really amazing password. I say you would be lost already: if you used that password on one of the sites we chatted about that did not secure their site or data well, then your password, strong or not, is now available to the world.

(Solution) Use unique passwords for every site where you have an account set up.

What makes a good password:

  • Length – A password should be at least 12 characters. When we go with the old standby of 8 characters, brute-force attacks win in no time at all (30 seconds is the generally accepted amount of time). Wikipedia has a good article about strong passwords.
  • Characters – Use a mix of alpha characters, both upper and lower case, and make sure you have numbers and special characters. Tip: if a site says you have to have two numbers, don’t put them at the end of your password, and please don’t make them your birth year.
  • Entropy – A random collection of characters is harder to break than your daughter’s baby doll’s name or your dog’s name and the year your dog became part of your family.
    • Password Managers – There are many good password managers out there; some of the big ones include LastPass and KeePass. Both are great, but depending on how you plan to use them, one is much better than the other. If you only ever use one computer and never share your passwords, IMO KeePass is the better choice; it is free and you control your destiny. If you are like me and share passwords with a spouse and have many devices, then a cloud-based solution like LastPass might be for you.
      • In both cases, each password manager can create random, long passwords for every password you need.
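As an added illustration of the length, character and entropy points above (this is example code written for this page, not taken from the post or from LastPass or KeePass), the following does three things: computes the entropy of a uniformly random password from its length and alphabet size, generates a password the way a password manager does (from the OS random source, with every character class present and the positions shuffled so mandatory digits do not predictably sit at the end), and flags the weak habits the post warns about. The entropy formula only applies to genuinely random passwords; a pet name plus a year is drawn from a tiny set of guesses, whatever its length.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS, SYMBOLS = (
    string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation
)
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet size).
    8 chars of [A-Za-z0-9] is about 47.6 bits; 12 chars of all printable ASCII about 78.7."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG (secrets), guarantee one character from each class, then
    shuffle with a secrets-driven Fisher-Yates so no class sits at a predictable position."""
    if length < len(ALL_CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(ALL_CLASSES)
    chars = [secrets.choice(cls) for cls in ALL_CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def password_issues(pw: str) -> list:
    """Flag the habits the post warns about. Returns an empty list when none are found."""
    issues = []
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    for name, cls in (("lowercase", LOWER), ("uppercase", UPPER),
                      ("digit", DIGITS), ("symbol", SYMBOLS)):
        if not any(c in cls for c in pw):
            issues.append(f"no {name} character")
    # Numbers bolted on at the end, and especially a four-digit year, are the first
    # things a guessing tool tries after the base word.
    if len(pw) >= 4 and pw[-4:].isdigit() and 1900 <= int(pw[-4:]) <= 2099:
        issues.append("ends with what looks like a year")
    elif len(pw) >= 2 and pw[-2:].isdigit():
        issues.append("digits tacked on at the end")
    return issues


if __name__ == "__main__":
    print("8 chars alnum :", round(entropy_bits(8, 62), 1), "bits")
    print("12 chars full :", round(entropy_bits(12, 94), 1), "bits")
    print("Fluffy1984    :", password_issues("Fluffy1984"))
    candidate = generate_password(20)
    print("generated     :", candidate, password_issues(candidate))
```

Run it and compare the entropy figures: going from 8 to 12 characters and widening the alphabet roughly adds 30 bits, which is a factor of about a billion more guesses for a brute-force attack. That is the whole argument for letting the manager pick the password rather than you.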

If you enjoy reading about passwords, I think this one is a good read: Password Cracking. Or, if you prefer, watch this YouTube video and you may go out and change all your passwords now.