Your Passwords Are Lame

cybersecurity Feb 20, 2018

A national survey from Common Sense Media found that adults spend over nine hours each day in front of various screens – including computers, tablets, phones and televisions. I will confess that the first thing I do upon waking is grab my phone and check message notifications, news feeds, and the occasional startled cat video from Reddit. It seems that online is the new default setting for the world.

During a recent holiday break from school, my kids spent a lot of time blissfully adding to this staggering statistic with a mixture of Spotify, Netflix, Xbox Live and various MMOs. All was right with the world until an unexpected power outage in the neighborhood brought things to a screeching halt. I’m not sure I have ever seen such looks of dismay-edging-toward-terror on their young faces. They have always existed during a time in which being unplugged from the web is an unimaginable state.

Security Concerns

With our ever-increasing screen time and desire for continuous web access, it’s not hard to see why security becomes a concern. In a Centrify study, a quarter of surveyed respondents said they entered a password online more than ten times per day – that’s potentially over 3,650 times per year. The unfortunate truth is that the most basic recommendations about cybersecurity aren’t getting through to the average user. Nearly two-thirds of adults with a social media account say their accounts have been compromised. Studies have found that 90% of employee passwords can be cracked within only six hours.

Set human error aside for a moment, and we still have to deal with data breaches that are entirely out of our control. Most are familiar with the Equifax breach, which was revealed earlier this month to be much more damaging than initially thought. Yahoo parent company Verizon revealed that in 2013, every single Yahoo account was hacked – three billion in all.

I could go on and on with frightening statistics about poor password management, and the handling of our personally identifiable information by large corporations, but I digress. The underlying question is, how do we battle against data breaches, phishing attempts, and general human error? Experts say that passwords are simply a memory test, and one that we are most epically failing. Let’s face it, your passwords are probably lame. An important step toward mitigating this risk is multi-factor authentication (MFA).

Multi-Factor Authentication (MFA)

MFA is a login method that requires successfully presenting multiple pieces of authentication before being granted access to an account. A subset of MFA is 2FA, or two-factor authentication. Think about your bank ATM as a good example of 2FA. You are required to have two factors before you can receive cash from your account – your ATM card and your PIN. 2FA is becoming quite common among most large online companies that you are familiar with: Apple, Google, Facebook, Twitter, and Instagram, just to name a few. If you have experience with this, you know that you can set up your account to require a verification code each time you log in. This code is typically delivered by an SMS text message but can also come through email or a standalone authenticator application.

When I worked for a healthcare-focused MSP, I was required to use MFA heavily to stay within HIPAA compliance guidelines. When consulting and implementing new network solutions, we advocated that our clients enforce MFA for their employees as well. For example, many of our clients utilized the SSL VPN function of their Cisco security appliances, allowing employees to connect to corporate resources while offsite. We worked with them to integrate Duo Mobile 2FA with their Cisco AnyConnect client. After entering their username and password into the VPN client, the employee was notified through the Duo Mobile smartphone application that there had been a connection attempt. They were presented with the option to approve or deny the connection attempt, which would time out shortly if no input was given. This required them to have two factors – something they knew (username and password) and something they had physical access to (their smartphone). If either piece was missing, their VPN connection could not be completed.

Protect Your Accounts

If you’re not sure whether your online services have MFA or 2FA capabilities, there is a searchable database available for quick reference. PC Mag also published a list of popular services that have 2FA, including instructions on how to set up authentication for each, which can be found here.

While we know that no method is completely secure, MFA is certainly an improvement upon traditional password-only logins. I encourage you to test out some popular MFA applications, such as Google Authenticator, LastPass, Yubico, and Authy (my personal favorite). It’s a great idea to enable this extra layer of security on all your supported accounts, the list of which is growing daily thanks to the support of the security community. While you’re at it, you should probably make sure yours isn’t on the list of the world’s most common passwords. It’s on a sticky note under your keyboard, isn’t it? Don't worry, you're in good company.

All the best,

Charles Judd - Instructor
CCNA R/S, BS Network Security