PSA: Password Managers & Multi-Factor Authentication

First thing this morning I received a connection request on a social media platform from a person with whom I already am connected. More accurately, from a person trying to impersonate the person with whom I’m connected. It’s a common enough hacking occurrence these days.

This incident reminded me that after many years inside the technology world, I have learned a thing or two about optimizing personal online security. Though we will hopefully someday move beyond the use of usernames and passwords, today they are the primary mechanisms securing access to applications and other network-based services.

As such, they should be addressed and managed in such a way as to provide maximum security. Unfortunately, they are not. The majority of people out there do not choose complex passwords composed of random characters, numbers and symbols. Nor are their passwords usually long enough. The chosen password is often something like “dog name + kid’s name + how old I wish I still was”, and then written down on a Post-It note left handy to the keyboard. I’ve lost count of how many times I’ve found user passwords left on the desk, stuck to the monitor or under the keyboard in workplaces where security is supposed to be important.

To make matters worse, your average user keeps a list of three passwords that are rotated through every application and website used. Why? Because many sites allow for only three tries before the lockout occurs; if you only use three passwords, you’ll never get locked out.

There is a better way, and it’s called password manager software. These utility programs require the user to memorize only a single password or phrase. Once set up, the password manager application will track all of the individual passwords for the many separate sites used, and give the user the ability to automatically generate completely random, highly secure, unique passwords for all of their apps and services. These managers can also synchronize your passwords across all types of computer hardware: Android, Windows, iOS and more. Moving to a password manager isn’t the easiest project, for all of your applications, usernames and passwords need to be migrated into the system you choose. That can take a while, as will learning the ropes of the manager software itself. But it’s worth the effort.

There are many quality applications available. Search the Web for “password manager” and find the utility that works for you. Some are free and some come at a small cost. I highly recommend paying for this particular software, because one of the immutable Laws of the Internet states: If it’s “free”, then you are the product. It would also be smart to choose a password manager where you, the user, are in full possession and control of the encryption keys used by the software. If you’re the only person with the keys and your stuff is breached, the only one who could possibly be at fault is you.

Multi-Factor Authentication, or MFA, is a secondary authentication system used to further support the username & password access model.

MFA in operation is fairly simple. Once a user logs onto a service with their correct username and password, the logon process is suspended and a second routine (this is the “multi” in MFA) is started. The user is then contacted via an application, text message, email or phone call and asked to verify their login. Once verified, the user’s suspended logon sequence completes, and access to the service or application is granted. Popular MFA applications include Duo and Authy. There are many others. In some cases, there’s no choice in the MFA method. Many financial institutions prefer to text a code to your mobile phone, or send it to the email address on file.

Having a secondary authentication of this type can thwart access attempts by those who have compromised a user’s credential set. While they may have a username and password, they probably won’t have access to the method used for the secondary authentication. No secondary authentication, no access granted.
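The suspended logon and second verification step described above can be sketched in a few lines of Python. This is an added example, not code from the original post or from any MFA product; the `LoginService` class, its `deliver` callback, and the `CODE_TTL` and `MAX_ATTEMPTS` values are hypothetical and chosen for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a one-time code stays valid (assumed value)
MAX_ATTEMPTS = 3    # wrong codes allowed before the suspended logon is dropped (assumed)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    """Hypothetical service: password check first, out-of-band code second."""

    def __init__(self, deliver):
        self.users = {}         # username -> (salt, password hash)
        self.pending = {}       # token -> suspended logon awaiting the second factor
        self.deliver = deliver  # stand-in for the app, text message, email or phone call

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def start_login(self, username, password):
        """Step 1: verify the password, then suspend the logon and send a code."""
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[token] = {"code": code, "tries": 0,
                               "expires": time.time() + CODE_TTL}
        self.deliver(username, code)  # goes to the account owner's device, not the login client
        return token                  # no access yet, only a handle to the suspended logon

    def finish_login(self, token, code, now=None):
        """Step 2: grant access only if the delivered code comes back in time."""
        p = self.pending.get(token)
        if p is None:
            return False
        now = time.time() if now is None else now
        p["tries"] += 1
        ok = now <= p["expires"] and hmac.compare_digest(code, p["code"])
        if ok or p["tries"] >= MAX_ATTEMPTS or now > p["expires"]:
            del self.pending[token]   # single use; also dropped on lockout or expiry
        return ok
```

Someone holding only the stolen password gets a token back from `start_login` but never sees the code, so `finish_login` keeps returning `False` until the attempt limit discards the suspended logon.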

At the very least MFA should be used for your highly sensitive sites, applications and services. Almost all financial services sites offer MFA use, and using it with these critical sites and services would be a smart move.