There is no good reason anymore to log in to popular apps like Facebook, Dropbox, LinkedIn, Mailchimp, Twitter, Gmail, Yahoo, etc. with only a username and password. All of these services offer strong multi-factor authentication for free. Once you have set it up for these apps, you will see that it is quite user-friendly.
Remember that the holy grail for hackers is your email account. Why? Because once they have access to your mailbox, they can request password resets for every app you registered with that email address and intercept the reset links. Consider protecting at least your mailbox with multi-factor authentication today.
Secure Passwords Reality Check, An Inconvenient Truth
It is amusing to see how some security experts are still trying to convince people to create a unique secure password for each website. On top of that, each password should contain lowercase AND uppercase letters AND numbers AND a special character AND be at least 10 characters long. To make things even worse, you should change these passwords every 3-6 months or so. Yeah right… Are you kidding me? And how am I supposed to type such a password on a smartphone mini-keyboard? It seems impossible. If you want to follow this advice, you had better use a password vault like 1Password, LastPass or KeePass.
While creating secure passwords is good advice, the evidence shows that few people follow it. It is just too hard to manage. With the number of passwords we need every day, this is hardly a user-friendly approach, and security only works if it is also user-friendly. The reality is:
- Humans are not good at following a password strength discipline.
- People re-use passwords across sites; most of us are guilty. We simply have too many accounts to manage.
- Complexity requirements are irrelevant when your password is captured by a phishing email or by malware: the attacker gets the whole password, however complex it is.
- Complex passwords annoy you more than they hinder hackers, who automate their attacks.
- Complex passwords of the kind those security guys recommend are just not practical, because they are nearly impossible to type on a smartphone.
- Lowercase passwords without complexity requirements are fine as long as they are long enough (12-14 characters) and randomly chosen rather than dictionary words: extra length adds more entropy than extra character classes.
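The claim that length beats character classes can be checked with a few lines of arithmetic. The following is an added example, not from the original post: it compares the "complex" 10-character policy with random lowercase passwords of 12 and 14 characters and with dictionary-word passphrases, using an assumed guess rate of 1e10 per second (a GPU rig against a fast, unsalted hash; the page quotes no such figure).

```python
import math

# Character-set sizes assumed for the comparison; the page quotes none.
LOWER, LOWER_UPPER, ALNUM, FULL_ASCII = 26, 52, 62, 94


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password whose characters are picked uniformly at random."""
    return length * math.log2(charset_size)


def phrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase built from words picked at random from a word list.
    Letter count is irrelevant here: the attacker guesses words, not letters."""
    return words * math.log2(dictionary_size)


def expected_crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to exhaust the space (half of it on average) at a given guess rate.
    1e10/s is an assumed figure for a GPU rig against a fast, unsalted hash; against a
    slow hash such as bcrypt or scrypt the rate is orders of magnitude lower."""
    return (2 ** bits) / 2 / guesses_per_second / (365 * 86400)


def policy_table():
    """Compare the policies discussed on the page; returns rows of (label, bits, years)."""
    rows = [
        ("10 chars, full ASCII (the 'complex' policy)", entropy_bits(10, FULL_ASCII)),
        ("12 lowercase, random", entropy_bits(12, LOWER)),
        ("14 lowercase, random", entropy_bits(14, LOWER)),
        ("2 dictionary words (~14 letters)", phrase_entropy_bits(2, 10_000)),
        ("4 diceware words (7776-word list)", phrase_entropy_bits(4, 7_776)),
    ]
    return [(label, round(bits, 1), expected_crack_years(bits)) for label, bits in rows]


if __name__ == "__main__":
    for label, bits, years in policy_table():
        print(f"{label:45s} {bits:6.1f} bits  ~{years:.3g} years")
```

Two things the table shows that the bullet above does not: 14 random lowercase characters (65.8 bits) slightly exceed 10 characters drawn from all 94 printable ASCII characters (65.5 bits), but 12 lowercase characters (56.4 bits) fall well short, so the lower end of the 12-14 range is marginal against offline cracking of a leaked fast hash; and two dictionary words glued together, although 14 letters long, have only about 27 bits, which is why "random" is the operative word.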
Secure passwords don’t protect you anymore.
To make things even worse, following all these password complexity requirements no longer keeps your digital identities safe in today's cyber world. You need some form of stronger, multi-factor authentication (MFA). With multi-factor authentication a stolen password alone is no longer enough to log in. Other terms commonly used for multi-factor authentication are two-factor authentication (2FA) and 2-step verification. With multi-factor authentication you no longer need to care so much about having different, complex passwords everywhere and changing them all the time.
How hackers steal your passwords
Hackers are constantly developing new techniques to steal usernames and passwords. One is to break into the IT infrastructure of organizations large and small and steal a large set of credentials directly from the application's database, usually as password hashes that are then cracked offline, so short or common passwords are recovered quickly. There is plenty of proof that this has been happening on a large scale, with millions of stolen accounts from Dropbox, Yahoo, etc. There is nothing the user can do about this; it will keep happening. Stolen password databases are the reason experts say you need a different password for each app: a password cracked from one breach is immediately tried against every other popular site.
But everyone is also directly targeted with email phishing scams that lure people into entering their passwords on fake websites that look just like the real websites of Facebook, Gmail, LinkedIn, your organization, etc. A password vault and unique strong passwords do not protect you here; only multi-factor authentication will. Even then, a one-time code typed into a phishing page can be replayed by the attacker while it is still valid, so treat the code as something you only ever type into the real site.
Time to choose stronger, multi-factor based authentication
Multi-factor or two-factor authentication requires you to enter an additional code that is generated uniquely each time you log in. The two most popular free approaches are SMS-based codes and codes from an authenticator app such as Google Authenticator, which computes a time-based one-time password (TOTP) from a shared secret and the current time. In both cases it is best to use your (smart)phone for this. Nowadays most people have a phone with them constantly, so that is no longer an issue.
Sounds like a difficult procedure to follow? It would be, if you had to enter username, password and the extra code every time you log in. That is why many popular apps take a hybrid approach: they recognize the devices you have authorized, so you only need the extra two-factor code when you use a new device or change important settings.
With multi-factor authentication based on device recognition you have dramatically shrunk your attack surface compared to password-only login:
- No one can log in to your account from a new device or browser, even if they have stolen your username and a password that you may re-use on other sites.
- Hackers must now specifically infect one of your approved devices to get into your account without a one-time (SMS) code.
- Hackers must now be able to steal your SMS-based one-time codes before they can change your password or other important settings. This is not so easy to do, although not impossible either: SIM-swap fraud and real-time phishing of codes do happen, so prefer an authenticator app over SMS where the service offers it.
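To make the two mechanisms above concrete, here is an added example of the server side of such a login, written for this page and not taken from the original post or from any of the services it names. It implements the code an authenticator app generates (HOTP per RFC 4226 and TOTP per RFC 6238, checked against the RFC test vectors), and the hybrid approach: after one full login with a code, the server hands the browser a signed "trusted device" token, so later logins from that device skip the code, while sensitive changes always demand a fresh one. The user record, salt, device identifiers and server key are constructed for the demo; the TOTP secret is the RFC 6238 test-vector secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct

# --- second factor: HOTP / TOTP, what an authenticator app computes ---------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift;
    anything older is rejected, so a code captured earlier is useless later."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


# --- device recognition: a signed token handed out after a full MFA login ----------

SERVER_KEY = secrets.token_bytes(32)  # per-deployment signing key (constructed for the demo)


def issue_device_token(username: str, device_id: str, now: int,
                       ttl_days: int = 30, key: bytes = SERVER_KEY) -> str:
    """Token = base64(claims) '.' HMAC-SHA256(claims); bound to user and device, time-limited."""
    claims = {"u": username, "d": device_id, "exp": int(now) + ttl_days * 86400}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def device_is_trusted(token, username: str, device_id, now: int,
                      key: bytes = SERVER_KEY) -> bool:
    """Valid only if the signature checks out and user, device and expiry all match."""
    try:
        body, tag = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["u"] == username and claims["d"] == device_id and claims["exp"] > int(now)


# --- the hybrid login flow ---------------------------------------------------------

PBKDF2_ROUNDS = 100_000
USERS = {  # constructed sample user; the TOTP secret is the RFC 6238 test-vector secret
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery",
                                       b"constructed-salt", PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",
    }
}


def login(username, password, now, code=None, device_id=None, device_token=None):
    """Returns (ok, reason, device_token). A stolen password alone never gets past step 2."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user", None
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False, "bad password", None
    if device_token is not None and device_is_trusted(device_token, username, device_id, now):
        return True, "trusted device, second factor skipped", device_token
    if code is None or not verify_totp(user["totp_secret"], code, now):
        return False, "second factor required", None
    return True, "full login", issue_device_token(username, device_id, now)


def change_sensitive_setting(username: str, code, now: int) -> bool:
    """Step-up: important changes always require a fresh code, trusted device or not."""
    return code is not None and verify_totp(USERS[username]["totp_secret"], code, now)


if __name__ == "__main__":
    t = 59  # RFC 6238 test-vector time: the app would show 287082 for this secret
    print(login("alice", "correct horse battery", t))                   # password only: rejected
    ok, why, tok = login("alice", "correct horse battery", t, code="287082", device_id="laptop-1")
    print(ok, why)                                                       # full login, token issued
    print(login("alice", "correct horse battery", t + 3600, device_id="laptop-1", device_token=tok))
    print(login("alice", "correct horse battery", t + 3600, device_id="phone-9", device_token=tok))
```

The points of design worth noting: the device token is bound to both the user and the device identifier and carries an expiry, so a token lifted from one browser does not authorize another, and an attacker holding only the password is stopped at the "second factor required" step no matter how the password was obtained. A real deployment would store the device identifier in a long-lived cookie, use per-user scrypt/argon2 parameters rather than the fixed PBKDF2 shown here, and persist SERVER_KEY rather than regenerating it on each start.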