Authentication Blog Post

a guest
Dec 9th, 2018
It's almost 2019. While you're contemplating a New Year's resolution, take a minute to review your digital safety and privacy. This article is the first in a series that will walk through different aspects of your digital life and go over simple steps you can take to better secure it.

This article in brief:
- Multifactor authentication combined with a decent password yields the largest security gains for your digital life. Many second-factor methods are free.
- Your email can be used to reset the passwords of your other accounts, so take stringent measures to prevent it from being compromised (a g-o-o-d password and a second factor of authentication).
- Use unique and complex passwords to secure your online presence. Having trouble keeping track of and remembering them all? Use a password manager. Think your passwords are unique? Check whether a password of yours has been leaked in a previous data breach.

Authentication:
Our online presence is siloed into accounts spanning different functions: shopping (Amazon), social media (Facebook), content aggregators (Reddit), and email. All these accounts have authentication measures to determine that you are who you say you are. Most, if not all, accounts are protected by a challenge based on something you know: a predetermined password you supply to a website while setting up your account. The integrity of any given account is dictated by the robustness of your chosen password and any additional protections you configure.

Passwords:
Accounts are often compromised by hackers using dictionary and brute-force attacks. These attacks attempt to crack your password through methodical, automated enumeration of characters and common passwords. Importantly, these attacks become exponentially more taxing computationally with each additional character of password length: each character adds orders of magnitude to the computational power required to crack the password.

Attackers use human laziness to their advantage, usually trying passwords from a list of common passwords one by one. P@ssword! has 9 characters but is significantly easier for an attacker to crack with a dictionary attack than a password like s3cur_Pass. When companies get breached, their users' passwords usually get dumped on the clear and dark web for all to see. Hackers rely on the human tendency to use common passwords and to reuse passwords across several accounts. By steering clear of the common passwords that are leaked in data breaches, you make yourself more secure. By using different passwords across your accounts, you reduce the risk of total digital compromise. E.g. the breach of your 15-year-old Neopets account does not mean that your online banking password is compromised.
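As an added example (not from the original post), a small Python checker that mirrors the two attack classes just described: it undoes common character substitutions before looking a password up in a constructed mini wordlist, and it computes the brute-force search space, so that P@ssword! is flagged as a dictionary hit despite its length while s3cur_Pass is not. The wordlist and the substitution table are assumptions for the demo, not real attacker data.

```python
import math
import string

# Constructed stand-in for a leaked-password wordlist (assumption: a real attacker
# list has millions of entries, which is why undoing substitutions matters).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "neopets"}

# Leetspeak substitutions that cracking tools apply as cheap "mangling rules".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})


def normalize(pw: str) -> str:
    """Strip trailing/leading digits and symbols, then undo substitutions:
    P@ssword! -> password, Password123 -> password."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def in_dictionary(pw: str) -> bool:
    """True when the password is a mangled form of a common word."""
    return normalize(pw) in COMMON_WORDS


def brute_force_bits(pw: str) -> float:
    """log2 of the search space an exhaustive attack must cover, based on length
    and the character classes present; each extra character multiplies the space."""
    classes = 0
    if any(c.islower() for c in pw):
        classes += 26
    if any(c.isupper() for c in pw):
        classes += 26
    if any(c.isdigit() for c in pw):
        classes += 10
    if any(c in string.punctuation for c in pw):
        classes += len(string.punctuation)
    return len(pw) * math.log2(classes) if classes else 0.0


def assess(pw: str) -> dict:
    """A dictionary hit trumps nominal length: the brute-force figure is
    irrelevant when the password falls to a wordlist in seconds."""
    return {
        "length": len(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "dictionary_hit": in_dictionary(pw),
    }
```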

Some accounts are more important than others. Your PayPal account is much more valuable than your OpenTable account. In an ideal world, long, complex, and unique passwords would be used for each and every account a person has. Unfortunately, in reality few live up to that ideal. For those of us who don't, it is worth prioritizing the protection of certain accounts. Top-priority accounts to protect include:
- Your email: not only for the personal information and communications it contains, but because by cracking your email, attackers can gain access to all accounts registered with that email through the forgot-password reset feature employed by most websites and services.
- Social media that authenticates you to other accounts (like using your Facebook account to log into your Spotify account).
- Sites that hold your payment card information.
- Sites that hold identifying personal information or private communications with others.

What to do to protect yourself online:
- Use sufficiently strong passwords. Ideally, these are dozens of characters of random gibberish. However, this is pretty much impossible without using a password manager. To make a strong, memorable password, use a long phrase or song lyric with numbers and symbols interspersed throughout it.

- Use a password manager. A password manager securely stores your passwords, allowing you to create unique, strong passwords for each of your accounts. All you have to remember is a single password that unlocks access to the others (please make it a good one). Many password managers help users create long and complex passwords for their accounts. Some have browser plugins that autofill passwords as you need them, which is more convenient than typing them in every time. Two of the best-known password managers, LastPass and 1Password, are subscription services with affordable monthly fees. KeePass is a free, open-source option for more technically savvy users.

- Test password uniqueness. Security researcher Troy Hunt created a website that tracks leaked passwords from data breaches. He has made it freely searchable, allowing users to check whether any of their passwords have been previously used and cracked. By checking your current passwords against haveibeenpwned.com, you can ensure you do not fall victim to the dictionary attacks hackers employ. 1Password will automatically check your passwords against haveibeenpwned.com and inform you if a password you use has been cracked previously.
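The haveibeenpwned.com Pwned Passwords lookup works without sending your password anywhere: only the first five hex characters of its SHA-1 hash go to the server, which returns every suffix in that bucket, and the comparison happens on your machine. As an added example (not part of the original post), the following Python code implements that k-anonymity check against a constructed stand-in for a server response; the extra suffixes and all counts in the sample are made up.

```python
import hashlib
import urllib.request
from typing import Tuple

# Real Pwned Passwords range endpoint; only used by check_online(), not by the offline demo.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-character prefix ever leaves your machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Network call: the server answers with 'SUFFIX:COUNT' lines for the whole prefix bucket."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_text: str) -> int:
    """Match the locally computed suffix against the bucket; 0 means not in the corpus."""
    _, suffix = split_hash(password)
    for line in range_text.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand and cand.upper() == suffix:
            return int(count)
    return 0


def check_online(password: str) -> int:
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


# Constructed stand-in for the bucket returned for prefix 5BAA6 (SHA-1("password") starts
# with 5BAA6). The first suffix is the real one for "password"; the others and every
# count are made up for the demo.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00A5C4D1DEF81644B54AB7F969B88D65A12:2
1D5F9A2B7C3E4F6A8B9C0D1E2F3A4B5C6D7:15
"""
```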

- Multifactor authentication: there are other methods of authenticating to gain access to your account beyond a pre-shared password. These include something you have, e.g. a smartcard, or something you are, e.g. a fingerprint or Face ID. Multifactor authentication provides extra layers of security. I strongly recommend that multifactor authentication be employed AT LEAST on your social media and email accounts.

- Not all two-factor authentication methods are created equal. They differ in convenience and in security. The most convenient and least secure, SMS, texts a 4-6 digit code to your phone to enter after your password. Other options include app-based authenticators, e.g. Google Authenticator or OpenOTP, and a push-button physical token like YubiKey's security solution. Any second factor is significantly better than none, but SMS texts are vulnerable to a common attack method. There are plenty of quality, free solutions available. If you were to take a single piece of advice from this article, this should be it: implementing a second factor of authentication for your accounts would yield the greatest increase in your personal cyber security.