Passwords

Replacing Passwords

I recently read this article from Bloomberg concerning the progress of technology that could help replace passwords for security access. Passwords have lots of problems, the foremost of which is that the average person isn't aware how vulnerable they are to password breaking or cracking.

The article discusses presence detection, voice recognition, facial recognition and other biometric measures, and while some of these technologies are promising, there are always people working tirelessly to break these technologies.

I personally believe we are a long way from getting rid of passwords. Essentially, even biometric measures just end up passing passwords behind the scenes, though the end user may not have knowledge of what that password is.

If we are a long way from getting rid of passwords, that means that our passwords are necessarily going to need to get longer and more complex, and thus harder to remember.

When I started out in the industry, it was standard that a 6 character password was nearly impossible to crack with techniques available at the time. In the 16 or so years that have elapsed since I graduated college, that safe number is more like 12 characters.

Best to practice safe secs.

Yahoo!

By now you've probably heard about the Yahoo! breach. This is almost certainly the largest known breach of passwords and user information of all time. What makes it worse is that the breach not only includes passwords and email accounts, but also security questions and answers.

If you've ever been a Yahoo! user, which I suspect is almost everyone reading this, you should first change your Yahoo! password and all your security questions and answers, but secondly, and this is very important, you should enable multi-factor authentication for Yahoo!, which provides a second layer of protection. You should actually enable multi-factor authentication for any service that allows you to do so, but especially for email accounts, banking and social media (the most likely targets of hacking).

The worst part about this is that it is likely Yahoo! has known about this for several months, and it may just be coming out now only because of the purchase of Yahoo! by Verizon.

Good luck, and please contact us with any questions.

Some advice about security questions

Security questions, typically used to recover a forgotten password, are a frankly unheralded hole in password security. Typical questions include your mother's maiden name, the street you grew up on, or your high school mascot.

It is very easy to see that these questions can be answered by almost everyone you know, and can easily be found out by people you don't really know if they look hard enough.

As a best practice, I recommend never answering these questions with the exact answer: either use a short phrase that you know someone else would not be able to guess, or use a random string of characters. Either way, you should already be using a password manager, which will then allow you to store the questions and the corresponding answers.

Check out this article from Wired for more background.

Remember, there is no one solution to the problem of password security; a multi-pronged approach is paramount.

All About Passwords

Passwords are a bit of a problem. Every day I hear new horror stories about massive website breaches and the theft of millions of username and password pairs. Some of the major sites that have been hit and have been in the news are LinkedIn, MySpace and Twitter.

Passwords are not the best / ultimate solution to security, but they are the best compromise we currently have in the debate of security vs. ease of use. I highly recommend my clients, family and friends use reliable password management software.

Here are the most basic, universal guidelines for password use in today's current climate of data security.

  1. Use a password manager! It will make the rest of the items on this list easier to accomplish. I need to track thousands of passwords and I also need to follow the very best practices as an IT expert. I have been using LastPass for 4 years and I highly recommend it. I used KeePass before that, it is also highly recommended and I still use it for certain things.
  2. Do not use the same password at multiple sites - in fact use a different password for each and every website / login you use. This is particularly true for email accounts, social media, and banking, the top targets for hackers. The reason behind this is that if you use the same username and/or password at multiple sites, and one becomes compromised, they are all compromised.
  3. Length is more important than complexity! A 16 character password that is all lowercase letters is several orders of magnitude more secure than a 10 character password that uses lowercase, uppercase, numbers and punctuation. This is due to the way passwords are cracked: a brute-force attack has to cover every combination, and each added character multiplies that search space by the alphabet size. The longer the password, the better. I recommend using the max allowable length at each site, where possible.
  4. Passwords should be hard to remember and impossible to guess. A long string of randomly generated characters is far safer than a short phrase and certainly more safe than your dog's name.
  5. Changing your password occasionally is a good practice, though not as important as it used to be.
  6. Use multi-factor authentication wherever possible and feasible; this is especially true for sensitive sites such as your password manager, email, banking and social media.
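To put numbers on item 3 (16 lowercase vs. 10 full-charset) and on the 6-vs-12 character comparison in the first post, here is an added example that is not part of the original posts. It computes the brute-force search space, entropy in bits and worst-case time to exhaust each shape of password; the guess rate is an assumed figure for a fast offline attack, chosen only so the shapes can be compared against each other. It also includes a small CSPRNG-based generator of the kind of random answer the security-questions post recommends storing in a password manager.

```python
import math
import secrets
import string

# Character classes a brute-force cracker has to cover (26 and 94 symbols).
LOWER = string.ascii_lowercase
FULL = string.ascii_letters + string.digits + string.punctuation

# Assumed guess rate for an offline attack on a fast, unsalted hash.
# This is a constructed figure for relative comparison, not a measurement.
GUESSES_PER_SECOND = 1e10


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses/second."""
    seconds = search_space(length, alphabet_size) / rate
    return seconds / (365 * 24 * 3600)


def orders_of_magnitude(len_a: int, alpha_a: int, len_b: int, alpha_b: int) -> float:
    """log10 of how many times larger search space A is than search space B."""
    return math.log10(search_space(len_a, alpha_a) / search_space(len_b, alpha_b))


def random_secret(length: int, alphabet: str = LOWER) -> str:
    """Random answer or password drawn from the OS CSPRNG (store it in a manager)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    shapes = [("6 lowercase", 6, len(LOWER)), ("12 lowercase", 12, len(LOWER)),
              ("10 full charset", 10, len(FULL)), ("16 lowercase", 16, len(LOWER))]
    for label, n, a in shapes:
        print(f"{label:16s} {entropy_bits(n, a):6.1f} bits  "
              f"{years_to_exhaust(n, a):.3g} years to exhaust")
    print("16 lowercase vs 10 full charset: +%.1f orders of magnitude"
          % orders_of_magnitude(16, len(LOWER), 10, len(FULL)))
    print("example random security answer:", random_secret(12))
```

Swap in a much lower rate (e.g. 1e5 for a slow, salted hash such as bcrypt) to see how the same shapes fare against a properly stored password database.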