
I was trying to figure out what to write about, and passwords, passphrases and MFA kept coming to mind. I thought there was no need for that: they always seem to be in the news, so surely people are taking notice. A couple of days later, I got an email from Krebs on Security with the title "Ukraine Nabs Suspect in 773M Password 'Megabreach'". Today I was contacted by a friend who had an online shopping account compromised, and her credit card information was stolen. Ok, I guess we need to talk some more about passwords, passphrases, MFA, and keeping our accounts safe.

Ok, so what is the difference between a password and a passphrase? Great question! A password has the typical requirements we have all experienced: at least eight characters, one capital letter, one number, and one special character, looking something like "Crazine5$es!". That is super hard for a human to remember but super easy for a computer to guess. A hacker known as "Tinker" claimed that, as of early 2019, an eight-character password, no matter its complexity, can be cracked in about 2.5 hours; I would suspect that time is shorter now in mid-2020. Passphrases are mostly words put together, easy for a human to remember but hard for a computer to guess; such a passphrase might look like "longerbettersecurity". XKCD sums it up perfectly in a cartoon.

Now that we have covered passwords vs. passphrases, let's talk about using a unique passphrase for every account. Many folks have one or two passwords/phrases for all of their accounts. What happens when one of those accounts gets compromised? A malicious actor potentially has access to ALL of your accounts, because you have one password/phrase for everything: financial institutions, email, work, social media, etc. How do you expect me to remember a unique passphrase for all of my accounts, you ask?! Well, you can use a password manager such as LastPass! I use LastPass and have 100% of my accounts in there; every one has a unique password of 20-25 randomized characters, similar to "7p41tw*d7HX3&S2Agiib". I know ONE passphrase, over 30 characters long, that gets me into my password manager; it would take years to crack that password.
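To put numbers behind the password-vs-passphrase argument above, here is an added example (not code from the original post) that estimates the guess space of the post's own sample secrets under two attacker models: random characters, and a run of dictionary words. The guess rate is back-derived from the quoted 2.5-hour figure and the 7776-entry word list size is an assumption.

```python
import math
import string

# Attack model assumed here: an offline attacker trying guesses against a
# stolen password hash, the scenario the quoted "eight characters in about
# 2.5 hours" figure describes.
FULL_CHARSET = 26 + 26 + 10 + len(string.punctuation)   # 94 printable symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Guess rate implied by the post's figure: the whole 8-character, full-charset
# space falls in 2.5 hours.  An assumption derived from the post, not measured.
IMPLIED_GUESSES_PER_SECOND = FULL_CHARSET ** 8 / (2.5 * 3600)
# Assumed size of the word list an attacker would use against word-based
# passphrases (a Diceware-style list has 7776 entries).
WORD_LIST_SIZE = 7776


def charset_size(secret: str) -> int:
    """Smallest standard character pool that covers every character used."""
    pools = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
             (lambda c: c in string.punctuation, len(string.punctuation))]
    return sum(size for member, size in pools if any(member(c) for c in secret))


def guess_space(secret: str, words: int = 0) -> int:
    """Candidates the attacker must try.  Character model: pool ** length.
    Word model (secret is a run of dictionary words): list_size ** words,
    which is usually far smaller than the character count suggests."""
    if words:
        return WORD_LIST_SIZE ** words
    return charset_size(secret) ** len(secret)


def report(secret: str, words: int = 0) -> dict:
    """Entropy in bits and expected crack time (half the space on average)."""
    space = guess_space(secret, words)
    seconds = (space / 2) / IMPLIED_GUESSES_PER_SECOND
    return {"length": len(secret), "bits": round(math.log2(space), 1),
            "years": seconds / SECONDS_PER_YEAR}


if __name__ == "__main__":
    # Constructed samples: the post's own examples plus an 8-character one.
    for secret, words in [("Crazy5$!", 0), ("Crazine5$es!", 0),
                          ("longerbettersecurity", 0), ("longerbettersecurity", 3),
                          ("7p41tw*d7HX3&S2Agiib", 0)]:
        r = report(secret, words)
        model = f"{words} dictionary words" if words else "random characters"
        print(f"{secret:22} {model:20} {r['bits']:6.1f} bits  {r['years']:.3g} years")
```

The word-model row is the caveat worth remembering: a passphrase built from a few common words is only as strong as the number of words and the list they come from, so pick them at random rather than as a sentence.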

Ok, perfect, we are moving along. Let's talk about what MFA (multi-factor authentication, or two-factor authentication) is and why you should use it. Think of it as:

1. Something you know (passphrase)

2. Something you have (phone)

3. Something you are (biometrics)

We already do this almost daily without thinking about it. If you have gone to an ATM, put your card in the slot, and entered a PIN, you have done two-factor authentication (card and PIN: something you have and something you know). Now we should be doing that on all of our accounts!



What would it look like if you had this enabled on all of your accounts:

1. Go to Chase.com

2. Enter your username and passphrase

3. Chase sends a code by text message, or a push notification to an authenticator app on your phone (something you physically have)

4. You approve the push notification OR enter the code that was texted to you

5. You are allowed to log in

What would it look like if someone had obtained your password and entered it into your account:

1. You are watching TV

2. A notification arrives on your phone (text message or authenticator push) that you did not ask for

3. You select Deny in the authenticator app, or simply don't enter the texted code anywhere

4. The malicious actor doesn't get access

5. Change your passphrase immediately

There are many different authenticator apps: Microsoft Authenticator, Google Authenticator, LastPass Authenticator, etc. You download the application to your phone and add each account to it as you enable MFA. Take some time and make your digital life more secure: use a unique passphrase on every account, use a password manager, and enable MFA on all your accounts.
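The code-entry path in the login steps above, and the Microsoft, Google and LastPass authenticator apps just mentioned, rely on the time-based one-time password of RFC 6238. The following is an added example, not code from the post or from any of those apps, showing how such a code is derived from the shared key and how a server should check it; the key is the RFC's own published test secret, and the one-step drift window is an assumed policy.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890").  Authenticator
# apps receive the same kind of key as base32 text, usually via a QR code.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' of the digest down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps elapsed,
    so phone and server agree on the code without talking to each other."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: decode the shared base32 key, accept the code for the
    current step or +/- `window` neighbouring steps (clock drift), and compare
    in constant time so timing does not leak which digits matched."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("Code for the RFC test key right now:", totp(RFC_SECRET, now))
```

Because the code is only good for the current 30-second step, an attacker who stole the passphrase in a breach still cannot log in without the phone, which is exactly the scenario in the second list above.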

Not sure what accounts have MFA? Check out this link: https://twofactorauth.org/#

Has your email been compromised? Check out this link: https://haveibeenpwned.com/

Sign up for LastPass or go to the Resources tab of GingerSec. I personally think LastPass is the best password manager for the money.
