
I was trying to figure out what to write about, and passwords, passphrases, and MFA kept coming to mind. I thought there was no need for that: they always seem to be in the news, so surely people are taking notice. A couple of days later, I got an email from Krebs on Security with the headline “Ukraine Nabs Suspect in 773M Password ‘Megabreach’”. Today I was contacted by a friend who had an online shopping network compromised, and her credit card information was stolen. OK, I guess we need to talk some more about passwords, passphrases, MFA, and keeping our accounts safe.

So what is the difference between a password and a passphrase? Great question! A password has the typical requirements we have all experienced: at least eight characters, one capital letter, one number, and one special character, looking something like “Crazine5$es!”. That is super hard for a human to remember but super easy for a computer to guess. A hacker known as “Tinker” claims that an eight-character password, no matter how complex, could be cracked in about 2.5 hours as of early 2019; I suspect that time is shorter now in mid-2020. Passphrases are mostly words strung together, easy for a human to remember but hard for a computer to guess; such a passphrase might look like “longerbettersecurity”. XKCD sums it up perfectly in a cartoon.

Now that we have covered password vs. passphrase, let us talk about using a unique passphrase for every account. Many folks have one or two passwords or phrases for all of their accounts. What happens when one of those accounts gets compromised? A malicious actor potentially has access to ALL of your accounts, because you have one password for everything: financial institutions, email, work, social media, etc. How do you expect me to remember a unique passphrase for all of my accounts, you ask?! Well, you can use a password manager such as LastPass! I use LastPass and have 100% of my accounts in there; every one has a unique password of 20-25 randomized characters, similar to “7p41tw*d7HX3&S2Agiib”. I know ONE passphrase, over 30 characters long, that gets me into my password manager, and it would take years to crack that passphrase.

OK, perfect, we are moving along. Let's talk about what MFA (multi-factor authentication, or two-factor authentication) is and why you should use it. Think of it as combining two or more of:

1. Something you know (passphrase)

2. Something you have (phone)

3. Something you are (biometrics)

We already do it almost daily and don't even think about it. If you have gone to an ATM, put your card in the slot, and entered a PIN, you have done two-factor authentication (card and PIN: something you have and something you know). Now we should be doing that on all of our accounts!

What would it look like if you had this enabled on all of your accounts?

1. Go to Chase.com

2. Enter user name and passphrase

3. Chase sends a notification either by text message or to some type of authenticator app (something you physically have)

4. You approve the notification OR enter the number that was texted to you

5. You are allowed to log in

What would it look like if someone got hold of your password and entered it?

1. You are watching TV

2. A notification appears on your phone (text or authenticator push)

3. You select Deny in the authenticator, or simply don't enter the texted code

4. The malicious actor doesn't get access

5. You change your passphrase immediately

There are many different authenticator apps: Microsoft, Google, LastPass, etc. You download the application to your phone and add each account to it as you enable MFA. Take some time and make your digital life more secure: use a unique passphrase on every account, use a password manager, and enable MFA on all your accounts.

Not sure what accounts have MFA? Check out this link: https://twofactorauth.org/#

Has your email been compromised? Check out this link: https://haveibeenpwned.com/

Sign up for LastPass or go to the Resources tab of GingerSec. I personally think LastPass is the best password manager for the money.
