Passwords:
Ending an era…
As I think back to “the old days” in the authentication
world, we’ve come a long way; or have we?
In the early 90’s I ran a BBS, who knows what that is? I required users to connect with a username
and password of their choice. Sounds like
what we do today. While login names and
passwords have become increasingly complex the process has not changed. Tell me, who you are and I will let you
in! This is a great strategy, actually
it’s not. There are millions if not
billions of login credentials stolen annually and the majority of data breaches
involve stolen credentials. NY Times
reports in August 2014 “Russian
Hackers Amass Over a Billion Internet Passwords” and InformationWeek
DarkReading reports in April 2014 “Stolen
Passwords Used In Most Data Breaches”.
In the technology world we live in today, a username and password by
itself is not enough, I repeat, a username and password by itself is not enough. Have you been or known someone who’s been
hacked? We all do. Simple steps can reduce the chances
drastically for both businesses and personally.
Use multi-factor authentication
What is multi-factor authentication? Wikipedia says; Multi-factor authentication
(MFA) is a method of computer access control in which a user is only granted
access after successfully presenting several separate pieces of evidence to an
authentication mechanism - typically at least two of the following categories:
knowledge (something they know); possession (something they have), and inherence
(something they are).
Many sites already offer multi-factor
authentication. Turn this feature on. If you are a business owner add this to
access your business resources.
Banks – usually required
Facebook – optional
Google – optional
Amazon – optional
Reduce the complexity and time between password
changes.
Change the password requirements to be less
complex and less characters required after adding addition factor to the authentication
process.
Reduce the frequency between password
changes. If the policy is currently 90
days perhaps 180 days is now acceptable after adding addition factor to the authentication
process.
Close access to resources not secured by
multi-factor authentication
Shutdown access from outside your network to
resources inside your network which are not secured with multi-factor
authentication.
Provide a way to access those resources once
inside a resource (virtual desktop, published application, etc) within the boundaries
of your network.
That’s great Sean, but how do I accomplish the
recommendations you have made? To start
with login to each of the sites you use and see if they offer multi-factor
authentication. Usually this will be
something like; send me an email or text before allowing access. If you are a business look at products like Duo, AuthAnvil,
Azure,
and others to add this functionally to your infrastructure. The main idea is to determine what needs to
be secured, then you can determine the best multi-factor product to secure it.
In conclusion, while all of these technologies have been in existence
for many years the viability is now such all sizes of business should
adopt. The deployment of multi-factor
products has simplified and with smartphones end user acceptance and adoption
is very high.