What does iTunes, Yahoo!, Gmail, Outlook, Twitter, Facebook, Bank of America, Chase, Discover, E*Trade, Vanguard, PayPal. eBay, and Etsy have in common with thousands of other secured online services? They all offer their users a secure supplementary method to prevent illicit access to their online accounts, with a level of protection much greater than the traditional password, that method known as “Two Factor Authentication”. While it may increase the time necessary to logon to websites by a few seconds, it also greatly reduces the risk of an unauthorized person gaining access to those websites, even if the users’ passwords have been compromised.
In recognition of “National Cyber Security Awareness Month”, I recently presented two sessions on Password Security for the public event hosted by the city of Port Arthur, Texas. Judging from the questions and responses of those attending these sessions, too many people are still using insecure passwords. Several participants stated that their email accounts had been hacked, and unknown “hackers” had sent spam and other illicit emails from their email accounts. Others had mentioned that an assortment of shopping and financial websites, including online banking, had been accessed by unauthorized individuals, sometimes resulting in substantial financial losses. What many of the participants were blissfully unaware of is the fact that “crackers”, people who can “crack” others’ passwords, can easily crack simple passwords in just a few seconds, and moderately complex passwords may take several minutes or hours to crack. Cyber crooks can obtain passwords and usernames by compromising the servers of popular websites and servers, such as the “alleged” theft of five million Gmail passwords, over a million from CNet, and countless other successful hack attacks on servers all over the world. Often these usernames and passwords are posted online, many times on the “Dark Web”, where illicit information and data is often bought, sold, traded, or given away.
While these cyber heists of millions of usernames and passwords sometimes get the attention of the media, the quiet work of thousands of crackers using simple guessing based on password tables, or a myriad of software utilities that can try hundreds of passwords a minute, continues to this day. The primary reason why the majority of victims who have had their passwords compromised and taken advantage of is their own doing, in that millions of people still use simple, easy to guess passwords to access secure websites and services. What is even more shocking is that most users who use these simple passwords also use the same simple password on multiple websites, meaning that if one is cracked, the cracker now has access to all of the user’s online accounts. The number of Americans using the same password for all of their online access is a staggering 61%, according to a report published by CSID (csid.com) in September 2012, but still considered by many as a somewhat accurate reflection of the risks currently faced by the majority of computer (and smart phone or tablet) users.
According to the most recent surveys performed by several cyber security organizations, the majority of users still continue to use very common and easy to guess passwords. The security firm SplashData performs an annual study of the stolen password files published online by the hackers, and has found that over the past several years, there has been little change in the most widely used passwords, with the “Top 10” list of most widely used passwords in 2014 being (in rank order from 1 to 10) 123456, password (used by 4% of users), 12345, 12345678, qwerty, 123456789, 1234, baseball, dragon, and football. Among some of the next 15 most commonly used passwords, completing the “Top 25” list are 1234567, monkey, letmein, abc123, 111111, 123123, master, and access, along with the current crop of contemporary superheroes including superman and batman being in the top 25. My personal favorite, which was #25 in the list is “trustno1″. In its report, SplashData urges that users follow three simple tips in order to make more secure passwords. Those three recommendations are: 1. Use passwords of eight characters or more with mixed types of characters; 2. Avoid using the same username/password combination for multiple websites; and 3. Use a password manager … to organize and protect passwords, generate random passwords, and automatically log into websites.”
Some users try to outsmart crackers by thinking that they are creating complex passwords by using a simple alpha numeric substitution for some letters that appear similar, such as replacing the letter “E’ with a “3”, the letter “O (oh)” with a “0 (zero)”, the lower case “l (el)” with a “1 (one)”, and the letter “S” with a “5”. In reality, this simple substitution will not slow down even the most juvenile and inexperienced password cracker, as almost all of the readily available password cracking tools that utilize a “brute force dictionary attack” automatically make those substitutions when cracking passwords. I have one old and very primitive password cracking utility that incorporates the top 100 most widely used passwords as its first line of attack, followed by those same 100 passwords substituting numbers for letters, and then using an open source dictionary to crack passwords; this utility can try 1200 logons per minute (20 per second), and I can crack most users’ passwords in a matter of seconds, my personal best being under five seconds, and the longest it ever took me to crack a non-complex password was about six minutes; good complex passwords are difficult (but not impossible) to crack using the most readily available cracker tools. Since a reported 25% of users in aggregate use the “Top 20” passwords to access their accounts, just manually entering each of the top 20 in order will give access to about one in four accounts, unless the website detects an attempted intrusion and locks the user out.
According to a study done by the password manager publisher LastPass (lastpass.com), 42.5% of users use passwords consisting of lowercase letters and numbers only; 39.8% use lower case letters only; 15.7% user numbers only; and only 1% use a reasonably secure and hard to crack combination of upper case and lower case letters, numbers, and characters (such as !, @, #, $, %, &). The same survey found that the average password is only six characters in length, and all lower case letters, which is an open invitation for a cracker to access that user’s accounts. In creating complex passwords, users should never use family member or pets’ names, birthdates, anniversaries, addresses, or other readily available personal information, as crackers often “data mine” social networking services such as Facebook profiles, gathering such information. Likewise, users should not use complete words as these are easy to crack with a simple “dictionary attack”, and should never record passwords in an insecure way such as on a “Post It Note” on the monitor, unencrypted spreadsheet, text file on a phone or computer, or any other mode that can be easily purloined. Likewise, keep passwords absolutely private, and do not share them with anyone. Passwords can be easily captured by cyber crooks when the users access public Wi-Fi in coffee shops, airports, and other public places, with the same cyber thieves often setting up bogus but official looking hotspots in public places (airports are a favorite for this ruse) in order to steal login information including usernames and passwords for the explicit purpose of committing identity theft.
Fortunately for us users, there is an easy way to provide an additional layer of security which will make it nearly impossible for a hacker or cracker to access our most important online accounts, regardless of the complexity of our passwords, and even if our passwords had been compromised in a previous hack. This method of security is referred to in the industry as “Two Factor Authentication”, and is offered as an additional, free level of security by thousands of financial institutions, online retailers, email services, online gaming sites, government agencies, and other web based services that have password based access. The process itself is very simple, takes a few seconds to set up once on each participating website visited, and then a few more seconds when actually implemented. The website turnon2fa.com/tutorials offers simple but site specific instructions on how to implement Two Factor Authentication on hundreds of participating websites; generally it is as easy as checking a “Two Factor Authentication” or similar box on the target website’s user configuration or profile page, and then entering a preferred method of contact, preferably a mobile phone number. That website will now display a third line for a key code, following the traditional username and password boxes.
I have Two Factor Authentication implemented on several of my most sensitive and personal web accounts; if I access those websites from a computer, smart phone, or other device not previously recognized and confirmed as mine, the website will send a verification code as a text message to my phone. Even if I entered a valid username and password (which could have been stolen by a hacker or cracker), the website will also require that the validation code sent to my phone also be entered in a finite number of seconds in order to access the account. Unless the cyber crook also has my smart phone, they will be unable to access my account even if they have my valid user name and password. Many people are unaware that each device on the internet has a unique code number attached to it, which is also sent to websites to help verify the source of an inquiry; if the website does not recognize the unique hardware code previously verified for my computer, smart phone, or tablet, it will demand that I also promptly enter the unique access code that the website sends to my phone; no code, no access, it is that simple.
While there are many websites that explain how to implement Two Factor Authentication on their particular websites, and the process is inheritably simple, as well as similar on most participating websites, my personal favorite is still the directory at turnon2fa.com/tutorials. All of the information that anyone might need, including a 90 second video explaining the process, is available from the “Turn It On” website at www.turnon2fa.com. If you are worried about someone accessing your accounts or hacking into your email (and you should be!), you need to enable the Two Factor Authentication offered for free by many of the websites that we access.
If offered by online services, such as your email provider, and you do not implement Two Factor Authentication (or some similar technology such as the uncommon digital dongles), please do not come running to me if your email or other account is accessed by disreputable individuals. I would hate to say it, but, “I told you so!”.
WEBSITES:
- https://en.wikipedia.org/wiki/Two-factor_authentication
- http://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/
- http://www.cnet.com/how-to/how-to-enable-two-factor-authentication-on-popular-sites/
- http://searchsecurity.techtarget.com/definition/two-factor-authentication
- http://www.pcmag.com/article2/0,2817,2456400,00.asp
- https://www.telesign.com/turnon2fa [Updated 09/17/2020]
- http://splashdata.com/press/worst-passwords-of-2014.htm
Out thanks to Bill Hess from Pixel Privacy for pointing out the outdated links in this article. Bill has provided this link <https://pixelprivacy.com/resources/two-factor-authentication/> to his guide to provide more context to 2FA and the benefits of 2FA .
Thanks Bill.