More Bad Password Advice and More Good Password Advice

9/16/2020

As I was writing this, Conan the Sysadmin tweeted about passwords and the need to use secure ones. His message was simple: "Passwords and secret signs are crucial #cybersecurity defenses. Craft good ones, and use them well." This is excellent advice and the gist of what I have shared on this blog in the past.

I have suggested some alternatives to plain passwords, too. One of those is two-factor authentication or 2FA. Many sites offer this as an option and require users to supplement their passwords with a code (maybe all digits) they receive in email, SMS (a phone text message), or view on an app such as Authy. I have 2FA on sites that use each of these.

A valuable use of 2FA

In an article in Lifehacker, the author reports a request for a 2FA code to supplement a password to access his Instagram account. The problem is that he had not tried to log in to Instagram! That means- as the article directs - if you receive a random 2FA request, it is necessary to change your password immediately. Someone likely tried to access your account hoping you did not have 2FA enabled.

That assumes that the site only asks for the second factor (the code) if the supplied password is correct. That's probably a good thing because attackers likely try many incorrect passwords to try to break into some accounts. It also means the attackers discovered or guessed the password of the article author. The password was discovered in a breach, as the article explains, it had been the same as a password used on another system whose passwords had been leaked.

This emphasizes the need to use make the password for each site unique. After a recent breach, I received numerous scareware emails saying the password they listed was compromised. Except I hadn't used that password for anything in roughly ten years and I'd only used it on one site. But that isn't the norm, and if a password is used more than once and is discovered, other accounts may be compromised. I'm sure that if a password for a particular username is leaked, bad actors will try it on popular sites such as Twitter, Facebook, Instagram, and others. A good password manager makes the use of site-specific passwords feasible.

A not so good idea

Passwords aren't a great idea anyway, but we have them and need to deal with them. Some systems use PIN codes for access either with or without a second factor. There have been multiple attempts to replace PINs. Face or fingerprint recognition on phones are good examples. But if those mechanisms fail, the phone defaults to a PIN. It happens to me almost daily.

Another proposed alternative to the PIN is a so-called knock code. The basic idea is to press regions on the screen in a particular order. (Yeah, it sounds like a PIN to me, too, except that no numbers are displayed.) Researchers tested users using the knock codes and found out that they were easy to forget and that users were not very creative in choosing the codes. This is true of PINs, too. They are surprisingly easy to guess. That is because flawed humans select their own PINs. They also use the same one in multiple places: bank, phone, tablet, or whatever.

It is time to use reliable biometrics or other reliable methods to replace passwords and PINs to create stronger authentication methods.

To your safe computing,

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.