All Your Accounts Are Belong to Us

The problem with truly "good" passwords is that they rarely meet the requirements for complexity that most websites demand. It seems like companies are perfectly fine with an eight-character password, as long as there's a capital letter, punctuation, a number and no common words. Basically, they demand we have crappy, hard-to-remember passwords. It's very frustrating.

If you're not using a password manager that generates random passwords, the best I can recommend is that you make your password as long as possible. My method for making a password is to string together words (like correcthorsebatterystaple, which I didn't even have to look up, because I totally remembered it), and then add the weird complexity requirements at the end. That still doesn't help with password reuse, however, which is an even bigger problem than using strong passwords. Again, Randall illustrates the problem perfectly here. (I'm just giving a link this time; I don't want to push my luck.)

Basically, if you use the same password everywhere, if one system is compromised, all your accounts are vulnerable. I addressed that problem in my last article about setting up good passwords, but unfortunately, any pattern you might use to create passwords can be figured out. Here's what I mean. Let's say you use this pattern for generating passwords:


word1 word2 sitename word3 word4 complexity_junk

On the surface, this seems brilliant. You can remember four words, have a standard "complexity" ending for meeting dumb password requirements, and you can add the name of the website in the middle. That means every password will be different. The problem is, it's still a pattern. Let's say an attacker discovers that your Facebook password is this:


hampergranitefacebookcoffeeostrich53BLT!

That's a nice, long, unique password. The problem is, now the attacker knows your Amazon password is this:


hampergraniteamazoncoffeeostrich53BLT!

Truly, the best method I know of is to have a password manager that will store and potentially generate passwords for you. I prefer passwords I don't have to copy/paste in order to use, so I usually generate long passwords using words. That way, I can glance at the password and type it out quickly. The point of this whole section is to make you think about passwords. Consider passwords that are truly strong, but also remember that it's extremely important not to reuse passwords on multiple sites.

Adding Another Factor

Two-factor authentication comes in many flavors. For cell phones, the trend is to use fingerprints. Granted, fingerprints aren't the most secure authentication method, but when used in addition to passwords, it does add significant security. (I once heard Kyle Rankin say fingerprints are terrible passwords, because you can change your "password" only ten times, and you leave them written everywhere you touch.)

The cell-phone number itself is one of the most common forms of 2FA. Like my original example demonstrated, many websites utilize SMS messages sent to a phone number as verification of identity. There are many issues with an SMS being the sole form of authentication, but as a required second factor, it's not bad. What I mean by that is, many companies allow you to use your cell phone for 2FA, but they also allow you to recover your password by simply proving who you are by entering a code sent via SMS. That completely eliminates the security of 2FA!

My personal favorite 2FA method is provided by Google. The implementation is fairly robust, and in function, it's very easy to use. Basically, you authenticate your phone, and rather than having a code texted to you, which you have to type into a web form, the Google authenticator just pops up on your phone asking if you're currently trying to log in (with information on where you're trying). You simply click "yes", and the 2FA is successful. I like it not only for simplicity, but also because my phone number being hijacked doesn't automatically give the thief the ability to provide 2FA.

There certainly are other methods for attaining multiple authentication factors. Yubi is a company that has provided hardware-based USB authentication for years. The problem I usually have is not everywhere supports multiple forms of 2FA. However, if a website allows you to log in with your Google account, Google handles the 2FA, thus securing the site without any custom-2FA code on the particular site at all.

If You Use Google, Beef It Up

Part of me dislikes recommending Google as your go-to source for 2FA. Google is a commercial company, and using its proprietary system as a form of authentication is a little unsettling. But here's the deal: I'd rather everyone trust the integrity of Google than trust the integrity of random hackers on the internet. Google's 2FA is easy to set up, has proven to be reliable, and at the very least, it's better than not using 2FA at all. So if you're interested in continuing down the Google rabbit hole, I highly recommend you go through its security wizards to make sure your account is yours.

______________________

Shawn Powers is a Linux Journal Associate Editor. You might find him on IRC, Twitter, or training IT pros at CBT Nuggets.