Usernames and passwords don’t work, and making them longer is a pain
Either it has happened to you or you don’t know it has happened to you. Your email is spamming your address book without your knowledge. Your Facebook page and messages seem to be available to others to edit or steal those personal pictures. Your company is freaking out as someone breached the network.
The last situation is one that most people feel is not of their doing and not at the top of their list of concerns. But truth be told, it may be your LinkedIn or Twitter account that helped the bad guys breach the company you work for.
The Human Element
As humans we have limitations, and we are tired of adding extra numbers, capitals and funky signs to meet password requirements. This is a common reason most of us are guilty of using the same or similar passwords for our personal social network accounts, our email and our work logins.
Many breaches have occurred because attackers’ computers found our personal accounts and set about cracking a username and password built from our fluffy dog or favorite car. It really is not hard for many to do. Our mom’s maiden name, our cat’s or dog’s name growing up, or even the street we first lived on can be found in the information we share in conversations online or buried in our postings. In some cases, the machines hunting for our personal credentials started quietly targeting you once they found out you worked at a company that someone wants something from.
We are all tired of having to create some word-plus-#, %, Cowboy, etc. password and then trying to remember it. What’s the point if someone can find a way to obtain it anyway? But what if there was a way to be more secure without having to deal with passwords, and actually make logging in easier? Sounds hard to believe, but such ways are being worked on.
Changing the strategy
The concept is similar to how an ATM works when we take out cash. First we use something we physically have, like a smartphone. Companies have used random number generators that change every minute, but those have been compromised when someone figured out the algorithm. USB tokens that plug into the laptop are a physical way to secure a login, but people have been able to get around those too, because they are usually the second method of authentication, not the first.
Back to the smartphone idea…you could still use a USB token…but either is a physical item that we start the process with. By starting with something we have, we cannot even get to the next step without it. In other words, no ticky, no laundry. At the ATM we put our card in and then enter a passcode. Sure, we can say that a passcode is a password, but we can never enter it until we have the physical piece to start with, and that piece cannot be duplicated. No two phones can be used; that may be a shortfall, but a tiny one.
Security companies are starting to find this way of thinking a good way to stop the brute force or phishing attacks that get the bad guys into our accounts. Right now, some multi-factor authentication vendors are doing this. But the second part has become a problem. One vendor has you use your smartphone to begin access, or to act as the username, but after it says you are OK in the first step, a code is sent to the phone for the passcode part. The problem here is that a third party (a carrier, for example) is introduced into the mix, so the server at the carrier could be hacked. Another risk is the dreaded man in the middle, who can pull the information out of the air. This is a common way information is stolen at a coffee shop as you work on your laptop on the free wifi. You get the picture.
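As an added illustration (not code from the original post or from any vendor it mentions), here is a small Python sketch of the possession-first flow described above: the server issues a fresh challenge, the enrolled phone answers it with a key that was provisioned once and never transmitted, and the passcode is not even examined until that device proof checks out, so a phished passcode on its own, or a captured proof replayed later, gets nowhere. The device id, PIN and key material are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment data: the phone's key is provisioned once at
# enrollment and never travels over the network again (assumption).
DEVICE_KEY = secrets.token_bytes(32)
ENROLLED = {"phone-001": DEVICE_KEY}
PIN_SALT = secrets.token_bytes(16)
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4321", PIN_SALT, 100_000)
_pending = {}  # challenge -> device id; each challenge is consumed on first use


def issue_challenge(device_id: str) -> bytes:
    """Step 0 (server): a fresh nonce, so a captured proof cannot be replayed."""
    challenge = secrets.token_bytes(16)
    _pending[challenge] = device_id
    return challenge


def device_prove(device_key: bytes, challenge: bytes) -> bytes:
    """Step 1 (phone): keyed response to the nonce proves the device is present.

    Only the response leaves the phone; the key itself never does.
    """
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def login(device_id: str, challenge: bytes, proof: bytes, pin: str) -> str:
    """Server: the PIN is not even looked at until the device proof checks out."""
    # Unknown or already-used challenge: refuse before touching any secret.
    if _pending.pop(challenge, None) != device_id:
        return "refused: unknown or reused challenge"
    key = ENROLLED.get(device_id)
    # No ticky, no laundry: without the enrolled device there is no second step.
    if key is None or not hmac.compare_digest(proof, device_prove(key, challenge)):
        return "refused: no device, no second step"
    # Step 2 (knowledge factor), reached only after possession was proven.
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
    if not hmac.compare_digest(candidate, PIN_HASH):
        return "refused: wrong pin"
    return "ok"


if __name__ == "__main__":
    c = issue_challenge("phone-001")
    print(login("phone-001", c, device_prove(DEVICE_KEY, c), "4321"))  # ok
    print(login("phone-001", c, device_prove(DEVICE_KEY, c), "4321"))  # replay refused
    c = issue_challenge("phone-001")
    print(login("phone-001", c, b"\x00" * 32, "4321"))  # phished PIN, no device
```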
So now what?
So until we solve this problem, mix up those passwords. Do not just change a letter or number or add a symbol to some of them. Make them completely different. That way, if one of your accounts has been hacked, you don’t have to change all of them. Use some passwords for financial sites only, some only for retail sites and some only for your social networks…whatever you do…MIX IT UP.