Showing posts with label Passwords.

Tuesday, June 23, 2015

2FA Is the New Normal of Passwords


Image: Cellphone security (mattjeacock/Digital Vision Vectors/Getty Images)

Will Two-Factor Passwords Be the New Normal for Web Life?


Image: Russians and 1.2 Million Stolen Passwords (Brand X / Getty)

Introduction:

About.com: Robert: thank you for your time.  Being a network security specialist must be both very technical and very frustrating:  you see exciting technologies evolve, and you also see how people's lives are negatively impacted when the bad guys win.  Can you tell us more about your work, and why you find it so interesting to be in networking security?

Robert Siciliano:

For the past 30 years I've been embedded in the world of personal security as it relates to violence and theft prevention. These issues used to be primarily physical-world problems, and now they've significantly moved into the realm of the virtual world too. My daily routine consists of consuming all that is wrong and bad in the world and breaking it down so people understand how to proactively prevent it from happening to them.

About.com Question 1: The Public Is Being Hurt by Password Theft? Large-scale hacking and credential theft is so commonplace now. Mt. Gox had $460 million in bitcoins hacked in spring of this year. The Target chain of stores had its customers' credit card information credentials stolen this last Thanksgiving. Sony PlayStation Network and Gawker were hacked several months ago to the tune of 77+ million users' credentials. And now a Russian crime ring has been uncovered as having pilfered 1.2 billion user names and passwords. Is this a worrisome trend? How does this hurt and impact us as private individuals using the Web?

Robert Siciliano:

It has been said that in the year 2000 bad guys were about one year behind the good guys in technology. By 2004 they were neck and neck with the good guys. Today, the bad guys seem to be winning in many facets of technology that may one day cause such havoc that the lights may go off and bank accounts end up entirely empty, and that scares me. Every little breach is like a stone in a pond. The ripple effects may not have immediate impact, but they eventually trickle down and affect you and me in multiple ways. A compromised account can cause time and financial headaches that result in marital disputes and so on. That's what is so wrong about all this data insecurity.

About.com Question 2: How Hackers Do These Large-Scale Thefts. I know this can be a very technical topic, but can you explain to us how these criminals access private databases and steal our password credentials? Perhaps give us a semi-technical overview of the holes in our websites and how the hackers get in there?

Robert Siciliano:

There are a number of ways data gets hacked. The most common include criminal hackers looking for vulnerabilities in a company's networks, such as flaws in hardware, software or outdated systems that can be compromised. But even the most secure system can be overtaken by a savvy criminal who simply sends an email or makes a phone call and tricks a company employee into giving up his credentials to log into a network. Once in, the criminal can do significant damage.

About.com Question 3: Is Two-Factor Authentication the new normal?:  Robert, please tell us about 2FA, and how you think it can help.  How does 2FA work?  Will it stop these large-scale password thefts? How much does 2FA cost?

Robert Siciliano:

Many of the recent data breaches have exposed passwords as a common denominator. And as you know, if someone gets hold of your password, then your account—and all the data in it—is vulnerable.

But there's an easy way to protect your critical accounts from hackers and other infiltrators: Set up a two-factor-verified authentication system. With a two-factor-verified system, knowing your password is only the first step. To get any further, hackers will need to know the second factor, which is a special code (another password, also known as a "one time password" or OTP) that only you know and that changes every time you log in. Accessing your account will be a virtual impossibility. Best of all, it's free.

If you're interested in setting up a two-factor-verified system on your accounts, follow the directions below for the major platforms:

Google. Go to google.com/2step. Click the blue button, upper right corner, that says “Get Started.” Follow the prompts that then lead to the process; choose text message or a phone call to receive your code. Your setup now applies to all Google services including YouTube.

Yahoo. After signing in to your Yahoo account, you can begin Yahoo’s “Second Sign-In Verification” setup by hovering over your photo to trigger a drop-down menu. Click “Account Settings,” then click “Account Info.” Scroll to “Sign-In and Security,” and click the link “Set up your second sign-in verification.” Submit your phone number to receive a code via text. No phone? Yahoo will send you security questions.
Apple. Visit appleid.apple.com. A blue box to the right says “Manage Your Apple ID.” Click it, then log in using your Apple ID. Click the link to the left, “Passwords and Security.”
Answer the two security questions to execute a new section, “Manage Your Security Settings.” Below is a link called “Get Started.” Click it, and enter your phone number to receive a code via text. You can also set up a unique password called a recovery key that you can use if your phone is not available.
Microsoft. Log in at login.live.com using your Microsoft account. Once you’ve logged in, look to the left where you'll see a link that goes to “Security Info.” Click it. Look to the right, where you'll see the link “Set Up Two-Step Verification.” Click it, then click “Next.” Then follow the simple process.
Facebook. To set up “Login Approvals,” go to Facebook’s website. To the right at the top is a blue menu bar; click the arrow that faces down to bring up a menu. Click “Settings.” To the left, you’ll see a gold badge that says “security” beside it; click it. Look to the right where you'll see “Login Approvals.” There will be a box that says “Require a security code.” Check that, then follow the instructions.
Facebook will sometimes text you the security code, or it may require you to use the Facebook mobile app on Android or iOS to get your code, which will be in the “Code Generator.”
Twitter. Set up the “Login Verification” by going to twitter.com, then clicking the gear icon in the upper right corner. Look left, where you'll see the “Security and Privacy” link. Click it. Then you’ll see “Login Verification” appear under “Security.” You’ll be given a choice of how to receive your code. Make the choice, then Twitter will guide you through the rest.
LinkedIn. Go to linkedin.com, then hover over your photo to bring up the drop-down menu. Click “Privacy and Settings.” Toward the bottom is “Account.” Click that to bring up “Security Settings” on the right. Click that to be taken to “Two-Step Verification for Sign-In.” Click “Turn On,” then enter your phone number to receive the code.
PayPal. Log in to PayPal, and click on “Security and Protection” which is in the upper right corner. At the bottom of the page you’re taken to, hit “PayPal Security Key” on the left. When you get to that page, go to the bottom of it and click “Go to register your mobile phone.” On the next page, enter your phone number and wait for the code via text.
You'll have to keep a few things in mind to make this two-step verification process work. First, make sure you have unlimited text messaging if you're using your mobile and text as the second factor. Next, if an account doesn't offer the two-step-verification, see if it has alternatives that use phone calls, smartphone apps, email or “dongles.” These types of services provide codes that allow you to enter a site you’re already logging on to. Finally, if you receive a text requesting your account information, consider it a fraud. No reputable company would request that information from you.

About.com Question 4: What Can a User Do? People don't need to be reminded that good computer hygiene and rotating passwords is good sense. But can you offer us suggestions on what people can practically do to avoid being a hacker victim? Are there some tools or techniques that can help without adding too much burden on us users?

Robert Siciliano:

Laptop or PC

  • A two-way firewall: monitors the activity on your devices making sure nothing bad is coming in (like unauthorized access) and nothing good is leaving (like your data).
  • Anti-virus software: protects your devices from malicious keyloggers and other badware.
  • Anti-phishing software: watches your browser and email for suspicious inbox activity.
  • Anti-spyware software: keep your PC spyware free.
  • Safe search capacities: McAfee SiteAdvisor plugs into your browser and tells you what websites are good and which are suspicious.
  • Kick-butt passwords. Do away with the “Fitguy1982” password and use an extremely uncrackable one like 9&4yiw2pyqx#. Phrases are good too. Regularly change passwords and don’t use the same passwords for critical accounts. For more tips on how to create strong passwords, go to www.passwordday.org
  • Protect wireless data: whether on a laptop, smartphone or tablet, avoid public Wi-Fi such as at airports, hotels and coffee houses unless you are using an encryption tool called Hotspot Shield.

Smartphone or tablet

  • Be leery of third-party apps you install on your mobile phone, since malicious apps are the main threat.
  • Download apps only from reputable app stores.
  • Read reviews and make sure you know what information the app requests prior to download.
  • Use mobile security software that includes:
      • Anti-virus and malware protection
  • Turn off automatic connections to Bluetooth and Wi-Fi unless you’re using them.
  • Apply app and operating system updates.
  • Never store account numbers, passwords, etc., on your phone or tablet

About.com Question 5: Where Do We Go for More Password Details? Robert, please tell us where you personally go online for your news and information? Are there favorite resources and blogs that you frequent?  Are there some online resources that would be helpful for the everyperson to become more security-savvy?

Robert Siciliano:

RSS feeds and Google news alerts keep me informed. Google News keywords such as "scam," "identity theft," "hacker," "data breach" and more keep me current on new security issues. With my RSS feeds, certainly About.com, WSJ Tech, ABCNews.com, Wired and a slew of tech trade publications keep me up to the minute. My philosophy is to always be on top of what is new and ahead of what is next at all times. This is how to be proactive, so that neither I nor my readers/audiences can be caught off guard.

About.com Question 6: Final Thoughts for Our Readers. Robert, do you have any final thoughts to share with our readers?  Any advice for them?

Robert Siciliano:

We wear our seat belt because we know it's just a matter of time before something bad happens. Information security is no different. This is why being proactive and vigilant is essential. Putting systems in place and maintaining those systems will keep most people safe and secure.

About Robert Siciliano:

Robert is an expert in personal security and identity theft and a consultant to Hotspot Shield. He is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. 

Saturday, June 7, 2014

Are squiggly lines the future of password security?


June 4, 2014

Rutgers University

As more people use smart phones and tablets to store personal information and perform financial transactions, the need for robust password security is more critical than ever. A new study shows that free-form gestures -- sweeping fingers in shapes across the screen -- can be used to unlock phones and grant access to apps. These gestures are less likely to be observed and reproduced by 'shoulder surfers' who spy on users to gain unauthorized access.


As more people use smart phones or tablets to pay bills, make purchases, store personal information and even control access to their houses, the need for robust password security has become more critical than ever.

A new Rutgers University study shows that free-form gestures -- sweeping fingers in shapes across the screen of a smart phone or tablet -- can be used to unlock phones and grant access to apps. These gestures are less likely than traditional typed passwords or newer "connect-the-dots" grid exercises to be observed and reproduced by "shoulder surfers" who spy on users to gain unauthorized access.

"All it takes to steal a password is a quick eye," said Janne Lindqvist, one of the leaders of the project and an assistant professor in the School of Engineering's Department of Electrical and Computer Engineering. "With all the personal and transactional information we have on our phones today, improved mobile security is becoming increasingly critical."

Lindqvist believes this is the first study to explore free-form gestures as passwords. The researchers will publish their findings in June as part of the proceedings of MobiSys '14, an international conference in mobile computing.

In developing a secure solution to this problem, Lindqvist and the other researchers from Rutgers and collaborators from Max-Planck Institute for Informatics, including Antti Oulasvirta, and University of Helsinki studied the practicality of using free-form gestures for access authentication. With the ability to create any shape in any size and location on the screen, the gestures had an inherent appeal as passwords. Since users create them without following a template, the researchers predicted these gestures would allow for greater complexity than grid-based gestures offer.

"You can create any shape, using any number of fingers, and in any size or location on the screen," Lindqvist said. "We saw that this security protection option was clearly missing in the scientific literature and also in practice, so we decided to test its potential."

To do so, the researchers applied a generate-test-retest paradigm where 63 participants were asked to create a gesture, recall it, and recall it again 10 days later. The gestures were captured on a recognizer system designed by the team. Using this data, the authors tested the memorability of free-form gestures and invented a novel method to measure the complexity and accuracy of each gesture using information theory. Their analysis demonstrated results favorable to user-generated, free-form gestures as passwords.

To put their analysis into practice, the Rutgers researchers then had seven computer science and engineering students, each with considerable experience with touchscreens, attempt to steal a free-form gesture password by shoulder surfing. None of the participants were able to replicate the gestures with enough accuracy, so while testing is in its preliminary stages, the gestures appear extremely powerful against such attacks. While widespread adoption of this technology is not yet clear, the research team plans to continue to analyze the security and management of free-form passwords in the future.


Story Source:

The above story is based on materials provided by Rutgers University. Note: Materials may be edited for content and length.

Thursday, June 5, 2014

Weak Passwords: Are You Making It Too Easy For Criminals?


The password to your online account is like the key to your front door. How strong are your passwords? We’ll address some troubling facts about weak passwords and what you can do to make them stronger.


Weak Passwords