As a service to our clients during National Cybersecurity Awareness Month, we at CJW Capital are adding our voices to all the business and security professionals who are discussing basic ways to improve your online security and protect your personal data and finances from compromise.
We hope that these articles will be educational, useful, and productive in helping you to make improvements to your own security online, as well as connect you to other writers and other resources to take you further.
We'll begin with a quick look at authentication: the process of logging in to a web site. We'll discuss a few straightforward ways to protect yourself from the most frequently used attacks, including:
Why a password manager can help you avoid these attacks
How (and why) to secure your accounts using more than just a password
How to mitigate some of the downsides of using password managers and stronger authentication
We hope that you take this opportunity to incrementally improve the security of your own accounts. After reading this post, think about all the accounts that are most important to you – your email, online banking, or maybe your medical provider's online portal – and take one or two steps to make sure you are protecting each account with a strong, unique password and multi-factor authentication.
Use a Password Manager
For most clients, we recommend using a password manager like 1Password, KeePass, or LastPass. A password manager is a program that you can install on your computer, tablet, or phone that will remember your user names and passwords and store them securely – think of it as a notebook, locked inside a safe, that has all your passwords written inside. These services can work in your browser and, when you open a web site to the login page, your password manager can automatically fill in your user name and password which saves you time. In addition, when you sign up for a new service and have to create a password, a password manager can usually generate a bit of random gibberish for you to use.
Using a password manager can help protect against some of the most common ways that password-based security gets broken:
Password spray is when a malicious actor tries to log in to accounts using a list of the most frequently used passwords (e.g. passw0rd, 123456, qwerty).
Humans are very bad at creating truly unique passwords. It's likely that someone (or possibly many someones) has used a password like "ILoveBrunch2", and if it's been used before, to be cautious we should assume that it's on a list of passwords to guess – these lists frequently have hundreds of thousands of passwords on them. The gibberish generated by password managers is very unlikely to be on any guess lists.
Phishing is when a malicious actor creates a fake web site that looks similar to a real one, then sends out email messages directing users to the fake. The fake web site records every user name and password as users type them, and then the attacker can use those user names and passwords to log in to the real site.
A password manager can help prevent phishing because it detects which site you're logging in to so that it can look up the correct user name and password. If you're on a phishing page, your password manager recognizes that you're not at the real page and won't automatically fill in your password.
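To make the "detects which site you're logging in to" idea concrete, here is a small added example (not code from any real password manager) of the decision a manager makes before filling a saved login. It keys the saved password on the page's exact HTTPS origin, so look-alike addresses get nothing; the vault contents are constructed, and real products are somewhat more lenient about subdomains of the same site but never about a different domain.

```python
from urllib.parse import urlsplit

# Constructed vault: one saved login, keyed by the site's origin (scheme + host name).
VAULT = {
    "https://www.example-bank.com": ("alice", "Vb7!qL2x#mRt9z"),
}


def origin_of(url: str):
    """Reduce a page URL to the origin a password manager keys on; None if it cannot be trusted."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # no autofill over plain HTTP or for a URL with no usable host
    # urlsplit already strips any "user@" prefix, so the host is what the browser really connects to.
    return f"https://{parts.hostname.lower()}"


def autofill(url: str):
    """Return the saved (user name, password) only when the page's origin matches exactly.

    Anything that merely looks like the real site (extra suffix, swapped character,
    a fake host hidden after '@', or the site served over HTTP) gets no password.
    """
    origin = origin_of(url)
    return VAULT.get(origin) if origin else None


if __name__ == "__main__":
    for page in (
        "https://www.example-bank.com/login?next=/accounts",
        "https://www.example-bank.com.secure-login.test/login",
        "https://www.examp1e-bank.com/login",
        "http://www.example-bank.com/login",
    ):
        print(page, "->", "filled" if autofill(page) else "no match, nothing filled")
```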
Credential stuffing is when a malicious actor steals the list of user names and passwords from one web site (or buys the list from someone else who did), then tries the same combinations of user names and passwords on other sites.
The best defense against credential stuffing is to never use the same password for multiple web sites. Your password manager can store as many passwords as you need it to store, so you don't have to try to remember each individual password, and you can generate as many unique passwords as you need to.
Some password managers even check your passwords against databases of hacked logins to help prevent you from reusing a previously compromised password.
Add Another Layer of Security with Multi-Factor Authentication
Up until now we've only been talking about user names and passwords, but what happens if one of your passwords does leak? We need a way to protect your accounts even if this happens.
Whether or not you use a password manager, it's a good idea to add an extra layer of security to your accounts. One frequently used method to accomplish this, which most of us have probably experienced, is receiving a numeric PIN by text or email that must be entered after your password. The numeric code is a second way to verify that you are who you say you are when you're logging in. It's a way for you to prove not only "I know the password" but also "I'm using the phone number or email address that I told you about when I signed up". Using an additional factor beyond just a password is called "two-factor" or "multi-factor" authentication, although there are many different forms this second factor can take.
Here are the most common forms of multi-factor authentication, although not all web sites offer all options (and many web sites offer none at all). Without going too much into the technical details about how attackers try to break through the second factor, the list is ordered, roughly, from less difficult to more difficult to crack.
SMS/Text Message: This method proves that you have access to text messages sent to the number you provided when you signed up. After you enter your password, the web site sends you a numeric PIN via text message that you must type in as well. Sometimes this numeric PIN is sent via email instead of text message.
Authenticator applications: This method uses an app on your phone to verify that you are in control of your smartphone. The app generates a series of numeric PINs that change, usually every thirty seconds, and the web site on the other end generates the same series of numeric PINs, so when you type in the current PIN it knows that you have access to your smartphone. The Authy app is popular, and both Microsoft and Google make authenticator apps of their own as well.
Hardware token: A small piece of hardware connects to your device – it usually plugs into a free USB port, or stays on your keychain and connects wirelessly to your phone. This piece of hardware communicates directly and automatically with the web site to prove that you have it – no more typing in numbers. Recent upgrades to Android will let you use a handful of modern smartphones as a hardware token; for everyone else, hardware tokens usually cost around $50. Yubico's Yubikey and Google's Titan Security Key are popular choices. Despite the cost, this method is frequently the easiest to use once set up – no more digging for your phone and typing in numbers!
Remember when we talked about password managers using the notebook-in-a-safe analogy? The "safe" part has the potential to be a drawback, if it's not secure. Most password managers have login systems that work the same way as everything else – using their own passwords and second-factors – so you need to follow the same precautions as you do with every other account. Remember that since all your passwords are "written in the notebook inside the safe," if someone manages to get inside the "safe" they can read all your passwords.
We also remind our clients that every kind of multi-factor authentication has tradeoffs that can make your account harder to get into or recover. At its root, each of these forms of multi-factor authentication revolves around proving you have something – for example, your phone or the hardware token – so if you drop your phone in the toilet or it just runs out of battery you may not be able to log in to your accounts for a little while. Nevertheless, in our opinion the added security from using a second factor is worth it.
If a web site offers more than one kind of second-factor authentication – for example, an authenticator app or text message – we recommend using the strongest forms available for your most crucial accounts: anything relating to your email or phone, medical, and banking.
Sources and Further Reading
Thank you to Microsoft's Alex Weinert, who made two invaluable blog posts with more details on how attackers try to break through password and multi-factor security, including statistics that Microsoft has collected about the frequency of different types of attacks.
Security professional John Opdenakker is also producing a series of blog posts during this month about all things relating to information security. I highly recommend his posts about creating strong passwords, adding multi-factor authentication, how to avoid getting locked out of your accounts while using multi-factor authentication, and phishing. These posts are specifically written with the non-expert computer user in mind so they should be useful for all.
Phishing.org has a good introduction to phishing attacks, including examples of real phishing attacks and a discussion of warning indicators that are common to many phishing emails.
Finally, no discussion about passwords would be complete without mentioning Troy Hunt, a security researcher best known as the creator of HaveIBeenPwned.com. "Have I Been Pwned?" is a database where you can check which sites have leaked your email address and passwords, leaving you vulnerable to credential stuffing attacks. I highly recommend his blog as well, particularly the post titled "The only secure password is the one you can't remember" which makes the case for password managers much more clearly than I could ever hope to.
We are not being compensated for any content in this post. As of the time of posting, we do not have a long or short position in any companies discussed here, except as a holding within a diversified fund, nor do we have any clients who have an advisor-directed position in any companies discussed here.