My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.
Last week Yahoo announced that over 1 billion user accounts had been breached, exposing usernames and passwords. This account information has been available to attackers since 2013.
Passwords as a means for secure authentication are anything but secure. Analysis of passwords from network breaches shows that most people choose simple, easy to guess passwords. WordPress Engine has an in depth paper title “Unmasked: What 10 million passwords reveal about the people who choose them” which describes how people pick passwords and how that gives an attacker insight into cracking passwords.
Even worse is password reuse. The security community has been educating people for years to use long, complex passwords. People can’t remember long, complex passwords easily so they either write them down or memorize one and use it everywhere. Unfortunately, reusing passwords everywhere means that a breach of one website, like Yahoo, exposes the same password on all websites where it is used.
The passwords in the Yahoo breach were also associated with usernames and email addresses. Many people will use the same username or email address on multiple sites, allowing the attacker to exploit multiple accounts with the same credentials.
For more advanced protection people should use 2-factor authentication on any sites that support it.
2-factor authentication requires 2 types of information to let you in:
- Something you know (like a password),
- something you are (like a fingerprint), or
- something you have (like your cell phone).
Google, PayPal, Amazon, and, yes, Yahoo allow the consumer to enable 2-factor authentication. It usually isn’t on by default, though, so the user has to affirmatively turn it on.
Amazon explains how 2-factor works, you can quickly enable 2-factor authentication with a video entitled “About Two-Step Verification.” After 2-factor is enabled, each time the user logs into Amazon they will be prompted for their password as normal, then receive a text message with a random 6 digit number they have to enter into their web browser. Thus they have used 2 factors: something they know (their password) and something they have (the ubiquitous cell phone).
2-factor authentication does add a step to logging into a website, but it also means that an attacker cannot login unless they know the password AND have access to the user’s text messages. For sites that store or handle financial, personal, or confidential data this additional step is well worth the extra minute or two to use the second factor. In cases like the Yahoo breach, this step implemented on sites other than Yahoo would prevent the attacker from using their stolen credentials.