One Account To Rule Them All
Previously, we discussed various password attacks, the benefits of password managers, and tips for creating effective but memorable passwords. Today, we will look at other ways to bolster your personal security: additional authentication aids, and tools that reveal whether your passwords have already been compromised.
One authentication method you have likely encountered online is Single Sign-On (SSO), which uses an account you already hold with one service to access another. For example, when you browse to a food delivery website, you may be prompted to create a new account for that service, or you may be allowed to sign in with your Gmail or Facebook account. In that case the new service trusts Gmail or Facebook to have authenticated you with your login and password, and it relies on that to grant access to its own site and services. SSO can be helpful by reducing the number of accounts and passwords a user must create and maintain, and the fewer passwords a user must create, the less likely they are to create a bad one. However, SSO also ties many third-party services to that one original account, so if you lose access to it, you risk losing access to every site that accepts it for sign-on as well. Linking services together also costs you any anonymity between them.
Passwords Are Not Enough
Another mechanism for improved authentication, one that is thankfully gaining popularity every day, is multi-factor authentication (MFA). MFA improves user security by requiring proof from at least two distinct “factors”, which are:
- Something you know, like a PIN, password, or security answer
- Something you have, like a token, key file, cellphone, or email account
- Something you are (physically), like the unique biometric signatures of your fingerprints, facial map, or iris patterns
Some popular tools include RSA tokens, Microsoft Hello facial and fingerprint scanners, Google’s Authenticator app, and G Suite’s G-codes, which are texted or emailed to the requester, who confirms possession of the phone or email account associated with the user. By combining two or more of these factors, a user can demonstrate with higher confidence that they are in fact who they claim to be.
Are You Already Compromised?
Lastly, a mindful security practitioner should know whether they have already been compromised. In our previous post, Stop Using Weak Passwords, we mentioned the website “Have I Been Pwned” as a useful resource for discovering breached services, accounts, and passwords.
Looking a little deeper at the site’s breached-password data, users can query the web app (at their own risk) or download the leaked password lists to check whether their own passwords have been exposed and are available for anyone to use. Attackers know that many users reuse passwords and choose weak ones, so these wordlists are a prime input for password-cracking attempts.
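As an added example (not code from the original post), here is the local check the paragraph above describes: hash a candidate password, look it up in a downloaded Pwned Passwords list, or split the hash so that only its first five hex characters would go to the site’s range query, which is what makes the web-app check safer than pasting the password itself. The “<SHA-1>:<count>” line shape matches the published lists; the sample list below is constructed here and its counts are invented.

```python
import hashlib
from typing import Dict, Iterable, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form in which Pwned Passwords publishes hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def k_anonymity_split(password: str) -> Tuple[str, str]:
    """Return the 5-char prefix a range query sends and the 35-char suffix that never leaves the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_pwned_lines(lines: Iterable[str]) -> Dict[str, int]:
    """Parse '<HEX>:<count>' lines, the shape of both the downloadable list and a range response."""
    table: Dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines instead of failing the whole check
        hexpart, count = line.rsplit(":", 1)
        table[hexpart.upper()] = int(count)
    return table

def breach_count_from_download(password: str, table: Dict[str, int]) -> int:
    """Look the full SHA-1 up in a table built from the downloaded list; 0 means not found."""
    return table.get(sha1_hex(password), 0)

def breach_count_from_range(password: str, range_lines: Iterable[str]) -> int:
    """Match the locally kept suffix against the '<SUFFIX>:<count>' lines returned for its prefix."""
    _, suffix = k_anonymity_split(password)
    return parse_pwned_lines(range_lines).get(suffix, 0)

# Constructed sample in the download-list shape: real SHA-1s of three well-known weak
# passwords, but the counts are made up for this example.
CONSTRUCTED_DOWNLOAD = [
    f"{sha1_hex('password')}:120",
    f"{sha1_hex('123456')}:45",
    f"{sha1_hex('letmein')}:7",
]

if __name__ == "__main__":
    table = parse_pwned_lines(CONSTRUCTED_DOWNLOAD)
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = k_anonymity_split(candidate)
        seen = breach_count_from_download(candidate, table)
        print(f"{candidate!r}: prefix {prefix} would be sent; seen {seen} time(s) in the list")
```

The same functions work against the real downloaded file by passing its lines to parse_pwned_lines, and breach_count_from_range accepts the body of a range response for the prefix unchanged.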