Authentication and Credentials
What’s to talk about?
Proving you are who you say you are is one of the keys to computer security, if not the key. In this post, I’m going to discuss passwords (and password managers), multifactor authentication, and security questions. I’m going to try to point out why it’s important to get it right, some common mistakes and how they can bite you, and some very simple, life-changing ideas to make your online security posture much, much safer.
Passwords, PINs, and Passphrases
This is the most basic way of authenticating yourself, and one you’re doubtless very familiar with: a username (usually; sometimes a physical card instead) and a password, usually with an impossible-to-meet set of rules about what the password needs to include. What is there to say about it?
Passwords have gone in a bad direction, in my opinion. I’m not the first to point out that we’ve made our passwords for machines, not people. How can anyone reasonably remember a 20-digit, completely random password? Ready for your first life-changing idea? Just this: in addition to letters, numbers, and symbols, a space is a legal character in most password systems. So instead of This1sACr4zyPassword!46528, try this for a passphrase: I love $0.99 steaks! Yum yum. Easy to remember. Impossible to hack. Upper case, lower case, symbols, and numbers.
So now that you have a password that you know is totally safe and secure, you can start using it everywhere, right? No. Your password is only as safe as everyone you share it with, and hackers are smart. If they found out about your cheap steak habit from a security breach at a poorly defended website, they’re going to take that password and try it everywhere they can think of, in association with your email address and any usernames they can pair with it.
This leads us to password managers. These are systems that let you use long, random-character passwords without having to remember them. Good ones let you install the application on all of your devices, and it will randomly generate, securely save, and automatically enter passwords for all of your accounts (apps, websites, etc.). There are quite a few options out there, and I won’t be recommending any particular one(s) (although if you buy me a coffee I’ll tell you what I use), but if you stick “password managers” into your favorite search engine, you should get all the info you need to make an informed decision. As long as you use a nice, long, complex, never-before-used passphrase for your password manager, that’s about as safe as you can expect to be using just passwords. But can we do better?
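As an added example (not from the post or any particular password manager), here is how a manager generates the two kinds of credential discussed above from a cryptographic random source, how many bits each is worth, and how it audits a vault for the password reuse the previous paragraph warns about. The word list and the sample vault are constructed for the demo.

```python
import math
import secrets
import string
from collections import defaultdict

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable symbols (no space)

# Constructed stand-in for a diceware-style list; real lists have ~7776 words,
# and passphrase strength grows with list size, not with word length.
WORDS = ["steak", "yum", "cheap", "love", "coffee", "river", "orbit", "pixel",
         "maple", "quartz", "violin", "anchor", "breeze", "cactus", "dune", "ember"]

def has_all_classes(pw: str) -> bool:
    return all(any(c in cls for c in pw) for cls in CLASSES)

def random_password(length: int = 20) -> str:
    """Machine-style password from the CSPRNG (secrets, never random); retries
    until every class is present, which costs only a fraction of a bit at this length."""
    if length < len(CLASSES):
        raise ValueError("too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw

def random_passphrase(n_words: int = 5, words=WORDS) -> str:
    """People-style passphrase: space-separated words, also from the CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a random word sequence, assuming the attacker knows the list."""
    return n_words * math.log2(wordlist_size)

def reused_passwords(vault: dict) -> dict:
    """Audit an {account: password} vault; return {password: [accounts]} for every
    password used on more than one account, i.e. the reuse a breach would exploit."""
    by_pw = defaultdict(list)
    for account, pw in vault.items():
        by_pw[pw].append(account)
    return {pw: accts for pw, accts in by_pw.items() if len(accts) > 1}

# Constructed sample vault: the steak passphrase reused on two sites.
SAMPLE_VAULT = {
    "email": "I love $0.99 steaks! Yum yum",
    "forum": "I love $0.99 steaks! Yum yum",
    "bank": "This1sACr4zyPassword!46528",
}
```

The two entropy figures make the trade-off visible: a five-word passphrase from a 7776-word list carries about 65 bits but is memorable, while a 20-character random string carries about 131 bits and is not, which is why the memorable one goes on the manager and the generated ones go everywhere else.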
Multifactor Authentication
A password, or passphrase, is only as good as its secrecy. Anyone who knows it can pass the challenge. Multifactor authentication (sometimes called two-factor authentication, MFA, or 2FA) helps mitigate this risk by adding additional requirements (“factors”) to the process. Very generally, these are broken down into three domains: what you know (passwords, etc.), what you are (fingerprints, retina scans, etc.), and what you have (authenticators). So, to use a very common example, you can think of an ATM card as a two-factor challenge. You need to have the card (what you have) and know the PIN (what you know) to access the account.
The easiest and most common way to enable MFA is to use an authenticator. An authenticator is a device that, using magic*, is able to show six seemingly random digits that the MFA system can predict. This number changes regularly, and only the appropriately provisioned authenticator can produce the right one. Being able to enter the number shows you are in possession of the authenticator (what you have) and adds another factor to the password (what you know). This removes the risk of someone else knowing your password (it’s no good without the authenticator), as well as the risk of losing the authenticator (it’s no good without the password).
* OK, not really, but it’s easier this way.
Security Questions
But what about loss of the authenticator? Or forgetting the password? Sometimes you need to answer security questions. Which means remembering how you phrased where you met your second girlfriend, or which cousin you said was your favorite five years ago. Which brings us to another of those life-changing ideas: security questions aren’t a quiz. You don’t have to answer them correctly, just consistently. A security question is just a prompt, so what if you use it as a code that tells you exactly what to answer? Instead of honestly trying to answer the questions, you just reply with, say, the third word of the question.
Q: What street did you grow up on? A: did
Q: What was your mother’s maiden name? A: your
It’s easy to remember. It’s hard to guess. It disconnects the answer from any information someone other than you has access to.
Summary, and so what?
In conclusion, the digital age has bestowed upon us a world where our personal and professional lives are increasingly intertwined with the online universe. The keys to our digital kingdom, passwords, are the guardians of our online presence. Yet, too often, they are neglected, leading to vulnerabilities that can have dire consequences. The use of password managers and the practice of strong password hygiene are not just recommendations; they are essential habits for safeguarding our digital identities.