Your super clever password is failing you

Do you have an @yahoo account? If you do, hopefully you’ve been paying attention the last few days. In which case, delete your account and create a Gmail account. Then finish reading this article.

Or finish reading this first then create the account. Up to you…

Yahoo has reported that in 2013 1 billion accounts were hacked [1]. Oh, you didn’t get the memo? Well, neither did anyone else. But Yahoo knew all about it.

The major problem with these hacking reports is that someone now has your email address and password. And what that really means is that 12345 is in fact the stupidest password ever. Only an idiot would use that combination! Thank you, Dark Helmet.

But what sucks more is when your stuff is stolen. I just watched a video about a guy in the Netherlands who deliberately had his phone stolen to find out what happens afterwards [2]. He was clever enough to put a special app on the phone that let him record audio and video remotely. If you don’t mind subtitles and have 20 minutes to kill, I recommend watching it.

So, what can we do to prevent hacking and theft? Truth be told, nothing: it’s always going to be a risk we have to acknowledge and be aware of. But we can make it harder for people to get at our stuff.

I’m not talking about making your passwords into some unintelligible string of characters like LKHJg(&(uuh(* because who is ever going to remember that? You’d have to write it down on a post-it note and stick it to your monitor (yeah, I’m onto you). I get this unnerving feeling whenever a website demands I use a password like that. Is it hard for a human to figure out? Yes. Is it hard for a computer to figure out? Nope. And it’s super hard to remember.

The only thing worse than those ridiculous password combinations is security questions. With a persistent Google search and some social media scouring you can find any information you want about anyone, as long as you’re willing to pay for it. It’s frightening. Those security questions could be bypassed in seconds and your password reset.

Now what? Enter 2-factor authentication.

Here’s a great explanation, and I can’t even take credit for it because I found it on Reddit (so we all know it to be de facto) [3]:

Factors of authentication describe fundamentally different ways you can prove you are who you say you are. There are three classic factors: something you know, something you have, and something you are. The classic examples of them are a password, a key, and a fingerprint, respectively.

The three classic factors have some pretty different properties. Something you know can be copied without your knowledge, but not physically lost and found. Something you have can’t be easily copied without your knowledge; it takes a physical theft to get it (in theory). Something you are is supposed to be hard to forge, but it may be easy to get.

Two-factor authentication uses two of these factors. The idea is that it should be harder to steal two different factors than steal one. For instance, if you need to use a key and enter a code to get in a house, someone who nicks your key can’t get in, and neither can someone who saw you enter the code. You need two different kinds of attack to get in.

The most common kind of two-factor uses something you know (a password) and something you have (a smartphone app, a fob, etc.). The idea here is that someone needs to both steal your phone/fob and your password to enter your account. If you type your password into a computer with a keylogger, the attacker can’t use the stolen password — he doesn’t have your phone. If someone steals your phone, they can’t access your account without the password.

Two-factor does not include a password and “security questions”: those are both something you know. One attack could easily capture both; it’s much harder for an attack to simultaneously capture two factors.

So here’s how it works: when you enter your password, the system also requires a PIN that is sent to your mobile phone via text message. Simple and easy. If you’re like me and your phone is rarely more than an arm’s reach away, your accounts are always safe. My recommendation is two-fold…

  1. Use a better system for passwords. You’re better off stringing three or four random words together or using a phrase you can remember. Edward Snowden said this in an interview and, well, you might want to take his advice. Or at the very least use a password manager like 1Password or LastPass. Don’t reuse the same password on multiple websites.
  2. Find out if any of your accounts offer 2-factor authentication (also called 2-step). If they do, follow the instructions and set it up. Here’s a website to find which services offer it.
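To make the “two different kinds of attack” idea concrete, here is an added example (my own code, not from the post or from any service it mentions) of how a server checks both factors when the second factor is an authenticator-app code (TOTP, RFC 6238) rather than a text message. The shared secret is the RFC’s published test-vector secret and the salt and stored password are constructed for the demo; a keylogged password fails without the code, and a stolen phone’s code fails without the password.

```python
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret, not a real credential: the value the phone app
# and the server both hold after the QR-code enrollment step.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-demo-salt"  # constructed; a real server stores a random salt per user


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Slow salted hash so a leaked database does not hand out passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed stored record: a passphrase of random words, as the post recommends.
STORED_HASH = hash_password("correct horse battery staple")


def check_password(password: str) -> bool:
    """Factor one: something you know. Constant-time compare avoids timing leaks."""
    return hmac.compare_digest(hash_password(password), STORED_HASH)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_login(password: str, code: str, now: int, secret: bytes = DEMO_SECRET) -> bool:
    """Factor two: something you have. Both factors must pass; one window of clock
    drift either side is tolerated, which is the usual server-side allowance."""
    if not check_password(password):
        return False
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(secret, now + drift), code):
            return True
    return False
```

The drift loop is the one deliberate loosening: without it, a phone whose clock is a few seconds off would be rejected at every window boundary.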

I have barely scratched the surface of internet security here. There is so much more to this discussion and I hope this has at least opened your eyes to the reality of our world.
