From Russia With Two-Factor Authentication Love


Posted on behalf of Scott Anderson, Quality Assurance Manager

Admit it. We’d all like to think we are the James Bond of strong passwords. In reality, the majority of us are the “James Bombs” of passwords. And not in a good way. The family pet’s name. Add a number and a special character slapped on the end of it and we’re tight as a drum! Sometimes a capital letter might sneak in there if push comes to shove via some password policy. Universal passwords for multiple accounts. Weak, universal passwords for multiple accounts. We’ve all been there and have been guilty of it at some point. In today’s ever-evolving world of cyber security, HIPAA and sensitive data, data breaches are becoming the norm. It is more important than ever to use strong passwords that are not vulnerable to wordlist and brute-force attacks. There are two issues in play. First is keeping track of multiple passwords. Second is keeping strong passwords that are random character/case strings. It is all getting to be too much! How does one deal with such information overload and still stay secure? The answer is two-factor authentication and LastPass!

Two factor authentication – such a necessary evil!

What is “Two Factor Authentication?”  Two-factor authentication (also known as 2FA) is a method of confirming a user’s claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

A good example of two-factor authentication would be utilizing an app such as “Authy” and coupling it with the authentication of, say, a client portal. After logging in to the client portal the customer must then authenticate via a second avenue. This is where Authy comes in. The application provides a temporary 6-digit PIN code on the user’s phone so the login to the client portal can be completed.

The beauty of this solution is that the 6-digit code is temporary and is delivered to the user’s phone. The majority of people always have their phone with them. This way, if an email address is compromised, the “dual authentication” can mitigate a hacker being able to reset passwords or gain access to the client portal illegally.

What about this LastPass thing? LastPass is a password manager that allows a user to store insanely complex passwords for different accounts that can be filled in automatically or configured for automatic logins. Another neat feature of the LastPass software is its password generator function. When paired with Active Directory this can be quite a powerful tool to keep users secure. Yes, every time I try to connect to a network that is not my domain I have to perform the two-factor authentication waltz, but it’s a necessary evil that is just about required nowadays. Granted, this software is not free, but any investment in LastPass will pay for itself by preventing just one data breach.

Password Tips

Has 12 Characters, Minimum: You need to choose a password that’s long enough. There’s no minimum password length everyone agrees on, but you should generally go for passwords that are a minimum of 12 to 14 characters in length. A longer password would be even better.

Includes Numbers, Symbols, Capital Letters, and Lower-Case Letters: Use a mix of different types of characters to make the password harder to crack.

Isn’t a Dictionary Word or Combination of Dictionary Words: Stay away from obvious dictionary words and combinations of dictionary words. Any word on its own is bad. Any combination of a few words, especially if they’re obvious, is also bad. For example, “house” is a terrible password. “Red house” is also very bad.

Doesn’t Rely on Obvious Substitutions: Don’t use common substitutions, either — for example, “H0use” isn’t strong just because you’ve replaced an o with a 0. That’s just obvious.

Try to mix it up — for example, “BigHouse$123” fits many of the requirements here. It’s 12 characters and includes upper-case letters, lower-case letters, a symbol, and some numbers. But it’s fairly obvious — it’s a dictionary phrase where each word is capitalized properly. There’s only a single symbol, all the numbers are at the end, and they’re in an easy order to guess.

In the end, is all this additional security annoying? Yes, it is. Is it a necessary evil? Unfortunately, yes. Since nobody really knows what evil lurks in the hearts of mankind, the added security layers/policies will not be going away anytime soon. Please keep yourselves safe out there in cyber land.

Posted April 20th, 2017 (updated 2017-09-20) | Computer Security, Healthcare IT