Here is the continuation of the password security series. So you have a password manager, which has some serious advantages:
- You have secure passwords that are 12 to 20 characters long,
- made up of upper and lower case letters, numbers, and symbols,
- and random, containing no dictionary words or their leetspeak variants (like p@$$woRd).
- You can have a different password for every online account, stored away in an easy-to-use, easy-to-retrieve format.
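As an added illustration (not from the original post, and not any password manager's own code), here is a generator that enforces exactly that policy with Python's `secrets` module and rejects candidates that still contain a dictionary word once leetspeak substitutions like p@$$woRd are undone. The wordlist and substitution table are constructed, tiny stand-ins for the real thing; `entropy_bits` shows why a manager-generated password beats a human-chosen one: 16 characters drawn uniformly from the 94 printable ASCII symbols is roughly 105 bits.

```python
import math
import secrets
import string

# Constructed stand-in for a real dictionary; a manager would use a far larger list.
WORDLIST = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty"}

# Leetspeak substitutions undone before the dictionary check, so p@$$woRd is caught.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def contains_dictionary_word(candidate, wordlist=WORDLIST, min_len=4):
    """True if a wordlist entry of min_len+ letters appears in the normalised candidate."""
    normalised = candidate.lower().translate(LEET)
    return any(len(word) >= min_len and word in normalised for word in wordlist)


def meets_policy(candidate, min_len=12, max_len=20):
    """Length in range, at least one character from every class, no dictionary word."""
    return (min_len <= len(candidate) <= max_len
            and all(any(ch in cls for ch in candidate) for cls in CLASSES)
            and not contains_dictionary_word(candidate))


def generate_password(length=16):
    """Draw from a CSPRNG and reject-and-retry until the candidate meets the policy."""
    if not 12 <= length <= 20:
        raise ValueError("length must be between 12 and 20")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length, length):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string; the rejection step discards only a negligible fraction."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
    print("p@$$woRd1234 passes policy:", meets_policy("p@$$woRd1234"))
```

The rejection loop is what keeps the output uniform: rather than forcing one character of each class into fixed positions (which leaks structure), it draws the whole string at random and simply throws away the rare candidate that misses a class or spells a word.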
You can also store answers to challenge questions in your wallet. When the bank challenges you to name your third grade teacher, you can respond with “Mrs. Smith” or you can answer the challenge with a random string of characters stored in your password wallet. Look at the “notes” field (not from my real account or wallet).
Down there in the “notes” section, I will put the challenge question and its answer. I always use the “generate random password” feature to generate a random password and use that as the answer to the challenge question. Good luck guessing that, hacker bitches.
All of your passwords are secure in your encrypted password wallet. Or are they?
LastPass was recently hacked: a black hat used credentials stolen from a compromised employee to gain access to and download their entire database of encrypted user vaults. I’m not blaming LastPass for that one- it could have happened to any company, and to their credit, at least they came clean and let everyone know.
This created two problems for LastPass users, because once the black hats had the files there were two ways to get at what is inside them:
- They can try to brute force the master password offline, and nothing rate-limits them except the cost of the vault's key derivation. This is where a strong master passphrase works to your advantage: it buys you time. Note that changing your master password after the breach does nothing for the stolen copy, which stays encrypted under the old one; what matters is changing the passwords stored inside the vault before the attackers recover them. If you are smart, as soon as you learn of the breach, you change the most important ones first (bank and email accounts, then the others), and you change the master password too so the old one cannot be reused against your live account. By the time they have cracked the old vault, the passwords in it are already dead.
- Since the LastPass vault file doesn’t encrypt the website URLs, only the login, password, and notes, the black hat knows exactly which banks and services you use without cracking anything, and can run a targeted phishing attack similar to what was done to this Australian woman or this woman who was targeted by a man claiming to be a Chase fraud investigator. These attacks can be quite convincing.
To guard against someone compromising some or all of your passwords, you can use Multifactor Authentication (MFA). MFA is simply a second check, on top of the password, that the person accessing an account is the authorized user. The most common form is a code sent by SMS: you enter your password, then you get a prompt for a code or PIN that was texted to your phone number. Type in the code and you’re in. Simple, right?
The problem is that SMS isn’t a secure way to perform MFA.
This is because SMS messages rely on the security of phone networks and phone companies, and both, sadly, are notoriously easy to attack. An attacker does not even have to intercept anything: in a SIM swap, they talk the carrier's support staff into moving your phone number to a SIM they control, and from then on your MFA codes are delivered straight to them. Interception is possible too, because SMS is not end-to-end encrypted. While some text messages are encrypted user-to-user – think iMessages between iPhones or WhatsApp messages – an SMS is readable by the carriers and by any equipment on the path between them, so an attacker who gets into that path (the SS7 signalling network has been abused this way) can read the code. Even Microsoft is advising people to stop using SMS as a method of MFA:
“It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly-switched telephone networks (PSTN), and they are the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong authentication now – the authenticator app provides an immediate and evolving option.”
(Alex Weinert of Microsoft)
Don’t rely on just a password. Don’t rely on one password. There are tons of scammers out there who want access to your stuff. Keep it as secure as you can make it.
The authenticator app still relies on you being in possession of your cell phone, and in my opinion creates a single point of failure: the loss of your phone places both the password wallet and the means of MFA in someone else’s possession.
I don’t worry about the three letter agencies getting my stuff. If they want it, they are going to get it. They don’t need to steal my passwords, they aren’t going to spoof my phone, and they aren’t going to use my IoT devices to spy on me. You know what they are going to do? Present a national security letter to my bank, my employer, Google, my ISP, and anyone else they feel like, and the companies involved are going to tell them anything they want to know.
The purpose of the security I am writing about is protection from scammers who aren’t the government.
Still, there will be a future post on MFA, since this one is getting a bit long. On a side note, this series of posts represents my ongoing research into ways for securing my information. I tend to research and look into things that I am adopting. I figure that you can benefit from my research efforts.