Sunday, November 1, 2020

More Secure Than Your Password

Hackers break into corporate computer systems and release lists of usernames and passwords on the open web. Home PCs are vulnerable to malware, viruses and other tricks to access your personal, financial and private information. These have now become regular occurrences. The most common weakness in these types of hacks is the password. Passwords are a technology from a time when our computers were not inter-connected. The age of the password has come to an end. 
Here are some security technologies that, once implemented, will replace the traditional password.

Biometrics authentication is used in computer security as a form of identification and access control. It refers to using physical human characteristics and traits instead of a manually entered password. Examples include, but are not limited to, a fingerprint, palm print, facial recognition, retina pattern and even DNA. The products that allow client access will have biometric readers that interface with the host security system.

No one method of biometric security is said to do the best job of protecting system access. When you consider biometric security, you want to select a physical characteristic that is constant and does not change over time, and are also difficult to fake or can be changed on purpose. You also need to consider that some biometric security metrics are consider more invasive than others (e.g. DNA vs. facial recognition). Some methods take a lot of time to execute, such as a retinal scan which can take as much as 15-30 seconds. In addition, ethical use issues have been raised over some of the biometric security metrics. The details of the methods and issues will not be addressed in this post.

A fob, also called a key fob or token, is a small security hardware device with built-in authentication used to control and secure access to a network and data. Typically, the fob randomly generates an access code, which usually changes every 60 seconds. These one time use codes are the "password" used to validate system access, and they work as long as timing and code algorithm synchronization exists between the client's fob and the host authentication server.

Disconnected fobs are the most common type of security  fob, and do not have a physical connection to the client's computer. They use a built-in screen to display the generated authentication code, which the client manually enters via the keyboard. Bluetooth technology is also used as a disconnected fob.

Connected fobs must be physically connected to the client's computer. Authentication is automatically performed once a physical connection is made, eliminating the need for the client to manually enter the authentication code. Smart card technology is also used as a connected fob.

A "wearable" refers to a mobile device such as a cell phone or tablet computer. With wearable security, authentication is a 2-step process. The client enters an account identifier code via a keyboard. The security system then transmits a one-time use pass code to the client via a pre-registered email address, or device for an SMS (text message). Upon receipt of the pass code, the client enters that code via the keyboard. That code is not used again. Typically, the security system will accept the transmitted code only within a set period of time before the code expires. If the code expires before successfully entered, the client must request a new code.

In the Mean Time...
Until you implement stronger security measures, the first step in improving security is to have strong passwords. In SplashData's recently released list of worst passwords, the 2-time annual winner (or loser) of the most common (and therefore worst) password is "123456". Following that is "password". People continue to put themselves at risk by using weak, easily guessable passwords. Individuals and organizations must encourage the adoption and enforcement of stronger passwords.

Microsoft's tips for creating strong passwords are:
  • Is at least eight characters long
  • Does not contain your user name, real name, or company name
  • Does not contain a complete word
  • Is significantly different from previous passwords
  • Contains characters from each of the following four categories:
    • Uppercase letters
    • Lowercase letters
    • Numbers
    • Keyboard symbol characters (e.g. !@#$%, etc.)

For example, a password of "troubadours" is not considered very strong. A stronger choice would be "Trou8@d0Ur$".

I encourage you to leave a comment by clicking on "...comments" below...
David Schuchman