10.22.21 | by Lance Fogarty
The password policies that many institutions have required for well over a decade may no longer be suitable for protecting security. According to the Wall Street Journal, “The man who wrote the book on password management has a confession to make: He blew it.” His opinions quickly became the industry standard; however, that author, Mr. Burr, now states, “Much of what I did I now regret.”
Originally, Mr. Burr suggested that passwords be changed every 90 days. This is only one of the mistakes he regrets, since it led users to create “easy-to-predict passwords.” According to security experts from the SANS Institute, “Password expiration is no longer relevant. In fact, if you conduct a risk-based analysis, you will quickly determine that password expiration does far more harm than good and actually increases your risk exposure.”
Even Microsoft suggests that users only “reset your passwords once a year” for online accounts, unless they become aware of a security breach. Even a yearly reset is unnecessary when using properly generated random passwords, such as those provided by Chrome, Edge, and password management tools. In fact, Chrome, Edge, and other password managers monitor the Internet for any leak of the online passwords they manage.
The proper use of a password manager makes it simple to use different credentials for each online service. Password managers such as 1Password and Dashlane support an unlimited number of different credentials for online accounts as well as for the many apps we use on our smartphones. These tools also store secret questions, credit card information, and other private data securely.
For secret questions to remain secret, their answers need to be just as arbitrary as passwords. Tools such as Spokeo and BeenVerified provide vast amounts of personal information to their users. Additionally, scammers comb social media collecting even more. Currently, the only forms of supplementary verification that provide adequate and secure authentication are two-factor (2FA) or multi-factor (MFA) authentication.
2FA means combining something one knows with something one possesses. For instance, known information (login credentials, i.e. username and password) is combined with a possession (a code sent via email, text, smartphone authenticator application, or key fob). MFA extends 2FA and may additionally include biometrics, time, location, or other factors.
Password managers do not extend to filling in a computer's login password. Biometrics provide the strongest security, and many newer computers come with facial recognition and/or fingerprint scanning. Using biometrics still requires a PIN or password as a backup login method, and the same care should go into creating these as into any other password. Storing them in a password manager lets a smartphone provide access to them when needed.
Unfortunately, all the security measures above mean nothing if a hacker is allowed into a computer.