For computer security, the username and password are two fundamental pillars that we rely on. However, this simple scheme is also inherently flawed, because human nature leads us to choose short passwords that are easy to memorize. Experience has shown that forcing users to choose super long passwords is not very successful, as users tend either to forget them or to write them down somewhere in plain text. This article discusses solutions for when passwords alone are simply not secure enough.
Many of us store and upload more and more personal data to various cloud servers. For example, most of us use some kind of web mail service, and many of us also use some kind of cloud storage such as Dropbox or Google Drive. Clearly, as we are connected to the internet more and more often, the amount of data we choose to store in the cloud will also increase rapidly.
In most cases, the only thing that protects our personal data from being accessed by the rest of the world is something as simple as a string of letters, numbers and symbols, known as a password. Users who value security may choose passwords that are 16 characters long, while for the majority of us the passwords are significantly shorter, perhaps only 6 characters. In some cases, the worst short passwords are also derived from the user's personal life, making them even less secure.
Super long passwords are not always equal to high security
One may ask why the services handling sensitive information simply do not force everyone to use super long passwords, for example 16 characters. While it is indeed practically impossible to crack such a long password by brute force, humans have difficulty memorizing and handling such long passwords. In addition, since we are supposed to use different passwords for different services, it quickly becomes impossible to keep a large number of very long passwords in our heads.
Therefore, forcing very long passwords onto users could very well be counterproductive, as users will have to write the passwords down or otherwise store them in clear text or some other easily accessible form. If users do this and a hacker gets hold of the password stash, it is the same as someone getting the master key to all of your properties, and the damage immediately becomes severe.
Therefore, current solutions for enhancing security do not rely on very long passwords, but use other approaches instead.
Security enhancing login credential solutions
There are many different companies and services offering to enhance the security of user accounts. However, history and experience have shown some to be more feasible, and in particular more acceptable to users, than others. In the following, 3 such solutions are described.
2-step verification
2-step verification setup for Google products to enhance security.
With 2-step verification, an intruder must not only figure out the user's username and password but also have access to the user's phone, which of course makes the whole process much more secure. In addition, the method is not limited to phones: it can also be implemented on special hardware security dongles whose sole purpose is to receive codes from login servers, making the solution even more difficult to crack.
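As an added illustration of the server side of this flow (example code written for this article, not taken from Google or any product named here): once the password check has passed, the server issues a one-time code for out-of-band delivery to the phone or dongle, accepts it only once within its lifetime, and limits wrong guesses. The five-minute lifetime and three-attempt limit are assumed policy values.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: discard the code after three wrong guesses


class SecondFactorVerifier:
    """Second step of 2-step verification: issue a one-time code after the
    password check and accept it once, in time, with a bounded number of guesses."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested offline
        self._pending = {}     # username -> [code, expires_at, wrong_attempts]

    def issue_code(self, username):
        # six digits from a CSPRNG, zero-padded; the caller delivers it out of band
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [code, self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify_code(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False                     # nothing outstanding for this user
        code, expires_at, attempts = entry
        if self._now() > expires_at:
            del self._pending[username]      # expired: a fresh code must be issued
            return False
        # constant-time comparison so response timing reveals nothing about the code
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[username]      # single use: the code is consumed
            return True
        entry[2] = attempts + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[username]      # guess budget exhausted: discard the code
        return False


def login(verifier, username, password_ok, submitted_code):
    """Both steps must pass: the password check (done elsewhere) and the code."""
    if not password_ok:
        return False
    return verifier.verify_code(username, submitted_code)
```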
Password managers
Password managers are like safes and can be good if the master password is secure.
Clearly, the use of password managers can be dangerous for two reasons. The first, obvious reason is that if the master password is not secure enough, a hacker could very well crack that password and gain immediate access to all the services the user uses.
The second reason is that the user should really only install fully trusted password managers. It is not at all impossible to find fake password managers which appear to work but in reality transmit the stored passwords to a hacker or malicious individual. In addition, the password managers themselves need to be secure and robust enough that they cannot be exploited and "tricked" into revealing their database of stored passwords.
A short (and very incomplete) list of trusted and established password managers is given below.
Best recommended password managers
- KeePass: Available for Windows, Mac OS X, Linux, iOS, Android, Symbian, Windows Phone, and Blackberry. Open source and completely free. [Highly recommended password manager]
- 1Password: Available for Windows, Mac OS X, iOS, and Android. 30-day trial, single license fee is $49.99.
- Roboform: Available for Windows, Mac OS X, iOS, and Android. Free to use for up to 10 logins and $29.95 for the full version.
- LastPass: Available for Windows, Mac OS X, iOS, Android, Symbian, Windows Phone, and Blackberry. Free to use with an optional upgrade to Premium.
Hardware solutions
Hardware solutions can be thought of as a physical key that is required to log in to a service.
The main drawback with hardware solutions, however, is that they are not usually easily accessible to regular consumers, due to technical complexity and cost.