Best Authentication Practices
Authentication is one of the basic actions we perform day in, day out, often without giving it much thought because it is so ‘basic’. And yet, as is often the case in life, simple things can be among the most important building blocks on which other parts of a system depend, such as your security in the digital world.
A system is only as strong as its weakest link (the original saying is probably worded slightly differently, but you know what I mean). So it should come as no surprise that, according to a Verizon 2019 report, most data breaches are caused by weak, default, or stolen passwords.
If you would like to know what you can do to protect yourself from a security breach resulting from poor password hygiene, below are some useful tips.
1. Use a Strong Password
I am sure you have heard time and again that using a strong password is key, and yes, here it is again. If your password is too short or contains dictionary words, places, or names, it can be easily cracked through brute force, such as a dictionary attack (and replacing some letters with numbers has become such common practice that state-of-the-art cracking tools take it into account). The best way to come up with a strong password is to make it at least 12 characters long, so consider using a ‘passphrase’ made up of many words. One such concept encourages you to build the password out of three different words, which is easy to remember and at the same time unique to you. Some years ago, Edward Snowden shared his idea for such a passphrase in an interview: ‘MargaretThatcheris110%sexy’. Be creative! If you know words in different languages, mix them to come up with passphrases like no others!
2. Don’t use default passwords
How many of you have changed the password of your home Wi-Fi router after you started using it to connect to the internet? Or of any other internet-enabled device? If you still use a default password, change it right now! Many default passwords on internet-enabled devices are common knowledge and are a weak point in the security of your network and the digital resources on it.
3. Don’t reuse passwords
Another bad idea is to use the same password again and again. The main reason is that if one site you have an account with suffers a leak, a thief can easily gain access to your other accounts. Use a different password for each of your online accounts, and come up with especially strong passwords for your critical accounts such as your email, bank account, social media, etc.
4. Enable 2FA (Two Factor Authentication)
Authentication factors can be classified into three groups. The first is something you know: a password. The second is something you have: a token or a code generator. The third is something you are: biometrics. These days many companies such as Amazon, Google, or PayPal use 2FA when you log in to your account. Usually it takes the form of a text message containing letters or numbers which you must enter on top of your username and password when logging in. This is to prevent anybody who might have obtained your password (for example through phishing, malware, or a data breach) from being able to log into your account.
Setting it up is easy, as most providers offer this function now. You can do it either by providing your mobile phone number to receive text messages or by downloading an authenticator app onto your phone, then going to your account security settings and following the steps to enable 2FA. Next time you log in on a new device, you will be prompted for the code displayed in the app on your phone (the app works without an internet connection, and the code usually changes every 30 seconds).
When enabling 2FA, opt for app-based codes or a hardware token if the provider supports them. There are several reasons for this. Firstly, text messages are susceptible to several common threats, such as SIM-swapping and interception. They also depend on signal quality and can sometimes be delayed beyond the point of being useful. Secondly, you have no guarantee of how securely your phone number will be stored or what else it will be used for.
5. Keep backup codes safe
When you enable 2FA you will usually be given several codes that you can use if your second factor (for example your phone or token) is lost, broken, or unavailable. Keep these codes somewhere safe to prevent loss or unauthorised access.
6. Sign up for Breach Alerts
Should a website or a service suffer a significant data breach, the leaked data often ends up on the internet. There are several websites that harvest these leaked records and allow you to search for your email address to check if your data was exposed in a breach. Examples of these sites are Firefox Monitor, Have I Been Pwned, and Breach Alarm. They allow you to sign up for monitoring and will notify you if your email address appears in any new data sets. This is useful because it lets you change your passwords as soon as possible when it happens.
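The breach-lookup services above also let you check whether a password itself appears in leaked data, and the interesting part is how that can be done without sending the password anywhere. The following is an added example in Python, not code from the original post: it models the k-anonymity "range" protocol used by Have I Been Pwned's Pwned Passwords service (the client sends only the first five hex characters of the SHA-1 of the password and matches the rest locally). The range response here is constructed inline so the example runs offline; `fetch_range` is a stand-in for an HTTP call to the real service, and the breach count attached to the sample password is made up.

```python
import hashlib


def sha1_hex(password):
    """SHA-1 of the UTF-8 password, upper-case hex, as the range protocol expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Only the 5-character prefix leaves the client; the 35-character suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict of {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how many times the password was seen in breach data (0 = not found).
    `fetch_range(prefix)` must return the text body for that hash prefix; the
    full hash and the password never leave this function."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed range responses keyed by prefix. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6; the
# other suffixes and all counts are invented for the demo.
FAKE_RANGE_DATA = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",
        "0000000000000000000000000000000AAAA:7",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",
    ]),
}


def fake_fetch_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return FAKE_RANGE_DATA.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "MargaretThatcheris110%sexy"):
        n = breach_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in the sample data'}")
```

The design point is the asymmetry: the service learns a prefix shared by roughly one in a million hashes, while the client does the exact match itself. A client that sends the whole hash (or the password) would turn a safety check into a new leak.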
7. Shield your password / PIN
This is something you might not be thinking of but when typing your passwords in public places, ensure you are not in direct line of sight of a CCTV camera and that no one is able to see over your shoulder. Cover your passwords or PIN while you type, and do not reveal any plain text passwords on the screen.
8. Update critical passwords periodically
Provided your passwords are strong and unique, changing them once a year for your security-critical accounts should be sufficient to stay ahead of the game in case of database leaks and breaches, which are becoming more common these days.
9. Don’t save your passwords in browsers
Most browsers nowadays will offer to save your credentials when you log into a site. Don’t allow this, as the stored credentials are not always encrypted and could allow a third party to gain access to your accounts. Use a dedicated password manager to store your passwords instead.
10. Use private/incognito browsing option
When using a browser always use the private/incognito option in your browser. This will prevent it from logging any of your authentication information or browsing history. This is especially important when using public or other people’s computers.
11. Password hints
Some sites allow you to set password hints. Often the answers are very easy to guess. In cases where password hints are mandatory, use random answers and record them in a password manager.
12. Never answer online security questions truthfully
If a site asks security questions (such as place of birth, mother’s maiden name, first car, etc.), don’t provide real answers. It is a trivial task for attackers to find out this information online or through social engineering. Instead, create a fictitious answer and store it in your password manager.
13. Don’t use a 4-digit PIN
Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or a much longer PIN. Numeric-only codes are easy to crack: a 4-digit PIN has 10,000 combinations, compared to 7.4 million for a 4-character alphanumeric code.
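Items 1 and 13 both come down to the size of the space an attacker has to search, and to the fact that cracking tools undo tricks like replacing letters with digits before comparing against a dictionary. The following added example (my own Python, not from the original post) puts numbers on that: it computes keyspaces and entropy for different alphabets and lengths, normalises common leet substitutions before a dictionary check, and gives a simple assessment along the lines of the advice above. The leet mapping and the six-word dictionary are constructed for illustration; real wordlists run to millions of entries.

```python
import math
import string

# Constructed leet mapping: the substitutions a cracking rule set would undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed mini dictionary for the demo.
DICTIONARY = {"password", "welcome", "dragon", "london", "summer", "qwerty"}


def normalize_leet(pw):
    """Lower-case and undo digit/symbol-for-letter substitutions, so that
    'P4ssw0rd' is compared against the dictionary as 'password'."""
    return pw.lower().translate(LEET)


def dictionary_hits(pw):
    """Dictionary words that appear inside the normalised password."""
    norm = normalize_leet(pw)
    return sorted(w for w in DICTIONARY if w in norm)


def alphabet_size(pw):
    """Size of the smallest standard character set the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 punctuation characters plus space
    return size


def keyspace(alphabet, length):
    """Number of candidates for a uniformly random code of this shape."""
    return alphabet ** length


def entropy_bits(pw):
    """Upper bound in bits, assuming every character was chosen at random."""
    return len(pw) * math.log2(alphabet_size(pw))


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a given guessing rate."""
    return space / guesses_per_second


def assess(pw, min_length=12):
    """Flag the weaknesses the advice above warns about: too short, or built
    from a dictionary word even after leet substitutions."""
    hits = dictionary_hits(pw)
    length_ok = len(pw) >= min_length
    return {
        "length_ok": length_ok,
        "dictionary_hits": hits,
        "bits": round(entropy_bits(pw), 2),
        "weak": (not length_ok) or bool(hits),
    }


if __name__ == "__main__":
    rate = 1e9  # constructed guessing rate for an offline attack, guesses/second
    for label, alphabet, length in [("4-digit PIN", 10, 4),
                                    ("4-char letters only", 52, 4),
                                    ("4-char letters+digits", 62, 4),
                                    ("12-char printable", 95, 12)]:
        space = keyspace(alphabet, length)
        print(f"{label:24s} {space:>28,d} candidates, "
              f"{seconds_to_exhaust(space, rate):.3g} s at {rate:.0e}/s")
    for pw in ("1234", "P4ssw0rd!", "MargaretThatcheris110%sexy"):
        print(pw, assess(pw))
```

Two things the output makes visible: `P4ssw0rd!` looks like nine characters from a 95-symbol alphabet (about 59 bits if random) but collapses to a single dictionary word once the substitutions are undone, while the long passphrase passes the length rule comfortably. The entropy figure is only an upper bound for human-chosen passwords, which is exactly why the length and dictionary checks are the ones that matter.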
14. Avoid biometrics password substitutes
Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored hash. Although it is convenient, there are numerous ways to fool your device and gain access, for example through digital photos or reconstruction from CCTV footage. In addition, in some jurisdictions, such as the USA, biometrics are treated differently from an alphanumeric password in the eyes of the law. So it can be legal to force you to unlock your device if it is protected by biometrics such as your fingerprints, a retina scan, voice recognition, or face recognition.
15. Consider an offline password manager
An encrypted offline password manager will give you full control over your data. The drawback is that it might be slightly less convenient, and it will be up to you to back it up and store it securely.