“…How strong, long, and complicated your password is almost never matters in the real world. The most common type of password attack is credential stuffing, which uses passwords stolen in data breaches. It works because it's so common for people to reuse the same password in two places, and it is completely unaffected by password strength.
“The next most common attack is password spraying, where criminals use short lists of very simple passwords on as many computers as possible. In both situations a laughably simple but unique password is good enough to defeat the attack.
“There are rare types of attack—offline password guessing—where a strong password might help, but the trade-off is that strong passwords are far harder for people to remember, which leads them to use the same password for everything, which makes them much more vulnerable to credential stuffing.
“Notebooks are a really good, simple solution to the password reuse problem, but for years people were ridiculed for using them. Password managers are also a good solution but they are much harder to use than notebooks and a majority of people don't use them, and don't trust them, despite years of positive press and advocacy…
“I would instead focus my energy on getting you to do one thing that really can transform your password security, which is using two-factor authentication (2FA):
“My password advice is this: Set up 2FA.
“To explain why: Your Pa$$word doesn’t matter.
“Based on our studies, your account is more than 99.9% less likely to be compromised if you use 2FA. 2FA defeats credential stuffing, password spraying, AND password reuse, AND a bunch of other attacks…
“2FA just means ‘do two different things to prove it’s you when you log in.’ One of those things is almost always typing a password. The other thing is often typing a six-digit code you get from your phone, but it might also be responding to a notification on your phone or plugging in a hardware key (a small plastic dongle that plugs into a USB port and does some fancy cryptographic proving-its-you behind the scenes).
“2FA is very widely supported, and any popular website or app you use is likely to offer it. In an ideal world, those sites and apps would take responsibility for your security and just make 2FA a mandatory part of their account setup process. Unfortunately, we don’t live in an ideal world, and the tech giants that know better than anyone else how much 2FA can protect you have left it for you to decide if you need it…
“If you have a choice, the best form of 2FA is a password and hardware key, but you’ll need to buy a hardware key. They are worth the small investment and not nearly as intimidating as they can seem.
“If you aren’t ready for that, the next best form of 2FA uses an app that prompts you with a notification on your phone. Next best after that is 2FA that uses a code from an app on your phone, and the least good version of 2FA uses a code sent over SMS.
“However, don't let anyone tell you any form of 2FA is "bad." It's all relative. Adopt any one of them and you can safely ignore the rest of the password advice you were probably ignoring already. To help you get started, here are links to the 2FA setup instructions for the five most visited websites”:
- Google 2-step verification
- YouTube 2-step verification (the company, owned by Google, uses the same process above)
- Facebook two-factor authentication
- Twitter two-factor authentication
- Instagram two-factor authentication
-Mark Stockley, Malwarebytes