“…How strong, long, and complicated your password is almost never matters in the real world. The most common type of password attack is credential stuffing, which uses passwords stolen in data breaches. It works because it's so common for people to reuse the same password in two places, and it is completely unaffected by password strength.
“The next most common attack is password spraying, where criminals use short lists of very simple passwords on as many computers as possible. In both situations a laughably simple but unique password is good enough to defeat the attack.
“There are rare types of attack—offline password guessing—where a strong password might help, but the trade-off is that strong passwords are far harder for people to remember, which leads them to use the same password for everything, which makes them much more vulnerable to credential stuffing.
“Notebooks are a really good, simple solution to the password reuse problem, but for years people were ridiculed for using them. Password managers are also a good solution but they are much harder to use than notebooks and a majority of people don't use them, and don't trust them, despite years of positive press and advocacy…
“I would instead focus my energy on getting you to do one thing that really can transform your password security, which is using two-factor authentication (2FA):
“My password advice is this: Set up 2FA.
“To explain why: Your Pa$$word doesn’t matter.
“Based on our studies, your account is more than 99.9% less likely to be compromised if you use 2FA. 2FA defeats credential stuffing, password spraying, AND password reuse, AND a bunch of other attacks…
“2FA just means ‘do two different things to prove it’s you when you log in.’ One of those things is almost always typing a password. The other thing is often typing a six-digit code you get from your phone, but it might also be responding to a notification on your phone or plugging in a hardware key (a small plastic dongle that plugs into a USB port and does some fancy cryptographic proving-its-you behind the scenes).
“2FA is very widely supported, and any popular website or app you use is likely to offer it. In an ideal world, those sites and apps would take responsibility for your security and just make 2FA a mandatory part of their account setup process. Unfortunately, we don’t live in an ideal world, and the tech giants that know better than anyone else how much 2FA can protect you have left it for you to decide if you need it…
“If you have a choice, the best form of 2FA is a password and hardware key, but you’ll need to buy a hardware key. They are worth the small investment and not nearly as intimidating as they can seem.
“If you aren’t ready for that, the next best form of 2FA uses an app that prompts you with a notification on your phone. Next best after that is 2FA that uses a code from an app on your phone, and the least good version of 2FA uses a code sent over SMS.
“However, don't let anyone tell you any form of 2FA is “bad.” It's all relative. Adopt any one of them and you can safely ignore the rest of the password advice you were probably ignoring already. To help you get started, here are links to the 2FA setup instructions for the five most visited websites:”
- Google 2-step verification
- YouTube 2-step verification (the company, owned by Google, uses the same process above)
- Facebook two-factor authentication
- Twitter two-factor authentication
- Instagram two-factor authentication
- Mark Stockley, Malwarebytes