Surviving The Password Apocalypse, part 2

It's been 10-ish years since I first wrote the post about password security. A lot has changed since then, but a lot has stayed the same.

Yes, all the old rules still apply (no short passwords, no words from the dictionary, don't reuse passwords, etc.), but now there are new recommendations: 2FA/MFA, password managers, and authenticator apps.

Multi-factor Authentication has several implementations: texting you a code, sending you an email, calling you, or sending a message to an app on your phone.

The type of MFA you are probably most familiar with is called "2FA" or Two-Factor Authentication; this is where a website texts you a code to verify your identity. The problem with this is that a criminal can hijack your phone's SIM card, or take over your phone account (by convincing the customer service rep at your phone store that you want to swap out your SIM card), and then those text messages go to them and not you. Since this attack is against the customer service person at your phone store, and not just your password, it can affect your email as well, so email isn't a reliable second factor either.

The best way to secure your accounts against attacks, even where the bad guy has access to your text messages, is to use an authenticator app on your phone. This is where the website you are logging into sends a code over the internet to the app on your phone, instead of sending it to your texting app.

MFA (Multi-factor Authentication) is where more than one way to communicate with you (a "factor") is used. The term is also used interchangeably with 2FA, which can sometimes be confusing.

A password manager is a program on your computer or your phone, or both. It stores your passwords so you can autofill password fields without having to type them. The better ones offer to create secure passwords for you, which the app will then remember for you. These generated passwords often look bizarre, because they are; if you can pronounce a password, it isn't as strong as it should be.

Password managers come in both free and paid versions. I use a free version because it suits my needs; your needs may be different, so look at what the paid ones offer and read some reviews about them.

And, if you want help figuring out these crazy new things, be sure to call me. I’m here to help.