Cyber 101 – Multi-Factor Authentication

With a new cyberattack reported every day, everyone is asking one question: how can I make sure I'm not next? Cyber 101 is a series of blogs focusing on the ultimate basics of cybersecurity. By applying these simple remediations, your networks and accounts will be on their way to defending against cyber actors.

Authentication Factors

Authentication relies on three kinds of factors: something you know, something you have, and something you are. The most common example of something you know is a password or passphrase, a value that should be known only to the user. Something you have is a physical object the user controls, such as a hardware token or an authenticator app on a smartphone; the proof comes from possessing the device (in practice, a secret stored on it that never has to be typed or remembered), so this factor cannot be guessed the way a password can. Something you are is a biometric, such as a fingerprint or face recognition, now routine on phones and laptops. A biometric is hard for a remote attacker to obtain, but it is not secret and cannot be changed once it has been copied or spoofed, so it works best for unlocking a device you already possess rather than as a standalone login factor.


Why Use Multi-Factor?

Multi-factor authentication has become common in recent years because it is relatively easy to roll out and sharply raises the cost of an illegitimate login. By requiring two or more factors, you remove an attacker's ability to take over an account with a single piece of information, such as a guessed or stolen password; they now also need the device that produces the second factor. A further benefit is that the second factor can have a very short lifespan. A time-based one-time code from a token or authenticator app is valid only for a short window (30 seconds per step by default for TOTP, RFC 6238), so a code that is intercepted is useless moments later. Asking users to change a password every thirty seconds is not feasible, but pairing a memorized password with a code that rotates that often achieves the same effect. One caveat a practitioner should keep in mind: a real-time phishing kit that relays both the password and the code to the real site within that window still succeeds, which is why phishing-resistant methods such as FIDO2/WebAuthn security keys are preferred over one-time codes for high-value accounts.
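To make the "short lifespan" point concrete, here is the time-based one-time code scheme those authenticator apps implement. This is an added example, not code from the Cyber 101 post: it implements RFC 6238 TOTP (RFC 4226 HOTP with a time-derived counter) using only Python's standard library and the RFC's published test key; the one-step drift window and the replay check via a stored last-used counter are design choices made here, not requirements stated on the page.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step: a code lives for at most one step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of whole steps since the epoch."""
    return hotp(secret, int(timestamp) // step)


def verify_totp(secret: bytes, submitted: str, timestamp: float,
                last_used_counter: int = -1, window: int = 1):
    """Server-side check.

    Accepts the code for the current step and `window` steps either side (clock drift),
    compares in constant time, and refuses any counter at or below the one last accepted
    so a code that was phished and replayed inside the window is rejected.
    Returns the matched counter (persist it as the new last_used_counter) or None.
    """
    counter = int(timestamp) // STEP_SECONDS
    matched = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate), submitted) and candidate > last_used_counter:
            matched = candidate
    return matched


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, which is what a user enrols in an authenticator app."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    # RFC 6238 Appendix B test key; a real deployment generates a random secret per user.
    secret = b"12345678901234567890"
    now = time.time()
    print("enrol this in the app:", provisioning_secret(secret))
    code = totp(secret, now)
    print("code for the current 30 s step:", code)
    print("accepted counter:", verify_totp(secret, code, now))
```

Generating the code is the easy half; the interesting part for a system owner is `verify_totp`: a code is only good for roughly one step either side of now, and once accepted its counter is burned, so the window that makes the factor usable for humans does not also make it replayable by an attacker.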

By requiring multiple authentication factors, system owners quickly make an illegitimate login far harder. Users should enable multi-factor authentication on any account that holds sensitive information or that can reset other accounts, with email and banking accounts first in line.

Cyber 101 – Password Requirements

Password Requirements: Do they work?

The odds are that at some point, you’ve had to battle your computer to find a password the system is willing to accept. So between requiring an ancient hieroglyph, the blood of a day-old fawn, and interpretive dance, why are password requirements so stringent?

Password requirements are built with two different principles in mind: complexity and uniqueness. By taking each of these principles apart, we can show why complex passwords matter in your environment.


Password Complexity

One of the more common methods used to recover passwords is the brute-force attack. In short, the attacker systematically tries every possible combination of characters until one works (a dictionary attack, covered below, narrows this to a list of likely candidates). By adding complexity requirements, you increase the number of possible passwords the attacker has to cover. Let's walk through three versions of the example password, "password," counting only passwords of exactly eight characters:

  1. If you have no requirements set, a user could simply choose "password." With eight lowercase characters (26 options per position), the range of possible passwords is 26^8, about 209 billion.
  2. If you require both an uppercase and a lowercase letter, you might end up with "Password." With 52 options per position the range is 52^8, about 53 trillion.
  3. Adding a requirement for a digit, you could use "Passw0rd." With 62 options per position the range is 62^8, about 218 trillion.

This demonstration shows how complexity enlarges the space a brute-force attacker must search. Two caveats matter in practice. First, the count only protects you if the password could really be any of those combinations; "Passw0rd" is near the top of every cracking wordlist, so its 218 trillion neighbours do it no good (the next section explains why). Second, length does more than character classes: going from eight to nine lowercase characters multiplies the space by 26, while adding a digit requirement to an eight-character mixed-case password multiplies it by only about four. A long passphrase of plain words beats a short string of mangled characters on both counts.

Password Uniqueness

Another standard method used to break into accounts is to reuse passwords exposed in other breaches. It is widespread for attackers to sell or trade lists of exposed passwords from earlier attacks. Many attackers take the most frequently used passwords across several of these lists and run the first several hundred (or, with cracking tools, millions plus transformation rules) against a known username or email address. In our previous example, you would expect "password," "Password," and even "Passw0rd" to be amongst the most frequent entries, because the rules such tools apply, capitalising the first letter, appending a digit, swapping "o" for "0", are exactly the ways users satisfy complexity requirements. Complexity rules therefore raise the theoretical range of passwords without guaranteeing that the chosen one is uncommon. The stronger control is to check each new password against a list of known-breached passwords and reject matches, and to steer users toward long passphrases, which are both unique and large in keyspace.
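The following script puts the two sections above side by side: the keyspace arithmetic from the complexity section, and a breached-list check from this section that undoes the same transformations cracking rule sets apply. It is an added example, not code from the Cyber 101 post. The ten-billion-guesses-per-second cracking rate is an assumed figure for illustration, and the "top leaked passwords" list is a constructed stand-in for the multi-million-entry lists attackers actually trade.

```python
import re
import string

# Character classes and their alphabet sizes; string.punctuation holds 32 symbols.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),
}

# Assumed attacker speed for an offline attack on a fast, unsalted hash; not a figure from the post.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Constructed stand-in for a breached-password list (hypothetical; real lists run to millions).
TOP_LEAKED = {"123456", "password", "qwerty", "letmein", "welcome", "admin", "iloveyou", "monkey"}

# Substitutions cracking rules apply, reversed so "Passw0rd" still hits the "password" entry.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover to brute-force passwords built like this one."""
    return sum(size for chars, size in CLASSES.values() if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Distinct passwords of exactly `length` characters over an alphabet of `alphabet` symbols."""
    return alphabet ** length


def hours_to_exhaust(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length and character mix."""
    return keyspace(len(password), charset_size(password)) / rate / 3600


def variants(candidate: str) -> set:
    """Undo a handful of common mangling rules to recover the base word a user started from."""
    lower = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lower)        # "password1!" -> "password"
    unleet = lower.translate(LEET)                    # "passw0rd"   -> "password"
    return {lower, stripped, unleet, stripped.translate(LEET), re.sub(r"[^a-z]+$", "", unleet)}


def is_common(candidate: str) -> bool:
    """True when the candidate, or the base word it was mangled from, is on the leaked list."""
    return any(v in TOP_LEAKED for v in variants(candidate))


def assess(password: str) -> dict:
    """Keyspace math and the leaked-list check for one password, side by side."""
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "keyspace": keyspace(len(password), charset_size(password)),
        "hours_to_exhaust": hours_to_exhaust(password),
        "on_leaked_list": is_common(password),
    }


if __name__ == "__main__":
    for pw in ["password", "Password", "Passw0rd", "P@ssw0rd!", "velvetoctopusbridge"]:
        print(f"{pw:22} {assess(pw)}")
```

Run it and the point of both sections falls out of the numbers: the three mangled forms of "password" each show a larger keyspace than the last, yet all are flagged by the leaked-list check, while the nineteen-character lowercase passphrase at the end passes the check and has a keyspace that dwarfs all of them.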

The next time you ask your user base to create an intricate password, this Cyber 101 post will hopefully help explain the reasons behind the requirements. An informed user base is an active user base, and that is the best hope we have of recognizing and preventing cyberattacks.