Cyber Authentication – Google Weak on Password Management Systems

by | Dec 13, 2012 | Cloud Security, Cyber Security, Cyber Warfare, Data Security, Identity Theft, Multifactor Authentication,, Online Security, Password Authentication, Password Management, Social Networking

When it comes to cyber authentication, the weakest link is the user.

Cyber authenticationCyber authentication is a hot topic in today’s world of Malware, Cyber Warfare, BYOD, Cloud Computing and Hackers. In a recent Google Password Management blog, “Google Password Management Tips To Increase The Security Of Your Accounts” they asked if your Gmail account is safe. They then give seven tips on how to improve password security. These tips, while basically correct, are so old and have been said ever since the first password was issued that they fail to address the real problem: the human element.

We all know the problems with passwords: there are to many, they need to be complex, IT makes you change them every 90-days, and we can’t remember them all. These Google tips should also be classified as: Policy, Technique, or Management. Security typically is weaker when people are expected to securely “manage” the  “techniques.” Finally, even if you followed all these Google tips you still will be vulnerable because of the password cracking tools and attacks being used. While some are saying that password security is dead. I full disagree since passwords are one of the fundamental cyber authentication methods. So let’s review these tip.

1-    Use a Unique Password for Every Account [Policy].

“It is very essential that you use unique passwords for all of your accounts, especially the ones that contain personal and sensitive information, e.g. online bank and email accounts. If you choose similar passwords for every account and the secret code from any one of the sites is stolen, all the accounts become susceptible to information theft.”

True, but how can you remember them all? This is where a password management system comes into play. But not all password management systems are the same. There are freebies, software only and ones that incorporate some find of hardware token like a smartcard, USB stick or a dongle with a constantly changing display. You have to pick the one that best fits your needs, habits and security requirements. However, I recommend you use one that includes a smartcard or secure USB device.

2-    Set Strong  Passwords [Technique].

“The higher the number of characters in a password, the greater is its strength and safer it is. If you choose to have a 10-character password (with only letters and numbers), chances are that it will be very difficult to be cracked.”

True, but this section should be “Set Long Passwords”. When it comes to passwords, size does matter. One attack method is for the Cracker to try try to guess your password (actually it’s a computer program that does this) called a “Brute Force Attack.” Length determine the possible number of combinations possible. With the computer power today, a password needs to be at least 10-characters long.

When Tip #2 is combined with #1, the password problem for the user starts to increase.

3-    Mix it Up: Use Letters, Numbers and Symbols [Technique].

“A password with a variety of characters including letters, numbers and symbols is the most difficult to guess. Moreover, use high and low case letters always helps. The possibility of variations in passwords greatly increases when you mix different characters, using only the lower case letters.”

True, but this needs to be combined with Tip #2. What is missing is that the password should mix the characters up randomly. Crackers have a tool called a “dictionary” which includes practically every known word, phrases and common character substitutions. Using a dictionary attack, CAT, CaT, cAt, c@t, etc. are all cracked instantly (ignore the length in this example since I’m only discussing character types).

The password problem just grew exponentially for the user by implementing these first three tips.

4-    Use a Phrase That Only You are Aware Of [Management].

“An easy way of creating a safe password is by using a phrase that only you know. For instance, while setting a password for your email account, take the first letters of every word in the phrase ‘Earl sends me two emails every day’, and use them to create a password. You can repeat this process for every site which requires a password.”

I always found this to be a stupid tip. If you follow the top three tips now you have to remember a different phrase for each site. That’s not much different than remember different passwords. Some people will try to put in the site’s name into the phrase but hackers know this and it is part of their dictionary. So don’t think you are cleaver with “ILuvGoOglE”, “ILuvMiCroSofT”, “ILuvWeLlsFargO”, etc..

5-    Keep Your Password Recovery Options Current and Secure [Management].

“To ensure that you can reset your code for when you have forgotten it, it’s critical that you regularly update your password recovery email address. Password reset codes can also be received via text message. Choosing a unique answer to the secret question also helps you verify your identity on the website, in case you forget your password. If the website gives the provision of creating your own question—try to come up with a question whose answer is only known to you.”

Unless you change or have multiple email accounts – oh boy, something more to manage – regularly updating email accounts won’t work. As for the the security challenge question you don’t have to answer honestly or use an answer that makes sense to the question asked. For example, say you’re asked the name of your first high school, you can answer with the name of your first pet. The answer to your mother’s maiden name is the town you were born in. You get the idea.

Why you need to do this is because of a little thing called social media profiles. Crackers and Identity Thieves are constantly looking over profiles to get more information on their marks. Think about all the information you have willingly given the Internet about who you are. And once entered it never goes away. Ask yourself this simple question: “Do I have any passwords or challenge answers that can be found in any of my profiles?” If you answered “Yes,” then stop reading this post and change all your passwords, NOW!

Hey, Big Brother isn’t watching you; your telling him everything in Tweets, Facebook, etc.

 

Cyber Authentication

Rule #4: The best way to keep a secret? Keep it to yourself. Second best? Tell one other person – if you must. There is no third best.

6-    Try to Keep Your Password Reminders in a Safe Place [Management].

“Try to avoid writing all your passwords in one file but still, if you decide to create a file with all your passwords in it—give it a very unique name. Avoid giving obvious names to the document. Another reliable solution is to use a password manager to ensure secure and efficient management of your passwords.”

Sorry, but this is another dumb tip. With Googke toolbar one can easily search the content inside a document no matter what you call it. I am willing to bet if you have such a document you have the word “password” in it, or at least the name of the site (Google, BofA, Citi, etc.) or the categories (bank, online shopping, email, etc.). Post-it Notes, Excel files, notes in your phone book are not considered safe places either. What is safer is a system where you don’t have to remember, type or know any of the passwords, and where every password is unique and strong. That is where a password management system that stores passwords away from the computer is better. Some products on the market will use smart cards, USB sticks, dongles, etc. The security is that they are stored away from the computer so others have a harder time accessing them.

If you do have such a document then the only security is to encrypt it, or at lease password protect the document. If you go with the encryption method, I would strongly suggest you encrypt the contents of the entire drive.

7-    Create Extra Measures of Security for Your Google Account [Technique & Management].

“Locking a door is good but having a guard at the door is even better. Similarly, adding a 2-step verification of your Google account adds an extra layer of security to it.

The 2-step verification integrates your phone with the logging-in process of your account. Hence, if by any chance, someone steals your password, access will not be possible as they won’t be having your phone.” [I wonder if they used the phone example because of their Android phones? I’m sure it’s just a coincidence.]

Another way of stating this is to use multi-factor authentication. There are three different components to cyber  authentication: Something you have (i.e. a phone, smart card, USB stick); Something you know (i.e. a password or Pin); and Something that is unique about you (i.e. fingerprint, facial, voice, iris, etc.). Using just one factor for authentication is very weak. That is why the combination of any two exponentially increases security. The ultimate is to require all three. The cost to do Three Factor Authentication is more affordable than you might think.

The phone strategy is not as great as you might think. What happens if you forget to charge your phone and you want to get on the Internet? What happens if your phone is stolen; and is the phone secured with a PIN? Does the phone carrier charge you for all the text messages with your log-on passwords? These are all consideration you need to answer.

Cyber Authentication Conclusions:

No security you implement will keep you 100% safe. If that were the case there would be no more burglaries in today’s world because we all have door locks, window locks and alarm systems. Security is really only capable of doing two things:

  • Helping you sleep at night.
  • Acting as a deterrent for armatures or those wanting to make a quick score.

If someone really want’s your stuff, information or accounts, they will get it. All you want to do is add enough barriers that encourage them to go somewhere else where it is easier.

There are many companies all trying to help with the password management system problem, including us at Access Smart. The truth is that no one single cyber authentication solution will work for everyone. The trick is to knowing your own habits to determine what is most comfortable for you. Statistics has shown that people will circumvent security for their own convenience. It is that habit that the crackers and identity thieves thrive on.

Security is important, there are many facets to it, and there are many scams being used to get your passwords. But here is a tip that won’t cost anything or require you to manage anything: Use your common sense. If it seems to good to be true, it probably is.

Please click LIKE if this was useful. It really helps me.