Is A Password Enough? A Closer Look at Authentication
Yahoo reported the theft of some 400,000 user names and passwords to access its website, acknowledging hackers took advantage of a security vulnerability in its computer systems.
LinkedIn, the Mountain View, California-based employment and professional networking site with 160 million members, was hacked and suffered a data breach affecting 6 million of its clients; it is now involved in a class-action lawsuit.
These sites did something wrong that allowed those passwords to get hacked. However, passwords themselves are too hackable. If multi-factor authentication had been used in these cases, the hacks might have been a moot point and the stolen data useless to the thief.
The password problem has two main parts. First, we are lazy with passwords. For example, regarding the Yahoo breach, CNET pointed out that:
2,295: The number of times a sequential list of numbers was used, with “123456” by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.
160: The number of times “111111” is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000” is used 71 times.
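The patterns in those counts (digit runs, reversed runs, one repeated digit, and a run with a few letters tacked on) are simple enough for a site to reject when a password is set. The following is an added example, not code from this article or from CNET; the function names, the four-digit minimum and the three-letter padding limit are assumptions, and the sample list is constructed.

```python
import re
from collections import Counter

MIN_CORE = 4      # assumption: shortest digit run worth flagging
MAX_PADDING = 3   # assumption: "a few letters" means at most three

def core_label(digits):
    """Name the weak pattern in an all-digit string, or return None."""
    if len(digits) < MIN_CORE:
        return None
    if len(set(digits)) == 1:
        return "repeated-digit"            # e.g. 111111, 000000
    # Step between neighbouring digits modulo 10, so ...7890 still counts as a run.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(digits, digits[1:])}
    if steps == {1}:
        return "sequential-digits"         # e.g. 123456
    if steps == {9}:
        return "reversed-sequence"         # e.g. 654321
    return None

def classify_weak(password):
    """Return a label if the password is a digit pattern, bare or with a
    few letters added at either end; return None otherwise."""
    m = re.fullmatch(r"([A-Za-z]*)([0-9]+)([A-Za-z]*)", password)
    if m is None:
        return None
    label = core_label(m.group(2))
    padding = len(m.group(1)) + len(m.group(3))
    if label is None or padding > MAX_PADDING:
        return None
    return label if padding == 0 else "padded-" + label

def audit(passwords):
    """Count how often each weak pattern appears in a list of candidates."""
    return Counter(lbl for lbl in map(classify_weak, passwords) if lbl)

# Constructed sample input, not taken from any breach data.
SAMPLE = ["123456", "654321", "111111", "000000", "123456a", "abc123456",
          "12345678", "1357", "Tr0ub4dor&3", "correct horse battery staple"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:32} -> {classify_weak(pw) or 'no digit pattern found'}")
    print(dict(audit(SAMPLE)))
```

A `None` result only means none of these specific patterns matched; it says nothing about whether the password is strong.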
Second, spyware, malware and viruses on a user’s device can easily record passwords, which means the username (often a publicly known email address) and password are easy to obtain from an infected device.
The numerous scams that entice users to cough up sensitive data are a proven con that works often enough to keep hackers hacking.
Multi-factor authentication, which your bank uses, is far better and more secure: it requires a username, a password and “something you have”—a personal security device separate from the PC.
While additional authentication measures might be a burden to some, they are a blessing to others who recognize how vulnerable their online accounts would otherwise be.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.