
The Password Dilemma

According to a Security Magazine poll conducted in May 2020, over 50% of users are likely reusing the same password across multiple applications, technologies, or services. In other words, it does not matter how strong your password is if one of the devices or services that holds it has weak built-in security and gives it up with little resistance. A reused password is only as safe as the weakest place it is stored.

A better approach is to use a different password for each technology or service. You can choose the strength of each password based on the importance of the data it protects. In other words, the password for a simple smart light switch application that stores no personal data, credit card, or other payment information can be simpler than the password for a banking application. As long as the passwords are genuinely different, and one is not a variation of another, this separation prevents a breach of one technology or service from exposing all of your credentials. Unfortunately, the downside of this approach is convenience: it is very hard to remember a multitude of truly different passwords, and variations of the same password defeat the whole purpose.

Without getting too far into the mechanics of password attacks: if someone already has one of your passwords, it is not much harder for them to try adding characters to it and discover the variations. You can find articles on the internet claiming that adding one extra special character or number makes your password some number of times stronger. This is not incorrect, but it assumes the attacker knows nothing about the password, and nothing about other passwords of yours that follow the same pattern. Think of it like a puzzle: the more pieces you have in place, the more the picture starts to make sense. If I know that you used admin123 on a site whose password list leaked onto the internet along with your email address, I can take that password, add some extra characters, such as admin123$$, and programmatically try the other likely possibilities. Password-cracking tools do exactly this with "mangling rules" (change case, append digits or symbols, swap letters for look-alike characters), so a known password plus a few hundred rules covers almost every variation a person would come up with.

Password managers are widely available and have become very popular; however, many of them store credentials in the cloud. Most claim to use strong encryption, but it is not always easy to verify how the data is protected in motion and at rest. In motion means while the data travels between the user's device and the cloud storage repository, in either direction. At rest means while the data sits in the storage repository in the cloud. The question worth asking a provider is whether the vault is encrypted on your device, with a key derived from your master password, before it is uploaded, so that the provider only ever holds ciphertext it cannot open.

Alternatively, you could use a password management application or service that does not store credentials in the cloud. These are not as common, but there are a few out there. One such application currently available for Android devices is BlackVault Password Manager. BlackVault offers the peace of mind that your credentials are always with you. If someone steals your device, you will know, because your device is missing.

As long as your device is secured with a strong passcode, or better still the biometric unlock available on most mobile devices today, you do not have to worry about your credentials being stolen without your knowledge. Keep in mind that on a phone, biometrics are a convenience layer on top of the passcode, so the passcode itself still needs to be strong. Devices can also be wiped remotely by the owner. It is important to keep your device safe and secure: jailbreaking the phone, or downloading applications from third-party sources other than the built-in marketplace, is not a good idea.

Side note, when downloading apps, watch the permissions that the app is requesting. For example, there is no reason for a calculator app to ask for access to your contacts list or your files and pictures.

The downside of applications like BlackVault is that the data is only available on the device where the application is installed. Because there is no cloud backup, if the device is lost, or something happens to it that renders it useless, all the information on it is lost. BlackVault does allow you to export all of your account credentials into a list that can be printed and stored safely offline; you could also just upload that list to something like Google Drive. Then again, a plaintext export sitting in a file-sharing account is protected only by that account's login, so if you are going to do that, you might as well use a password manager that encrypts its vault before storing it in a cloud data repository.

So what do you do?

Usually, the right answer is not one, but a combination of things that together give you the desired effect or outcome.

In my opinion, the right approach to password management is two-fold.

1. Use two-factor authentication whenever possible.

2. Create entirely different passwords, and use a password manager, for all the services or technologies where you cannot use two-factor authentication.

Two-factor authentication adds a second, dynamic factor to the sign-in process. This means that in addition to your username and password, you will be asked for another piece of data to complete the authentication process. This can be a time-based code generated by an authenticator app such as Google Authenticator, or a time-sensitive code sent by text message from the service provider at the moment of sign-in. Which one is best, text message or authenticator app? Opinions vary, but the authenticator app is generally preferred, because text messages can be intercepted by moving your phone number to an attacker's SIM (SIM swapping), whereas an app code never leaves your device. Both are far better than none.
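The "dynamic credential" an authenticator app produces is a time-based one-time password (TOTP, RFC 6238): a secret shared during enrollment, hashed with the current 30-second time step. The following is an added example written for this page, not code from the original post or from any authenticator vendor. It generates codes the way an app does, and verifies them the way a server should: tolerating one step of clock skew in each direction, comparing in constant time, and refusing to accept the same code twice. The shared secret shown is the RFC 6238 test-vector key (the ASCII string 12345678901234567890, Base32-encoded), chosen so the outputs can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret: b"12345678901234567890" in Base32, the encoding
# carried in the QR code an authenticator app scans at enrollment.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=30, digits=6):
    """What the authenticator app displays at Unix time at_time."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time, last_counter=-1, step=30, window=1):
    """Server-side check of a submitted code.

    Accepts the current time step and `window` steps on either side to absorb
    clock skew. `last_counter` is the time step of the last code this account
    successfully used; anything at or before it is rejected so a captured code
    cannot be replayed within its validity window. Returns the matching counter
    on success (to be stored as the new last_counter) or None on failure.
    """
    current = int(at_time) // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate, len(submitted)), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sign-in: the app shows the code at t=59, the server checks it at t=75.
    code = totp(RFC_SECRET_B32, 59)
    print("app displays:", code)
    accepted = verify_totp(RFC_SECRET_B32, code, 75)
    print("server accepts, counter:", accepted)
    print("replay of the same code:", verify_totp(RFC_SECRET_B32, code, 80, last_counter=accepted))
```

Two details matter more than they look. The comparison uses hmac.compare_digest rather than ==, so an attacker cannot learn digits of the right code from response timing, and the server remembers the last accepted time step so that a code phished or shoulder-surfed a few seconds ago is dead on arrival. Neither protects against a real-time phishing page that relays your code to the legitimate site within the same 30 seconds; only phishing-resistant factors such as hardware security keys close that gap.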

Another benefit of two-factor authentication is that the uniqueness of each password becomes less critical. Different passwords are still recommended: a reused password still exposes every account where two-factor authentication is not enabled, and an attacker who phishes your password and code together can still get in once. But with a second factor in place, a leaked password on its own is no longer enough to take over the account.

Cheers,

J.
