Sep 11, 2014

Passwords Aren’t Enough

The look in their eyes, their handshake, the tone of their voice, and all of the messages they’re sending with their body language: these are all part of the incredibly complex picture of recognizing who someone is, and ascertaining their intent.

For centuries, business transactions were conducted in person. The intermingling of computers, the internet, and business, however, has forced face-to-face interaction to take a backseat to digital forms of identification. The earliest answer to this has been the password.  Yet as password management, standards, and policies have evolved, it’s become clear that good passwords alone can’t protect you from today’s cyber threat landscape.

The hidden risks of passwords

We all have tons of passwords to maintain. Too many, even. You have one for your online banking, your email, your favorite ecommerce store, maybe your school website – they’re everywhere, and they all have different minimum requirements, different expirations and resets.

It’s all becoming very difficult to manage without either (1) using some kind of password manager or (2) using the same or a similar password for everything. Both are risky in their own ways. Password management tools like LastPass and KeePass are great, but using them requires a bit of awareness and auditing. The risk behind using the same password for everything is pretty self-explanatory. But even if you’ve created strong, separate passwords for all of your critical accounts, another weak link in the chain could compromise everything entirely.

For example, if you have a primary email account and all of your other accounts reset to that email, then the email account could be an instant-access gateway to all of your digital life. One solution? Use a secret email account, and never use it for anything but password recovery.

There’s lots of advice on good personal password practices, and some quick research will help you find what pieces of advice suit your needs. At a minimum, if you’re concerned about your passwords, I recommend taking a couple of hours over the weekend to audit or reset your most critical accounts for peace of mind.

Possible pitfalls of verification questions

We’re living in a digital social age, whether you choose to participate or not. Within the reach of just a few clicks, publicly gathered information can divulge what school you went to, what town you’re from, your birthday, your family members’ names, and that’s just the stuff automatically being collected. If you share a lot on social networking or social media, there’s a whole lot more that you’ve possibly told the world.

Unfortunately, this is exactly the kind of information that common “verification” questions request. Whether they’re part of resetting an online account or giving you access to tech support, these questions can’t protect you if you’ve already given away the answer. Even innocuous tweets like “RIP Fluffy, my first pet. Miss you forever.” can deliver your information straight into the hands of a malicious individual.


To combat these threats, you have a couple of options. You can try sharing less, keeping that critical information offline, or just being more aware of what you share. When that’s not an option, try picking verification questions with harder-to-guess answers, or, if you have the option, write your own question.

Where two-step verification can fall short

Two-step authentication has started to take off as an additional layer of security. You find it now in banking, in commercial applications, even on social media accounts. It typically means that at some point when you establish your account, you secure it by associating some token, simple or complex, with something physical that you have. It can be a chip on a card or even a system that sends a special PIN to your phone.

When available, you should set up and authorize two-step authentication on every account possible. Of course, where two-step verification can fall short is if you lose your phone. So it’s in your best interest to ask your service provider what other actions you can take if your phone’s been stolen or lost, and keep those instructions handy.

These two tenets of something you know (passwords or verification questions) and something you have (your phone) are major parts of the foundation of digital identity and are critical to digital transactions. You should, where possible, layer both of these elements on top of your passwords, since passwords alone are not enough, especially for your hosting infrastructure.


