February 2, 2013
News of stolen passwords being used to get into user accounts is once again making headlines around the world.
Twitter is the latest victim of stolen passwords, and it sounds like a broken record all over again. Amazingly enough, "only" about 250,000 Twitter passwords were compromised out of an estimated 200 million Twitter accounts. Still, the number of passwords compromised is staggering. To reassure Twitter users, Twitter's Director of Security recommends "…[to] use a strong password - at least 10 characters or more…". What difference does a "strong password" make once it has been stolen? Length only matters while an attacker is still cracking a stolen password hash; once the password itself is known, or is reused on another site, it is as good as the attacker's own.
Also this past week we learned that the New York Times was attacked and that the passwords of NYT employees were used to get into the email accounts of specific reporters. This news follows last year's events, when almost 6.5 million LinkedIn passwords were compromised and another 450,000 passwords were exposed at Yahoo. In both cases the companies recommended that their users "change their passwords".
People may dismiss these events, but consider this: the password someone uses at Twitter, Yahoo or LinkedIn may be identical to the one they use for other purposes, including online banking or access to a corporate network. One leak then opens every account that shares that password.
At Cyphercor we are of the opinion that passwords on their own are no longer a reliable way to protect an internet session or access to a personal or business account. Government and corporate organizations must have a plan to transition their users to multi-factor access control for online authentication. Multi-factor authentication mitigates the risk of a compromised password because the password alone is no longer enough to log in; making the password "stronger" or "longer" is not a mitigation strategy.
This is how we see the future of online authentication:
Two-factor authentication (2FA) will become mainstream
2FA should be easier to administer, deploy and use than a username and password, and more secure
Smartphones will become the universal 2FA device, the second factor people already carry
Organizations will standardize on BYOD (Bring-Your-Own-Device)
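To make the mitigation claim above concrete, and to show what "the smartphone as the second factor" means in practice, here is an added example (not Cyphercor's code, and not from the original post) of a minimal server-side login that requires the password plus a time-based one-time code, as in RFC 6238 TOTP, the mechanism behind most smartphone authenticator apps. The shared secret and the timestamps are the published RFC 4226/6238 test vectors, the password and user record are constructed for the demo, and all function names are ours.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what a smartphone authenticator app computes and displays."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the counter the code matches, or None. The current step and
    `window` steps either side are tried (phone/server clock drift), with a
    constant-time comparison so the check leaks nothing via timing."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), code.encode()):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the stored form of the first factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed server-side record. `last_counter` remembers the newest
    accepted code so an observed code cannot be replayed inside the window."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_counter": -1}


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated so the reply does not say which one
    failed. A stolen password alone cannot get past this function."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    counter = verify_totp(user["totp_secret"], code, unix_time)
    fresh = counter is not None and counter > user["last_counter"]
    if pw_ok and fresh:
        user["last_counter"] = counter  # burn the code: one use only
        return True
    return False


# Constructed demo data: the shared secret and timestamps are the RFC 4226 /
# RFC 6238 test vectors, so every code below is fixed and reproducible.
DEMO_SECRET = b"12345678901234567890"
DEMO_PASSWORD = "correct horse"          # assume this leaked in a breach


def demo() -> dict:
    """The scenarios a practitioner would want to see, in order."""
    user = make_user(DEMO_PASSWORD, DEMO_SECRET)
    t = 59                                # counter 1; the phone shows 287082
    return {
        # Attacker has the breached password but no phone: rejected.
        "stolen_password_only": login(user, DEMO_PASSWORD, "000000", t),
        # Legitimate user types the password and the code from their phone.
        "password_and_phone": login(user, DEMO_PASSWORD, totp(DEMO_SECRET, t), t),
        # Same code captured and replayed 5 s later: still inside the drift
        # window, but its counter is not newer than the last accepted one.
        "replayed_code": login(user, DEMO_PASSWORD, totp(DEMO_SECRET, t), t + 5),
        # Phone clock 30 s ahead of the server: the drift window covers it.
        "phone_clock_ahead": login(user, DEMO_PASSWORD, totp(DEMO_SECRET, t + 35), t + 5),
        # Correct code, wrong password: the second factor alone is not enough.
        "wrong_password": login(user, "wrong", totp(DEMO_SECRET, t + 61), t + 61),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s} {'ACCEPT' if accepted else 'REJECT'}")
```

The point of the demo is the first scenario: the leaked password, reused or not, gets the attacker nowhere without the device that holds the TOTP seed. The replay and drift scenarios are the two details real deployments most often get wrong, so they are included rather than left as an exercise.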