With so many online services on the rise, most people are overwhelmed by the number of credentials (usernames and passwords) they have to remember. Most users end up with bad habits around their passwords, which makes them easier to guess, but even if you have a good password, hackers can sometimes obtain it through phishing or other tactics.

The way to protect yourself from this is to use Second Factor Authentication.

Why aren’t passwords enough?

There are a multitude of reasons why passwords are not good enough, but it all comes down to one fact: what is easy for people to remember is easy for computers to guess, and what is difficult for a computer to guess is hard for people to remember.

In other words, if you try to come up with easy-to-remember passwords for all your online accounts, you’ll end up with passwords that follow patterns or are reused.

In 2019 the UK’s National Cyber Security Centre published a list of the most hacked passwords, among other statistics on security gaps [1]. Some worrying findings include:

  • 23.3 million victim [breached] accounts worldwide used 123456 as password.
  • Less than 50% of people use a strong, separate [not repeated] password for their main email account.

Combine these stats with the fact that stolen passwords are a common commodity traded on the dark web, and the picture becomes more troubling. Take as an example the recent case of the hacker known as Sanix, who was selling around 773 million stolen usernames and passwords before the Ukrainian police detained him in January 2019 [2].

So it becomes clear that people need to start using stronger passwords and stop reusing them across different online services. Yet we come back to the origin of the problem: it is difficult to come up with passwords that are hard to guess but easy to remember.

The simple solution to this problem is to use a password manager. It eliminates the need to remember passwords and at the same time generates strong, difficult-to-guess combinations for you to use on your accounts.

However, what happens if the password is stolen somehow? Then you can still protect yourself from hackers accessing your account by activating second factor authentication on top of your normal password.

What is Second Factor Authentication?

It is a type of authentication which uses two independent methods (factors) of verifying a user’s identity [3]. Put simply, you need to provide a password plus an additional, separate component to gain access to your account.

There are several types of authentication factors; to give some examples [4][3]:

Something You Know
Something only the user knows

  • Password
  • Personal Identification Number (PIN)
  • Mother’s maiden name (Security Questions)

Something You Have
Physical object the user has

  • USB stick
  • Smartphone
  • Token

Something You Are
A physical characteristic of the user

  • Voice
  • Fingerprint
  • Retina

Somewhere You Are
A location of the user

  • GPS signal

When performing second factor authentication, the user has to provide two of these factors. A common example is the combination of Something You Know (a password) and Something You Have (a phone that receives or generates a secret one-time code).

The limits of Second Factor Authentication

However, not all authentication factors are created equal. Certain mechanisms such as SMS or personal security questions are considered less secure than other options.

Hackers can obtain the secret codes sent by SMS by cloning SIM cards or by performing social engineering attacks against the phone carrier. The US National Institute of Standards and Technology (NIST) considers the risk of using SMS to be increasing, and doesn’t recommend using it as a second factor [5].

Secret questions, on the other hand, can easily be guessed by attackers who know some personal information about you; things like your mother’s maiden name, the street you grew up on, and the brand of your first car aren’t exactly secret. Malicious actors can dig this information out of social media or past leaks from other sites [6].

Moreover, even if you set up your account with a strong password and use a good second factor such as time-based one-time passwords [7] (Google Authenticator is one example of this type of authenticator), attackers might be able to circumvent the second factor altogether by using more sophisticated attacks.

A very recent example of this is the Twitter compromise of July 15, 2020 [8], where hackers were able to get administrative privileges on the Twitter platform by targeting “a small number of employees through a phone spear phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to [Twitter’s] internal systems” [9].

TL;DR: How to do “passwords” better

  • Stop remembering passwords yourself.
  • Use a password manager to generate and store passwords (good options are LastPass and 1Password).
  • Wherever possible, enable second factor authentication (check whether your favourite site offers 2FA on twofactorauth.org).
  • If possible, do not use SMS or secret personal questions as a second factor.

Further Reading

Article. List of “Most hacked passwords”.
By UK’s National Cyber Security Centre. Go to article.

Site. Check if you have an account that has been compromised in a data breach.
“have i been pwned?”. Go to site.

Article. Detailed explanation about authentication factors, advantages, disadvantages and other security implications.
“Multi-factor authentication”. Go to article.

Data Dump. Top 100,000 hacked passwords.
By NCSC, taken from Troy Hunt’s “Have I Been Pwned” data set. Go to list.

Footnotes and References

  1. Most hacked passwords revealed as UK cyber survey exposes gaps in online security. URL. Accessed: 2020-09-05.

  2. Brian Krebs. Ukraine Nabs Suspect in 773M Password ‘Megabreach’. URL. Published: 2019-05-19.

  3. Multi-Factor Authentication: What It Is and Why You Need It. URL. Accessed: 2020-09-07.

  4. Multi-factor authentication. URL. Accessed: 2020-09-07.

  5. NIST Special Publication 800-63B. Digital Identity Guidelines. URL. Accessed: 2020-09-07.

  6. Lily Hay Newman. Time to Kill Security Questions - or Answer Them With Lies. URL. Accessed: 2020-09-07.

  7. Time-based One-time Password algorithm. URL. Accessed: 2020-09-07.

  8. Brian Krebs. Three Charged in July 15 Twitter Compromise. URL. Published: 2020-07-31.

  9. Official Twitter Statement about July 15 compromise. URL. Published: 2020-07-30.