The SolarWinds breach was arguably the most significant computer hack of the decade. At least, of those breaches that we know of. Rather than jump straight into judgement and analysis, we wanted to watch as things unfurled and provide a balanced view with facts and clear thoughts later, rather than fast attention-grabbing reactions.
Hackers have spent well over 20 years stealing users’ passwords from internet companies.
They’ve almost certainly got yours.
The good news is it’s very easy to make your passwords useless to hackers. All you do is switch on Two-Factor Authentication (2FA).
2FA is a second login layer
It works much like the second lock on your front door. If someone’s stolen or copied your Yale key, that double-lock will keep them out.
A digital double-lock is now vital for protecting your online accounts – email, banking, cloud storage, business collaboration and the rest. It’s up there with anti-malware in the league of essential security measures. And it’s much easier to pick a 2FA method than choose the right anti-malware (our Anti-Malware Protection Reports can help you there).
So 2FA is essential, easy, and doesn’t have to cost a thing. It’s a security no-brainer. So how come hardly anyone uses it?
Join the one per cent elite!
Earlier this year, Google revealed that only 10 per cent of their users have ever bothered setting up 2FA. Just a fraction of those – we estimate around one per cent of all internet users – use the most secure type of 2FA, a USB security key.
In this article we’ll show you how to join that elite one per cent for less than £20. If you’d rather watch a step-by-step demo, here’s our YouTube video.
(This blog reflects the views and research of SE Labs, an independent security testing company. We never use affiliate links.)
Why everyone in your business should use 2FA
You’re not the only person who knows your usernames and passwords. Head over to Have I Been Pwned? and type in your email address to find out how many of your accounts have been hit by hacking attacks.
A quick (and scary) web search reveals how many times your passwords have fallen prey to hackers
While you’re digesting those results, here’s a sobering statistic. More than 90 per cent of all login attempts on retail websites aren’t by actual customers, but by hackers using stolen credentials (Shape Security, July 2018).
Nearly everyone has had their passwords stolen. But hardly anyone protects their accounts using 2FA. We’re all leaving our front doors unlocked.
And as hackers plunder more and more big-name services (as well as all those services you’d forgotten you had accounts with), the more chance they have to steal the passwords you use everywhere.
This is why you must never using the same password twice. Don’t be tempted to use a pattern to help you remember them, either (‘123amazon’, ‘123google’ and so on). Hackers decode that stuff for breakfast. We’re also not keen on password managers. They’re Target Number One for hackers.
Instead, store your passwords where no-one can find them (not online!) and deadlock your accounts using 2FA. It’s the only way to make them hack-proof.
Why a USB key is the best way to lock your accounts
The ‘memorable information’ you have to enter when logging into your online bank account is a watered-down version of 2FA. Hackers can easily create spoof login pages that fool you into handing over all your info, as demonstrated in our NatWest phishing attack video.
Proper 2FA methods are much tougher to crack. They involve more than one device, so a hacker can’t simply ransack your computer and steal all pertinent data. Without the separate device, your passwords are useless to them.
Use more than one 2FA method if offered. This double-locks your double-locks – and also gives you another way into your account if one method fails. See our 2FA YouTube video for a step-by-step guide to doing this for your Google account.
Here’s a quick run-through of your options, starting with the most basic.
Google prompt How it works: Tap your Android screen to confirm your identity. Pros and cons: Very quick and easy, but only works with Google accounts and Android devices. Useful as a backup option.
SMS code How it works: You’re texted (and/or voice-messaged) a PIN code to enter after your usual login. Pros and cons: Authentication is split between two devices. It works on any mobile phone at no additional cost. But it can be slow, and the code may appear on your lock screen.
Authentication app How it works: A free app, such as Google Authenticator, generates a unique numerical security code that you then enter on your PC. Pros and cons: Faster and more reliable than SMS, and arguably more secure, but you’ll need a smartphone (Android or iOS).
Authenticate your logins with a code that’s sent to your phone (and onlyyour phone)
Backup codes How it works: A set of numerical codes that you download and then print or write down – then keep in a safe place. Each code only works once. Pros and cons: The perfect backup method. No need for a mobile phone. A piece of paper or locally-stored computer file (with disguised filename) is easier to hide from thieves than anything online.
And the most secure 2FA method of all…
USB security key How it works: You ‘unlock’ your accounts by plugging a unique USB stick (such as this YubiKey) into your computer. Pros and cons: A whole list of pros. USB keys are great for business security, because your accounts remain locked even if a hacker breaches your phone. They’re convenient: no need to wait for codes then type them in. And they cost very little considering how useful they are. One key costs from £18, and is all you need to deadlock all your accounts. Buy one for all your employees – and clients!
Give a USB security key to all your employees and clients – their security (and yours) will benefit
Deadlock your Google account: a 2FA walk-through
Google lets you lock down your entire account, including Gmail and Google Drive, using multiple layers of 2FA (which it calls 2-Step Verification). It’s one of the most secure 2FA configurations you’ll find, and it’s easy to set up.
Here are the basic steps. For a more detailed step-by-step guide, see our YouTube video.
Go to Google’s 2-Step Verification page, click Get Started then sign into your account. Choose a backup 2FA method, click Security Key, then plug in your unique USB stick. Google automatically registers it to you.
Choose a second 2FA method such as SMS code, plus a backup method such as a printable code, Google prompt or authenticator app.
That’s it – welcome to the top one per cent!
Double-lock your double-locks by choosing more than one 2FA method – and a backup
Deadlock all your online accounts in minutes
All reputable online services now offer 2FA options. But, as you’ll discover from the searchable database Two Factor Auth, not all services offer the best 2FA options.
For example LinkedIn only offers 2FA via SMS, and doesn’t support authenticator apps or USB security keys – the most secure types of 2FA. Even Microsoft Office 365 doesn’t yet support security keys. We expect better from services aimed at business users.
What’s more, 2FA settings tend to be well buried in account settings. No wonder hardly anyone uses them. Here’s where to click:
Amazon: Go to Your Account, ‘Login & security’, enter your password again, and then click Edit next to Advanced Security settings.
Apple: Go to the My Apple ID page then click Security, Two-Factor Authentication.
Dropbox: Click the Security tab to set up SMS or app authentication. To configure a USB security key, follow Dropbox’s instructions.
Facebook: Go to ‘Security and login’ in Settings and scroll down to ‘Use two-factor authentication’. Click Edit to get set up.
LinkedIn: Go to Account Settings then click Turn On to activate SMS authentication.
Microsoft: Log in, click Security, click the ridiculously small ‘more security options’ link, verify your identity, and then click ‘Set up two-step verification’. Doesn’t yet support USB security keys. Some Microsoft services, such as Xbox 360, still don’t support 2FA at all.
PayPal: Go to My Profile then click My Settings, Security Key and then Get Security Key. Don’t accept the offer to get a new code texted to you every time you log in, because then a hacker can do it too!
TeamViewer: Go to the login page, open the menu under your name, click Edit Profile then click Start Activation under the 2FA option. Supports authenticator apps only, not SMS.
Twitter: Go to ‘Settings and privacy’, Security, then tick ‘Login verification’.
WhatsApp: In the mobile app tap Settings, Account, ‘Two-step verification’.
How do we solve the need for lots of strong passwords?
Mention password strength online and someone will usually reference the famous XKCD password cartoon. If you haven’t seen it, the idea is that the entropy of the password must be as high as possible, and that this can be adequately achieved by stapling together easily-remembered conjunctions of words rather than difficult-to-remember strings of meaningless symbols. Some commentators have since pointed out flaws in the logic behind that cartoon.
Entropy is a head-twisting concept. Put simply, it is a measure of the chaos, disorder or unpredictability something contains. In information theory, entropy can be calculated and boils down to how many unknowns there are in a piece of data.
Consider a game of hangman. At the beginning of the game, none of the letters are known. Because there are many different possibilities, we can say that the unknown word contains high entropy. As you reveal each letter, the entropy quickly drops because of the way the English language works. Q is usually followed by U, for example, and not P or S or J. After revealing surprisingly few letters, we can usually infer the full word and win the game.
Passwords need high entropy. There should be no relationship between letters, so that if one character becomes known, it does not compromise the rest. If someone shoulder surfs you and spots you typing something like “M4nch3st” and they know you’re a Manchester City or United fan from glancing at your coffee mug, then your carefully placed capital and number substitutions are all for naught.
Many people still think that strong passwords are required to protect from brute force attacks, but this is largely false. When cybercriminals want passwords, they either take them by the million using attacks such as SQL injections, or have people hand them over in phishing attacks. Because of this, we need lots of passwords to compartmentalise our lives into discrete blocks. Compromise one account and the others stay secure. Re-use them across accounts, and one key fits many locks.
There are lots of strategies for generating and remembering high entropy passwords. One successful technique is as follows:
1: Take a long line from a favourite book, play, song, nursery rhyme, whatever.
2: Take the initial letters from the words in the line and put them together.
3: Change vowels into numbers and other symbols, capitalise others.
Et voila! A long, high entropy password you cannot forget. Here’s an example based on an episode of a sitcom that came to mind just now quite by chance:
In the Fawlty Towers episode The Germans, the Major says something like: “I must have been keen on her; I took her to see India!”
The 13 initials in this phrase are: imhbkohithtsi
Changing some letters to symbols and capitalising others gives: !mHbK0H1ThTsI
The online password strength meters I tried claim this password is strong or even very strong. Someone would have to know you were keen on that episode of that sitcom, guess the exact line from it, and guess exactly how you’d mangled the initials to stand a chance of recovering the generated password.
Now do that for the dozens of sites you need to log into, even those sites you intend to use very little but for which you must still set up an account. Ideally, each password must be different and unrelated. It’s just not practical, is it? In fact, that sinking feeling you’re probably experiencing has a name: password fatigue.
We could just store all our passwords in our browsers and create a master password to protect them. But what if we want to log in from another laptop, tablet or phone? This problem has led to the rise of the password manager.
A good password manger needs to securely store all your passwords, and to sync across all your devices. It should automatically capture the passwords you enter as it goes, and should contain some nice-to-have features. For example, the option to generate random, very high entropy passwords would be good. Intelligent form filling would also be useful.
There are other potential advantages to password managers. Because they recognise the sites you visit, if you get taken in by a phishing email and click on a link to enter your password, the manager will not recognise it, and should fail to cough up the creds. If you’ve allowed the manager to generate random passwords that you never see, there’s no danger of you overriding it either.
I’m not going to recommend a single password manager, but you should check them out sooner rather than later. Instead I will point you to a comparison chart for you to make your own decision.
There are pros and cons to using password managers, however. Some people, like our own Simon Edwards, have argued that caution is needed. Last year, for example, cloud-based password manager LastPass was hacked and user data spilled (including security questions and encrypted passwords). Malware has also targeted local password managers such as KeepPass that do not use a cloud service.
Because of these weaknesses and attacks, passwords and password managers may not be enough. A good password manager also needs to feature 2-factor authentication. Biometric authentication would be even better as this is substantially harder to subvert.
Could localised pattern recognition solve the password crisis?
Getting answers nearly right could be a way to detect unauthorised access. Security shibboleths can detect the right, and wrong people.
In The Great Escape, a Gestapo officer wishes Gordon Jackson’s character “good luck” in English as he attempts to board a bus. In A Book About a Thousand Things, George Stimpson says that during WWII, US guards used the word “lollapalooza” to spot Japanese spies amongst Filipino allies.
SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.