Page 9 - Phoenix Vol 11 No 5

BILL FOX | Technology
Passwords Aren’t Enough
Good security is built in layers. LifeLock founder Todd Davis attracted a lot of attention in 2006 when he included his social security number in an ad campaign. He argued the layers of security that his service provided were so effective, the information was useless to criminals. Unfortunately, according to the Phoenix New Times, Davis subsequently had his identity stolen at least 13 times.
While it was a brilliant marketing approach, publishing confidential, personal data is never a good security idea. Only release this information to people who need to know it. It’s too important of a security layer to ignore. Similarly, one could argue that accounts protected by multifactor authentication are so secure that you could publish your password to the world and your account would remain secure. While there is some truth to this, never do it! Use strong, lengthy passwords and do not share them because it is an important security layer. However, additionally enabling multifactor authentication is almost certainly even more important.
PASSWORD HABITS
In a 2018 study conducted by LogMeIn and LastPass, 2000 adults revealed the following password habits: Fifty-nine percent of respondents said they mostly or always use the same password or a variation of the same password, whether for work or personal accounts. Fifty-three percent of respondents say they have not changed passwords in the last 12 months even after learning about a data breach in the news.
As a result of the large number of data breaches, the website haveibeenpwned.com estimates over 7 billion user accounts have been compromised. Many of these credentials, as well as sample scripts to exploit them, are now for sale at multiple sites on the Dark Web, and business is brisk. Looking for a return on their investment, hackers will run these scripts using the ill-gotten email addresses and passwords (including variants, such as adding or replacing a single number at the end).
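For administrators, the practical consequence is that a new password should be screened not only against known-breached passwords but also against their trailing-number variants. The sketch below is an added example, not part of the original article; the function names, the sample list and the minimum length of 8 are assumptions made for illustration, and it strips all trailing digits, which covers the single-digit case described above and slightly more.

```python
def base_form(password: str) -> str:
    """Strip trailing digits so 'Summer2018' and 'Summer7' share one base.

    An all-digit password is kept whole rather than reduced to ''.
    """
    return password.rstrip("0123456789") or password


def build_index(breached):
    """Index each breached password both as-is and in its base form."""
    index = set()
    for pw in breached:
        index.add(pw)
        index.add(base_form(pw))
    return index


def check_new_password(candidate: str, index, min_length: int = 8) -> str:
    """Classify a proposed password (min_length is an assumed policy value)."""
    if len(candidate) < min_length:
        return "too_short"
    if candidate in index:
        return "breached"
    if base_form(candidate) in index:
        # Same stem as a breached password, only the trailing number differs.
        return "breached_variant"
    return "ok"


# Constructed sample data; a real deployment would query a breach corpus.
SAMPLE_BREACHED = ["Summer2018", "letmein", "dragon1", "123456"]
INDEX = build_index(SAMPLE_BREACHED)

if __name__ == "__main__":
    for pw in ["Summer2018", "Summer2019", "letmein7", "dragon",
               "violet-kettle-orbit-walrus"]:
        print(f"{pw!r}: {check_new_password(pw, INDEX)}")
```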
Password Managers such as LastPass, Dashlane, and others help individuals and organizations to have a unique, complex password for every site they visit while having to remember only one master password. Google’s popular Chrome browser even has built-in basic password management that can help. Review your options for password management and make smart decisions to help all your employees manage their various accounts. But even with strong, unique passwords, it is unwise to rely on a single authentication method. No matter how diligently IT administrators set password policies and attempt to educate their users, if a password gets reused and compromised, accounts will be hacked.
THE CURRENT OFFICIAL STANDARD
The U.S. National Institute of Standards and Technology (NIST), in its June 2017 “Digital Identity Guidelines,” changed its long-standing password recommendations. No longer do they recommend complex passwords that are changed frequently. Instead, passwords should be long, easy to remember and hard to guess. As an example, “alongpassw0rdisB3st” (strictly an example, never use this for YOUR password). The NIST guidelines advise changing passwords less frequently, but strongly encourage the use of multifactor authentication.
When multi- or two-factor authentication is enabled, each user attempting to access sensitive data must not only provide something they know (a password), but also something they have (electronic token) or something they are (biometrics). Most commonly, the thing to have would be a six-digit code generated by an authenticator app on the user’s smartphone. Something they are could be a thumbprint or facial recognition. With 2FA enabled, usernames and passwords alone no longer provide the keys to the kingdom, thereby dramatically reducing unauthorized logins.
SECURITY VS. CONVENIENCE
While global adoption of 2FA continues to increase, it is unfortunately far from universal. Microsoft’s Office 365 offers 2FA at no extra charge for subscribers, but according to a November 2018 survey by Specops Software, only 20 percent of organizations using Office 365 had implemented 2FA for administrators and users. Given choices between security and convenience, most people choose convenience. Additionally, despite the avalanche of news reports about data breaches, too many business owners don’t believe they are likely to affect them.
Fortunately, the security industry has heard these concerns and 2FA applications are becoming easier to use. In many cases, “Push” notifications can send a 2FA request to a smartphone that can be answered with a fingerprint. Firms can start implementing 2FA by enabling it for all cloud-based applications and for laptop and home PC users who access the network remotely. Eventually, it can also be enabled for logins for every workstation in the organization.
Last Tip: Older 2FA solutions may employ text messaging for sending codes. This is no longer a recommended practice because text messages can be intercepted. In the event you lose your smartphone or leave it at home, administrators can provide temporary means for you to login.
Bill Fox is the VP of Client Services for Total Networks, the technology adviser to Arizona’s law firms. Mr. Fox and his team manage the proactive business technology reviews with Total Networks’ clients, including security and technology assessments and recommendations. Mr. Fox has over 30 years’ experience in business and technology management. Total Networks is the first and only Arizona IT company to earn the CompTIA Security Trustmark, certifying that Total Networks meets or exceeds security best practices.