Password managers: an intro to 2FA

As cybercrime continues to grow at an unprecedented rate, Infrastructure Engineer Rob Stevens looks at how 2FA can help safeguard your business...

One of the biggest security problems facing the IT infrastructure of most organisations is authentication: proving to the system that you are who you say you are, and being accountable for your actions.

Humans are creatures of habit and we have a tendency to gravitate towards the path of least resistance, even if we know that doing so isn’t best practice. This means, in terms of passwords, that we are going to use passwords that we can remember easily and are likely to reuse those passwords everywhere we can get away with it.

This is very bad practice, but it is something most people are guilty of unless they make a conscious effort to avoid it. In August 2018 the Verizon Data Breach Investigations Report stated that over 70% of employees reuse passwords at work, and that “81% of hacking-related breaches leveraged either stolen and/or weak passwords.”

Password Managers

The easiest solution to both poor passwords and reuse is a password manager, which allows you to use an individual, secure password for every account while only remembering one master password. There are two types of password manager, software based and web based, and some premium offerings are a mixture of the two.

Once you have gotten used to the functions and controls, a password manager can make interacting with your computer much easier, as well as being more secure. They offer features like opening webpages for you with one click (even opening different pages in different browsers if required), autotyping usernames and passwords, and generating secure unique passwords for new and existing accounts.

I use two different password managers: for work I use the software-based KeePass (https://keepass.info/) and for personal logins I use the web-based LastPass (https://www.lastpass.com/). Both are free (although LastPass offers a premium version), and both are very simple to learn.

KeePass is simple but effective. You can create folders for different topics, customers, systems, or whatever you need. Once you have created a folder and started adding password entries, you have buttons or keyboard combinations to launch URLs and auto-type login details, and you can keep separate notes on each entry.

New entries are offered randomly generated secure passwords. All of this is very simple to use, and a far better password solution than that insecure .txt file you currently have sitting on your desktop.

LastPass is regularly voted one of the best browser-based password managers. The easiest way to use it is to install a plugin in your browser. Once this is installed, the application will automatically offer you a randomly generated password when it detects you creating an account on a website, and will create an entry for that account including the site URL and login details. Existing sites that you log in to will also present you with an easy way to store credentials. The software offers a raft of other features that I have yet to delve into myself, but which look very useful.

Two Factor Authentication

Normal username and password logins are known as single factor authentication. It is defined as “Something you are (your username) and something you know (your password)”. As an example, a guard at a gatehouse might be told to look out for and admit people in uniform who know the word of the day. In this case, it would be pretty easy for someone to acquire a uniform, learn the word of the day, and gain access to the fort. In the same way, once someone knows your email address and can find out your password, they are into whatever system they are looking at. If you have reused your password then the attacker potentially has access to everything…

Two factor authentication (2FA) is defined as “Something you are, something you know, and something you have”. To reuse the above example, admission to the fort would only be granted to someone who turned up in uniform, knew the word of the day, and was carrying a signed letter from the general. When applying this to authentication you would have a username and password as normal, and in addition you would have some form of token. This can take the form of a piece of hardware that generates a random, time-based code, or some sort of signal sent to a separate device such as your mobile. 2FA is available for a number of different services, including social media and webmail, and switching it on will make your account considerably more secure. There are also solutions that allow you to integrate this technology into a number of commercial systems, such as logins for VPN clients or CRM systems.

For more information on how Nice Network can help you with your IT security, click here.