In this newsletter we are going to look at the different types of MFA, and at password managers and their safety in light of the recent attack on LastPass (a password manager).
So, let’s dive in.
Understanding different forms of MFA
MFA can take several different forms, including:
- Inputting an extra PIN (personal identification number) as well as your password
- The answer to an extra security question like “What town did you go to high school in?”
- A code sent to your email or texted to your device that you must enter within a short span of time
- Biometric identifiers like facial recognition or fingerprint scan
- A standalone app that requires you to approve each attempt to access an account
- An additional code either emailed to an account or texted to a mobile number
- A secure token – a separate piece of physical hardware, like a key fob, that verifies a person’s identity with a database or system
Here are some types of accounts that often offer MFA. Check to see if you can turn MFA on:
- Social media
- Online stores
You may ask, can MFA be hacked?
While MFA is one of the best ways to secure your accounts, there have been instances where cybercriminals have gotten around MFA. However, these situations typically involve a hacker requesting MFA approval for an account over and over until the owner approves the log-in, either out of confusion or annoyance.
Therefore, if you are receiving MFA log-in requests and you aren’t trying to log in, do not approve the requests! Instead, contact the service or platform right away and change your password for the account ASAP. Also, if you reused that password, change it for any other account that uses it (this is why every password should be unique).
Don’t let this deter you, though. MFA is typically very safe, and it is one of the best ways you can bolster the security of your data!
A common question is whether password managers are worth the risk of using them.
The answer, in my opinion, is yes. I believe that the additional risk a person takes on by using a password manager is thoroughly offset by the advantages.
Let’s look at the advantages and risks of using a password manager. The advantages can be summed up as:
- Creates and allows the use of perfectly random passwords
- Creates and allows the far easier use of different passwords for every site and service
- Can be used to prevent password phishing
- Can be used to simulate some MFA solutions so users do not need separate MFA programs or tokens
- Can be shared among devices so passwords are where the user needs to use them
- Passwords can be more easily and securely backed up
- All passwords may be protected by an MFA login requirement on the password manager itself
- May warn the user of compromised passwords that the user was not otherwise aware of
- Will warn the user of identical passwords used between different sites and services
- Can be shared with trusted person(s) in times of need, when original user is temporarily or permanently incapacitated or unavailable
It is a very real risk that someone’s password manager could get compromised, and that from that compromise, all of the user’s passwords to all stored sites and services are stolen very quickly at once. That is a huge risk that must be measured and weighed by the admins or users who are using password managers. The disadvantages can be summed up as:
- User must obtain and install password manager
- User must learn how to use password manager
- It may take a user longer to create or input a password using a password manager (but not always true)
- Subject to attacks
- Password managers do not work with all programs or devices
- If the password manager cannot be accessed (e.g., corruption, lost login credentials, etc.), the user loses access to all login information stored in it at once
- If an attacker compromises the password manager, the attacker can possibly access and obtain all of the user’s passwords (and the sites they belong to) at once
It is this last issue, the single point of failure, that presents the biggest risk in most concerned users’ minds.
WHY EVERYONE SHOULD USE A PASSWORD MANAGER FOR THEIR PASSWORDS
Despite this big risk, I think everyone should use a password manager for their passwords (if phishing-resistant MFA cannot be used). This is because the two biggest risks to passwords (after social engineering theft) are passwords stolen from a site or service that the user uses, and weak passwords that can be guessed and cracked. According to the National Institute of Standards and Technology (NIST) and other password authorities, the biggest risk of passwords is password reuse across non-related websites and services and users creating “password patterns”, which can be predicted by hackers.
The average user has four to seven passwords that they use across over 170 sites and services. Those are a lot of identical passwords being used where they should not be. The problem is that once a hacker compromises one or a few of your websites (which you often are not even aware of), the hacker gets your password and then uses it across your other sites and services. One or a few compromises quickly leads to many more compromises. This is considered the major password risk after social engineering, and password managers get rid of this risk.
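The reuse and “password pattern” warnings described above, as an added example that is not from the newsletter or any particular password manager: it audits a constructed vault for exact reuse across sites and for near-reuse where only the trailing year or symbol changes. The pattern normalisation (case folding, stripping leading/trailing digits and symbols, a few leet substitutions) is a simple heuristic assumed here, not NIST’s definition.

```python
import re
from collections import defaultdict

# Constructed sample vault (site -> password). A real manager keeps this
# encrypted and would run an audit like this locally on the decrypted copy.
VAULT = {
    "shop.example":  "Summer2021!",
    "forum.example": "Summer2022!",
    "mail.example":  "Summer2021!",
    "bank.example":  "kR7#v9Lq!pZ2mN4w",
    "news.example":  "summer2023",
}

# Leet substitutions undone during normalisation (heuristic, assumed here).
_LEET = str.maketrans("@$013", "asole")


def pattern_key(password):
    """Reduce a password to the core a guesser would pivot on: case-folded,
    with leading/trailing digits and symbols removed and leet swaps undone.
    'Summer2021!' and 'summer2023' both become 'summer'."""
    core = password.casefold()
    core = re.sub(r"[\d\W_]+$", "", core)   # drop trailing year/symbols
    core = re.sub(r"^[\d\W_]+", "", core)   # drop leading digits/symbols
    return core.translate(_LEET)


def audit(vault):
    """Return (exact_reuse, pattern_reuse). Each maps a shared password or
    shared pattern key to the sorted sites that share it; only groups of
    two or more sites are reported, and an empty key (all-digit passwords)
    is ignored."""
    exact = defaultdict(list)
    pattern = defaultdict(list)
    for site, pw in vault.items():
        exact[pw].append(site)
        pattern[pattern_key(pw)].append(site)
    exact_reuse = {pw: sorted(s) for pw, s in exact.items() if len(s) > 1}
    pattern_reuse = {k: sorted(s) for k, s in pattern.items()
                     if k and len(s) > 1}
    return exact_reuse, pattern_reuse


if __name__ == "__main__":
    reused, patterned = audit(VAULT)
    for pw, sites in reused.items():
        print(f"identical password on {len(sites)} sites: {', '.join(sites)}")
    for key, sites in patterned.items():
        print(f"pattern '{key}' shared by: {', '.join(sites)}")
```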
SOCIAL ENGINEERING IS THE BIGGEST RISK
The biggest risk to any password is the user being socially engineered out of it. Password theft from social engineering is involved in about half of all successful password attacks. Most password managers allow you to log into your site or service from within the password manager, and the password manager will only take you to the true, legitimate site or service. This prevents the most common type of password social engineering attack, where the attacker sends you a social engineering email containing a rogue URL link that tries to trick you into revealing your legitimate credentials on a bogus, fake website.
So, in review of the benefits of password managers, they mitigate the biggest password attacks (e.g., social engineering, guessing/cracking and reuse). Any password expert would tell you those three types of password attacks present the majority of password risks. And for that reason, everyone should use a password manager, or at least strongly weigh it against the big risk of a single point of failure.
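Why the manager “will only take you to the true, legitimate site” in practice, as an added example that is not from the newsletter or any real password manager: a vault entry is bound to the exact origin (scheme, host, port) it was saved on, and autofill only fires when the current page’s origin matches exactly. The vault contents and lookalike URLs below are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed vault: each credential is bound to the exact origin it was
# saved on, keyed as (scheme, host, port).
VAULT = {
    ("https", "accounts.example.com", 443): ("alice", "correct-horse-battery"),
    ("https", "bank.example.net", 8443):    ("alice", "staple-pinned-sea"),
}


def origin_of(url):
    """Return the (scheme, host, port) origin of a URL, or None if it is not a
    well-formed http(s) URL. urlsplit().hostname lowercases the host and drops
    any 'user:pass@' prefix, so 'https://accounts.example.com@evil.test/'
    resolves to evil.test rather than to the name the user saw."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:
        port = parts.port            # ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port)


def autofill_candidate(url):
    """Return the credential bound to this exact origin, or None.
    Lookalike hosts, extra subdomains, HTTP downgrades, userinfo tricks and
    wrong ports all yield None, so nothing is offered on a phishing page."""
    origin = origin_of(url)
    return VAULT.get(origin) if origin else None


if __name__ == "__main__":
    for u in ("https://accounts.example.com/login?next=/",
              "https://accounts.example.com.evil.test/login",
              "https://accounts-example.com/login",
              "http://accounts.example.com/login",
              "https://accounts.example.com@evil.test/login"):
        print(f"{u:50} -> {'FILL' if autofill_candidate(u) else 'no match'}")
```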
It is up to you whether you put your faith, or the faith of your users, into a password manager. Try to get them moved over to phishing-resistant MFA, if you can, first. But if the site or service will not work with phishing-resistant MFA, consider using a password manager. They are becoming more recommended by more password experts every day.
Thanks for reading.