The password may not be dead, but it is on life support, and the prognosis is bad. Death is not only inevitable, it is imminent. The increasing power of password-cracking software and hardware, and the proliferation of complete rainbow tables of solved passwords on Dark Web markets, mean your clever 8-, 9- or 10-character password has probably been cracked already and is for sale on the Internet.
One solution to this situation has been the increased use of two-factor authentication (2FA) methods. There are four major versions being offered, and any of them is better than a password alone. You should definitely find out if your bank or brokerage account offers two-factor authentication, at a minimum.
The main methods are:
- Card and PIN or Chip and PIN. We are all pretty familiar with this, as it is how an ATM card works. You have to have the information on the card stripe (or, coming soon, on a chip embedded in the card) and a Personal Identification Number (PIN) to complete your transaction. This method does not work online, only in person.
- Smart Cards or Keys. This may be a special SIM in your phone, a token that displays a number that changes every 60 seconds, or a USB device that provides additional authentication when inserted into your computer.
- Login Verification. Under this scenario, a login notification is sent to your smartphone. Once it is confirmed, you are logged into the account.
- One-time passwords via SMS to a smartphone. When you log in to your online account, a password or number is sent to your phone via SMS, and you enter this number into your browser login page.
- Authentication Apps. This is an application that you install on your smartphone; it uses a combination of a cryptographic seed and the current date and time to generate a one-time code that is good for 30 or 60 seconds. This is how Google Authenticator works.
Of course, all of these solutions have issues. If you are out of range of cell service, or overseas, some of the smartphone-based systems won't work. And if you lose your token or USB device, well, good luck. If they are stolen, you have other problems. But no system is perfect, and if options like these are available to you, you should set them up and use them, especially for financial accounts.
For more information check out this article on Sophos.