Passwords are among the most important, and least secure, protections we all use. Take a minute to think about how many sites you access with a password: Duke, Facebook, Twitter, Instagram, Gmail, Evernote, Apple, Amazon, Netflix, Twitch, your bank, and maybe a few others. How many of those passwords are the same?
In recent weeks, 5 million Google passwords were exposed and celebrity photos were leaked online after a suspected iCloud breach. What would you do if your account password were stolen? What could an attacker do or see?
A 6-character password can be cracked in less than four minutes, and an 8-character password in a little more than a month.
While passwords are a challenge, they don't appear to be going away anytime soon. So, how do you protect access to your accounts? This is where the concept of two-step or multi-factor authentication comes in. Multi-factor authentication is based on something you know (your password) and something you have (such as your phone or a hardware token like a YubiKey). If an attacker gets your password, they would still need that second “factor” to access your account.
Duke offers multi-factor authentication (http://oit.duke.edu/mfa) that can be used to secure your NetID and access to various web applications at Duke. More than 6,100 individuals have registered so far, and we would like to see everyone at Duke try the service out.
You can also use multi-factor authentication for accounts at institutions like Facebook, Twitter, iCloud, Evernote and Bank of America. Check out this guide for more information on services that use it: https://twofactorauth.org.
So what do you need to do about all those passwords you have? Next week we'll talk about how you can use LastPass to store and create different passwords for all your accounts.