Wednesday, November 13, 2024
PERSPECTIVES FROM THE CAMPUS
One of the strengths of Indiana is that we bring together a variety of perspectives from the many areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”: we invite experts, immersed in the pursuit of educating their students, to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.
In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, shares his perspective on the “easier-than-you-might-think” steps we can take to protect our personal and financial information, steps that involve more than just a strong password.
By David Dungan
The fact that passwords are not a “one-and-done solution” might be the cyber understatement of the year.
Yet, because cybercriminals and threat actors continue to run all sorts of scams, aimed at everything from our identity and financial well-being to our jobs and even our relationships, we need more comprehensive measures to protect our online accounts.
The attack surface of those accounts continues to grow and evolve, so much so that a single password is now seen as a vulnerability. Passwords can be weak for several reasons and should not be the only protection we rely on. Many people use passwords that are short, easily forgotten, or easy to guess. What’s more, a password can easily become outdated or reused, or, worst of all, stolen and compromised (and sometimes we don’t even know it).
One solution is a password manager, which anyone with many online accounts should certainly consider. While there are risks that could lead to a password manager being compromised, it is arguably a safer solution than relying entirely on one’s own memory.
Alternatively, there are several recommended verification methods, including multi-factor authentication (MFA), security keys or tokens, biometrics, and SMS verification.
Biometrics are a nearly irrefutable way to establish authenticity. They are difficult to steal and can serve as a second factor alongside a username and password at sign-in. Additionally, biometrics can replace traditional credentials entirely as a form of passwordless authentication. Biometrics include personal identifiers such as:
- Fingerprint scanning
- Retina scanning
- Facial recognition
- Voice recognition
Another alternative to passwords is the magic link. Magic links are sent via text message, push notification, or email; they are set to expire and cannot be reused. Related authentication methods are secure codes or one-time passwords (OTPs), which can be delivered through the same channels as magic links.
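The two properties the paragraph above calls out, expiry and single use, are what make a magic link safe to send over a channel such as email. The following is an added illustration, not code from the original post or from Anderson University: a small in-memory service that issues a random link token, stores only its SHA-256 fingerprint with an expiry time, and deletes the entry on the first redemption attempt, successful or not. The store, the 15-minute default lifetime and the `build_link` helper are assumptions made for the example; a real deployment would keep the same logic over a shared database.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo: an in-memory store of issued magic-link tokens.
# A real deployment keeps this in a database shared by all application
# servers; the issue/consume logic is unchanged.


@dataclass
class PendingLogin:
    user: str
    expires_at: float  # Unix timestamp after which the link is dead


class MagicLinkService:
    """Issues and consumes single-use, expiring login tokens."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        # Keyed by the SHA-256 of the token, so a leaked copy of the store
        # does not hand anyone a usable link.
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a token for `user` and return it for embedding in the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(token)] = PendingLogin(
            user=user, expires_at=now + self.ttl
        )
        return token

    def consume(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Redeem a token. Returns the user on success, None otherwise.

        The entry is removed whatever the outcome, so a link cannot be
        replayed after either a successful or a failed attempt.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None  # unknown, already used, or forged
        if now > entry.expires_at:
            return None  # expired: the user must request a fresh link
        return entry.user

    @staticmethod
    def build_link(base_url: str, token: str) -> str:
        """Hypothetical link format; the token travels as a query parameter."""
        return f"{base_url}?token={token}"


if __name__ == "__main__":
    svc = MagicLinkService(ttl_seconds=600)
    tok = svc.issue("alice@example.com")
    print("send:", svc.build_link("https://example.com/login", tok))
    print("first redemption:", svc.consume(tok))   # alice@example.com
    print("second redemption:", svc.consume(tok))  # None
```

The `now` parameter exists so the expiry rule can be exercised deterministically; the same design keeps the raw token out of server-side storage and makes every link worthless the moment it has been tried once.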
Another increasingly popular way to receive an OTP is through an authenticator mobile app, such as Google Authenticator. Authenticator apps generate a new code every few seconds, and old codes are immediately invalidated. Because OTPs are constantly regenerated and unpredictable, it would take an uncanny amount of luck for a threat actor to successfully “guess” someone’s code. That said, it is not impossible, and it is always important to be familiar with the security practices and reputation of the company sending the one-time password, and to be cautious about the authentication method they are using when they ask for your personal information.
Lastly, a third alternative to passwords is the identification (ID) card. ID cards act as physical authentication tokens that a system administrator can enable or disable centrally. However, ID cards are not always practical, and RFID technology can be cloned. As with all authentication methods, multi-factor models should be implemented throughout every system.
Regardless of which password alternative you select, it is a good idea to implement multi-factor authentication whenever possible. MFA reduces the risk associated with passwords by adding security layers on top of, or behind, ordinary credentials.
Not unlike the yellow flag at a race (usually shown after a crash) that reminds drivers to slow down, passwords are something we need to use with caution so that we stay safe online.
While it is true that we are making progress in improving the methods used for password encryption, a recent report published on EuroNews.com reminds us to take a little extra time and consider that a simple eight-character password composed only of numbers can be cracked in just 37 seconds.
But the study found that if the number of characters is doubled, a hacker would need 119 years to determine it. You’ve got options!