Authentication for the Uninitiated

What every person should know to keep their online accounts safe and secure

As a security professional I am often asked by friends and family how they can best stay secure. After answering this question in detail too many times to count, and struggling to keep it as streamlined as possible, I have decided to organize my thoughts into this article that I hope may help some people. In short, the answer is proper password length, password management, and multi-factor authentication. I will try my best to keep this article as short and concise as possible for the non-technical reader while also providing enough information and references to give that same reader the confidence to take control of their own security.

Wait! Before you go…

There will be a lot of information in this article and I understand not everyone will make it through for one reason or another. For this reason I want to highlight the single piece of advice that I believe is the most important for your online safety: secure your email. Think of your email as the “keys to the kingdom”. Once someone has access to your email they can reset the password of any account associated with that email. Create a lengthy, unique passphrase and set up multi-factor authentication. The latter of the two is far more important and will be discussed in more depth further on in this article. I will also include, in the index at the bottom of this page, some resources for configuring multi-factor authentication for your email. This will save you a lot of headache down the road, and it is the one piece of advice I would give to you, the reader, if everything else in this article were dismissed.

Authentication- What is it? The Need to Knows

Now, on to an overview of the topic at hand. Authentication, to put it simply, is a way to prove who you are within the context of a resource you are attempting to access, e.g. social media, online banking, email, etc. The most common form of authentication is passwords, or passphrases (we will touch on the latter in a bit). Although it is the most common form, passwords are also the most insecure, due to human nature.

Password Do’s and Don’ts

So why are passwords so insecure? Before answering this we must explore what makes up a good password. NIST, a US-based regulatory institution whose standards and practices are widely implemented in the security industry, has outlined the most recent recommendations regarding passwords. First and foremost, length is far more important than complexity. The minimum recommendation is 8 characters, although I would personally never use anything less than 15 characters and neither should you! This is not to say complexity is unimportant, but when a human is asked to create “complexity” they will behave in predictable ways to help their memorization. Examples of this would be replacing “A” with “@”, appending “!” at the end or beginning of a password, substituting “5” for “S”, and so forth. There are more best practices and standards regarding passwords, but the remainder are more relevant to administration. Next, it is incredibly important that we never re-use passwords on different websites and applications. The reason this matters is that if a website experiences a data breach of user information, the perpetrator may have your password. They would then begin attempting these credentials on every other website and application they can, trying to escalate their privilege. Now, if I have any security or IT professionals reading this they are probably saying to themselves, “Psh, yeah right, any application worth its weight in salt would have those passwords hashed”. Yes, they are absolutely correct, although delving into encryption and hashing would be a bit beyond the scope of this article. It’s much simpler to just state, “Don’t re-use passwords”. With these considerations we are now looking at a minimum 15-character password, unique to every site/application you use, and most likely some form of complexity enforced by the site/application. So now the issue with the effective use of passwords for authentication is more apparent: very few humans, if any, would be able to remember these stipulations and adhere to them consistently; so what are we to do?
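To make the length-versus-complexity point concrete, here is a small Python script added as an example (it is not part of the original article). It computes the entropy of random passwords for a few length and alphabet choices, and shows the kind of policy check a site can run: undo the predictable substitutions described above and compare what is left against a blocklist of weak words. The substitution map and the blocklist are constructed for this example; a real check would use a large list of breached and common passwords, as NIST SP 800-63B recommends.

```python
import math
import string

# Substitutions people commonly make to add "complexity" while keeping a word
# memorable. Constructed for this example; it covers the cases the article
# lists (@ for A, 5 for S, a decorative !) plus a few equally common ones.
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
            "0": "o", "5": "s", "$": "s", "7": "t"}

# Constructed blocklist for demonstration only. A real check compares against
# a large list of breached and common passwords (NIST SP 800-63B recommends this).
WEAK_BASE_WORDS = {"password", "welcome", "letmein", "summer", "qwerty"}

# Alphabet sizes used in the entropy comparison.
LOWERCASE = 26
PRINTABLE_ASCII = 95


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a password chosen uniformly at random:
    log2(alphabet_size ** length) == length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def compare_policies() -> dict:
    """Entropy (rounded to 0.1 bit) of the policy choices discussed above.
    Fifteen lowercase letters beat eight characters from the full ASCII set."""
    return {
        "8 chars, full printable ASCII": round(entropy_bits(8, PRINTABLE_ASCII), 1),
        "15 chars, lowercase only": round(entropy_bits(15, LOWERCASE), 1),
        "15 chars, full printable ASCII": round(entropy_bits(15, PRINTABLE_ASCII), 1),
    }


def undo_predictable_mutations(password: str) -> str:
    """Strip decorative digits/punctuation from both ends and reverse the
    common substitutions, recovering the plain word a human started from."""
    core = password.strip(string.punctuation + string.digits)
    return "".join(LEET_MAP.get(ch, ch) for ch in core).lower()


def check_password(password: str, min_len: int = 15) -> list:
    """Policy check in the spirit of the article: length first, then reject
    passwords whose 'complexity' is only a predictable mutation of a weak word.
    Returns a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if undo_predictable_mutations(password) in WEAK_BASE_WORDS:
        problems.append("weak word with predictable substitutions")
    return problems


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label}: {bits} bits")
    # Constructed candidates: two "complex" short passwords and a book-sentence passphrase.
    for candidate in ["P@55w0rd!", "Summer2022!", "the lamp flickered twice on the landing"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The entropy numbers assume the password is chosen at random, which is the best case; a human-chosen “P@55w0rd!” has far less than its 9 × log2(95) bits because, as the check shows, it collapses to a dictionary word once the substitutions are undone.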

For us to maintain the multitude of passwords in our lives in a secure way we will need a password manager. Before continuing with these managers in more detail I believe it’s important to quickly discuss how not to maintain passwords. First, and by far the worst way possible, is simply saving your passwords in clear text in a spreadsheet or simple text file locally on your device. This is incredibly common, but we must move away from this practice. The next most common bad practice I see is storing your passwords in a physical notebook, potentially even labeled “Passwords”, or on Post-it notes stuck haphazardly around your workspace or under your keyboard (that’s right, I know your secrets!). Both of these methods are bad practice for similar reasons. There is little stopping a skilled or dedicated adversary from obtaining these lists, and once they have them it will be very difficult to recover. So we must store our passwords in a way the bad guys can’t get to them, or even see them.

Password Protect your Passwords (Yes, really)

As previously mentioned, the solution to these password management issues is a password vault, or password manager, as they are also called. A password manager is an application that allows you to store your passwords in one secure place. These tools will also allow you to generate passwords based on whatever specifications you desire, e.g. length, complexity, and included characters. Their security is based on the encryption of the password database. To put it simply, all your passwords will be protected with a single master password (and optional “key files” and/or MFA). Now, the upside to this is that this single master password will be the one and only password you will need to remember. Because of the importance of this password it is an absolute must that it comply with the recommendations laid out previously in this article. For best results remembering a password it is recommended to use a passphrase. The distinct difference is that the latter will be an easy to remember, lengthy (in the sense of characters, not words) phrase, but hard for a bad guy to guess or “crack”. Find a book near you, open up to a random page and find a short sentence; one that is easy to remember, though seemingly random. Bingo, that’s your new passphrase. Although I cannot in good faith give a recommendation on a particular password manager solution, I can give an overview of the two major pillars: free open-source and paid services.

The two types are straightforward, though each has its own drawbacks and advantages. The first is paid services such as 1Password, LastPass, and Bitwarden. The benefit of these types of applications is they are usually going to be easy to set up and share across all your devices. The drawbacks are the cost and having to trust the security practices of these companies, while also trusting that their closed software is secure (with the exception of Bitwarden, which is open-source). The second option will be free open-source solutions such as Keepass. This is the solution that I personally use and is also the only option as of today that is both free and open-source. There is a bit more leg work to get set up and your database synced to all your devices, although if done correctly you will be just as secure, if not more so, than any of the other solutions available (and for free!). I intend to create a write-up on how to set up your Keepass application in a secure and convenient way in the future. Regardless of which application you choose, you will be taking a big step in your journey toward improved security.
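The mechanics described in the last two sections, generating passwords, generating a passphrase from words, and protecting everything with a single master passphrase, can be shown in a few lines of Python. The script below is an added example, not code from the article or from any of the managers named above. It uses only the standard library: `secrets` for unpredictable choices and PBKDF2-HMAC-SHA256 to turn the master passphrase into a vault key. The wordlist is constructed and tiny; real generators draw from lists of thousands of words. Encrypting the stored entries with the derived key is omitted (the standard library has no authenticated cipher), and real managers typically use a memory-hard KDF such as Argon2 and an authenticated cipher for the entries; the key derivation and master-passphrase check are the part shown here.

```python
import hashlib
import hmac
import secrets
import string

# Character set a manager might use for generated passwords (user-configurable).
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed wordlist, kept tiny so the example is readable. Real generators
# use lists of thousands of words (for example the EFF diceware wordlists).
WORDLIST = ["lamp", "flicker", "landing", "copper", "orchard", "violin",
            "glacier", "meadow", "lantern", "harbor", "pebble", "saffron",
            "thimble", "quarry", "ember", "walnut"]

# Deliberately slow setting so guessing the master passphrase is expensive;
# tune the count to your hardware (a few hundred milliseconds per derivation).
PBKDF2_ITERATIONS = 600_000


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Random password from the CSPRNG, the way a manager generates one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist: list = WORDLIST, sep: str = " ") -> str:
    """Random passphrase: memorable words, long in characters, chosen unpredictably."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def derive_vault_key(master_passphrase: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Turn the master passphrase into a 256-bit key with a slow, salted KDF."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def new_vault(master_passphrase: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Header a vault would persist: salt, iteration count and a check value.
    Neither the passphrase nor the key is stored; the check value lets the
    application tell a wrong master passphrase from a corrupted file."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_passphrase, salt, iterations)
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock_vault(vault: dict, master_passphrase: str):
    """Re-derive the key from the stored salt; return it on success, None otherwise."""
    key = derive_vault_key(master_passphrase, vault["salt"], vault["iterations"])
    expected = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    if hmac.compare_digest(expected, vault["check"]):
        return key
    return None


if __name__ == "__main__":
    print("generated password :", generate_password(24))
    print("generated passphrase:", generate_passphrase(5))
    # Constructed master passphrase in the "sentence from a book" style.
    master = "the lamp flickered twice on the landing"
    vault = new_vault(master)
    print("unlock with correct passphrase:", unlock_vault(vault, master) is not None)
    print("unlock with wrong passphrase  :", unlock_vault(vault, master + "?") is not None)
```

Note what is never written to disk: the master passphrase and the derived key exist only in memory while the vault is open, which is exactly why the single master passphrase has to be strong; the salt and iteration count are public and provide no protection on their own.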

Multi-Factor Authentication- A Modern Essential

The final, yet incredibly important, topic to discuss regarding your personal cyber security and authentication is multi-factor authentication (MFA). The concept of MFA is to not rely solely on a single point of authentication, and thus a single point of failure. If an adversary were to get hold of your password, it’s game over. However, by implementing MFA we can strengthen our security by additionally requiring a token (software or hardware) or a biometric scan (such as a fingerprint). Tokens are the most commonly used and are the topic of this discussion. A token could be anything from a text message, or an application creating a one-time password (OTP), to a physical token you must insert into your device to authenticate. Often when setting up MFA on a particular application or website the two common options will be either SMS or some form of “authentication app”. Given these two options, the authentication app is always the better choice, although if SMS is the only option it is absolutely better than lacking MFA altogether. Many security professionals (including myself) will scoff at the idea of using an insecure mode like SMS for their MFA. While that concern is valid in any enterprise environment, your average user need not worry too much about this incredibly unlikely, though possible, security risk. Going into detail regarding the reasons why SMS is insecure would be beyond the scope of this article, although for those interested I will link more information here.

In summary of the basics: authentication is an incredibly important aspect of your personal cyber security. Lengthy and unique passphrases are far more crucial than shorter, complex, reused passwords. Maintaining these passphrases can only be achieved through secure storage within a password manager. Enable and configure MFA wherever it is available, and absolutely without question for your primary email.

Hardware Tokens (For the extra paranoid)

The use of hardware keys is a practice not very common even in the security/IT community in the current year of writing this, 2022. Though I do believe within the next five years it will be much more commonly used in enterprise environments and within ten years will become standard practice. So what makes hardware keys the most secure form of MFA? There are a few answers to this depending on the context of the situation. Within an enterprise environment a huge advantage would be how it ties the identity of the holder to their domain, making it impossible to authenticate to a domain that is falsifying its identity in a phishing attempt. The common advantage in both enterprise and personal usage is that it is a physical USB device that cannot be cloned, spoofed, or otherwise forged. This means the only possible way an adversary would be able to access an account set up with hardware key MFA would be to physically be in possession of that key, regardless of whether they know the password. MFA through hardware keys is not yet as prevalent in applications as the traditional MFA described above, although the most important applications I care about being as secure as possible do offer hardware key authentication. For me, those would be my email account and cloud storage account. My only product recommendation here would be the Yubikey. There are plenty of great articles and blog posts written in much more detail regarding the setup and use of hardware keys, and I will leave some of those resources below for those interested.

Additional Resources: