Damien re-posted one of his earlier blog posts yesterday, talking about creating a secure password. I’m here to tell you that your password is not secure. Yes, you can take steps to make it hard to compromise a password, but ultimately there’s always chance it will be compromised as technology improves. Also, it only takes someone watching you as you enter it in for it to be compromised.
As it stands, people have been using Amazon and Google cloud infrastructure to crack hashes for at least 10 years now. A quick google search will find a guide or two on how to set this up cheaply or for free. Taking this into account, relying only on a password for anything other than the most trivial of accounts or data is just asking for trouble.
You might be asking yourself how to protect valuable data right about now, and the answer is multi-factor authentication. Multi-factor authentication proves that a person is who they say they are by comparing a number of different things. Typically these are something you know (e.g. your password), something you have (e.g. a security token) or something you are (e.g. your fingerprint). Two factor authentication (2FA) is becoming more common these days, and typically involves either entering a number from a security token/app, by entering a code sent to the user via email or by plugging in a USB device.
While SMS 2FA might be convenient, it can’t be regarded as completely secure. It is possible for a SIM card to be cloned, allowing the confirmation code to be intercepted by an attacker. A better option is to use a hardware token that randomly generates codes to enter, or is plugged in to a USB port. It is even possible to get apps on smart phones that will generate codes.
Our third factor is something you are, which is typically either a fingerprint, a voice print, or an iris/retina scan. These offer better security, but still can be spoofed. For example, a simple photograph has been used to clone a fingerprint and a photograph of someone’s eye and a contact lens can be used to bypass an iris scanner.
Thankfully there are solutions to this problem being developed, such as Project Stealth Tech. Stealth is a wearable device placed inside the mouth. It scans the ridges on the roof of the mouth much, like a finger print (something you are). In addition, the device utilises the tongue’s senses to deliver a “code”, which the user must respond to with their tongue in a specific way (something you know). Obviously the device itself is the something you have.
This has the benefit of being difficult to spoof (no easy to grab finger prints or photos of irises), and apparently more unique than finger prints. It also has the benefit of being unseen. I do have to wonder, though, how comfortable it is to wear for extended periods of time, and how it would interfere with speech. Either way, this is probably something worth keeping an eye on.