18 June 2015

2 Factor Authentication

With hacking becoming more and more of a common everyday occurrence, it seems as if nothing and no one is immune. Recently Last Pass, which is a password vault service, became a target. Fortunately, they have some good security in place and there is a minimal risk to anyone that uses the service. Since this type of event seems to be on the rise, there are several things that you can do to protect yourself at least a little bit.

First, if you are using Last Pass, make sure that you change your master password, like right now! That is presuming you haven’t done it already.

Second, turn on two factor authentication. I wasn’t aware they had such a thing for free users but they do. I chose to use a service called Toopher. You go through the steps online to tell Last Pass that you want to turn on the service; I believe it’s under Account Settings. Then you download the app on your phone. When you open the app, tell it that you want to pair with a new service. It will give you a passphrase, typically two words. Type those words into Last Pass and presto, your account is paired up. Then, when you want to log in to Last Pass, do so as you normally would. An alert will pop up on your phone from Toopher. Tell Toopher that you wish to allow the login and then you’re in. Just that easy. So now if someone has your master password they don’t have the 2nd piece of the puzzle, which is your phone, so they can’t log in.

Lots of services and accounts offer two factor authentication. It’s a smart thing that makes the bad guys’ job harder. I won’t say that it can’t be defeated, because in today’s world it seems like something new is invented and someone finds a way to crack it. However, it is something that BIG business has used for years. Ever hear of an RSA Token? It’s a device that typically you carry on a key ring. It displays a series of numbers that change like every 30 seconds. The token is paired with a server that tells it what series of numbers (keys) to generate. Big Business has used that for years, but it isn’t cheap.
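To make the rotating 30-second code concrete, here is an added example (not part of the original post) of how a login server can check such a code. It uses the open TOTP standard (RFC 6238), not RSA's own algorithm, and assumes the token and the server hold the same secret from pairing; the function names are made up for illustration and the secret is the RFC's published test value.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each code stays valid, like the key-ring token
DIGITS = 6    # length of the displayed code


def totp(secret: bytes, unix_time: int) -> str:
    """Code for the 30-second step containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret, submitted, unix_time, last_used_step=-1, drift_steps=1):
    """Server-side check. Returns the matched step number, or None.

    Accepts codes from drift_steps steps either side of the server clock
    (tokens drift), and rejects any step at or before last_used_step so a
    code that was seen once cannot be replayed.
    """
    current = unix_time // STEP
    first = max(0, current - drift_steps)
    matched = None
    for step_no in range(first, current + drift_steps + 1):
        expected = totp(secret, step_no * STEP)
        # Constant-time comparison, and no early exit, so response timing
        # does not reveal how close a guess was.
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and step_no > last_used_step:
            matched = step_no
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    code = totp(secret, 59)           # what the token would display
    step = verify(secret, code, 59)   # server accepts it
    print(code, step)
    # Same code again after it was used: rejected as a replay.
    print(verify(secret, code, 59, last_used_step=step))
```

Someone who steals only the password cannot produce the current code, and a code that was watched being typed stops working once it has been used or its time window passes.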

The moral of the story is make it difficult for others to hack and you can rest easy. A good password is another step, and of course change them often. It’s something that is said time and time again but it’s true. I am guilty of not changing passwords, but recently I have been more on the ball. At work I am forced to change my password; even on my phone, which is tied to work, I have to change my PIN every 90 days, and it remembers the last 24 numbers. Talk about a memory. It makes life difficult, but a minor inconvenience is worth the peace of mind it brings. Last Pass is a great service and I highly recommend it if you’re looking for a password manager.

If you want to geek out and learn more about the hack, check out Security Now with Steve Gibson on twit.tv. Happy Thursday!

