Passwords: Difference between revisions

====Any password manager is better than no password manager====
If the above recommendations don't work for you, don't get too bent out of shape over the choice of password manager. If a different one seems more attractive to you, go for it, as long as the company or service behind it is mainstream and reputable. Password managers are generally highly scrutinised, and any password manager that has managed to operate for a while is generally a valid choice. The basic concepts are valid across all of them.
==Use two/multi factor authentication==
Two-factor (or multi-factor) authentication (2FA) simply means requiring something else, in addition to a password, before you are allowed to log into a website or a service. If you've ever received a number code from your bank or from Twitter via SMS, then congratulations, you're already using 2FA! But there's more to it.<br>
A factor of authentication is essentially the type of evidence you can provide to a system to prove that you are who you say you are. Speaking very broadly, security professionals generally recognise 4 different factors of authentication:
* '''knowledge''', that is ''''something you know'''' - information only you would know
** this covers your everyday password
* '''possession''', that is ''''something you have'''' - proof that you are in possession of something only you would have
** this is what happens when you get that temporary code via SMS; it proves you possess the SIM card tied to the phone number at that moment
* '''biometric''', that is ''''something you are'''' - proof of unique characteristics that only you possess
** this is your fingerprint, your retina scan, or even behavioural characteristics such as style of typing or walking gait<ref>yes, it is possible to identify you by your walking gait. See: https://apnews.com/article/bf75dd1c26c947b7826d270a16e2658a</ref>
* '''location''', that is ''''where you are''''<ref>some experts don't accept this as being one of the factors, and instead say that location is just a mashup of possession and biometric; you cannot be located directly without having a device on you (something you have) and you cannot make meaningful conclusions unless you analyse the user's behaviour (something you are)</ref> - proof that you're where you would be expected to be
** if you've ever received an email from some service telling you that you've logged in from your city or town, then you've seen location-based authentication
 
The biggest and most obvious benefit of 2FA is that it can lessen or remove the danger of using passwords incorrectly. When you actively use 2FA with all the accounts that allow it, it is much harder to hack you, since the hacker needs to defeat every one of the different methods. This means that in some situations, '''even if your password is compromised, your account may still remain safe'''.
 
Let's see how we can use these 'multiple factors' in practice.
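As an added illustration of the "password compromised, account still safe" point (example code written for this page, not part of the original article or of any particular product), the following Python sketch shows what a service does when it requires both a knowledge factor and a possession factor: the password is checked against a salted PBKDF2 hash, and the login also needs the current RFC 6238 time-based one-time code of the kind an authenticator app produces. The seed, salt and password are constructed demo values (the seed is the RFC 4226/6238 test secret); a real service stores a separate seed and salt per user.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values. The seed is the RFC 4226/6238 test secret, so the
# codes can be checked against the published test vectors.
TOTP_SEED = b"12345678901234567890"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed for the demo


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the 30-second time step."""
    return hotp(seed, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: a slow, salted hash so a leaked database does not give away passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# What the service would keep on file for this demo user (constructed).
STORED_HASH = hash_password("correct horse battery staple", SALT)


def login(password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. The OTP check accepts the current 30-second step and
    one step on either side to tolerate clock drift between phone and server."""
    now = int(time.time()) if now is None else now
    password_ok = hmac.compare_digest(hash_password(password, SALT), STORED_HASH)
    code_ok = any(
        hmac.compare_digest(totp(TOTP_SEED, now + drift * 30), code)
        for drift in (-1, 0, 1)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    # At Unix time 59 the RFC test secret yields code 287082.
    print(login("correct horse battery staple", "287082", now=59))   # True
    print(login("correct horse battery staple", "000000", now=59))   # False: right password, wrong code
    print(login("wrong password", "287082", now=59))                 # False: right code, wrong password
```

With the demo values, the correct password together with the code for time 59 is accepted, while the correct password with a wrong code, or a stolen password used on its own, is rejected. Note that the password hash is always computed even when the code is wrong, so the response time does not reveal which factor failed.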
==Knowledge==
The rest of this page is about passwords, so we won't worry about those here. Instead, let's address secret questions.
===Secret questions===
Many online services may ask you to provide a secret question and answer combination. The most common and infamous one is asking for your mother's maiden name. There are a couple of problems with this.<br> Firstly, a secret question/answer combo is 'something you know', the same as your password, which means that it is vulnerable to the same attacks and issues that passwords have. If your device is infected by a keylogger and the hacker gets your password, they may very well keylog your secret question answer too. It's no protection.<br>Secondly, information like your mother's maiden name is not something only you would know; your immediate family does. It is also not information that is commonly regarded as secret. It is in fact public: the hacker could just look up public birth records, or census or christening records, or indeed just find it on Facebook.
 
We recommend you don't answer secret questions truthfully, but regard them as secondary passwords. Fill them with random text generated by your password manager, and record them in the password manager. If you ever need the answer, you can still look it up, but nobody can guess the random string you used as your 'answer'.
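If you'd rather see what "random text" means in numbers, here is a small added example (written for this page, not code from the original article or from any password manager). It generates an answer with the operating system's cryptographic random source and estimates how many bits of guessing a hacker would face, which is the difference between a maiden name and a secondary password. The assumption that answer fields accept only letters and a modest length is a constructed default for the demo, not a rule of any particular site.

```python
import math
import secrets
import string

# Assumption for the demo: the answer field takes letters only, so the default
# alphabet is mixed-case ASCII letters. Widen it if the site allows more.
LETTERS = string.ascii_letters


def random_answer(length: int = 20, alphabet: str = LETTERS) -> str:
    """Generate a random 'answer' using the OS CSPRNG (the secrets module, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = LETTERS) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def is_acceptable(answer: str, alphabet: str = LETTERS, min_bits: float = 80.0) -> bool:
    """True if the answer uses only the allowed alphabet and is long enough to resist guessing.
    min_bits is a constructed threshold for the demo, not a standard."""
    return all(c in alphabet for c in answer) and entropy_bits(len(answer), alphabet) >= min_bits


if __name__ == "__main__":
    answer = random_answer()
    print(answer, round(entropy_bits(len(answer)), 1), "bits")   # e.g. 114.0 bits for 20 letters
    print(is_acceptable("Smith"))                                # False: a real surname is far below the bar
```

The entropy figure is the honest measure only when every character is chosen uniformly at random, which is exactly what the generator does; a truthful answer such as a surname is drawn from a small, publicly known set and scores far lower however long it is.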
==Possession==
===One time password===