Something You Have/Know/Are: Multifactor Authentication

Welcome to this week’s Tip of the Hat!

Cybersecurity Awareness Month wouldn’t be complete if we didn’t talk about authentication! Traditionally a perennial topic for cybersecurity training, authentication was also in the news last week with the allegation of a well-known security researcher breaking into a presidential candidate’s Twitter account. The researcher, who also broke into the candidate’s account in 2016, was able to break into the account by brute force, trying out possible passwords based on what he knew of the candidate. In both cases, multifactor authentication was not turned on. If the allegation is true, the candidate did not learn from the 2016 hack, leaving his account vulnerable for all these years.

Why is multifactor authentication (MFA) important? The following is an excerpt from our April post on the LITA Blog where we explain what MFA is, why it’s important, and how to implement it alongside other cybersecurity measures!

Multifactor authentication

Our community college district has required access to our LSP, Alma, that requires multi-factor authentication when used through our single sign-on provider. Can you talk a little bit about the benefits of multi-factor authentication?

Multifactor authentication, or MFA, is an authentication method that requires at least two of the following three types of factors:

  • Something you know, like your password
  • Something you have, like your phone with an authentication app or like a physical key such as a YubiKey
  • Something you are, like your fingerprint, face, voice, or other biometric piece of information

(FYI – More MFA methods are adding location-based information to this list [“Somewhere you are”].)

MFA builds in another layer of protection in the authentication process by requiring more than one item in the above list. People have a tendency to reuse passwords or to use weak passwords for both personal and work accounts. It’s easy to crack into a system when someone reuses a password from an account that was breached and the password data subsequently posted or sold online. When combined with two-factor authentication (2FA), a compromised reused password is less likely to allow access to other systems.

While MFA is more secure than relying solely on your traditional user name and password to access a system, it is not 100% secure. You can crack into a system that uses SMS-based 2FA by intercepting the access code sent by SMS. Authentication apps such as Duo help address this vulnerability in 2FA, but apps are not available for people who do not use smartphones. Nonetheless it’s still worthwhile to enable SMS-based 2FA if it’s the only MFA option for your account.

This all goes to say that you shouldn’t slack on your passwords because you’re relying on additional information to log into your account. Use stronger passwords or passphrases – ideally randomly generated by Diceware – and do not reuse passwords or passphrases. Check out this video by the Electronic Frontier Foundation to learn more about Diceware and how it works. It’s a good way to practice your dice rolls for your next tabletop gaming session!

As a reminder – your security is only as strong as your weakest security practice, so once you have created your password or passphrase, store it in a password manager to better protect both your password and your online security.

The Obligatory Password Manager Newsletter

We regularly get asked at LDH about password managers: what they are, if people should use them, and which ones to use. While there is some consensus in the information security world about password managers, there is still some debate – if you ask three security experts about password managers, you will get at least five answers. Today we’ll add to the mix and answer the most frequently asked questions about password managers.

What is a password manager?

At its core, a password manager is a software application that generates, stores, and retrieves passwords and other login information for various accounts. These passwords are accessible through the manager via a master password or passphrase. Think of a password manager as a vault – the vault has your passwords and you gain access to the vault through a combination that you and only you know.

Should I use a password manager?

Yes! Password managers are a great way to help you secure your online accounts. Password managers do the remembering of (almost) all the passwords for you, so you can break the bad habits of reusing passwords for multiple accounts or using weaker passwords that you can recall from memory – both habits put you at higher risk of having your account compromised. Some password managers can automatically change your passwords for you and generate stronger passwords for each of your accounts. Another benefit of password managers is that you can securely share passwords for family accounts with others in your family (as long as they too use a password manager).

The one password that you have to remember is the master password to get into your manager. To create a strong password that you are likely going to remember, I recommend creating a passphrase. You can generate a strong passphrase through Diceware.

Are they safe?

Safety usually comes up when someone asks about password managers, and for good reason. This is a software application that could potentially have information for your financial accounts, your social media accounts, your shopping accounts, your medical accounts, and so on, and if that application has a data breach or leak, you are at high risk for identity theft at best. There is the fact that some password managers have had breaches in the past, the most prominent one being LastPass. You might also have read news stories about how other password managers might be vulnerable to breaches.

Nonetheless, for most folks, the risks associated with the use of a password manager are far less than using weaker passwords or reusing passwords. This gets into your threat model – what are the most realistic risks in terms of who wants your data, why they want your data, and how they’ll get your data. This is a risk assessment where you not only need to consider the severity of the harm if the risk is realized but also the likelihood that it will be realized. Yes, a password manager might be breached, but the likelihood of a well-known password manager being breached is lower than a breach of an account that uses a weaker password or a password that was used by another account that was part of another breach or leak.

[A gentle reminder that using a weak password or reusing a password for your master password for the password manager also puts you at the same level of risk as not using a password manager at all!]

If you’re still wary of using a password manager, there are a couple of strategies I’ve encountered from my discussions with others that can mitigate some risks, including using multiple password managers to store different types of passwords and other sensitive information, or only using the password manager to manage passwords and not storing any other information, like security question answers and payment information.

Which password manager do you recommend?

It depends on your needs.

Some people use their browsers to manage their passwords, but that limits users to the browser that they are using. To get the full benefit, I recommend using a password manager separate from an individual browser’s password vault.

In general, you want to use a password manager that:

  • Uses strong encryption to store and to sync data in and between clients and apps
  • Offers secure cross-platform compatibility (desktop, mobile device) for all the platforms that you use in your daily life
  • Has an established reputation in the password manager world

The question of paid versus free accounts sometimes comes into the conversation. Several password managers have a free plan, while other password managers are free open source software. It depends on your needs and your comfort level when it comes to whether you want to stick with a free plan/manager or move to a paid plan.

With all that said, here are some password managers to check out:

Are there alternative ways to store passwords outside a password manager?

There’s always this. ;c)

Special thanks to newsletter subscriber Chris Reimers and the folks in the ALA LITA/OIF webinar last week for the newsletter topic suggestion!

Recording now available for remote work and data privacy

If you missed last week’s “A Crash Course in Protecting Library Data While Working From Home”, don’t worry – we recorded the session! You can access the recording and transcript of last week’s webinar in Google Drive. Resources and handouts for the webinar can be accessed at https://is.gd/LDH_RemotePrivacy.

What’s The Name of Your Pet?

Welcome to this week’s Tip of the Hat!

Our Executive Assistant argues that we at LDH shouldn’t use her name to answer the question in today’s newsletter title. She is, after all, our Executive Assistant, and not a pet. However, the EA’s objection also has merit for information security reasons. Today we visit our information security neighbors to explore one risk to library staff and patron account privacy – the dreaded security question.

Where did you meet your best friend?

This topic was inspired by a recent popular tweet:

normal people: it’s my birthday

infosec experts: THAT WAS HIGHLY SENSITIVE INFORMATION. DO YOU HAVE ANY IDEA HOW EXPOSED YOU ARE

normal people: my dog’s name is Jack

infosec experts: YOU’RE GONE. DONE FOR. IT’S OVER
— Katerina Borodina (@kathyra_) September 3, 2019

Common security questions can be easily cracked by a quick search of your online activity. Social media is a gold mine of this type of information, including information about pets, childhood, school, family, or even your favorite color and sports team. Some companies provide less common security questions that would prove harder to crack, though most companies do not stray from the common security questions.

Library staff are in a particular bind in a couple of situations involving security questions. Some vendor products require security questions for account creation, and some libraries are only allowed one institutional “admin” account to share among staff. We bet you a nice cup of quality tea that at least one of the security question answers for that account is a variation of the following words:

  • Checkout or check-in
  • Dewey
  • Books, including bookworm
  • Cat
  • Reading
  • Library
  • Your library’s, organization’s, or department’s name, physical location, mascot, school colors, etc.

Perhaps the person who created the account decided to use their own personal information to answer the questions, and those answers don’t get changed when that staff person leaves the library. Resetting the account now becomes trickier, particularly if that staff member’s personal information wasn’t documented. However, if that person posted some of the information on a public site, that staff account is now at a higher risk of being compromised by a threat actor looking for a way to get into the system.

In either case, library staff accounts that require security questions provide unique security challenges that also carry some privacy risks for both staff and patrons.

What is your favorite color?

By now you’ve heard the advice from InfoSec not to post private information publicly. That doesn’t help much when you have a shared account for library staff. Ideally, you shouldn’t have shared accounts – application permissions and privileges should be granted to individual user accounts. These user-level permissions and privileges should change anytime there is a change in staff or staff responsibilities. Some vendors allow for such user permission granularity, and if your vendor doesn’t support that level of permission control, start asking them to do so!

There is also the fact that security questions themselves are inherently insecure as a way to keep user accounts secure; however, many companies still rely on these questions to authenticate users or for password resets. If you are creating a library staff account for a vendor product or service, and the vendor is requiring you to answer common security questions as part of the account creation process, a good place to start is to randomize your answers.

When we say “randomize” we do not mean swapping out your personal information for information about your workplace; we mean providing an answer that would make no sense as an answer to the question. For example, “What was your first car?” could have the following answers:

  • A: Treehouse
    • A single word or a simple phrase that is not apparently related to you, the organization, or the question itself
  • A: ur0wIBHRGp9IBi
    • A random string of characters generated from a password generator
  • A: decimallemonBritish
    • A random passphrase generated from a passphrase generator

The more random you get with your answer, the better. To ensure that you are getting closer to a random answer, use a password or passphrase generator. Most password managers have random generators, and some even have the option to create passphrases. If you have multiple accounts that require security question answers, do not use the same answer twice; instead, generate new answers for each account, even if the account shares the same questions with other accounts.
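Both the Diceware recommendation in the earlier posts (for passwords and for the password manager’s master passphrase) and the randomized security answers just described rely on the same thing: a generator that draws from a cryptographically secure source. Here is an added example (not from the original newsletter and not any password manager’s code) that rolls dice the Diceware way, generates random-string and passphrase answers like the two shown above, and hands out a distinct answer for every account even when accounts share a question. The 36-word list is constructed for the example; the real Diceware list has 7776 words indexed by five dice, and the lookup works the same way.

```python
import math
import secrets
import string

# Constructed 36-word list, indexed by two dice (6 x 6). The real Diceware list
# has 7776 words indexed by five dice; the lookup mechanics below are identical.
MINI_WORDLIST = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable", "gamma", "habit", "igloo",
    "jelly", "kayak", "lemon", "mango", "noble", "oasis", "pearl", "quilt", "raven",
    "salsa", "tango", "umbra", "vivid", "wheat", "xenon", "yacht", "zebra", "amber",
    "bison", "cider", "delta", "ember", "flint", "grove", "hazel", "ivory", "jumbo",
]
DICEWARE_LIST_SIZE = 7776  # 6 ** 5, the size of the standard Diceware list


def roll_dice(n_dice: int) -> list:
    """Roll n_dice six-sided dice using the OS CSPRNG (secrets), never random.random()."""
    return [secrets.randbelow(6) + 1 for _ in range(n_dice)]


def dice_to_index(rolls: list) -> int:
    """Read the rolls as a base-6 number, the way a Diceware key like 1-1-1-1-1
    maps to the first word and 6-6-6-6-6 to the last."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"not a die roll: {r}")
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(n_words: int, wordlist: list = MINI_WORDLIST, sep: str = " ") -> str:
    """Pick n_words from a wordlist whose length is a power of six, one set of rolls per word."""
    n_dice = round(math.log(len(wordlist), 6))
    if 6 ** n_dice != len(wordlist):
        raise ValueError("wordlist length must be a power of 6 (36, 216, 1296, 7776, ...)")
    return sep.join(wordlist[dice_to_index(roll_dice(n_dice))] for _ in range(n_words))


def random_string(length: int, alphabet: str = string.ascii_letters + string.digits) -> str:
    """A random answer in the style of ur0wIBHRGp9IBi from the list above."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent picks from `choices` equally likely options."""
    return count * math.log2(choices)


def security_answers(accounts: dict, n_words: int = 3) -> dict:
    """One distinct random answer per (account, question), even when several
    accounts ask the same question, as recommended above."""
    answers, used = {}, set()
    for account, questions in accounts.items():
        for question in questions:
            answer = diceware_passphrase(n_words, sep="")
            while answer in used:  # vanishingly rare, but never hand out a duplicate
                answer = diceware_passphrase(n_words, sep="")
            used.add(answer)
            answers[(account, question)] = answer
    return answers


if __name__ == "__main__":
    print("6-word Diceware passphrase: about %.1f bits" % entropy_bits(DICEWARE_LIST_SIZE, 6))
    print("14-char alphanumeric string: about %.1f bits" % entropy_bits(62, 14))
    # Constructed demo accounts: two of them ask the same pet question.
    demo = security_answers({"vendor-admin": ["first car?", "pet's name?"],
                             "ils-admin": ["pet's name?"]})
    for key, value in demo.items():
        print(key, "->", value)
```

The entropy figures are the reason the advice holds: a six-word Diceware passphrase is about 77 bits and a 14-character alphanumeric string about 83 bits, against a handful of bits for a pet’s name that a search of social media turns up. Store whatever this produces in the password manager’s secure notes, as the next paragraph describes; nothing here is worth remembering by heart, and that is the point.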

Lastly, document the answers in a secure place. Many password managers have a secure notes function in which you can document your security answers for each account. Make sure that the place you store your answers is encrypted and accessible to only those who need access to those answers in the case that they need to reset the password or access the account. In most cases, that would mean only you, but if your department uses a password manager to manage department accounts, this would be the place to store them as well.

As long as companies require you to answer security questions, you need to mitigate the many risks that come with such questions. Randomizing answers is the first place to start, and not using personal information attached to any staff members or the workplace is another critical step. If all else fails, you can always change your pet’s name to 9AtTsCbWqRww7C…