Category Archives: IT Tips and Tricks

keeping your accounts safe: multifactor authentication

For extremely sensitive information you should have even higher security than normal. Multifactor authentication is a way to do just that.

Believe it or not, you may already be using multifactor authentication for logging in to your bank! Do you have to answer a security question, or select a picture? Is there any other challenge beyond your password? If so, your bank is great!

Multifactor Authentication (MFA) is exactly what it sounds like. It’s a way to provide a second (or third, or more!) way of verifying that you should have access to what you’re trying to get into. It adds an additional layer of security that protects you even if your password is lost or stolen.

This isn’t available on all websites, but it is available on your Google-provided Asian Hope account. You can access it in two ways: through SMS or through an app on your smartphone… even in Cambodia!

It’s easy to set up: go to https://www.google.com/settings/security and turn on 2-step verification. Once it’s set up, you can print a list of emergency codes to keep in your wallet in case you don’t have your phone. You can also mark certain computers as ‘trusted’ so that you won’t be prompted for your code on them. Make sure you password-protect your computer, though! Otherwise you lose some of the benefits of MFA.

keeping your accounts safe: passwords

Everyone knows you should have a strong password, but what does that mean? In principle, it means generating the greatest entropy. That’s the cool way of saying “hard to guess for computers and humans.” Practically, it means choosing long, highly variable and random strings. The exact math behind calculating entropy changes depending on who you talk to. For this, I’ll be using this password strength tester as it takes into account common combinations. (e.g. ‘q’ is almost always followed by ‘u’ – so you don’t get points for that)

If you’re already bored, try your password out at http://howsecureismypassword.net
It will tell you how much time a common desktop computer will take to break your password.

Continuing on though, let’s look at some examples:

123456
6 characters long, only numbers.
9.7 bits of entropy.

This is a terrible password. Not only is it on the list of 25 most popular passwords of 2012, it has very low entropy. With only digits 0-9 this would be broken in milliseconds by a password cracker or easily guessed by an average human.

09160417
8 characters long, only numbers.
13.6 bits of entropy.

It’s easy for me to remember: it’s my wife’s and daughter’s birthdays! It’s also easy to type! No one will ever guess! You’d think we’re getting better, but we’ve still limited ourselves to just numbers. Trivial for a computer to break. Easy to guess by looking at your Facebook profile.

Mk16Ak17!
8 characters long, numbers, upper- and lowercase letters and special characters.
38.3 bits of entropy.

It’s still easy for me to remember: it’s my wife’s and daughter’s birthdays! It’s not so easy to type though. As for entropy, this is the minimum you should have on your accounts.

correcthorsebatterystaple
25 characters long, all lowercase.
93.6 bits of entropy.

Does this surprise you? It should! It won’t work on some websites that demand a mix of upper- and lowercase characters, but simply having a very long password composed of random words is quite effective! (credit goes to: xkcd) The key to this technique is random words. You can get long passwords by using Bible verses or Shakespeare, but you’re reducing the entropy by selecting words that commonly follow one another.
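The entropy figures above come from the post’s own strength tester, and, as the post says, different testers use different models. The example below is added here to show why the model matters; it is not the tester’s code and not from the original page. It scores the four passwords under three explicit, assumed models: a naive brute-force model (length times log2 of the character classes present, with 33 symbols assumed), a "the attacker knows these are birthdays" model (each MMDD date is one of 366 choices), and a random-passphrase model (four words drawn from a 2048-word xkcd-size list, or 7776 for a Diceware-size list). The guess rate used for the time estimate is a constructed figure, not a measurement.

```python
import math

# Character-class sizes assumed for the naive brute-force model (an assumption,
# not the post's tester's model).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_space(password: str) -> int:
    """Alphabet size an attacker must search if all they know is which
    character classes appear in the password."""
    space = 0
    if any(c.islower() for c in password):
        space += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        space += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        space += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        space += CLASS_SIZES["symbol"]
    return space


def brute_force_bits(password: str) -> float:
    """Naive entropy: length * log2(alphabet). Overstates strength for anything
    with structure (dates, dictionary words, keyboard walks)."""
    if not password:
        return 0.0
    return len(password) * math.log2(char_space(password))


def date_password_bits(n_dates: int, days_per_year: int = 366) -> float:
    """Entropy if the attacker knows the password is n MMDD dates (birthdays);
    the day-of-year is the only unknown, so each date is worth log2(366) bits."""
    return n_dates * math.log2(days_per_year)


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words chosen uniformly at random from a list. Words that
    commonly follow one another (verses, quotations) are not uniform picks
    and score far lower under a real cracker's model."""
    return n_words * math.log2(wordlist_size)


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: half the keyspace on average."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    GUESSES_PER_SECOND = 1e9  # constructed figure for an offline cracking rig

    print("naive brute-force model")
    for pw in ["123456", "09160417", "Mk16Ak17!", "correcthorsebatterystaple"]:
        bits = brute_force_bits(pw)
        secs = average_crack_seconds(bits, GUESSES_PER_SECOND)
        print(f"  {pw:26s} {bits:6.1f} bits  ~{secs:.3g} s")

    print("informed models")
    bits = date_password_bits(2)
    print(f"  two birthdays, no year  {bits:6.1f} bits  "
          f"~{average_crack_seconds(bits, GUESSES_PER_SECOND):.3g} s")
    for size in (2048, 7776):
        bits = passphrase_bits(4, size)
        print(f"  4 random words / {size:4d}   {bits:6.1f} bits  "
              f"~{average_crack_seconds(bits, GUESSES_PER_SECOND):.3g} s")
```

The contrast is the point of the post: the naive model credits the eight-digit birthday password with about 27 bits, but once the attacker knows it is two dates it is worth about 17, and the 25-letter passphrase is not 117 bits but 44 (the xkcd figure) if its words were picked at random from a 2048-word list, and less still if they were lifted from a familiar text.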

So, how do your passwords fare?