One Password For Everything

Typically, you get the 'Single Use' password almost every time: whenever the site detects a change in your system, your network, or the way you access SWTOR. To reduce how often you get this 'Single Use' password, keep a static IP both on the router between your network and your ISP's network and on your internal network, and always use the same browser to access SWTOR.com.

Consider the eight-character password. If each character can be any of 26 uppercase letters, 26 lowercase letters, 10 digits and 10 special characters, that's 72 possible characters in each position. With eight positions, that's 72 to the eighth power, or 722,204,136,308,736: 722 trillion possibilities.

When you go on a vacation, you’re probably extremely vigilant with the security of your home. You lock all the windows and doors, and even activate the security camera if you have one installed. After all, you can’t be too careful.

But how vigilant are you when it comes to securing your digital accounts? Do you take steps to create complex passwords? Do you store them in a folder that’s only known to you? Even if you do, isn’t it possible for a hacker to remotely access your system and cause all kinds of harm? Unfortunately, many people need to take cybersecurity more seriously.

As the number of people using the internet to shop, learn, earn and socialize increases, it’s no longer enough to rely on complex passwords to keep intruders at bay. Businesses that store people’s information (banks, ecommerce firms, social media companies and so on) have realized this, which has led them to take extra measures to prevent fraudulent activities and improve account security.

One increasingly popular measure is the use of one-time passwords, which provide an additional level of security by generating a PIN code that’s valid for just one login session or transaction. How exactly does it help? Let’s take a closer look.

How does a one-time password work?

A one-time password (OTP) is sent to the mobile device of the person who wants to log into his/her digital account. It helps in verifying his/her identity and should be used within a specific period. As soon as the OTP enables access to the account, its validity comes to an end. Since the password (a four or six-digit numerical PIN code in most instances) can be entered just once, it’s not as risky as static passwords that can be used a second time.

Using an OTP can not only save you a lot of expenses and headaches but also provide your clients with peace of mind, knowing that their credentials are safe. If a customer’s account details are compromised, the authorization process won’t be completed without the correct OTP sent to his/her registered mobile account. In case a customer mistakenly enters the wrong OTP, they can always request a new code (up to three times) to gain account access.

One-time passwords are produced by algorithms that create a new, unpredictable code each time one is requested. The code then serves as a second password that is distinct for every account login and expires three to five minutes after you receive it. This makes an OTP ideal for some of the most privileged and sensitive activities performed on the internet.

Who’s responsible for authenticating OTPs?

Where there are one-time passwords, there’ll be a central authority to check their validity. The responsibility is often delegated to authentication servers, which can either exist in the form of hardware controllers or software tools. The servers verify if the code put in by the users on the device is correct before it allows them to log into their accounts.

Authentication servers typically generate one-time passwords based on time: the server and the OTP token are kept "synchronized" so that both work from the same numeric values and arrive at the same OTP. Another approach uses mathematical algorithms that derive each code from the values of the previously used one-time passwords. The authentication servers also integrate with enterprise directories such as AD/LDAP and feature a web-based dashboard for easier control and management.

Some providers also offer applications that make it easier to administer one-time passwords. For instance, if an OTP is associated with a device and the person forgets his/her device at home, they can sign into the web app of the OTP provider to request a one-time password on their email, just for a single day. The same app can also be used to request a new PIN code if the previous one has been lost or wrongly entered. Users can even report the damaged or lost codes/tokens to the administrators via the app.

Pros and cons of one-time passwords

Here are some of the biggest benefits and drawbacks of using OTPs.

Pros

Safe from replay attacks

The biggest advantage offered by OTPs in contrast to standalone passwords is that they’re safe from replay attacks. In plain language, an adversary who uses trickery to capture your OTP can’t reapply it, since it’s no longer valid for future logins or sessions.

Allows you to keep your emails safe

OTPs are generally received on mobile devices via SMS. This means you don’t need to have access to your email. Hence, you can avoid logging into your email account on public computers or while you’re connected to an unsecured Wi-Fi hotspot.

Convenient to use

Most individuals own a mobile phone, and SMS functionality exists on every device. SMS’s ubiquity means that one-time passwords are convenient to use. This is also beneficial for businesses that deliver the OTPs, as end users are already familiar with their phones and don’t need another device to receive the code. As a result, OTPs allow companies to not only enhance the user experience but also reduce their operational costs.

Cons

Could get out of sync

Electronic codes have their fair share of problems. Algorithm-based OTPs can drift out of sync with the authentication server, which matters when the system requires the OTP to be submitted by a deadline. Fortunately, the problem can be largely avoided by using a time-synchronized system. These systems prevent such issues by maintaining a clock in the token itself, so token and server derive their codes from the same time step.
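The following is an added example, not code from the article or from any OTP vendor it mentions. It shows the time-synchronized scheme described under "Who's responsible for authenticating OTPs?", the replay protection claimed under "Safe from replay attacks", and the drift tolerance discussed above, all in one place. It implements the HMAC-based (RFC 4226) and time-based (RFC 6238) one-time password algorithms in standard-library Python; the 20-byte shared secret is the published RFC test-vector key, used here only because its expected codes are known, and the `OtpServer` class, its `window` parameter and the replay bookkeeping are this example's own design choices.

```python
import hashlib
import hmac
import struct

# Shared secret held by both the token and the authentication server.
# This is the RFC 4226 / RFC 6238 test-vector key, chosen so the expected
# codes are publicly known; a real deployment generates a random secret per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over an 8-byte counter,
    then 'dynamic truncation' to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(unix_time: float, step: int = 30) -> int:
    """The counter a time-based token derives from its own clock."""
    return int(unix_time // step)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the current time step as the counter.
    This is what the token displays; the server computes the same value."""
    return hotp(secret, time_step(unix_time, step), digits)


class OtpServer:
    """Server side of the scheme: tolerates a little clock drift, rejects replays."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window           # accept codes from +/- this many steps
        self.last_accepted_step = -1   # highest step already used for a login

    def verify(self, candidate: str, unix_time: float) -> bool:
        # Reject malformed input before any cryptographic comparison.
        if not (candidate.isdigit() and len(candidate) == self.digits):
            return False
        now = time_step(unix_time, self.step)
        for k in range(-self.window, self.window + 1):
            step = now + k
            if step <= self.last_accepted_step:
                continue               # that step's code was already consumed: replay
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, candidate):   # constant-time compare
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    server = OtpServer(DEMO_SECRET)
    t = 1111111109                      # one of the RFC 6238 sample times
    code = totp(DEMO_SECRET, t)         # what the user's token would show
    print(code, server.verify(code, t + 30))   # accepted despite 30 s of drift
    print(server.verify(code, t + 30))         # same code again: rejected
```

The replay check is the part that makes the "safe from replay attacks" claim true on the server side: a captured code is useless once its time step has been consumed, and the `window` bounds how far a drifting clock may wander before the user is locked out.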

Can lock you out of your account

If your OTP device is ever stolen or lost, repeated login attempts by an attacker can permanently lock you out of your account. This can be a hassle when you're traveling, as getting in touch with the OTP provider may require an international call, incurring expensive roaming charges. And if the provider doesn't limit the number of login attempts, the adversary may still be able to break into your account through brute force.

May be costly for the providers

For OTP providers, costs can be a problem, especially if they’re offering OTP hardware. Other issues with hardware devices are that they can be stolen, damaged or lost. Moreover, users will need to go through the hassle of charging when battery life comes to an end. The best way to avoid these problems is to deliver one-time passwords via SMS messaging.

Conclusion

If you consider the usage, pros and cons of OTPs, every user can enhance their account security by leveraging a unique password for every single login. As long as the provider is using time-based synchronization and you have your mobile or OTP hardware with you, you can prevent threat actors from spoofing your account credentials. Plus, you get to avoid public computers that may have keystroke loggers and other token-capture software or hardware installed.

Early on I was guilty, as I'm sure many of you are (unfortunately to this day), of using the same password for several accounts, sites, etc. After all, you pick a password that you can remember and you start using it everywhere. Even if it's a "secure" password by today's standards (random letters, numbers, symbols, long, etc.), the problem is that if that password is ever hacked or exposed there is nothing to stop the hacker/thief from trying it in other places. For example, big-name sites like LinkedIn and others have had recent situations where their users' passwords were stolen and then POSTED on the web for the world to see. As quickly as LinkedIn found out, they immediately reset the passwords of those exposed and forced users to pick NEW passwords. As a LinkedIn subscriber I was only mildly annoyed and concerned about this. Although my account was not one of the ones exposed, I knew that even if it was, the password I was using on LinkedIn was ONLY FOR LinkedIn. In other words, having that password wouldn't allow access to any of my other accounts.

Let’s say that you need more convincing

Let's say that you do use the same password for lots of things. Once the thief starts trying your "favorite password" on multiple sites, they are now into more areas of your life such as your email, banking, social media and other accounts. Here's a recent story of a journalist who had his iCloud password hacked and the damage they were able to do with just that one password! Imagine if he used that same password in other places.

It’s not too late to fix this

I invested in an App called 1Password for iOS. It worked so well for me on my iPhone and iPad that I quickly saw the benefit in getting the Mac version too. From that point on any new account I created I started using 1Password to generate the more secure random longer passwords for each site. However, that wasn’t really good enough. Many of my existing site passwords were still using either the same password that I had been using for years or using the same password in multiple places. Earlier this year I sat down and using 1Password I did a search for that “familiar, easy to use password” that I liked to use so much to see which of my accounts were still using it. I made the effort to go to each site and change that password to a new random one right there on the spot. It’s a good thing I did because LinkedIn was originally one of those sites.

Yes, it's a little less convenient not being able to use a password that you can remember easily and use for everything you do, but in today's world of identity and cyber theft we just can't afford to be that lax when it comes to passwords. 1Password makes it as easy as it can be, though. You can sync your encrypted 1Password password file between all your devices. It will generate secure passwords and keep track of them for you. When you need to use a password on a site that it stores, it can insert it for you, or at a minimum you can copy and paste it where needed. Last month when I set up my new MacBook Pro Retina and MacBook Air from scratch I couldn't imagine doing so without 1Password. It made it VERY EASY to get all my accounts set back up.

Here’s another tip

Having an easy to remember and use email address also makes it one step easier for hackers to associate passwords with YOU! I got a tip from Linda S. about setting up specific email addresses for specific purposes. For example, do you really need to use your regular email address for your banking? Probably not. So why not set up a specific email address AND password just for your financial institution? I have my own domain name. I can set up as many email addresses as I want. They also don’t have to include the word “terry” since I won’t be giving those addresses out to friends/family. It would be a lot harder for a hacker to figure out [email protected] than your real name. Since 1Password also stores the email address/user name with the password for each account, you can go nuts with user names too! Come to think of it, using the same email address everywhere is almost as bad as using the same password!

Last words of advice

  • DON'T USE THE SAME PASSWORD IN MORE THAN ONE PLACE!
  • Change your passwords on a regular basis. At work we're required to change our passwords every 90 days. Don't go longer than a year!
  • Use longer, more random passwords. 1Password has an excellent password generator built in.
  • Don't use an easily identifiable user name either. "Js89h2431" is better than "JohnSmith".
  • If you have the ability to have multiple email addresses, use new random email addresses as another layer of security. Many times you can set up the new email addresses to all auto-forward to a main one anyway. If you don't forward and use a single email address with a single vendor and you start getting spam, you'll know where it's coming from!
  • Don't write your passwords down on or near your computer. <- yes, people do this.
  • As clever as you think you are, your dog's name plus a number is not that hard to figure out.
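As an added example (not code from the post, and not how 1Password itself works), here is what a password generator of the kind the advice above relies on looks like, together with the keyspace arithmetic from the opening paragraph (72 characters, eight positions) generalized to any character set and length. It uses Python's `secrets` module, which draws from the operating system's cryptographic random source; the choice of ten special characters is an assumption, since the page does not list which ten it counts.

```python
import math
import secrets
import string

# Character classes as the opening paragraph counts them: 26 upper, 26 lower,
# 10 digits and 10 special characters, 72 in all. Which ten specials is an
# assumption made for this example.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()"
ALL_CLASSES = (UPPER, LOWER, DIGITS, SPECIAL)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity expressed as bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, classes=ALL_CLASSES) -> str:
    """Uniformly random password over the union of `classes`, rejecting draws that
    miss any class so the result always contains at least one symbol of each kind.
    Rejection sampling keeps every qualifying password equally likely."""
    if length < len(classes):
        raise ValueError("length must allow one character from every class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def generate_username(length: int = 10) -> str:
    """Random alphanumeric handle, in the spirit of the post's 'Js89h2431' advice."""
    return "".join(secrets.choice(UPPER + LOWER + DIGITS) for _ in range(length))


if __name__ == "__main__":
    print(keyspace(72, 8))                      # the article's 722 trillion
    print(round(entropy_bits(72, 8), 1), "bits")
    print(generate_password(16), generate_username())
```

Note that the keyspace figure only describes the generator's output when every position really is chosen uniformly at random; a password built from a dog's name plus a number draws from a far smaller set, whatever its length.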

Here are the 25 Worst Passwords Ever!

  1. password <-using a zero instead of an “o” doesn’t make you smart either.
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon
  11. baseball
  12. 111111
  13. iloveyou
  14. master
  15. sunshine
  16. ashley
  17. bailey
  18. passw0rd
  19. shadow
  20. 123123
  21. 654321
  22. superman
  23. qazwsx
  24. michael
  25. football

Don't get caught using the same password for everything! You're smarter than that, right?
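An added example, not from the post: the list above is exactly the kind of deny list a sign-up form should check new passwords against. The check below normalizes the usual letter-for-digit swaps first, so "passw0rd" and "P@ssword1" are caught as variants of "password", which is the point the note next to entry 1 makes. The substitution table and the minimum length of 12 are this example's own choices; the 25 entries are copied from the page.

```python
import string

# The page's 25 worst passwords, verbatim.
WORST_25 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
]

# Common look-alike substitutions (an assumed table, not from the page).
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Lowercase and undo digit/symbol-for-letter swaps so variants collapse together."""
    return password.lower().translate(LEET)


def is_blocked(candidate: str, blocklist=WORST_25) -> bool:
    """True if the candidate, or the candidate minus a trailing number, is a
    normalized variant of a blocklisted password."""
    blocked = {normalize(p) for p in blocklist}
    stripped = candidate.rstrip(string.digits)
    return normalize(candidate) in blocked or normalize(stripped) in blocked


def check_password(candidate: str, min_length: int = 12) -> list:
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_blocked(candidate):
        problems.append("matches a commonly used password (or a simple variant of one)")
    return problems


if __name__ == "__main__":
    for pw in ("passw0rd", "P@ssword1", "monkey", "xK9#mQ2vL!p7rTz4"):
        print(pw, "->", check_password(pw) or "ok")
```

Comparing normalized forms on both sides means the check also catches an entry that is itself written with a substitution ("trustno1" and "trustnoi" collapse to the same string), at the cost of a few extra rejections that are easy to justify to users.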
