It is hard to believe, but it is true! I had not changed my Google password for over 5 years!! That’s embarrassing, I know.. but I can explain.. (maybe not). Not entirely satisfied with that news, I also checked the site https://haveibeenpwned.com/ and the occurrences of my email and related passwords are exactly 14. Yes! 14 services in which my password or email have been leaked. I checked the services that have had data breaches in the past 5 years and pretty much all of them were in the list, including LinkedIn, Dropbox and more. I even tried the Brazilian http://minhasenha.com.br but they don’t give you the list of services in which your password is leaked; instead they send you an email with the bloody leaked password! With that, your only option is to change your password in all services you might have an account with!
I do use a password manager, but I have to admit that I use a single password for sites that I will most likely use only once. It is a weak password (not 123456) that is easy to remember and serves as default if I ever come back to that particular URL. For services that matter I use a password generator that will spit out a long, complicated, impossible-to-remember set of 18 characters. Yet for Google, something mystic called 2FA prevented me from changing it more frequently.
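The breach check above is done by looking an email up on haveibeenpwned.com. The same site also exposes a Pwned Passwords range API that lets you check a password without ever sending it: the client hashes the password with SHA-1, sends only the first 5 hex characters, receives every leaked hash suffix sharing that prefix, and does the final match locally (k-anonymity). The block below is an added example written for this post, not code from the post or from haveibeenpwned.com; the range response body, its counts and two of its three suffixes are constructed so it runs offline, and `live_fetch` is the only part that would talk to the real API.

```python
"""Offline demonstration of the k-anonymity range query used by the Pwned Passwords API."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for a /range/{prefix} response body: one "<35-hex suffix>:<count>"
# per line. Only the middle suffix (the real SHA-1 suffix of "password") is genuine;
# the counts and the other two suffixes are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
1E2DC4D9C6F1A2B3C4D5E6F708192A3B4C5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4:1
"""


def split_sha1(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the leaked corpus (0 = not found).
    `fetch_range` is injected so the logic can be exercised without network access."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for the API: only knows the constructed 5BAA6 range."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not called by the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, constructed_fetch))
```

Swap `constructed_fetch` for `live_fetch` to query the real service; the password itself and its full hash still stay on your machine, which is the whole point of the range design.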
Two Factor Authentication Paradigm
2FA (2 factor authentication) is an authentication method that uses 2 pieces of information to allow your “entrance” to a given system. The 2FA is composed of two of these 3 things: something you KNOW (like your password), something you HAVE (like a key fob) and something you ARE (such as your fingerprint or eyes). Nowadays the “something you have”, which used to be a token with a screen displaying random numbers, is commonly replaced by an SMS that is sent to your phone. That is what I use for my Google account. There is a website that tracks down services with 2FA; you will be surprised by the number of big companies that don’t have it yet.
It is true that 2FA is more secure than simple password authentication, but it is not massively used by people… for example, less than 10% of Google users have the feature activated. Apparently the more secure the method (and, by consequence, the more steps involved), the lower the interest and adoption. On the other side of the spectrum, however, is the question of whether, after subjecting yourself to these additional steps, there is more likelihood of negligence with time. And that is where my theory comes in. I will call it “The Two Factor Authentication Paradigm”. It applies only to those 10% that have some form of 2FA activated.
It is basically the false sense of security that is immediately absorbed right after you elect your 2FA. You simply forget about it. Like, you are now part of a protected group of people, surrounded by a field of energy that won’t let any evil in. “I have 2FA, let me carry on with my life…. this item can be checked as done, let’s move on”. I am a victim of such a feeling, as I just realized that it had been 5 years without touching base or even worrying about it. Is this true? Can we 100% trust 2FA, to the point of never checking our passwords again? Questions like the ones below didn’t even cross my mind..
- Can it be brute forced?
- Can it be guessed?
- Can the messages be hijacked/intercepted?
- Can the software be hacked?
- Social engineering hacked?
All of these questions can be answered positively, since most of the efforts employed by companies to deploy 2FA are around SMS – https://twofactorauth.org/. Advanced hacking techniques and social engineering that have been used and reported here, here, here, here, here, here, here… there is more…. here and here prove that 2FA is not something that you enable and forget about. There are threats and one needs to be on top of them, to avoid being hacked, losing money or having his life turned upside down.
This false notion of security is extremely dangerous: 2FA is indeed secure, but it is not bulletproof. It is definitely not the silver bullet of authentication. Flaws can be found in the mobile network, public wireless networks, password recovery procedures, emails, social networks and, as always (as the user now thinks he is safe), in the social oversharing of sensitive data. For example, a hacker can guess your security questions’ answers based on your Twitter profile.
Among the actions to implement and consider in order to add layers of security to your digital life are:
- Change your darn password (5 years is too much)
- Don’t take 2FA for granted
- Do not use SMS based 2FA
- Use the software based token
- If possible try using the U2F ( Universal 2nd Factor)
- Make sure you know your mobile company’s policies and procedures against social engineering and account recovery – here are Vivo’s
- The info provided in the password recovery must be double checked (phone number, email (disable the voice prompt))
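The list above recommends a software-based token over SMS. What an authenticator app actually does is RFC 6238 TOTP: a shared secret, an HMAC over the current 30-second time step, and a 6-digit truncation, so nothing travels over the mobile network that a SIM swap or an intercepted message could catch. The block below is an added example written for this post, not code from the post, from Google or from any authenticator vendor; it uses only the Python standard library and the RFC 6238 test secret (not a real key). The verifier side shows the two checks a practitioner should care about: a small drift window and refusing to accept a counter that has already been used, so a code cannot be replayed within its validity window.

```python
"""RFC 6238 TOTP (software token) generator and verifier, standard library only."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30   # time step used by Google Authenticator and most apps
DIGITS = 6

# Shared secret as an authenticator app receives it (base32, RFC 4648).
# Constructed from the RFC 6238 test secret "12345678901234567890"; not a real key.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating spaces, lowercase and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None,
         digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(decode_secret(secret_b32), t // step, digits)


def verify_totp(secret_b32: str, code: str, at_time: int, last_counter: int,
                window: int = 1, digits: int = DIGITS,
                step: int = STEP_SECONDS) -> Tuple[bool, int]:
    """Server-side check. Returns (accepted, new_last_counter).

    - accepts codes from +/- `window` steps to absorb clock drift;
    - compares in constant time;
    - refuses any counter <= last_counter, so an already-used code is never
      accepted again inside its window (the server must persist last_counter).
    """
    if not (code.isdigit() and len(code) == digits):
        return False, last_counter
    key = decode_secret(secret_b32)
    now_counter = at_time // step
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    print("current 6-digit code for the test secret:", totp(TEST_SECRET_B32))
```

The RFC 6238 test vectors (8-digit codes 94287082 at T=59, 07081804 at T=1111111109, 89005924 at T=1234567890) are what make this kind of implementation checkable offline; a real deployment generates the secret with a CSPRNG per user, delivers it once over a trusted channel (the QR code), and stores `last_counter` alongside it.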
Luckily, my life and accounts have not been (yet) hacked, so there is bandwidth for improvements. First measure..is obvious… 🙂