In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. While questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it, wh
In the past, these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time.
On the contrary, and especially during the past year, quite a few companies have admitted to being victimized by data breaches and losing control of large amounts of data. Big retail chains Home Depot and Target experienced security breaches that culled information from more than 100 million cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach.
Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen. What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts.
Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that are sufficiently strong.
Users can avoid this problem and improve their data security by implementing a secure password safe, such as 1Password or KeePass, on their end devices and by using a really strong password to secure it. The safe contains the passwords of all accounts and automatically applies them during the login procedure.
Two-factor authentication is equally as safe. In addition to a password, the user is required to have a second component for verification. With this method, the user has to combine knowledge (password) and ownership (mobile phone, token).
Two-factor authentication has long been a standard for safety-critical applications. For example, it has been possible for years to secure VPN remote access using a second authentication factor. In the past, the “something you have” component of two-factor authentication consisted of a small token displaying a number necessary for login. The user had to enter this one-time password (OTP) in addition to the password. Now, other solutions are available that do not require the use of tokens. Select VPN solutions with Secure Enterprise Management (SEM) capabilities, for example, allow for use of OTP with mobile phones or smartphones.
With the exception of online banking providers, websites have rarely offered two-factor authentication. However, due to the increasing frequency of data theft, more sites are offering it. For example, Microsoft (OneDrive, Word.com, etc.) and Facebook now offer two-factor authentication, and Dropbox can also be secured with a second login factor. This added layer of security helps reduce the risk of data theft even if a user could not resist picking his pet’s name for a password, or if he decided to pick the most popular password worldwide: “123456.”
Want to learn more about remote access VPN?
In Remote Access VPN For Dummies, we cover:
- The full VPN landscape, including hybrid IPsec/SSL VPN solutions
- The evolution of remote access VPN
- How to provide users with secure remote access
- How to simplify remote access VPN and reduce costs