Time for an upgrade — 2FA

Passwords, unfortunately, aren’t as secure as they used to be, and if someone gets your password, they can access your account without any fuss. Even having a strong password doesn’t completely protect you. That’s why 2FA has been invented.

What is two-factor authentication?

Where can I use it?

Unfortunately, you can’t use two-factor authentication everywhere on the web just yet. But a lot of sites have recently implemented it, including many of our favorite services. Here are some services that support two-factor authentication, with instructions on how to enable it:

  • Google & Gmail: Google’s two-factor authentication sends you a 6-digit code via text message when you attempt to log in from a new machine, though it also works with the Google Authenticator app for Android, iOS, and BlackBerry. You can save each machine for 30 days. You can enable it here, or check out Google’s documentation for more info.
  • Apple: Apple’s two-factor authentication sends you a 4-digit code via text message or “Find My iPhone” notifications when you attempt to log in from a new machine. You can enable it here, or check out Apple’s documentation for more info.
  • Facebook: Facebook’s two-factor authentication, called “Login Approvals,” sends you a 6-digit code via text message when you attempt to log in from a new machine. It also works with apps like Google Authenticator for Android, iOS, and BlackBerry, as well as the “Code Generator” feature of the Facebook app. You can also authorize a new machine from facebook.com on a saved machine if you don’t have your phone handy. You can enable it here, or check out Facebook’s blog for more info.
  • Twitter: Twitter’s two-factor authentication sends you a 6-digit code via text message when you attempt to log in from a new machine. You can enable it here, or check out Twitter’s blog for more info.
  • Dropbox: Dropbox’s two-factor authentication sends you a 6-digit code via text message when you attempt to log in from a new machine, though it also works with Google Authenticator and a few other similar authentication apps. You can enable it here, or check out Dropbox’s documentation for more info.
  • Evernote: Free Evernote users will need to use an authenticator app like Google Authenticator for Android, iOS, and BlackBerry, though premium users can also receive a code via text message to log into a new machine. Enable it here, or check out Evernote’s blog for more info.
  • PayPal: PayPal’s two-factor authentication sends you a 6-digit code via text message when you attempt to log in from a new machine. You can read more about it and enable it here.
  • Steam: Steam’s two-factor authentication, called Steam Guard, sends you a 5-digit code via email when you attempt to log on from a new machine. You can enable it by going to “Steam” > “Settings” > “Manage Steam Guard Account Security” in the Steam client. Check out Steam’s documentation for more info.
  • Microsoft Account: Microsoft’s two-factor authentication sends you a 7-digit code via text message or email when you attempt to log in from a new machine, though it also works with a number of authenticator apps. You can enable it here, or check out Microsoft’s documentation for more info.
  • Amazon Web Services: Amazon’s web services, like Amazon S3 or Glacier storage, support two-factor authentication via authenticator apps, like the Google Authenticator app for Android, iOS, and BlackBerry. It also supports Windows phone via the Authenticator app. You can enable it here, or check out Amazon’s documentation for more info.
  • WordPress: WordPress supports two-factor authentication via the Google Authenticator app for Android, iOS, and BlackBerry. You can enable it and read more about it here.

This isn’t an exhaustive list, but it includes some of the more popular services out there. Check out twofactorauth.org for even more, and check around the documentation of your favorite services to see if they support it.

For every service you use that supports it, you should head over and enable two-factor authentication right now — it’s one of the best ways to keep your data (and in many cases: your money) safe. Of course, you should also make sure you use a unique, secure password for each of your accounts, so if you don’t, now’s a good time to change that.

2 centuries to hack — your password is too damn short

I’m a little tired of writing about passwords. But like taxes, email, and pinkeye, they’re not going away any time soon. Here’s what I know to be true, and backed up by plenty of empirical data:

  • No matter what you tell them, users will always choose simple passwords.
  • No matter what you tell them, users will re-use the same password over and over on multiple devices, apps, and websites. If you are lucky they might use a couple passwords instead of the same one.

What can we do about this as developers?

  • Stop requiring passwords altogether, and let people log in with Google, Facebook, Twitter, Yahoo, or any other valid form of internet driver’s license that you’re comfortable supporting. The best password is one you don’t have to store.
  • Urge browsers to support automatic, built-in password generation and management. Ideally supported by the OS as well, but this requires cloud storage and everyone on the same page, and that seems most likely to me per-browser. Google Chrome, at least, is moving in this direction.
  • Nag users at the time of signup when they enter passwords that are …
    • Too short: UY7dFd
    • Lack sufficient entropy: aaaaaaaaa
    • Match common dictionary words: anteaters1

This is commonly done with an ambient password strength meter, which provides real time feedback as you type.

If you can’t avoid storing the password — the first two items I listed above are both about avoiding the need for the user to select a ‘new’ password altogether— then showing an estimation of password strength as the user types is about as good as it gets.

The easiest way to build a safe password is to make it long. All other things being equal, the law of exponential growth means a longer password is a better password. That’s why I was always a fan of passphrases, though they are exceptionally painful to enter via touchscreen in our brave new world of mobile — and that is an increasingly critical flaw. But how short is too short?

An eight character password isn’t great, but as long as you use a reasonable variety of characters, it should be sufficiently resistant to attack. By attack, I don’t mean an attacker automating a web page or app to repeatedly enter passwords. There is some of this, for extremely common passwords, but that’s unlikely to be a practical attack on many sites or apps, as they tend to have rate limits on how often and how rapidly you can try different passwords. What I mean by attack is a high speed offline attack on the hash of your password, where an attacker gains access to a database of leaked user data. This kind of leak happens all the time. And it will continue to happen forever.

If you’re really unlucky, the developers behind that app, service, or website stored the password in plain text. This thankfully doesn’t happen too often anymore, thanks to education efforts. Progress! But even if the developers did properly store a hash of your password instead of the actual password, you better pray they used a really slow, complex, memory hungry hash algorithm, like bcrypt.

Then we’re safe? Right? Let’s see.

  • Start with a truly random 8 character password. Note that 8 characters is the default size of the generator, too. I got U6zruRWL.
  • Plug it into the GRC password crack checker.
  • Read the “Massive Cracking Array” result, which is 2.2 seconds.
  • Go lay down and put a warm towel over your face.

You might read this and think that a massive cracking array is something that’s hard to achieve. I regret to inform you that building an array of, say, 24 consumer grade GPUs that are optimized for speed hashing, is well within the reach of the average law enforcement agency and pretty much any small business that can afford a $40k equipment charge. No need to buy when you can rent – plenty of GPU equipped cloud servers these days. Beyond that, imagine what a motivated nation-state could bring to bear. The mind boggles.

The offline fast attack scenario, much easier to achieve, was hardly any better at 37 minutes. Perhaps you’re a skeptic. That’s great, me too. What happens when we try a longer random.org password on the massive cracking array?

9 characters 2 minutes
10 characters 2 hours
11 characters 6 days
12 characters 1 year
13 characters 64 years

The random.org generator is “only” uppercase, lowercase, and number. What if we add special characters, to keep Q*Bert happy?

8 characters 1 minute
9 characters 2 hours
10 characters 1 week
11 characters 2 years
12 characters 2 centuries

That’s a bit better, but you can’t really feel safe until the 12 character mark even with a full complement of uppercase, lowercase, numbers, and special characters.

It’s unlikely that massive cracking scenarios will get any slower. While there is definitely a password length where all cracking attempts fall off an exponential cliff that is effectively insurmountable, these numbers will only get worse over time, not better.

So after all that, here’s what I came to tell you, the poor, beleaguered user:

Unless your password is at least 12 characters, you are vulnerable.

That should be the minimum password size you use on any service. Generate your password with some kind of offline generator, with diceware, or your own home-grown method of adding words and numbers and characters together – whatever it takes, but make sure your passwords are all at least 12 characters.

Now, to be fair, as I alluded to earlier all of this does depend heavily on the hashing algorithm that was selected. But you have to assume that every password you use will be hashed with the lamest, fastest hash out there. One that is easy for GPUs to calculate. There’s a lot of old software and systems out there, and will be for a long, long time.

And for Developers:

  1. Pick your new password hash algorithms carefully, and move all your old password hashing systems too much harder to calculate hashes. You need hashes that are specifically designed to be hard to calculate on GPUs, like scrypt.
  2. Even if you pick the “right” hash, you may be vulnerable if your work factor isn’t high enough. Matsano recommends the following:
    • scrypt: N=2^14, r=8, p=1
    • bcrypt: cost=11
    • PBKDF2 with SHA256: iterations=86,000

(Pictures and information from http://codinghorror.com)