30 November 2015
Peter Wood’s ‘Five steps to ensure stronger passwords and better authentication to reduce the threat of business data theft’, published recently on ComputerWeekly.com, is really worth reading.
The checklist is a good starting point for a self-assessment, except for the tip on Two-Factor Authentication. I fully agree that privileged accounts and accounts used for remote access must be given special protection. But this will not stop attackers from stealing information once they have gained access to the company network, e.g. through a phishing attack. In this case the attacker acts as an authenticated user, with all the authorizations granted to that user.
If Two-Factor Authentication is required even for access to business-critical information inside the company network, a large class of attacks is no longer possible, because the attacker simply has no access to the second factor, e.g. the user’s smartphone and the authenticator app.
A 27-character passphrase like ‘1sn’t th1s a good password?’ is definitely much safer than a hard-to-memorize 8-character strong password. But the passphrase is as useless as the password once the attacker has managed to get access to the network. In this case a second factor could make life more difficult for the attacker. In addition, the chance of the attacker getting discovered increases dramatically.
Have a good week.