Passwords Are Doomed: You NEED Two-Factor Authentication

Two-Factor Authentication
How many people use passwords of eight characters or fewer, with a capital first letter and a couple of digits at the end? People are predictable, and so are their passwords. To make things worse, people are lazy and tend to reuse the same password for just about everything that requires one. A study presented at the DEFCON hacker conference stated, “with $3,000 dollars and 10 days, we can find your password. If the dollar amount is increased, the time can be reduced further”. This means that regardless of how clever you think your password is, it is eventually going to be crackable as computers get faster and brute-force tools are combined with statistical models of human password habits. Next year the same researchers may state, “with 30 dollars and 10 seconds, we can have your password”. Time is against you.

Increasing password length and mandating character types helps combat this threat, but as passwords become harder to remember, people fall back on predictable patterns. It is better to separate authentication into different factors, so that an attacker must compromise multiple targets to gain access. This dramatically improves security but does not make it bulletproof, as seen with RSA tokens being compromised by Chinese hackers. The three factors are something you know, something you have, and something you are. The most common two-factor solutions combine something you know with something you have: a password or PIN plus a token, a CAC/PIV card, or a digital certificate. Biometrics (something you are) is becoming more popular as the cost of the technology becomes affordable.

There are many vendors in the authentication market. Axway and Active Identity focus on something you have, offering CAC/PIV card solutions. These cards can be integrated with door readers to provide physical access control to buildings as well as two-factor access to data. RSA and Symantec focus on hardware or software certificate and token based solutions. These can be physical key fobs or software on smartphones and laptops that generate a unique numeric security code every 30 seconds. Symantec acquired VeriSign's authentication business, a leader in the cloud space, which offers recognizable images and challenge-and-response solutions. Symantec took the acquisition further by changing its company logo to match the VeriSign “check” because of its reputation for cloud security.

The consumer market is starting to offer two-factor options to its customers. Cloud services such as Google and Facebook hold a great deal of personal information and now offer optional two-factor authentication. It is common practice for financial institutions to use combinations of challenge-and-response questions, known images, and downloadable certificates that tie a machine to an account. The commercial trend is moving in the right direction, but common practice for average users is still predictable passwords. As many security experts have stated, security is only as strong as its weakest link. Weak authentication will continue to be a target as attackers use ever more computing power to overcome passwords.


13 thoughts on “Passwords Are Doomed: You NEED Two-Factor Authentication”

  1. Visited your web blog through Reddit. You know I am signing up to your feed.

  2. Many thanks for spending some time to explain the terminology for the inexperienced persons!

  3. Reached your blog post through Reddit. You know I am subscribing to your rss feed.

    • True, but time is against common password use. Most brute force methods used today require certain elements to match predictable behavior mixed with short passwords not containing special characters. The research stating 10 days with three thousand dollars changes quickly by increasing the password to 9 or more characters as well as adding special characters. The point is computing power is dramatically increasing while people’s password habits remain static. Eventually computers will be fast enough to break complicated passwords, so it’s a good idea to start considering multi-factor authentication methods.

      Another point is if you make the standard password requirements too hard for users to remember, they will end up on sticky notes under the keyboard. They may also use predictable behavior such as using a row of keys (i.e. using qazwsxedcrfvtgb or qwertyuiop). Either way, it defeats increasing the password requirements.

  4. Pingback: How Secure Is Your Home Wireless Network? Wireless Network Security 101 | Joey Muniz - The Security Blogger

  5. I liked your article; it is an interesting technology.
    Thanks to Google I found you.

  6. Pingback: Gemalto | Enterprise Security | Three-factor authentication: Something you know, something you have, something you are

  7. Pingback: Gemalto | Enterprise Security | Are we seeing the death of the password?

  8. Pingback: Authentication: Why Authentication Solutions Are Import To Security | Joey Muniz - The Security Blogger

  9. Pingback: Defending Against Google Hacking : Know What Can Be Found On Search Engines | Joey Muniz - The Security Blogger

  10. Pingback: Defending Against Google Hacking : Know What Can Be Found On Search Engines

  11. Pingback: Defending Against Google Hacking : Know What Can Be Found On Search Engines – Dr. Chaos
