
Friday, August 17, 2012

Two Factor Authentication for email

Very few people today are using two factor authentication for their email accounts. In fact, most people do not even know what it is. If you do know what two factor authentication is, odds are you are not aware if your email provider supports it. You are in luck if you use Google mail (gmail) or Yahoo mail because they both support two factor authentication. In this blog I describe why you need a second factor as well as a brief overview of what two factor authentication is and how it works on both Google and Yahoo.

Why bother?

You are probably asking yourself, "why should I hassle with two factor authentication? It sounds complicated." I suggest you read this article on Wired.com that describes how the author, Mat Honan, was hacked. The end result of this epic hack on Mr. Honan was extremely destructive. The hackers obtained control of his Amazon, AppleID, gmail, and Twitter accounts. Using his AppleID they were able to remotely erase all of his data from his iPhone, iPad and his MacBook. They deleted his Google gmail account and took over his Twitter ID to tweet whatever messages they liked under his Twitter persona.

As the Wired article explains, this hack was based on Social Engineering. It involved the hackers physically calling customer support for both Amazon and Apple to provide information that allowed them to gain access to those accounts via their password reset mechanisms. Mr. Honan had "chained" these impacted accounts together and essentially they fell like dominoes after access was gained into the Amazon account.

Two factor authentication on his gmail account would not have stopped all of this destructive damage, since Google was not involved in the mechanism used to gain access to Amazon and his AppleID. But had he enabled two factor authentication on gmail, it would have kept the hackers out of his Google account and would have indirectly protected his Twitter account. Unfortunately, since both Amazon and Apple had a serious flaw in their security ecosystem, Mr. Honan would still have likely lost the data on his iPhone, iPad and his MacBook.

There has been significant press lately about password strength. If you haven't already done so, read my blog on the LinkedIn password hack that managed to steal the password file for thousands of users. In that blog I describe why you should change your LinkedIn password after that attack and ensure that you have a strong password that is not shared with your email accounts. But that blog post is all about protecting your password and having an effective one. Two factor authentication takes security one step farther.

What is two factor authentication?

Two factor authentication simply means you need two things to log into the account. Two factor authentication most often uses the following two "things" or factors:
  1. Something you know (your password)
  2. Something you have in your possession that nobody else has (usually a token of some kind)
Google and Yahoo both give you the option of having your phone act as the second factor, or the "thing" that you have. Basically, once you log on with your normal password, Google or Yahoo will text you a numeric code that is good only one time. This numeric code is the token that you "have". After the initial log in screen you will be presented with a screen that prompts you to enter the code that was sent to your phone via text message.

Using this second factor essentially means that even if your password has been compromised the hacker cannot access your account unless they have the token that has been sent to your phone. This protects your email account from the type of attack that happened to Mr. Honan, which effectively amounted to a password reset on the email account. It also protects you from other forms of security breaches in which your password has been compromised to an attacker such as the stolen password file incident that happened to LinkedIn.

Two factor authentication may seem intimidating, or an unnecessary hassle, but it really is not that intrusive once you have set it up for the first time. As you can see in the screen shot above, Google gives you an option to "Trust this computer". If you check that box you will not need to enter the second factor again from that computer. Do not check that box on any shared computer. Yahoo has a similar feature that allows you to trust a computer and bypass the second factor verification step.
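To make the two-step flow concrete, here is an added example (my own code, not anything from the blog post or from Google or Yahoo) of how a server models the password-plus-text-message login described above, including the "Trust this computer" shortcut. The text message is simulated by a callback so it runs offline; the six-digit code format, the five-minute code lifetime and the PBKDF2 iteration count are assumptions for the example, not the providers' real settings.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Added example: server-side model of password + one-time code login.
# The "phone" is a callback; the code lifetime below is an assumed value.


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, slow password hash for factor one ("something you know")."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class TwoFactorLogin:
    CODE_TTL_SECONDS = 300  # assumed lifetime of a code; real providers choose their own

    def __init__(self, send_text, clock=time.time):
        self.send_text = send_text  # callable(phone_number, code): stands in for the SMS gateway
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.users = {}             # username -> {"salt", "hash", "phone"}
        self.pending = {}           # username -> (code, expiry_time)
        self.trusted = set()        # (username, device_id) pairs that may skip factor two

    def register(self, username: str, password: str, phone: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt), "phone": phone}

    def step_one(self, username: str, password: str, device_id: Optional[str] = None) -> str:
        """Factor one. Returns "denied", "authenticated" (trusted device) or "code_sent"."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            return "denied"
        if (username, device_id) in self.trusted:
            return "authenticated"
        code = f"{secrets.randbelow(1_000_000):06d}"  # six random digits, the "thing you have"
        self.pending[username] = (code, self.clock() + self.CODE_TTL_SECONDS)
        self.send_text(rec["phone"], code)
        return "code_sent"

    def step_two(self, username: str, code: str, device_id: Optional[str] = None,
                 trust_device: bool = False) -> bool:
        """Factor two. A code is consumed on its first attempt and expires after CODE_TTL_SECONDS."""
        entry = self.pending.pop(username, None)  # pop: right or wrong, this code is now used up
        if entry is None:
            return False
        expected, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(expected, code):
            return False
        if trust_device and device_id is not None:
            self.trusted.add((username, device_id))  # the "Trust this computer" checkbox
        return True


if __name__ == "__main__":
    # Constructed demo: the "phone" simply records the codes it receives.
    inbox = []
    login = TwoFactorLogin(send_text=lambda phone, code: inbox.append(code))
    login.register("alice", "correct horse battery", "+1-555-0100")
    print(login.step_one("alice", "correct horse battery", "home-laptop"))          # code_sent
    print(login.step_two("alice", inbox[-1], "home-laptop", trust_device=True))     # True
    print(login.step_two("alice", inbox[-1], "home-laptop"))                        # False, code already used
    print(login.step_one("alice", "correct horse battery", "home-laptop"))          # authenticated
```

The two properties worth noticing are that a stolen password alone never gets past `step_one` without a fresh code being delivered to the registered phone, and that each code is single-use and time-limited, so one that is overheard or guessed late is worthless. The trusted-device set is exactly the risk behind the advice not to tick the box on a shared computer: anyone using that device afterwards skips the second factor.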

I urge everyone to take this threat seriously and turn on two factor authentication on every account that offers it. Honestly, if your email provider does not offer it I would switch to one that does, such as Google or Yahoo. Too much of our lives depends on our online accounts to not protect them properly. Think of how many accounts you have, such as your bank, credit cards, brokerage firms, etc., that have a password recovery option that sends a reset notification to your email account. For a hacker, obtaining access to that email account is the equivalent of gaining the keys to the kingdom. Protect it as best you can.

Monday, June 11, 2012

LinkedIn hack - change your email password

If you are sharing your email password with your LinkedIn account, change them both now! Read on for more details.

Last week, on or about June 6th, LinkedIn reported a security breach in which 6.5 million passwords were stolen and posted to a Russian hackers' website. The internet is abuzz with talk about this hack, including this article on Rapid7.com that lists the 30 most common passwords found in the 6.5 million entry list. According to Rapid7, "link" was the number one password found in the list, followed by "1234" as the second most common. The sixth most common was "12345". These passwords are so easy to break they are not really passwords at all.

The file that was posted on the Russian website contained only the SHA1 hash values of the passwords; it did not contain the LinkedIn user IDs. A password alone is of no real value unless you know the user ID of the account it belongs to. Having said that, it is assumed the hackers have the user IDs for each password and simply chose not to publish them. As stated above, the passwords are not stored in human readable form; they have been hashed using the SHA1 algorithm. The problem with SHA1, as with any hash or encryption technique eventually, is that it can be broken. SHA1 password hashes are easily cracked with various programs readily available to the public, but suffice it to say that the longer and more complicated your password, the harder it is to crack.

This hack should serve as a wake-up call to everyone about using stronger passwords. I suggest using passwords no shorter than 8 characters, with a mixture of letters, numbers and special characters. Also, avoid using dictionary words and phrases since they are easier to crack via brute force techniques. Take the time to read these ten password tips posted by Rapid7.com even if you think you are savvy about security.
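The two previous paragraphs explain why a leaked file of SHA1 hashes is dangerous and why password strength matters. The following added example (my own code, not LinkedIn's or Rapid7's) shows the mechanism from the defender's side: with plain unsalted SHA1, every user who chose "link" has the identical hash, so one precomputed table of common passwords matches the whole file at once; a per-user salt plus a slow key derivation (PBKDF2 here) gives each user a different hash and makes every guess expensive. It also encodes the post's rule of thumb for a stronger password. The "leaked" hashes are constructed for the example from the weak passwords named in the post, not taken from the real dump, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import string

# Added example. Constructed "leaked" list: unsalted SHA1 of the weak
# passwords named in the post plus one strong password, nothing from the real dump.
WEAK_GUESSES = ["link", "1234", "12345", "password", "linkedin"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA1, the storage form the leaked file used."""
    return hashlib.sha1(password.encode()).hexdigest()


LEAKED_SHA1 = [sha1_hex("link"), sha1_hex("link"), sha1_hex("12345"), sha1_hex("Tr0ub4dor&3!x")]


def match_unsalted(leaked, guesses):
    """Why unsalted hashes fall quickly: hash each guess once, then look every
    leaked value up in that table. Returns {leaked_hash: matched_password_or_None}."""
    table = {sha1_hex(g): g for g in guesses}
    return {h: table.get(h) for h in leaked}


def pbkdf2_record(password: str, iterations: int = 100_000) -> dict:
    """Hardened storage: random per-user salt and a deliberately slow hash (assumed iteration count)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_pbkdf2(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def meets_policy(password: str, min_len: int = 8) -> bool:
    """The post's rule of thumb: at least 8 characters mixing letters, numbers and special characters."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return len(password) >= min_len and has_letter and has_digit and has_special


if __name__ == "__main__":
    for h, pw in match_unsalted(LEAKED_SHA1, WEAK_GUESSES).items():
        print(h[:12], "->", pw if pw else "(no match in common-password table)")
    a, b = pbkdf2_record("link"), pbkdf2_record("link")
    print("same password, same salted hash?", a["hash"] == b["hash"])   # False
    print("verify correct password:", verify_pbkdf2(a, "link"))           # True
    for candidate in ["link", "linkedin1", "12345678!", "Tr0ub4dor&3!x"]:
        print(candidate, "meets policy:", meets_policy(candidate))
```

Note that the duplicate "link" entries in the constructed list map to one identical hash, which is exactly what lets an attacker work on a whole leaked file at once; the two PBKDF2 records for the same password differ, so a precomputed table is useless against them and each account has to be attacked separately at the cost of the full iteration count per guess.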

It is not important whether your password was included in the list of 6.5 million posted on the Russian hacker's site. At this time it is unknown if the hacker posted the entire list they have in their possession. For all we know the hacker simply chose to post the 6.5 million but managed to steal all the passwords from LinkedIn. Therefore you should take precautions and change your LinkedIn password regardless of whether you find yours in this 6.5 million or not.

Ensure Email Password is Unique

Many people use the same password for multiple accounts, including their email account. LinkedIn uses your email address as its user ID. If you had the same password for LinkedIn as you do for your email account, it is imperative that you not only change your password on LinkedIn, but on your email account as well.

You should never re-use a password across multiple websites, but we all know it is a common practice. It is of utmost importance, however, that your email account's password be unique. Many sites have a "forgot my password" option that simply emails a reset link to the address on file. If the hacker has your email password they can simply go to high value websites that use email addresses as the user ID and click the "I forgot my password" link. If the site in question sends a reset password link to your email account, the hacker can now change the password on that site as well. Therefore if you were using the same password for LinkedIn and your email, you are in a position of extreme risk right now. Not only are your email and LinkedIn accounts at risk, but every account you have that uses your email address as the user ID is also at risk.

Keeping your email password unique reduces the chances of it falling into the wrong hands via another compromised web site, such as this LinkedIn hack. Make this change immediately, regardless of whether you believe your password was included in the 6.5 million stolen from LinkedIn.