Tuesday, May 06, 2014

Hiawatha Bray on Computer Security in the Wake of Heartbleed

I keep meaning to post about an excellent column by the Boston Globe technology columnist, Hiawatha Bray on May 1. "After Heartbleed, Change the Locks," is partly a sympathetic note to all of us who are tearing our hair out, or maybe just apathetically groaning, at the news that we must change all of our passwords because of this new security breach!! But it also is a much more useful, step-by-step explanation of different levels of security. In part, Bray discusses why passwords are just NOT doing it for us as security.

But passwords are pretty much what most of us are stuck with. Most of us don't yet have fingerprint or iris scan technology. So,... Bray explains that the best way to deal with passwords is two-factor authentication. Actually, Bray's explanation is not the clearest. What his column does very nicely is scan the current state of security options, and review them. Very nice and handy!

Two-factor authentication typically requires something you know (i.e., a password) PLUS something you own (for instance an ATM card or cell phone. That way, even if a clever hacker figures out or steals your password, it is exceedingly unlikely that they will also have your cell phone or ATM card. (Here is a link to Google's set up two-step authentication link for Android Phones, as an example) and a general Google Two-Step explanation. This Lifehacker post includes a long list of links for a number of social networks and other services that now offer two-factor authentication.

Two-step can work with another combination, as well, such as a printed list of codes. You use each code once, and mark it off each time you use it. Those codes are used in combination with your password, so again, it is a combination of something you KNOW and something you HAVE. So long as you keep the thing you KNOW (password, computer with passwords saved as cookies, or PIN) separate from the thing you HAVE (phone, ATM card, list of codes), this is a very secure way to access online data. So, for instance, don't copy your PIN number on your ATM card!

I previously posted about two-step authentication here before. See....

No comments: