Passwords and authentication

The analysis of the most recent attack on the services of the Canada Revenue Agency (CRA) is not yet complete, but we already know what could have enabled it: passwords reused from another site that had been hacked. The CRA's case is not isolated; over 15 billion accounts (username and password combinations) are currently for sale on the dark web [i].

Too many people reuse the same usernames (often their email address) and passwords on different sites. This allows attackers who have successfully broken into one website to reuse those credentials on other sites, including government or banking sites.

How can I protect myself from it?

Starting with the most sensitive sites and systems, especially those containing confidential or financial information, a unique and strong password should be used by every employee with access to these systems. Since users have an identity on nearly a hundred sites and systems, how can this be achieved? Here are some possible solutions:

Single sign-on (SSO)

This technological solution makes it possible to delegate the authentication of a site or system to an entity dedicated to performing that authentication. It is very practical for the user, who then has only one strong password to remember, and having a dedicated, centralized system also makes it possible to monitor unsuccessful connection attempts and to add further controls such as multi-factor authentication.

Multi-factor authentication

There are three (3) ways to authenticate a user: by what they know (e.g. a password), by what they are (e.g. a fingerprint) and by what they have (e.g. a house key). Multi-factor authentication simply means using more than one of these factors. When you withdraw money at the counter, for example, you must provide your bank card (something you have) and your PIN (something you know). By combining a second authentication factor with your password, you make it much more difficult for an attacker to steal your digital identity. There are many free mobile apps that can help you.

Password manager

The previous two solutions require that the site or system support these features. When this is not the case, a password manager can still be used. It generates and stores all of your passwords, and some managers even fill in the login fields for you when you authenticate. Several free apps can help you.
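What "generate and store" buys you is a password that is both unguessable and never shared between sites. The following added example (not from the original article, and not the code of any particular manager) shows the two checks a manager performs on your behalf in Python: drawing a password from a cryptographically secure random source with enough entropy, and refusing any candidate that is already used on another site or that appears in a known-leaked list. The leaked list here is a constructed sample of three hashed weak passwords, standing in for a real breach corpus.

```python
import hashlib
import math
import secrets
import string

# Assumed generation profile: letters, digits and a fixed symbol set, 85 characters total.
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{}:;,.?",
]
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, containing at least one character of every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in CLASSES):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def sha1_hex(password: str) -> str:
    """SHA-1 is used only for matching against leaked-password lists, which publish SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample of a leaked-password list (hashes of three notoriously weak choices).
LEAKED_SHA1 = {sha1_hex(p) for p in ("password", "123456", "qwerty")}


def is_known_leaked(password: str, leaked: set = LEAKED_SHA1) -> bool:
    return sha1_hex(password) in leaked


def pick_unique_password(used_hashes: set, length: int = 20) -> str:
    """Return a fresh password that is neither reused from another site nor known-leaked.

    `used_hashes` holds hashes of passwords already stored in the vault; the new one is added.
    """
    while True:
        pw = generate_password(length)
        h = sha1_hex(pw)
        if h not in used_hashes and not is_known_leaked(pw):
            used_hashes.add(h)
            return pw


if __name__ == "__main__":
    vault = set()
    for site in ("bank", "tax-agency", "webmail"):
        print(f"{site:12s} {pick_unique_password(vault)}")
    print(f"entropy per 20-char password: {entropy_bits(20):.1f} bits")
    print("is 'password' leaked?", is_known_leaked("password"))
```

The reuse check only works because every site gets its own generated password; a 20-character password from this alphabet carries about 128 bits of entropy, which is far beyond what a password-cracking rig can enumerate, so the remaining risk is the leak-and-reuse path the article describes rather than brute force.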

Need help?

Our team of professionals is at your disposal to guide you in making decisions related to information technology. Contact us for more information!

[i] https://resources.digitalshadows.com/whitepapers-and-reports/from-exposure-to-takeover