passwords

Anyone can know your password, but there’s only one you

If the only thing separating a cyber criminal, online stalker or identity thief from your personal data is a password or PIN, you've already lost. There are three primary factors of authentication, but "something you know" is the easiest to crack or compromise and is inherently insecure.

I wrote a blog post about why we should just stop using something you know as an acceptable method of authentication:

Secure authentication is crucial to protect data and guard your identity from being stolen or hijacked. The vast majority of authentication used today is based simply on a username and password, which has proven time and time again to be inherently insecure. Perhaps it’s time to change our definition of authentication.

The All-in-One CISSP Exam Guide (a book I *highly* recommend if you’re studying for the CISSP exam) describes authentication like this: “Three general factors can be used for authentication: something a person knows, something a person has, and something a person is. They are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic.”

Let’s use the front door of your home as an example scenario. Something you know can be a secret knock or secret password or possibly a PIN code used to unlock a door. Something you have would be a physical key required to unlock the door. Something you are would be a fingerprint or retinal scan or facial recognition. It doesn’t even have to be high-tech. It can be as simple as me knowing what my brother looks like and granting him access based on a cursory visual inspection of the person standing on my porch.

Now, let's examine each of those a little closer. Something you are is difficult to replicate or steal. Your unique biometric characteristics are yours and yours alone. It is technically possible to clone a fingerprint or trick some facial recognition tools with a photo or mask, but even that is becoming less feasible. Microsoft recently revealed that Windows Hello can differentiate between two identical twins. The trade-off is that a biometric, unlike a password, cannot be changed if a copy of it is ever stolen, so the systems that store and match it have to be protected accordingly.

Something you have is easier to steal or copy than something you are, but in most cases it requires physical access to, or possession of, the authenticator. For example, someone can steal the key to your front door or make a copy of it, so another person may end up holding your authenticator, or more than one copy of it may exist.
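To make the difference between the factors concrete, here is an added example (not code from the original post or from CSOOnline) of a login check that combines something you know (a password, stored as a salted PBKDF2 hash) with something you have (a one-time code computed from a secret that lives on the user's phone, per RFC 4226 HOTP and RFC 6238 TOTP). The user record layout, the `enroll` and `authenticate` helper names and the PBKDF2 round count are assumptions for this example; the HOTP test values used below come from RFC 4226. The point it demonstrates is that a password copied from a breach is useless on its own: the check fails unless the attacker also has the device.

```python
"""Added example: two-factor login = knowledge factor (password) + possession
factor (TOTP code from a device-held secret). Not the original post's code."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 200_000   # assumption for this example; tune for your hardware
TOTP_STEP = 30            # seconds per TOTP time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = TOTP_STEP, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock
    drift between server and device. Constant-time compare on each candidate."""
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def enroll(password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Create a user record (layout is an assumption). The TOTP secret would be
    shown to the user once, e.g. as a QR code, then kept only on their device
    and in this record; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret or secrets.token_bytes(20),
    }


def authenticate(record: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors are always evaluated, so a failed login does not reveal
    which factor was wrong. Returns True only if password AND code check out."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo data: a user enrolls, then an attacker who has only the
    # leaked password tries to log in without the device.
    record = enroll("correct horse battery staple")
    now = 1_700_000_000
    device_code = totp(record["totp_secret"], now)   # what the user's phone shows
    print("user with password + device:", authenticate(record, "correct horse battery staple", device_code, now))
    print("attacker with password only:", authenticate(record, "correct horse battery staple", "123456", now))
    print("attacker with device only:  ", authenticate(record, "guessed password", device_code, now))
```

Two design choices worth noting: the code window is deliberately small (one step either side), because every extra step accepted is another code an attacker could replay; and the TOTP seed is itself a secret the server must protect, so a possession factor only stays a possession factor as long as that seed is not exposed to the "something you know" attacks the post describes.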

Check out the full story on CSOOnline.com: Maybe it’s time to eliminate ‘something you know’ as an authentication method.
