Supplementing Passwords


Why aren't passwords sufficient?

Passwords are a good first layer of protection, but attackers can guess or intercept passwords. Additional security measures can protect you even if an attacker does obtain your password. You can strengthen that first layer of protection by avoiding passwords based on personal information; using the longest password or passphrase possible (8—64 characters); and not sharing your passwords with anyone else. (See Choosing and Protecting Passwords for more information.)

What additional levels of security are available?

Multifactor authentication (MFA), simultaneously using multiple pieces of information to verify your identity, is becoming more common. (MFA is sometimes referred to as two-factor authentication.) Even if an attacker obtains your password, they may not be able to access your account if it's protected by MFA. The theory behind this approach is similar to requiring two or more forms of identification or two keys to open a safe deposit box. You should turn on MFA where it's available. Authentication categories include something you know, something you have, and something you are.

  • Something you know — This includes passwords or pre-established answers to questions. (See tips below for setting up good answers to these "secret questions.")
  • Something you have — This could be a small physical token such as a smart card, a special key fob, or USB drive. You might use this token in conjunction with a password to log into an account. However, software-based tokens are also common. These software-based tokens can generate a single-use login personal identification number (PIN). Other variations include SMS messages, phone calls, or emails sent to the user with a verification PIN. These token PINs can often be used only once and are voided immediately after use. So, even if an attacker intercepts the exchange, the attacker will not be able to use the information again to access your account.
  • Something you are — Biometric identification can include scanning of eyes (retinas or irises) or fingerprints, other facial recognition, voice recognition, or authentication through signatures or keystroke movements. A common example of biometric identification is the fingerprint scanner used to sign in users on many modern smartphones.

Another form of verification is the use of personal web certificates. Unlike certificates used to identify web sites (see Understanding Website Certificates), personal web certificates are used to identify individual users. A website using personal web certificates relies on these certificates and the authentication process of the corresponding public/private keys to verify that you are who you claim to be. (See Understanding Digital Signatures.) Because information identifying you is embedded within the certificate, an additional password is unnecessary. However, you should have a password to protect your private key so that attackers cannot gain access to your key and represent themselves as you. This process is similar to MFA, but it differs—the password protecting your private key is used to decrypt the information on your computer and is never sent over the network.

What other measures keep your passwords secure?

Information technology (IT) security professionals and administrators should implement the following security measures to help further protect passwords:

  • "Salt and hash" passwords. Salting is the addition of unique, random characters to the password before it is hashed. The salt value should be no less than 32 bits in length. Hashing is the process of scrambling a password using a set algorithm.
  • Use strong authentication recovery mechanisms. Weak authentication recovery mechanisms can be misused to allow an attacker to gain unauthorized access to an affected system. Strong mechanisms prevent unauthorized access to an account or to reset the user's password.
  • Implement an account lockout policy. Account lockout should initiate after a pre-defined number of failed attempts.
  • Set accounts to automatically disable. Accounts should be disabled after being inactive for a pre-defined amount of time.

What if you lose your password or certificate?

Perhaps you've forgotten your password or you've reformatted your computer and lost your personal web certificate. Most organizations have procedures for giving you access to your information in these situations. For the best security, keep information on your account up to date. This includes alternate email addresses or phone numbers that can help verify your identity if you forget your password.

In the case of certificates, you may need to request that the organization issue you a new one. In the case of passwords, you may just need a reminder. No matter what happened, the organization needs a way to verify your identity. To do this, many organizations rely on secret questions.

When you open a new account (e.g., email, credit card), some organizations will prompt you to provide them with the answer to a question. They may ask you this question if you forget your password or request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. In theory, secret questions and answers can protect your information. However, common secret questions ask for mother's maiden name, social security number, date of birth, or pet's name. Because so much personal information is now available online or through other public sources, attackers may be able to discover the answers to these questions.

Treat the secret question as an additional password—when establishing the answer, don't supply real information. Choose your answer as you would choose any other good password, store it in a secure location (e.g., in a password manager), and don't share it with other people.

While additional security practices offer you more protection than a password alone, they should not be considered completely effective. Increasing the level of security only makes it more difficult for attackers to access your information. Be aware of MFA and other security practices when choosing a bank, credit card company, or other organization that will have access to your personal information. Don't be afraid to ask what kind of security practices the organization uses.