Passwords are dead - how to move on and how to effectively protect your user accounts from hackers


I've already written about this topic in a previous post (6 Quick tips to protect your passwords) a while ago, before the recent news about a massive security breach attributed to Russian hackers, who stole 1.2 billion username/password combinations and more than 500 million email addresses.

This latest incident has made it clear, beyond any possible doubt, that we're in a new age of IT Security: passwords, which were already an old technology, have died for good.

That has been clearly stated by major computer security experts such as Mark Rasch (see Russian Hackers Behind World's Biggest Internet Security Breach for more details), and I fully agree with this point.

I know what you're thinking now: "Well, I still have to enter a password to log in, until they find another way to secure my accounts."

No doubt, but in the meantime you can still add another layer of security to your accounts and take action before it's too late.

Have you ever considered how many accounts each of us owns and handles? A lot (the figures above give some idea of the scale), and the number keeps growing, because we handle more and more everyday tasks over the Internet: eCommerce, online banking and so on, including things we wouldn't have thought possible to do online before. Ever ordered a pizza online? Well, somebody does.

If you're used to daisy-chaining them, authorizing third-party applications to access your Twitter, LinkedIn, Facebook or other accounts, the risk grows accordingly, because an attacker only has to compromise one social media account to reach all the linked ones.

What you can do today
  1. Use two-step verification (or more steps, where supported) to log in: most online service providers (Google, Facebook, Twitter, your bank and so on) let you add a phone number to your account and activate the so-called two-step verification procedure. What does it mean? You'll need two things to log in successfully: a) your password, and b) a security code sent to your cell phone by text message, which changes every time you log in. Even if an attacker cracks your password, they can't get into your account without that code (unless they also take over your phone number, for instance through a SIM-swap attack on your carrier; where the service offers it, an authenticator app or a hardware token is a stronger second factor than SMS). For Google accounts, you may want to check this page: http://www.google.com/landing/2step/. I know, it's a hassle and you probably think it's not worth it. One piece of advice: DON'T BE LAZY, BECAUSE THE BAD GUYS AREN'T. If you don't take action today, you may regret it tomorrow when it's too late. Bad guys always find a way to drain your bank accounts and ruin your reputation; don't make it too easy for them.
  2. Change your mindset: don't assume everything will magically be all right. Start from this: you will surely be hacked sooner or later. What really matters is how to minimize the aftermath and how to make sure your business (if you have one) can carry on afterwards. Several companies, some of them important, have had to close for good because of major security breaches. Don't be next on the list. A company can set up honeypots to detect intruders early, but limiting the damage also takes tested backups and a plan for responding when a breach happens.
  3. Go biometric: today you can add a standalone fingerprint reader to your system for as little as $12 (check out this Amazon example). Biometric applications are surely the future of security (I've just finished a college class about it), once people get more accustomed to using biometric devices and they become more widely accepted. Keep in mind that a reader on your PC protects the local login, not your online accounts unless the service supports it, and that a fingerprint, unlike a password, can't be changed if the stored template leaks. I'm not big on trusting my biometric data to companies, but if my fingerprint can prevent a hacker from draining my bank account, it may be worth giving it a go.
  4. If your bank offers it, use a device that generates one-time passwords (an OTP token): in Europe, banks are increasingly using this solution. When you open an account you receive a token that displays a security code changing every few seconds (typically every 30 or 60). To log in, you enter the password you received from your bank together with the code currently displayed. The code isn't random: the token computes it from a secret key stored inside it (some vendors use AES, the open standards HOTP, RFC 4226, and TOTP, RFC 6238, use an HMAC) combined with a counter or the current time. An attacker who doesn't hold the secret can't predict the next code, and a code that is phished or intercepted expires within seconds, which is what makes this hard to break. See here for an example.
  5. Use FileVault (Mac) or BitLocker (Windows) full-disk encryption: with it enabled, all a thief who takes your laptop or hard drive gets is an encrypted blob. An attacker may eventually guess the password that unlocks the key, but it takes much longer, and that alone can be a deterrent, so pair it with a strong login password or PIN. Note what it protects: data at rest, when the machine is off or the disk is removed. It does nothing against malware running while you're logged in.
  6. Think like a bad guy: where would an attacker hit first? Use a password strength checker (the post linked to Microsoft's Password Checker) to test your passwords and change all the weak ones you find. One caveat: never type your real passwords into a third-party web page; test a similarly built one instead. If you use LastPass or another password manager, you can enable multifactor authentication (see Grid Multifactor Authentication for details). With LastPass you can also take the Security Challenge, which audits your stored passwords for weak and reused ones, and I definitely recommend it.
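Items 1 and 4 both rest on one-time codes, and the mechanism behind authenticator apps and most bank tokens is the same: an HMAC of a shared secret over a counter or a 30-second time step, truncated to a few digits. The following is an added example, not code from the original post or from any vendor, of RFC 4226 HOTP and RFC 6238 TOTP in Python, together with a server-side verifier that tolerates one step of clock skew and refuses to accept the same code twice, which is what makes a phished or shoulder-surfed code useless once it has been used. The secret (the RFCs' own 20-byte test-vector key), the fixed timestamps and the skew window are assumptions chosen so the run is reproducible.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation offset (RFC 4226 section 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the time step."""
    return hotp(secret, at // step, digits, digestmod)


class TotpVerifier:
    """Server-side check of a submitted TOTP code.

    Accepts codes within +/- `skew` time steps of the server clock and remembers the
    highest step already used, so no code is ever accepted twice (replay protection).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_step = -1  # highest time step whose code has been accepted so far

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step:
                continue  # that step (or an older one) was already consumed: reject replays
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step = step
                return True
        return False


# Constructed demo values (assumption): the RFC 4226/6238 test-vector secret and fixed
# timestamps. A real deployment generates a random secret per user (os.urandom(20)) and
# shares it with the app or token exactly once, e.g. via a QR code.
DEMO_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Walk one login session through the verifier and report each outcome."""
    verifier = TotpVerifier(DEMO_SECRET)
    t = 59                                   # RFC 6238 test time, falls in time step 1
    code = totp(DEMO_SECRET, t)
    first = verifier.verify(code, t)         # fresh code: accepted
    replay = verifier.verify(code, t + 10)   # same code resubmitted seconds later: rejected
    drifted = verifier.verify(totp(DEMO_SECRET, t + 30), t + 5)  # token clock one step ahead: within skew
    wrong = verifier.verify("000000", t + 60)                    # guessed code: rejected
    return {"first": first, "replay": replay, "drifted": drifted, "wrong": wrong}


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(DEMO_SECRET, c) for c in range(3)])
    print("TOTP right now:", totp(DEMO_SECRET, int(time.time())))
    print(demo())
```

The verifier only ever moves `last_step` forward, so even a code that is still inside the skew window is refused once a later one has been accepted; a real server keeps that counter per user in persistent storage and rate-limits failed attempts, since six digits leave only a million possibilities.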

What can be done tomorrow 

Companies and financial institutions must take action and move towards new technologies and more robust security implementations.

I think that biometric and multi-factor solutions can give customers back the necessary level of trust and a relative peace of mind.

More must be done to protect privacy, and the IT industry still has a long way to go in this respect.

I've always been surprised by the way banks send you credit cards here in the U.S.: in an unsealed envelope, without any precaution. Anyone who gets hold of that envelope can use the card in someone else's name and, unless you use a service like LifeLock, you learn about it when it's too late. In Italy, you have to go to your bank branch in person to get your PIN, and you have to show an ID to pick it up. Your PIN is then handed over to you in a sealed envelope that only you can open.

Wrap-up

There are other ways, in addition to or instead of passwords, to protect your accounts, and you should seriously consider them, because passwords are doomed by now, as the latest security breach has clearly shown.

The IT industry will have to design and implement new security solutions, but there is something you can do starting today to be safer, such as adding biometric devices, multi-factor authentication and more sophisticated tools to your security kit.

Don't join the chitter-chatter choir about password vulnerability; take action now, while you can.
