Secure IT Foundation

Secure Passwords using Two Factor Authentication #1

Posted on: October 10, 2009

Currently the most popular method of securing a computer is to use passwords. This is an old technology that dates from the earliest shared computers. To understand why passwords on their own are not ideal for security, you need to understand a little history of early computers.

In the old days, many academics shared a very big computer called a ‘mainframe’, the type that took up a whole floor of a building! Only people with authorised access to the building could use the mainframe, and to keep their results and information separated, short passwords were used. Passwords of six characters or fewer were the norm, such as ‘god’, ‘robot’, ‘123456’ and ‘passwd’. As you had to be in the same building as the computer, and knew most of the other users, there was little need for security. Only when academic rivalry and corporate information stealing became widespread did the situation begin to change. Support for longer and longer passwords was introduced with each new computer operating system. Windows XP and later can use passwords over 100 characters long, not that you would want to type that in every time you logged in.

Passwords are better than no security, but there are two major flaws in passwords: you have to type them in, and the way the computer stores them.

When you type in a password, anyone watching can copy it. Technology called ‘keylogging’ allows a bad guy to copy the keystrokes you type, either by attaching a device to your computer or by having software installed on your computer. This can be done by a virus, or by a legitimate application that a bad guy has modified before putting it on a peer-to-peer network like BitTorrent. You think you are saving money by downloading illegal software, but you may be installing the bad guy’s keylogger for him! Once your details are copied, you may not know until money comes out of your bank account or unusual events start happening in your life.

The second issue is the way computers store passwords. The computer receives the keystrokes from the keyboard, so if a password was ‘securityforall2009’ and the computer just stored this as readable text, then anyone with access to the hard drive could read the password. To make it harder for passwords to be read off a computer hard drive, a mathematical formula is used so that the computer converts the password into gibberish. When you enter a password, the same formula converts what you type into gibberish, and if the two sets of gibberish match then you are let in. As usual with human-designed technology, problems are found in the formulas, or ways to circumvent the whole password check are found. If anyone can physically access your computer (PC or Mac) they can change your passwords with a little time and skill using just a CD!
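To show what the ‘gibberish’ step looks like in practice, here is an added example (not code from the blog) that stores a password as a salted PBKDF2-HMAC-SHA256 digest and later checks a typed password against it; the record format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are assumptions for this illustration.

```python
import hashlib
import hmac
import os

# Added illustration, not the blog's code: store a password as a salted
# PBKDF2-HMAC-SHA256 digest ("gibberish") and verify by recomputing it.
# The record layout and the iteration count below are choices for this example.
ITERATIONS = 200_000  # makes each guess slow for an attacker with the hash


def hash_password(password, salt=None):
    """Return a storable record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Run the same formula on the typed password and compare the two digests."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("securityforall2009")  # the password from the post
    print("stored on disk:", record)
    print("correct password accepted:", verify_password("securityforall2009", record))
    print("wrong password rejected:", not verify_password("securityforall2008", record))
```

Note that the stored record never contains the password itself; someone who copies the hard drive still has to guess, and each guess costs a full PBKDF2 run.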

So what do you do if passwords are known to have problems, stop using them? In an ideal world, yes, passwords would be consigned to the history book. There are other ways to identify the computer user, e.g. fingerprints, iris scans and facial recognition, but all have their own problems. You can give your password to someone intent on knowing it, but do you want your fingers cut off or your eyeballs removed by a bad guy? Passwords can be changed if they are no longer secret, while your biometric information cannot be changed so easily.

The best security method for proving you are who you say you are, and that you are authorised to use the computer, is ‘two factor authentication’, as it is called. This combines a password (something you know) with a token / dongle (something you have). A bad guy needs to have both…

Dutch banks already use this method to secure bank accounts. You place your bank card (something you have) into a device called an authenticator, which gets you to enter your PIN (something you know) plus a code from the web page. This uses a complex formula to generate a code that can only be used once, for the current session, which proves it is you making the transaction. Because you need both items, the PIN and the bank card, it makes stealing your money on the Internet very difficult (but not impossible!).
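As an added illustration of the challenge-and-response idea above (this is example code, not the blog's and not any bank's real protocol), the following models a token that holds a secret key (something you have), unlocks only with a PIN (something you know), and answers a one-time challenge from the server; the code formula is the HMAC-based truncation from RFC 4226 (HOTP), used here as an assumed stand-in for the bank's own formula.

```python
import hashlib
import hmac
import secrets

# Added illustration, not the blog's code and not a bank's actual protocol.
# The token (card + authenticator) and the server share a secret key; the
# server issues a fresh random challenge per session and accepts it only once.


def hotp_code(key, challenge, digits=6):
    """HMAC-SHA1 over the challenge, dynamically truncated as in RFC 4226."""
    mac = hmac.new(key, challenge, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Token:
    """Something you have: produces a code only when the PIN is right."""

    def __init__(self, key, pin):
        self._key = key
        self._pin = pin.encode("utf-8")

    def respond(self, pin, challenge):
        if not hmac.compare_digest(pin.encode("utf-8"), self._pin):
            return None  # wrong PIN: the device gives nothing away
        return hotp_code(self._key, challenge)


class BankServer:
    """Holds a copy of the key, issues challenges and rejects replays."""

    def __init__(self, key):
        self._key = key
        self._outstanding = set()  # challenges issued but not yet used

    def new_challenge(self):
        challenge = secrets.token_bytes(8)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge, code):
        if code is None or challenge not in self._outstanding:
            return False  # unknown or already-used challenge (a replayed code)
        self._outstanding.discard(challenge)  # each challenge works exactly once
        return hmac.compare_digest(hotp_code(self._key, challenge), code)
```

A keylogger that captures the PIN and one code gains nothing lasting: the code is tied to a challenge the server will not accept twice, and the key never leaves the token.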

So how do you get this ‘two factor authentication’ security on your home computer? Read part two.



3 Responses to "Secure Passwords using Two Factor Authentication #1"

[…] Passwords #2 September 5, 2009 secureitfoundation Leave a comment Go to comments Last week we discussed the history of passwords, this week  you will learn how to create a secure password […]

[…] September 12, 2009 secureitfoundation Leave a comment Go to comments In the first part of this blog we told you about the history of password, the second part we explained how to […]
