What’s authentication good for?

The recent news that Slack, a team communication tool, had a breach that leaked email addresses, user names, encrypted passwords and some other stuff is kinda scary. In response, they have activated something called two factor authentication for their users, something that I heavily promote.

So, what good does two factor authentication do against hacks and breaches like the one that apparently happened to Slack? It doesn’t help at all.

Username and password, please. This is the most familiar user authentication method in place today, outside of a simple PIN to access your phone or ATM. It is generally the first, and only, barrier between you and the data hosted by some service or application. Most security experts will recommend keeping your password safe, complex, and unique across sites; I also recommend keeping your username and email address unique across sites.

Top password of 2014: “123456”. OK, that takes a password cracking system zero nanoseconds to crack, but it’s the highest ranked password in use across hacked services. So what can you do? YouShouldUseAPasswordLikeThisIn2015#*!. That would be an awesome password that no one would remember.

Solution? Use a simple password that you can remember and have the system verify it is you by contacting something you have control over (your phone via SMS, your browser via email, or some time based token thing). Easy, and top notch control of access to your account.

Problem? Hackers don’t need that username/password crap. What if a hacker could simply email some nasty virus-like thing to an employee of Slack, Sony Pictures, Uber, etc.? Then they could potentially have raw access to all user data without the need for a pesky username or password… in fact, they could dump all of that data, copy it to some drop in Russia/China and be out in 5 minutes. You find out months later and learn a new cool term, “bad actor”, instead of hacker. You’ll also find out that the company has access to way too much information: could some administrator at Slack read all of your company data/chats? They answered that for us:

Solution? Well, that encryption thing I’ll leave for another post; it involves prime numbers. For now, turn on two factor authentication when offered… and when a company tells you that a small, teeny weeny part of their service was hacked but the other major part wasn’t, say ‘bullshit’ and take your business elsewhere.

