Over the course of four days in February 2015, Slack’s database of usernames, email addresses and hashed passwords was stolen. A few months later, LastPass, a cloud service provider that lets its users manage all their passwords with a single master password, disclosed that hackers had broken into its database and stolen user email addresses, password reminders, server-side per-user salts, and hashed passwords. LastPass had “hashed” user passwords by running each plain-text password through a mathematical algorithm that turns it into a string of gibberish numbers and letters. Hashing resembles encryption in that it hides the original password, but even a security-minded company like LastPass can make fatal errors in the hashing method used to protect passwords.
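The salted, slow hashing that the paragraph alludes to, written out here as an added illustration (not LastPass’s or Slack’s implementation): PBKDF2-HMAC-SHA256 with a random per-user salt, shown beside the fast unsalted hash that makes a stolen table cheap to crack in bulk. The iteration count, record format and sample passwords are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; tune so one check costs ~0.5 s on the server
SALT_BYTES = 16

def naive_hash(password: str) -> str:
    """The weak pattern: one fast, unsalted hash. Every user with the same
    password gets the same value, so one cracked entry unlocks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. A fresh random salt per user makes identical passwords
    produce unrelated records; the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])

def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing does not reveal how many bytes matched."""
    algorithm, iterations, salt_b64, dk_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    # Constructed sample: two users who both chose the same (bad) password.
    alice, bob = hash_password("123456"), hash_password("123456")
    print("fast unsalted hashes identical:", naive_hash("123456") == naive_hash("123456"))
    print("salted records identical:", alice == bob)
    print("login with right password:", verify_password(alice, "123456"))
    print("login with wrong password:", verify_password(alice, "12345"))
```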
In many cases, cyber criminals don’t even need to steal passwords and then crack them to gain access to user accounts. That’s because over 10% of users employ one of the same 20 highly insecure passwords, many of them plain dictionary words, including gems like “password” (the #2 most common) and “123456” (the #1 most common). By trying just those 20 most common passwords, a hacker has a better than 10% chance of gaining access to a given user’s account.
Like clockwork, data breaches have become a regular part of modern life. LastPass and Slack are hardly the biggest victims of stolen user information. Only four years ago, 77 million Sony PlayStation users’ information was stolen by hackers. A couple of years later, in March 2013, Evernote notified its 50 million users of a serious security breach in which hackers stole usernames, emails and encrypted passwords. A few months after the Evernote breach, Adobe revealed that hackers had stolen millions of encrypted customer credit card numbers as well as tens of millions of login credentials. A few months after the Adobe attack, hackers used compromised eBay employee credentials to gain access to an eBay database that stored personal information for 145 million users.
Have passwords outlived their usefulness?
At Skyhigh, we have tirelessly advocated creating strong passwords that are difficult for a hacker to guess or crack using brute force. At the same time, we’ve seen the requirements for what makes a password strong become more complicated and harder to remember, as increasing computing power drives a password arms race. Cyber criminals can now build a $5,000 computer that tries all potential variations of a 6-digit password in under 11 minutes.
With hackers breaking into cloud services and stealing login credentials, passwords alone cannot protect against third parties gaining access to your data in the cloud. A multi-layered defensive strategy is needed. So-called “defense in depth” approaches almost always include multi-factor authentication as an essential part of the authentication process, not as an optional add-on that a user must manually turn on. Multi-factor authentication mitigates virtually all the weaknesses of passwords, whether the password is stolen by a hacker or simply guessed.
What is multi-factor authentication?
It used to be that multi-factor authentication was only feasible at relatively large businesses. Employees were given a device that generated a token, or code, that was needed to log in to the company’s digital properties. The code refreshed every 30 seconds, so an older token that someone else got hold of could not be reused to log in.
The proliferation of smartphones has made it easier for consumers to use multi-factor authentication, as the dedicated devices that generated codes have been replaced by apps that run on the phone. Another key innovation is the use of text messaging to send the user an additional authentication code that they must enter along with their username and password. When a user attempts to log in to Dropbox, for example, they receive a text message with a unique code that is required to complete the login. Since a hacker who has compromised a user’s password likely does not have physical access to their phone, this method makes it significantly more difficult for a third party to gain access to the account.
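The code-that-refreshes-every-30-seconds scheme described above, as an added example that is not Skyhigh’s or any vendor’s code: it assumes the standard TOTP construction (RFC 6238 over RFC 4226), where the server and the user’s device share a secret and both compute an HMAC over the current 30-second time step. The demo secret is the RFC’s published test key, and the one-window drift tolerance is an assumption.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the "refreshes every 30 seconds" window described above
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time code for a 64-bit counter, truncated per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """Code for the time window containing at_time (RFC 6238)."""
    return hotp(secret, at_time // step)

def verify(secret: bytes, submitted: str, at_time: int, skew: int = 1) -> bool:
    """Server-side check. Accepts the current window plus `skew` windows on
    either side for clock drift; the comparison is constant-time so response
    timing does not leak which digits matched."""
    counter = at_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-skew, skew + 1)
    )

if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key); real secrets are
    # random, generated once during enrollment and shared only with the app.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(demo_secret, now)
    print("code for the current 30-second window:", code)
    print("still accepted one window later:", verify(demo_secret, code, now + 30))
    print("rejected two windows later:", verify(demo_secret, code, now + 60))
```

An old code that has been phished or shoulder-surfed stops working once its window (plus the drift tolerance) has passed, which is the property the paragraph is describing.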
The benefits of this method are fairly obvious. According to a 2014 study, consumers use their smartphones for an average of 3 hours and 16 minutes a day and check their phones a whopping 1,500 times a week. Another study found that 71% of survey respondents reported sleeping with or next to their smartphones. Barring a lost, stolen, or malware-infected smartphone, one can rely on the smartphone to accurately verify one’s identity. It is no wonder that, immediately after the Slack and LastPass breaches, both companies turned on multi-factor authentication for all users.
As advocates of multi-factor authentication, and especially since the majority of cloud services don’t have multi-factor authentication turned on by default, we’ve listed below the top 20 consumer cloud apps and top 20 enterprise cloud apps that provide multi-factor authentication, along with links to their websites with directions for turning on this feature. It takes just a few minutes to turn on multi-factor authentication for these popular apps, but doing so could save you the pain of having your data stolen or erased in a cyber attack.