Two-Factor Authentication Transforms Even ‘123456’ Into a Secure Password

Thursday, January 29, 2015

Patrick Oliver Graf


Since 2011, the same two passwords have ranked as the most common (and worst) among users. Care to take a guess as to what they are?

You don’t have to be a savvy hacker to figure them out – “123456” and “password” have again topped the list this year. The good news is the prevalence of these two passwords in particular has fallen quite a bit, from 8.5 percent of all passwords in 2011 to less than 1 percent now.

As a password to an individual’s Facebook or Tumblr account, these are probably adequate. The accounts they’re “protecting” are low-profile, unlikely targets, and hackers wouldn’t really gain much from breaking into them anyway. It’s a different story when a user sets up a work-related email or credit card account – much more likely targets of attackers – using these easy-to-crack passwords.

Instead of using brute force and repeatedly trying passwords, hackers barely have to break a sweat or exert any effort. They can simply type in “1-2-3-4-5-6” or “p-a-s-s-w-o-r-d” and they’ll be granted entry on their first try. A gold mine of information suddenly materializes right at their fingertips.

At first glance, network administrators appear to have a few different courses of action to prevent these types of weak passwords and shore up their network security. They could try employee education – teaching their workforce best practices when it comes to setting up their credentials. Or they could provide them with tools that both randomly generate secure passwords and then store them securely for easy recall.

The problem with each of these solutions is that they’re really just temporary bandages – they still don’t account completely for the human factor. An employee could still circumvent these processes, either deliberately, for convenience, or accidentally. Then the network administrator is back to square one – the network security vulnerability still exists.

A stronger solution for IT departments is two-factor authentication. By adding another step to the user verification process, beyond requiring just a password, the security of the account suddenly becomes much stronger. This is why nine in 10 global IT managers said they planned to use one-time passwords (OTP) in 2014 as part of a two-factor authentication strategy to help improve their network security.

So why isn’t every IT department rolling out this seemingly ironclad method of verification across the board? The answer is simple. As is often the case with any issue involving network security, the conflict lies in the balance between convenience, resources and security. Simply put, it’s not practical or expedient for every server or file folder to be accessible only through two-factor authentication.

At the same time, selectively protecting only certain files through two-factor authentication could leave an entire network vulnerable. As PC World’s Tony Bradley points out, “It’s like locking every door and window in your house except for one, and hoping a burglar isn’t thorough enough to find the one unlocked entrance.”

Bradley is right. And to elaborate on his point, one of the most glaring “unlocked entrances” a network can have is in its remote access infrastructure. Fortunately, some VPNs come equipped with secure enterprise management capabilities that include support for two-factor authentication and a randomly generated, one-time password sent to a user via SMS.

When faced with this additional hurdle, any hacker hoping to exploit a remote access vulnerability would be even less likely to successfully break into an account, even if a user made the mistake of setting a password to a laughably common one like “123456” or “password.”
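To make the second factor concrete, here is an added example (not code from this post or from any VPN product) of the server side of an SMS-style one-time password check: the code is random, stored only as an HMAC digest, expires after a few minutes, tolerates a limited number of wrong guesses, and is consumed on first successful use. The class name OtpStore, the 300-second lifetime and the three-attempt limit are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # length of the numeric code sent by SMS
OTP_TTL_SECONDS = 300   # code lifetime in seconds (assumed value for the demo)
MAX_ATTEMPTS = 3        # wrong guesses allowed before the code is discarded


class OtpStore:
    """Server-side record of pending one-time codes, keyed by user name (constructed for the demo).
    Only an HMAC of each code under a server key is stored, so a leaked table yields no usable codes."""

    def __init__(self, server_key):
        self._key = server_key
        self._pending = {}  # user -> [digest, expires_at, attempts_left]

    def _digest(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user, now=None):
        """Generate a fresh random code for `user`; the caller hands it to the SMS gateway."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = [self._digest(user, code), now + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user, code, now=None):
        """Second-factor check: True once, for the right code, within its lifetime."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False                 # nothing issued, or the code was already consumed
        digest, expires_at, attempts_left = entry
        if now > expires_at:
            del self._pending[user]      # expired: discard, the user must request a new code
            return False
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]      # one-time: a replayed code is rejected
            return True
        entry[2] = attempts_left - 1     # wrong guess: burn an attempt
        if entry[2] <= 0:
            del self._pending[user]      # too many guesses: discard the code
        return False


def login(password_ok, store, user, code, now=None):
    """Both factors must pass; a guessable password alone opens nothing."""
    return password_ok and store.verify(user, code, now)
```

The `now` parameter exists only so that expiry can be exercised deterministically; in production the wall clock is used and the returned code goes to the SMS gateway and nowhere else (never into a log).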

This was cross-posted from the VPN HAUS blog. 


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
