Online password protection

2FA

If you want a state-of-the-art solution to password security, you can use two-factor authentication (2FA). The web application asks for a one-time key in addition to the username and password. In most cases, these one-time keys are generated by mobile phone applications such as Google Authenticator or by special hardware such as YubiKey [12]. Users can also print out a list of one-time keys and cross them out manually with a pen after use. Having said this, texting a one-time key via the server is no longer considered sufficiently secure.

Conclusion

When it comes to website passwords, guaranteeing security is a complex task for site admins. Hashes, salts, and 2FA are all tools that can help keep users' credentials safe. However, safety is a two-way street. It is still up to the user to provide unique passwords and keep those passwords private (see the box "Social Engineering").

Social Engineering

With most attacks, it doesn't matter how securely the website admins store the password if the end user can easily be persuaded by social engineering to reveal the password and – if necessary – the 2FA key. Then a simple phone and an untrained employee at the target enterprise are all it takes for the attack to succeed.

The Author

Stefan Wintermeyer is a consultant, trainer, and book author on the subjects of Ruby on Rails, Phoenix, and web performance.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News