Internet users are doomed.

I don’t mean you or me, because the fact that we’re reading this article on the Tripwire State of Security blog means we at least have a passing interest in protecting ourselves online.

No, I mean those folks who, like us, use the internet but don’t take the steps necessary to put in place the most rudimentary defences to prevent themselves from being hacked. Sadly, I suspect I’m talking about the vast majority of internet users.

Most people don’t use password managers to generate hard-to-crack unique passwords, preferring to rely on their puny brains instead and inevitably reusing login credentials between multiple services. Most people don’t run a VPN, leaving themselves exposed to having their data grabbed when they use a public Wi-Fi hotspot. And, as a presentation by Google software engineer Grzegorz Milka this week revealed, hardly anyone is using two-factor authentication (2FA).

A well-implemented two-factor authentication system means that your username (often just your email address) and password are no longer the only things standing between a hacker and your online account.

Even if a hacker has managed to determine your password (perhaps because you chose a poor one, or perhaps because you made the mistake of using the same password on multiple websites) then the two-factor authentication check will request that they enter a one-time six-digit passcode generated by a tag on your keyring or an authentication app on your smartphone.

No one-time passcode? No entry.

Clearly it’s a higher level of security, and one which is enough to encourage a typical hacker to look for someone else’s account to break into rather than yours.
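To make the “no one-time passcode, no entry” rule concrete, here is an added worked example (not code from the article, Tripwire or Google) of how a service checks the six-digit code an authenticator app produces. The app and the server share a secret and both compute the same HMAC-based code from the current 30-second time slot (the RFC 4226 HOTP / RFC 6238 TOTP scheme that most authenticator apps implement). The user record, the password and the shared secret below are constructed for the example; the secret is the published RFC 4226 test-vector key, chosen so the expected codes are known.

```python
import hashlib
import hmac
import struct

# --- One-time passcode generation (RFC 4226 HOTP, RFC 6238 TOTP) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code an authenticator app shows at a given moment: HOTP over the time slot."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current slot or one slot either side (clock skew).

    hmac.compare_digest avoids leaking, via timing, how many digits matched.
    """
    if len(candidate) != 6 or not candidate.isdigit():
        return False
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, 6), candidate)
        for delta in range(-window, window + 1)
    )


# --- Login check: password AND one-time code are both required ---

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen database cannot simply be looked up.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store. The TOTP secret is the RFC 4226 test key,
# which in a real deployment would be a fresh random secret per user.
SALT = b"constructed-16-byte-salt"
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def login(users: dict, username: str, password: str, otp_code, now: int) -> bool:
    """True only when the password and the current one-time code both check out.

    Both factors are evaluated regardless of the first result so that a
    failure message (and its timing) does not reveal which factor was wrong.
    """
    user = users.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = otp_code is not None and verify_totp(user["totp_secret"], otp_code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = 59  # seconds since the epoch, fixed so the example is reproducible
    print("app shows:", totp(USERS["alice"]["totp_secret"], now))
    print("password only:", login(USERS, "alice", "correct horse battery staple", None, now))
    print("password + code:", login(USERS, "alice", "correct horse battery staple",
                                    totp(USERS["alice"]["totp_secret"], now), now))
```

The point the article makes falls out of the last two lines: a correct (or stolen) password alone returns False, and only the password plus the code computed from the shared secret returns True. Real deployments add what this sketch omits, such as refusing to accept the same code twice and rate-limiting guesses, since a six-digit code gives an attacker only a million possibilities per time slot.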

And yet, Iain Thomson of The Register reports that Grzegorz Milka’s talk at Usenix’s Enigma 2018