Why Relying on “Password123” Won’t Cut It

In the wild west of Internet security, enabling two factor authentication is the closest thing you can do to making your accounts hacker proof. In this post, I will walk you through why two factor authentication (“2FA”, also known as two-step verification) enhances security and how you can set it up to make yourself and your Salesforce implementation more secure.

First, some critical things to know about passwords. Strong password security is an important first step in protecting your accounts. Always use strong passwords (more than 8 characters, and at least 3 character types), and change them regularly. Even President Obama made fun of lazy passwords like “password” or “1234567”. In addition, never reuse passwords on multiple accounts, or you risk compromise of more than one of your accounts. Last, never share your passwords with anyone, either online or in person — this includes your Salesforce password.

Why isn’t a password enough?

Even if you do all of these things, password security is not a failsafe. Even the best password security can’t prevent every cyberattack. Weak passwords (under 8 characters, or actual dictionary words) are easy prey for hackers: password cracking software can break them easily, sometimes in minutes. One common technique is the dictionary attack, which tries every word in a dictionary until it finds your password. Unfortunately, even strong passwords can be compromised by social engineering that tricks the user into divulging them. These attacks can be quite sophisticated, and we’re all targets.

What do hackers do with your password?

Hackers know that people reuse passwords and will take a hacked password and try it on other sites. So if you reuse passwords, every site where you reused them is at risk. A study of the 2011 PlayStation Network hack showed that 33% of users had the same password for two unrelated sites, Sony and Gawker. Odds are some of these reused passwords were also used for more sensitive accounts, such as e-mail and bank accounts. Password reuse is low hanging fruit for hackers. Don’t be that person!

If your computer gets compromised by malware, any passwords you enter are at risk. Hackers can install malicious software called keyloggers that will record every keystroke, including your seemingly secure, strong password.

Bottom line: you cannot fully control the security of your passwords. Even though strong password security behavior is important, hackers have many tools to circumvent it. You may not even be the target: hackers often attack large vendors to collect large volumes of usernames and passwords, as you may have seen in the news.

What is Two Factor Authentication?

Game over, right? Well maybe not. Two factor authentication protects your account even if your password is compromised. Let’s learn how Two Factor Authentication works.

Two factor authentication validates your account with two things:

1. Something You Know – Your Password

2. Something You Have – Your Mobile Phone

For example, “something you know” is your login credentials, and “something you have” is your mobile device, to which a 2FA solution can send a text message with an authentication code that you then enter into your browser. The second factor can also be a soft or hard token that generates an authentication code. In other words, 2FA gives you an extra layer of security that goes beyond your password: even if your password is compromised, an attacker without your second factor cannot log in.
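To make the two-factor check concrete, here is an added example (not code from the original post or from Salesforce) of how a server verifies a soft-token code: a time-based one-time password (TOTP, RFC 6238) computed from a secret shared with the user’s authenticator app, checked alongside the password so that a stolen password alone is rejected. The user record, salt and token secret are constructed demo values.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int) -> str:
    """Time-based code (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, at // TOTP_STEP)

def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current step or +/- `window` neighbouring steps (clock drift)."""
    step_now = at // TOTP_STEP
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step_now + drift), submitted):
            return True
    return False

# Constructed demo enrolment: a salted password hash plus the token secret the
# user's authenticator app shares with the server. Neither is a real credential.
DEMO_SALT = b"constructed-salt"
DEMO_TOTP_SECRET = b"constructed-demo-secret"
USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Password123", DEMO_SALT, 100_000),
        "totp_secret": DEMO_TOTP_SECRET,
    }
}

def login(username: str, password: str, code: str, at: int) -> bool:
    """Both factors must pass: something you know AND something you have."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000),
        user["pw_hash"],
    )
    # Always evaluate the second factor so timing does not reveal which one failed.
    code_ok = verify_totp(user["totp_secret"], code, at)
    return pw_ok and code_ok
```

With the demo user, `login("alice", "Password123", "000000", now)` fails even though the password is right, while the same call with `totp(DEMO_TOTP_SECRET, now)` succeeds.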

What can you do moving forward?

Cyber attacks continue to rise across the world, and the popular online services you use that store sensitive personal or credit card data are big targets. Enabling 2FA takes a few extra seconds at login, but it provides a significant extra layer of security. Here’s what you can do:

  • Implement 2FA for Salesforce. You can use the Salesforce Authenticator app, or similar solutions from many security vendors. Learn more about how to implement 2FA for Salesforce by watching this video.
  • Check out twofactorauth.org to find out whether the other services you use support 2FA.

Enabling two-factor authentication for Salesforce is one of the most effective ways to enhance security. It helps protect your org even if a user’s password is compromised. Think of entering a verification code as a deadbolt for your Salesforce app.
