WEEK 1 - NICERC

CYBER SECURITY AWARENESS MONTH
WEEK 1: Every Day Steps Towards Online Safety
Two-Factor Authentication:
Is a six-digit code really safer than my special character password?
The simple answer is, “it can be,” but it isn’t really that simple.
First, let’s analyze the “leet”-style password (for more information on leet or leetspeak, take a look at this article from Wikipedia https://en.wikipedia.org/wiki/Leet). While this may seem like a fantastic way to obscure a standard password, hackers have been building cracking applications that recognize most of the common character substitutions for many years. Even combining a word or two with character substitutions (leetpassword can become 1337p@55W0rd, for example) is not enough to make the password secure, because as computing systems become more and more powerful, the number of combinations they can test per second keeps increasing dramatically.
So what is two-factor authentication (TFA or 2FA)? 2FA is a way of securing a system with more than one authentication factor: typically something you know (a password or PIN) combined with something you have (a card or a phone). For example, when you take money out of an ATM, you’re required to have both your debit card and the PIN. Without both of these factors, the easiest way to get money out of the ATM might require some heavy-duty power tools.
Many email and bank accounts use 2FA by requiring you to first enter your password in the internet browser, after which you receive an SMS on your phone with a code. You then use that code as the final step to get into your account. This creates a new level of security because a hacker must both figure out your password and have access to your text messages, which is unlikely.
However, SMS is not as secure as you might think. What if someone was able to get access to your mobile phone account? Of course someone could physically steal your phone, but that is not always a requirement. Check this video out, specifically the section from 2:00 to 4:00. (Warning: mild language)
https://youtu.be/bjYhmX_OUQQ?t=2m
In that portion of the video, we see a social engineer gain complete access to someone’s mobile phone account with nothing more than a phone call. A skilled attacker could easily gain access to SMS messages from there. Aside from social engineering, SMS messages also have other known weaknesses that skilled attackers could use to read a text message that was not intended for them.
Although these vulnerabilities exist, this does not mean that 2FA is unsafe. Many companies have switched to a form of 2FA that requires an app to be installed on your phone. The app and the company’s servers generate the same codes simultaneously, and the code changes every 30 seconds. Even if a code was found out, someone would have only 30 seconds to do any damage. One example of an app-based 2FA is Google’s “Authenticator”.
The following image shows a screenshot of a website accepting Google’s “Authenticator” 2FA data.
The following image shows Google’s 2FA app called “Authenticator” with sensitive information marked out.
In order to gain access to an Authenticator-enabled 2FA site, the user refers to the app screen to retrieve the current Authenticator code and to check whether there is enough time remaining to enter it before it changes. The clock to the right of the code indicates how much time remains until the code changes. As you can see from the app image, other websites can use the same Authenticator app to protect user accounts. Other than Google and Dropbox, sites that use the Google Authenticator app include (as of a 2013 article): LastPass, Facebook, Evernote, Amazon, WordPress, and DreamHost, to name a few (http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now).
So to answer the initial question: yes, 2FA can be safer, but it depends on how you receive the 2FA code. An app-based 2FA generator provides a more secure code than an SMS-delivered 2FA code.
Suggested Classroom Activities

1. Calculate the number of possible combinations of “leet”-style password letter combinations for a four-letter word, a six-letter word, an eight-letter word, and a 12-letter word.
   a. 26 letters per case (upper and lower case)
   b. 10 digits 0-9
   c. Assume 20 “special characters” like @, #, $, %, etc.
   d. 82 characters per letter
   e. 82^n combinations where n is the number of letters in your password

2. Assume a hacker’s computer can test 100,000 combinations per second. How much time would it take to test ALL of the possible combinations in a four-letter password? A six-letter password? An eight-letter password? A 12-letter password?
   a. 82^4 is 45 million possible combinations. That would take approximately eight minutes to break at 100,000 combinations per second.
   b. 82^6 is 304 billion possible combinations. That would take just over five weeks to break at 100,000 combinations per second.
   c. 82^8 is 2 quadrillion possible combinations (2 with 15 zeros). That would take 650 years to break at 100,000 combinations per second.
   d. 82^12 is 92 sextillion possible combinations (92 with 21 zeros). That would take 29 billion years to break at 100,000 combinations per second.

3. If Google’s two-factor authentication app “Authenticator” changes its 6-digit number every 30 seconds, how many possible codes could be generated in any given 30-second window?
   a. 10 digits 0-9
   b. 10^n combinations where n is the number of digits in the code

4. Based on the calculations above, how is it possible that 2FA is more reliable than a 12-character “leet”-style password?
   a. First, how many people use full “leet”-style passwords all the way out to 12 characters? Not many.
   b. Second, 2FA uses six-digit numbers, but it is a second level of protection that is enabled behind user-generated passwords. Even if the six-digit number is cracked, it’s useless until the password is first cracked, and both have to be cracked within 30 seconds or the Authenticator app will generate another set of digits.