
Has the Time Come for Mandatory Two-Factor Authentication?

Posted on the 20 April 2014 by Worldwide @thedomains


I was already thinking about the topic of mandatory two-factor authentication before Heartbleed. It was actually the story about Naoki Hiroshima and his post on Medium detailing the account hack at Go Daddy and PayPal, in order to gain access to the Twitter handle @N.

Minda Zetlin of Inc Magazine recently published an article, “Heartbleed Proves the Password Is Dead. This Is What You Need Now”.

In the article, Zetlin argues that no matter how good you think your password is, advances in technology mean it can still be hacked.

From the article:

The Heartbleed bug has made plain what everyone in cybersecurity already knew, whether they admit it or not: Passwords are dying. All of them. Got one of those fancy pieces of software that invents a unique and un-rememberable password for every one of your accounts? It’s not enough. Do you make a new password for every service, based on a phrase so that you can remember it but the dictionary can’t find it? That’s certainly worth doing, but it may not help you.

The Heartbleed fiasco is just the latest in a series of events that demonstrate the password’s obsolescence. In the past year or so, Evernote, LivingSocial, and Drupal are just three of the high-profile online services where passwords were stolen despite having been encrypted.

Even if that weren’t true, it might not matter, as computers get fast enough, and algorithms sophisticated enough to guess the passwords of many or most users by brute force–even those smart enough not to use their kids’ names, birth dates, alma maters, or anything else a clever bit of software could sniff out. Anything from your bank to your social media account that you access simply by typing a password into a computer or mobile device is not as secure as it should be or could be–no matter how sophisticated that password may be.

Read the full article here

Then there was news on the Huffington Post that the U.S. government was advising members of the HealthCare.Gov website to change their password.

From the article:

WASHINGTON (AP) — People who have accounts on the enrollment website for President Barack Obama’s signature health care law are being told to change their passwords following an administration-wide review of the government’s vulnerability to the confounding Heartbleed Internet security flaw.

Senior administration officials said there is no indication that the HealthCare.gov site has been compromised and the action is being taken out of an abundance of caution. The government’s Heartbleed review is ongoing, the officials said, and users of other websites may also be told to change their passwords in the coming days, including those with accounts on the popular WhiteHouse.gov petitions page.

The Heartbleed programming flaw has caused major security concerns across the Internet and affected a widely used encryption technology that was designed to protect online accounts. Major Internet services have been working to insulate themselves against the problem and are also recommending that users change their website passwords.

Officials said the administration was prioritizing its analysis of websites with heavy traffic and the most sensitive user information. A message that will be posted on the health care website starting Saturday reads: “While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution.”

Read the full article here

So has the time come for two-factor authentication to be mandatory? Domains are a valuable asset for many, many domain investors, and it certainly is nerve-racking to have to go out and recover a stolen domain. It is also nerve-racking for the registrar and usually brings some bad PR in the short term.

So maybe by making this a mandatory requirement, laid out in the terms of service, registrars can help registrants be more secure and provide a benefit to both in the long run.

