Security Watch

Keeping Track of patches and hacks in the IT security world.

Password Lies, Truth and Google Authenticator

What you know or don't know about password security can hurt you.


Every day, we all use passwords to access our email, our servers, our systems—our digital lives. They are often the only thing that stands between our (limited) privacy and anyone/anywhere getting access to our digital selves. This week, I've seen two very different and interesting developments in the world of passwords.

SecurityCoverage Inc. is now out with a neat twist on password education with a Password Pop Quiz infographic . The questions are basic enough, and include such classics as: "You should use a longer password or passphrase because ... " (multiple choice), and "Social media networks like Facebook and Twitter protect my password information" (True or False). Oh, and my personal all-time favorite: "The most common password of the last two years is" (QWERTY, Dragon, 123456 or Password).

It's a little baseline set of questions that are fun to go through (though personally I prefer things a bit more interactive than a static infographic most of the time).

One thing that the pop quiz is missing though is mention of two-factor security. That is a second "factor" or password that is randomly generated in order to grant user access. In my world, any authentication system without two factors is simply not safe. Passwords can be sniffed over the wire (or decrypted) or stolen from databases. When you add a second factor, user access becomes significantly more secure.

This brings me to the Google Authenticator issue.

My Twitter feed lit up this morning (Wednesday, Sept. 4) warning me not to update Google Authenticator. Google Authenticator is a client app that can run on iOS and Android, providing that second-factor password. The problem is that once you tie your Google Account (or other service that uses Google Authenticator) to the system, you need that second password or you don't get into your account.

So today, Google fumbled an Authenticator update, such that after users updated the app, it didn't remember their accounts. That means for those users, they're (possibly) locked out of their accounts.

Google is working on a fix (so don't update Authenticator), but more importantly, there is also a good best practice that you should always consider for any two-factor approach. That is, always have a backup. That backup could be a phone/Short Message Service number that is also an authentication mechanism (in addition to the app). The backup (as it is in my case) can also be a simple piece of paper. You see, when you first set up a Google Authenticator account, you also get the option to print out a set of one-time access codes.

So when all else fails, a simple piece of paper can be the best place to keep a password (two-factor or otherwise).

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.