Explaining Cybersecurity to my Dad: Multi-Factor Authentication (MFA)

WarCollar CEO and DopeScope Inventor, Gene Bransfield, attempts to explain cybersecurity in a relatable way.


Dad: Hey, you got a minute?

Me: Sure! What’s up?

Dad: I’m trying to log in to this website, and it keeps asking me to check an authenticator.

Me: Ok.

Dad: I don’t know what the hell they’re talking about.

Me: Well, this is an MFA challenge. Which Authenticator do they have you using?

Dad: A what?

Me: MFA.

Dad: MFA? That sounds like an abbreviation for something Samuel L. Jackson would say. You know, your mother’s not here. You don’t have to abbreviate things. You’re an adult now – we can talk like men.

Me: Dad – it means Multi-factor Authentication.

Dad: What the hell is that?

Me: When you’re trying to verify appropriate access to things, there are typically three ways of doing that: Someone you are, something you know, and something you have. Who you are is your username, what you know is your password, and MFA would verify you have something. It’s another step to logging in. It adds an additional layer of security to make sure it’s really you that’s accessing your accounts.

Dad: How are they making things safer? When they ask for an authenticator, I don’t know what they’re talking about! I don’t know what they mean, so I can’t get into my website! They’ve made it so secure that I can’t even get in there. Hope they’re happy!

Me: Typically, the authenticator will live on your phone. That would be the “something you have” part. Let’s get your phone and search for Authenticator. 

Dad: Shouldn’t they just text me?

Me: That’s another way to do it. It depends on how you set it up. So, I see a Microsoft Authenticator and a Google Authenticator on here.

Dad: Well, which one is it?

Me: Which one did you use to set up this website?

Dad: I don’t know!  It was weeks or months ago when they set it up, and I wasn’t really sure what was going on in the first place, and I was only half paying attention.

Me: Well, let’s open them up and see the numbers. This authenticator says there’s nothing going on. So, let’s try the other one. 

Dad: How many do I have?

Me: Two. This one has some numbers. Try these numbers.

Dad: Ha! That worked. I’m in. 

Me: You happy now?

Dad: Hell no! Why the hell can’t I just use a password like I used to?

Me: Because your password is awful.

Dad: What are you talking about!?!?! I have a great password!

Me: You HAD a great password – when you first created it in 1996.

Dad: Once great, always great!

Me: Not so much. It’s the name of a character in literature. 

Dad: Yeah! And when they demanded numbers and letters, I added those as well.

Me: Yeah – in the early 2000s.

Dad: You make it sound like it was a long time ago or something.

Me: Yeah – like 20 years ago.

Dad: It wasn’t that long.

Me: It’s 2024. Your password is now probably old enough to vote.  

Dad: Oh hell. You know I thought I was old when my kids graduated high school.

Me: That was 30 years ago.

Dad: You need to shut the hell up.

Me: Well, computer and processor technology doubles about every 18 months. So, if you do some basic math, you should realize that computers today are wildly more powerful than they were in the 2000s when you added a number to your famous fictional character.

Dad: I added a special character, too.

Me: Ok, but by today’s standards your password is very easy to guess. You replaced one letter with a special character and followed it by a number.

Dad: Not true! I replaced a letter with a number and followed it up with a special character.

Me: Whatever. It’s easily “crackable.” How many websites do you use that password on?

Dad: Only the important ones – and the ones that don’t make me try to find out what the hell an “authenticator” is.

Me: So, those websites that are important to you… How many of those are there?

Dad: A few. Maybe more than a few. I tend to stick with passwords that I can remember. I’m sure it’s fine.

Me: It’s not fine. Your password is ‘Grend3l!’

Dad: Yeah! How’d you know?

Me: I’m your tech support.

Dad: Oh yeah. I like it, though. It’s a really great password. It’s a character from “Beowulf.” That’s an ancient poem by…

Me: NOT THE POINT! The point is the most junior of hackers can crack your password in about five minutes.


How Long to Crack a Password in 2023. Source: Hive Systems

Dad: What!?!? 

Me: Yup.

Dad: How would they do that?

Me: They get the hash of your password, and they submit it to any number of websites, or they just use their local powerful machine and a password cracking tool. 

Dad: What’s a hash of a password?

Me: A hash is a form of encryption. With typical encryption you have a key or a password that encrypts a message and creates cyphertext. The same key or password can then be used to decrypt that cyphertext back into a message – so you use that for confidentiality. You have to know the password to read the message. 

Hashing was designed to address integrity – to make sure two things are the same. A hashing algorithm takes a small word or a huge binary file and creates cyphertext of a standard size called a hash. If you looked at it, it would basically look like a long group of random text characters. You can compare hashes of two different files and know if those two files are identical or not. This makes hashes perfect for password verification.

Machines typically store that hash in a known file. When you enter your password to login, your computer runs the hash algorithm against the text that you enter and comes up with a hash. It then compares that hash to the hash it has stored on your computer. If the hashes match, then your password is correct, and it lets you in. 

Dad: So how do they decrypt my password?

Me: They don’t. A hash is a one-way function. You can’t take a 64-character hex value and from that recreate a file – or a password. An attacker has to guess over and over again, running the hash algorithm against password ‘guesses’ until they come up with the right hash. It’s called “Cracking.” In some cases, they have entire databases with known easy hashes that have already been cracked. The databases of cracked passwords are huge.

Dad: How long does it take to do that?

Me: Depends on how long and complex the password is. Anything less than 12 characters is trivial.

Dad: It seems like it would take months.

Me: With how powerful computers are lately, plus the advent of cloud computing, they can do millions of hashes a second.

Dad: So, people just run hashing algorithms all day?

Me: Some people do.

Dad: Don’t these people have lives?

Me: They do. They spend their time researching cybersecurity projects and learning to hack things.

Dad: They need to get a job!!

Me: They have jobs – they’re generally pretty well paid.

Dad: Who the hell pays them?

Me: Guys like me – but that’s not the point. The point is your password is so simple to crack that you don’t need a high-dollar hacker to break it. Not to mention the fact that you use the same password on multiple sites – “But only the important ones” – so if someone cracks your password then they can get into all those websites.

Dad: Well people shouldn’t be doing things like that for a living!

Me: Look – you have a nice house here. Why don’t you have skeleton key locks on all the doors?

Dad: That’s the stuff MY mother used to use.

Me: Exactly! So why don’t you use them today?

Dad: Because anyone could go buy a skeleton key at the drug store and use it to open your door.

Me: Right! So, since the lock was too easy to defeat, you now use a better lock, right?

Dad: I suppose.

Me: Kind of time to upgrade your password game then. 

Dad: So, I need a new password?

Me: More like a password for every site – AND you should turn on MFA on every website that has the option to do so.

Dad: You’re out of your MIND!! There’s NO WAY I can create AND REMEMBER new passwords for all the sites that I use. I might as well shut down the damn computer and go back to using the mail and the telephone for everything. They don’t need passwords for that!

Me: So, if we could come back to reality here, that’d be great.

Dad: The reality is that this is nonsense. How am I supposed to deal with all these password problems?

Me: So, there are things like password managers that you can use.

Dad: What the hell are those?

Me: Applications you can install on your computer and your smart phone. They help you create complex passwords, and they keep track of all your passwords for you. 

Dad: How do they do that?

Me: They keep an encrypted database of all your passwords and then they use them when they need to.

Dad: Wait, so I give my passwords to someone else?

Me: A trusted vendor, yes.

Dad: But how do they keep my passwords safe?

Me: Encryption.

Dad: How do I get access to them?

Me: A password.

Dad: Are you kidding me?

Me: Yes, you have ONE MASTER PASSWORD to rule them all.

Dad: Is that a Harry Potter reference?

Me: Lord of the Rings, but close.

Dad: So, I’ll just use my favorite password to control this thing.

Me: Really!? Did you miss the part about cracking your password in five minutes?

Dad: Well, what do you suggest!?

Me: How about changing it up to “Jabberwock1!”?

Dad: That’s not half bad! I love Lewis Carroll! “Beware the Jabberwock my son! The jaws the bite, the claws the catch!” 

Me: Glad you like it. It’s better to use a passphrase like “Wow I Hate Updating My Password Because I’m Old and Cranky.”

Dad: Too much typing!  So how long will it take to crack that “Jabberwock” password?

Me: Technically, with today’s technology, thousands of years. If you introduce more random capital letters, numbers, and special characters it makes it more complex and should take longer. The longer and more complex your password is the harder it is to crack.

Dad: Great! I can remember that password. So, I’ll just go log in to all my important websites and change my old password with my new password, and I’ll be good!

Me: …um, no.

Dad: WHAT!?!  What’s wrong with that idea!? Do you know how long it’s going to take me to change all those passwords?

Me: The password reuse issue makes it such that any attacker only needs to discover your password once and then they can go to all your websites and break in.

Dad: How hard is that to do?

Me: It can be relatively easy. Especially for the Russians, who I know you hate.

Dad: Those communists! They’re behind all of this! This is ridiculous! It’s impossible to stop this! It’s too much!

Me: Well, there are lots of people like you who unfortunately reuse their passwords on multiple websites. MFA ensures that anyone who is trying to login has to correctly answer the MFA challenge to actually get access to your stuff.

Dad: That’s good – but it’s a pain. Why don’t they all just use text messages?

Me: Certain researchers have displayed vulnerabilities with that method. That being said, it’s still better than your Grendel password alone.

Dad: “Certain researchers?” So do THOSE guys have jobs, too? Who spends their time breaking into things like this?

Me: Really smart researchers who are trying to show flaws in systems that most people think are invulnerable.

Dad: Losers. Somewhere there’s a McDonalds missing a fry cook because this stupid teenager is breaking into my passwords.

Me: If you make the passwords that easy to guess and then don’t change them in two decades, then you’re part of the problem. Using a password manager would probably be the best idea for you. Then you can use your Jabberwock password to manage your password manager, and let the password manager create your super long complicated passwords for your favorite websites.

Dad: But what about my phone? How do I login to those things on my phone?

Me: Password managers work with phones as well.

Dad: Which one should I use?

Me: There are several options out there. Bitwarden is popular and it’s free, but you’ll have to pick one that’s best for you.

Dad: So, it fills in my passwords when I get to the websites?

Me: Yes.

Dad: Doesn’t my web browser do that as well?

Me: The web browser is very vulnerable to quite a few online attacks, and most of those attacks search for username/password combinations stored in the browser. I wouldn’t use the browser.

Dad: This is too damn hard.

Me: Weren’t you in the Army? Didn’t you serve in Vietnam? Weren’t there people shooting at you over there? And this is hard?

Dad: Yeah! Over there the bad guys had the common decency to try to kill you in real life. I knew when they were shooting at me and more importantly, I knew who I could shoot. Right now, I want to shoot my computer, but then I’d have to go get a new computer. 

Me: Don’t you think that’s an overreaction?

Dad: Shooting the computer? Maybe – but it will make me feel better in the moment. The one I need to shoot is the stupid unemployed fry cook who keeps stealing my passwords because he’s too much of a loser to go talk to a girl. I’d be doing the nation and probably his parents a favor by shooting him.

Me: Dad! That’s harsh! 

Dad: You think they’re proud of him!? You think they raised their kid to do this? He’s ruining their hopes and dreams of free French fries by spending all his time in their basement playing video games, wasting time on social media and stealing passwords like a criminal. He probably doesn’t bathe either – or pay rent. They want him gone more than I want him gone.

Me: You seem to know this guy!

Dad: EVERYBODY KNOWS THIS GUY!!! When they tell you about this guy, you see him in your mind!  And then when you spot one of these mega-nerds in the wild you realize you were DEAD ON RIGHT about what he looks like!

You can spot him walking down the street and EVERYBODY knows who he is and what he does because that’s EXACTLY how he looks!  Bad clothes, bad breath, bad social skills, and not a woman within a mile of him.

Me: Come on, now!

Dad: Seriously! I’ve seen girls cross the road to avoid talking to these guys – which is funny because he’s not gonna have the guts to talk to them anyway! But at least if they cross the street they’ll avoid the body odor.

Me: ANYWAY, SO BACK ON TOPIC – MFA helps keep these future fry cooks from breaking into your accounts even if they crack your miserably weak passwords. Using MFA means you still have to solve an additional authentication challenge to gain access to your accounts. It helps a lot.

Dad: So that means I DON’T have to change my password?

Me: No, it does not. You desperately need to change your password. Besides, the Jabberwock idea was cool.

Dad: It is, but still it’s a pain. That said, I might just change it because the Jabberwock is cool.

Me: Really?

Dad: Yes! I love that poem. I have the whole poem memorized because it’s just great! Would you like to hear it?

Me: I’m good, thanks…

Dad: “Twas brillig, and the slithy toves; Did gyre and gimble in the wabe: All mimsy were the borogoves, And the mome raths outgrabe.”

Me: Wow! Speaking of nerds! Oh kettle, thou art black!

Dad: What are you talking about?! That’s great literature!

Me: It was before you started reciting it. What does that even mean? It might as well be Klingon.

Dad: Your mother loved poetry.

Me: Poetry? Really? All of Shakespeare’s sonnets at your fingertips and you went with “The Jabberwocky”? You’re a smooth one, Cyrano! I hope you at least took her to dinner. 

Dad: I’ve taken her to many dinners!

Me: Good for you! So, tell me: when you busted out “The Jabberwocky,” did she swoon on the spot, or did you have to get her drunk first?

Dad: Hey! Show some respect! That’s your mother you’re talking about!

Me: You chose the poem there, Romeo!

Dad: Yes, I did! I was an English major in college!

Me: It’s a wonder I was ever born! You know, with those credentials and your choice of romantic poetry you’ve got a great future as a fry cook.

Dad: What’s that now?


Cate Urban

I founded Urban Web Renovations after 11 years of leading global marketing strategies for nonprofit organizations in Washington, DC. In each position I held, one thing remained the same – my passion for managing web sites and social media accounts for both organizations and major thought leaders.
