
Password as the first line of defence. How to create a strong and unique password

Essay 2019 9 Pages

Computer Science - IT-Security

Excerpt

Table of Contents

Introduction

Single Password Authentication Risks

The Five Factors of Authentication

Password Creation Bad Habits

Password Creation Guidelines

Conclusion

Future work

References

Abstract

Passwords are the first line of defence in any computer system. Weak passwords, or bad habits when creating passwords, put sensitive information in danger. In this article, we discuss the bad habits of password creation, some of the attacks used to discover passwords, identification versus authentication, and the factors of authentication. Finally, we cover the guidelines for creating a strong, unique password and how passwords are addressed in industry standards.

Keywords:

Password, Hacking, Brute Force, Single password authentication, two-factor authentication, MFA, 2FA

Introduction

Passwords are the first line of defence in today's online activity. Everybody has many online accounts (e.g. Gmail, iCloud, etc.). Most online users reuse their passwords, so they have fewer passwords to remember. It is said that each internet user deals with 25 services within three months, yet uses only seven passwords to access them (Florencio & Herley, 2007 cited in Acar, et al., 2013). When a user creates an account on an online service, his credentials are stored in its database, which in turn becomes a target for password-harvesting hackers. So, if the user uses the same password for another online account, it is only a matter of time before that account is compromised as well. Therefore, a single breach threatens every account that shares the same password.

Single Password Authentication Risks

There are many factors affecting password security apart from creating a complex password. Stanislav (2015) mentioned that passwords can be compromised in many ways. For example, a user can be redirected to a fake web service that steals his login information. Additionally, a key logger is a simple form of malware that can steal sensitive information such as passwords. Not only this, but brute force attacks can be launched to try different sets of passwords in order to identify a user's password. A password database holds protected passwords (e.g. password hashes) that can be cracked to obtain the password information. Moreover, a hacker can use social engineering to convince users to share their passwords. Finally, a lack of user awareness will make the user carelessly write the password on a sticky note on his desk, where anyone can use it (See Table 1, Page 2).

The Five Factors of Authentication

To access a resource, whether it is online or offline (e.g. Facebook, a computer account, etc.), the user must identify himself and prove his identity. For example, when a user uses his username to log in to a server, his username is his identity. This identity is then proved by the authentication process.

Table 1 - Passwords Risk Matrix

Figure not included in this excerpt

Authentication is proved by something you know (e.g. passwords, PIN, passphrase, etc.), something you have (e.g. smart card, swipe card, access card, etc.), or something you are (e.g. biometrics) (Harris, 2013). Furthermore, authentication can be bound to somewhere you are (e.g. MAC address, IP address). For example, a web service can be configured not to accept any login request if the source IP address is from outside the country. Finally, there is authentication by something you do, such as gestures. Multifactor authentication is a mixture of more than one of these authentication schemes (Abhishek, et al., 2013).

Password Creation Bad Habits

Some people fall into bad habits when creating or using their passwords. These habits may lead to password leakage or, in the end, to compromise of the protected assets. For example, a user creates a very strong, complex password and cannot remember it. He then decides to write it on a sticky note (See Figure 3, Page 7) and put it on the monitor of his computer. As a result, everyone in the room may realise that the word written on the sticky note is most probably his password, and the password is no longer secret. He might also reuse that password elsewhere, and in return all accounts that use the same password are compromised (Florencio & Herley, 2007 cited in Acar, et al., 2013).

Figure not included in this excerpt

So, it does not matter how complex your password is if it is compromised by a bad habit. In addition, using common names, special dates, and sequences of numbers or letters is a very bad habit when creating your passwords because it makes them predictable. Furthermore, never use a dictionary word as a password; it can be discovered easily (See Figure 1, Page 3). Figure 1 illustrates a packet capture of a dictionary attack against an FTP server. In this scenario, the username of the account (its identification) is kept generic (e.g. Admin), and the attacker is trying passwords from a dictionary. Therefore, the account will be compromised if the user keeps the account name generic or its password is a word from a dictionary (e.g. merlin, mercury). Last but not least, a brute force attack is normally a series of trials of candidate passwords with the aim of gaining access to an account (Rouse, 2019). A user might choose a short password (e.g. less than 8 characters). This bad habit makes it easier for the attacker to crack the password by brute force with fewer trials.

Password Creation Guidelines

It is said that a password is like underwear (See Figure 2, Page 6). Firstly, you must change it regularly. For example, in a corporate environment a group policy can be configured in Active Directory to force users to change their passwords every 90 days. Apart from this, you should never share it with anyone. Security awareness campaigns should be conducted to educate corporate users in good habits for password creation and maintenance. Moreover, users should not write passwords on paper or sticky notes (See Figure 3, Page 7) and leave them on the desk.

Figure not included in this excerpt

Figure 2 - Password is like underwear (REaD Group, 2017).

Passwords should be at least eight characters long, and the 95-character set should be used, including letters (lowercase and uppercase), numbers, and special characters. First, a user can use a password generator to make a unique password (FIPS, 1985). There are many ways to create a unique, strong password. For example, online services (e.g. the Norton password generator) are a good tool when creating a password. Norton (2019) illustrates that the strength of a password can be enhanced by increasing the combinations that make up the password (e.g. password length, special characters, letters, numbers, etc.).

Keith, et al. (2007) argue that increasing the length of a password increases its strength. However, usability decreases, as users tend not to remember it and write it down.
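As an added example (not code from the essay), the following Python flags the bad habits listed above (short password, dictionary word, narrow character set, sequential characters, embedded dates) and computes the worst-case brute-force search size in bits, showing how length and the full 95-character set raise the cost of a brute force attack; the word list is a constructed stand-in for a real dictionary.

```python
import math
import re
import string

# Constructed stand-in for an attacker's word list (the essay's examples plus a few common ones).
SAMPLE_DICTIONARY = {"merlin", "mercury", "admin", "password", "welcome", "letmein"}
SPECIALS = string.punctuation + " "  # 33 chars; with 26+26+10 letters and digits = 95

def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must search, counting only the
    character classes the password actually uses (all four classes = 95)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    return size

def brute_force_bits(password: str) -> float:
    """log2 of the worst-case number of brute-force trials (charset ** length);
    every extra character adds log2(charset) bits, which is why length matters."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0

def _is_run(s: str) -> bool:
    """True for strictly ascending or descending runs such as 1234, abcd or 4321."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}

def bad_habits(password: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Flag the habits the essay warns about: short password, dictionary word,
    narrow character set, sequential characters, and an embedded year (a 'special date')."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if password.lower() in dictionary:
        findings.append("dictionary word")
    if charset_size(password) < 95:
        findings.append("not using all character classes")
    if any(_is_run(password[i:i + 4]) for i in range(len(password) - 3)):
        findings.append("sequential characters")
    if re.search(r"(19|20)\d\d", password):
        findings.append("contains a year")
    return findings
```

For a 12-character password drawn from all four classes the search space is about 12 × log2(95) ≈ 79 bits, against roughly 28 bits for a six-letter lowercase word such as "merlin", which a dictionary attack would find long before any brute force finished.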

[...]

Details

Pages: 9
Year: 2019
ISBN (eBook): 9783346075215
Language: English
Catalog Number: v506782
Institution / College: Anglia Ruskin University
Tags: Password Security, Factors of Authentication
