By Bernardo Ramos, IT security expert
Today we are going to talk about passwords: that unpleasant thing we only remember when we want to access some service on the Web, that has never been stolen from us, that is very safe because nobody could ever guess it and, even if they did, would not matter because we change it frequently. Because, of course, we all follow the security recommendations we read or hear every day. Or maybe not? On the other hand, are these recommendations really justified? What is the real risk around my passwords?
Keep on reading this entry if you want to find the answers to these questions.
What is a password?
A secret known only to one user or to a group of users, used to verify the identity of that user or group
Usually used to control access to an automated service
Passwords can be classified:
According to their validity period
According to their content
The password is usually associated with an identifier, which in turn is associated with an identity (a person, a group of people or even an abstract entity).
It is one of the components of the authentication process
What is Authentication?
Process to verify an identity
There are several types:
Ultrasimple:
Uses a single element: the identifier (username or login).
Used when no proof is required beyond stating who you are
Example: identifying yourself at the start of a phone call
Simple:
Uses two elements: the identifier and the password
Strong:
Uses three elements, so it is sometimes referred to as "three-factor authentication" or, if the identifier is not counted, "two-factor authentication"
"Something that I am" - The identifier (this is the article's own labelling; in the usual industry terminology "something I am" denotes a biometric trait, and the identifier is not counted as a factor at all, which is why "two-factor authentication" is the common name)
"Something that I know" - The password
"Something that I have" - one of the following:
Token:
A device that shows a number that changes after each fixed time interval
Each device holds its own secret, so different devices generate different numbers
The authentication system knows which device is associated with the user, shares that device's secret and keeps its clock in step with it, so it can compute the number the device is showing at any moment
Each number has a limited validity, typically 30 or 60 seconds, and should be accepted only once
Coordinate card:
It contains a table of X rows and Y columns; at each intersection there is a number or key of 2 or 3 characters
Each card is different
The authentication system asks me to enter the code found at a row and column it chooses at random
One-time code by message:
The authentication system sends me a message with a one-time code
Card with magnetic stripe or RFID:
Requires the corresponding reader at the place of authentication
Digital certificate:
Each certificate binds a public key to a specific identity; the owner of that identity also holds the matching private key
The public key is available and may be known by anyone
The private key is secret and known only to the owner of the identity
The authentication is based on public-key cryptography, that is, on modular arithmetic with very large integers (RSA) or on elliptic-curve arithmetic (ECDSA, EdDSA)
There is a signing algorithm, known to the whole authentication system, that produces a string of characters (a signature) from the private key and a message, and a verification algorithm that, from the public key, the message and the signature, tells whether the signature was produced with the associated private key
The first component of the authentication system is integrated in the device of the user whose identity is to be verified and consists of the signing algorithm. It usually asks the user for a password or PIN before allowing access to his private key
The signature is sent to the authentication system, which checks its validity with the public key. The message that gets signed should be a fresh challenge chosen by the authentication system for each attempt, so that a signature captured in transit cannot be replayed later
The private key is therefore never transmitted. As long as its owner keeps it under exclusive control, ideally inside a smart card or hardware token that never exports it, an attacker who only observes the exchange learns nothing that lets him impersonate the user
It is the authentication mechanism considered the most secure, provided the protocol guarantees that the private key is always in the exclusive possession of its owner
The electronic identity card in Spain (DNI) contains a certificate that is accepted by many public and private services to verify the identity of the user
Biometric:
Based on the physical characteristics of the individual
They have the advantage that we always have them available wherever we are and we do not need to remember them
They can be combined with an identifier or used without one, because the authentication system can deduce who the user is from the biometric sample itself
They require reading devices to be available where the user is
Unlike a password, a biometric trait cannot be changed if a copy of it is stolen, so it is best used as one factor among several rather than on its own
Myths and legends
A password must be complex so that it is not easy to guess or to discover with dictionary or brute-force attacks.
A password must be changed periodically to limit the damage in case it has been discovered by someone intending to usurp our identity.
How can a password be stolen?
By watching while it is typed
By guessing
Some data about the user are needed
These attempts are often associated with "social engineering" attacks to obtain the necessary data
By asking the user
Through computer attacks
Coherence and proportionality
The effort to protect a password must be proportional to the importance of the service it protects.
The risk is not the same when you log in to your bank to perform operations as when you search an internet forum for how to change brake pads.
In our "digital" life we can have accounts in 50, 100, even 200 different services.
Some of these services are important and we need to protect them, such as online banking, the tax administration or e-commerce.
Most of them are not so important: usurping our identity there would be of limited value to the usurper and of limited harm to us.
We can use a simple and easy-to-remember mechanism for creating the passwords of unimportant services (but not the same password for all of them: a breach in any one of them would then open the rest).
Instead, we must be very rigorous and devote significant effort to the design and protection of the passwords of important services.
Latch or lock
Some passwords are used as a "latch" to open certain services, and their degree of protection should be proportional to what is behind the door.
Other passwords are used as "locks", to keep something protected, usually our information; here too, the strength of the lock should be proportional to the value of what it encloses.
Your email is the master key
In terms of computer security you should be able to abandon everything at any moment and start from scratch.
Most services have a mechanism that allows you to recover a forgotten password or, better yet, to create a new one.
To verify the identity of the user requesting the recovery or reset of his password, most services use the user's e-mail.
Upon a request to reset a password, the server sends a message to the e-mail address the user gave when creating his account. This message contains a link that lets him perform the reset himself.
The link is for one single use and usually has a limited validity in time.
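As an added example (not the article's own code), here is how a service can implement such a reset link correctly: the token is random, only its hash is stored server-side, it expires, and it is deleted the moment it is used. The 15-minute validity, the service URL and the account names are assumptions.

```python
# Added example (not from the original article): single-use, time-limited password reset
# tokens. Validity window, URL and accounts are assumed values for illustration.
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60          # assumed; the article only says "limited validity"


class ResetTokenStore:
    """Server side. Keeps SHA-256(token) -> (account, expiry). The clear token exists only in
    the e-mail link, so a leaked copy of this table cannot be used to reset anything."""
    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: str, ttl: int = RESET_TTL_SECONDS) -> str:
        token = secrets.token_urlsafe(32)             # 256 bits from the CSPRNG
        self._entries[self._hash(token)] = (account, self._now() + ttl)
        return token

    def consume(self, token: str):
        """Returns the account the token belongs to, or None. The entry is removed on first
        use whether or not it is still valid, so the link can only ever work once."""
        entry = self._entries.pop(self._hash(token), None)
        if entry is None:
            return None
        account, expires_at = entry
        if self._now() > expires_at:
            return None
        return account


def reset_link(token: str) -> str:
    # Constructed URL; the real link points at the service's own reset page
    return "https://service.example/reset?token=" + token


def demo():
    """issue -> use -> replay -> expiry, driven by a fake clock; returns the three outcomes."""
    clock = [1_700_000_000]
    store = ResetTokenStore(now=lambda: clock[0])
    token = store.issue("alice@example.com")
    link = reset_link(token)                          # this is what goes into the e-mail
    first = store.consume(token)                      # 'alice@example.com'
    replay = store.consume(token)                     # None: already used
    token2 = store.issue("alice@example.com")
    clock[0] += RESET_TTL_SECONDS + 1
    expired = store.consume(token2)                   # None: too late
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

Hashing the token before the lookup means the table holds nothing an attacker can paste into a browser, and it also removes the need for a constant-time comparison on the dictionary key. Two further practices belong with this code: answer a reset request identically whether or not the address exists (so the form cannot be used to enumerate accounts), and invalidate every outstanding token for an account as soon as its password changes.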
What do we conclude from this?
If someone can steal our e-mail password, he has the master key to all our accounts.
He only has to go to each service and request a password reset; the reset link arrives in the mailbox he now controls, so he can set a new password himself and log in with our identity.
Conclusion
The most important password we have is the one of our e-mail.
A good practice is to use a specific e-mail address only for resetting our passwords, to protect it with a password more complex than usual that we change periodically and, where the provider offers it, with a second factor of the kind described above.
And let us not forget what was indicated at the beginning of this section:
In terms of computer security you should be able to abandon everything and start from scratch.
And in case of doubt, change one or more of your passwords.
The perfect password
It has to be easy to remember and impossible to guess. Using a sentence of several words separated by spaces is probably one of the best options.
Password Safe: KeePass
Biometric authentication, perhaps combined with public key infrastructure certificates and the generalisation of identity federation systems, will probably eliminate or at least greatly simplify the use of passwords. While we wait for that day, here is a good tip for managing the tens, or even hundreds, of passwords we have to handle today.
A good alternative, used by many computer security professionals and accessible to all of us, is a tool for the secure storage of passwords.
That way we can keep all our passwords protected and avoid post-its, lists written on paper or in a notebook, or even Excel files and the like, all of them completely unsafe options.
There are different options on the market. From my experience and that of my colleagues in cybersecurity, I recommend the open-source tool KeePass, whose security has been certified by public agencies such as ANSSI, the French government's national agency for information systems security, among others.
KeePass: an advanced system for password management
It is a password safe
It preserves and protects all the passwords and identifiers of your applications and websites in a single encrypted database
Compatibility
Available for Windows and, through Mono or compatible ports, for the other PC and smartphone operating systems
Easy to synchronise across all your devices (PC, smartphones, tablets, etc.) using Dropbox or a similar file-synchronisation service; what travels is the encrypted database file, so its protection rests entirely on the master password
Benefits
All your passwords are stored encrypted
Never again a forgotten password (except the master password, see below)
Stolen passwords become far less likely
You do not even have to type your passwords: KeePass does it for you
The addresses of your websites can be saved and opened in your browser directly from KeePass
KeePass password (your master password)
It must be strong and easy to remember (recommendation: an estimated complexity of 90 bits or more and a length of at least 12 characters)
A sentence, with spaces between the words, makes a very good password: it meets all the security requirements and is easy to remember.
Example: Wash the car today.
It has upper case, lower case, spaces and a full stop at the end, more than 12 characters and an estimated complexity of 95 bits ... (the exact figure depends on the estimator: a meter that counts characters gives this kind of number, one that recognises dictionary words gives much less, so prefer longer sentences and words that do not form a common phrase)
There is no way to recover the KeePass master password if you lose it
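An added example, not code from the original article, on how such complexity figures are obtained and why they should be read with care. The character-level estimate below is what most strength meters compute for "Wash the car today."; the word-level estimate is what an attacker who guesses whole words actually faces. The vocabulary sizes used (7776 for a Diceware list, 20,000 for common English words) and the small sample word list are assumptions for illustration.

```python
# Added example (not from the original article): two ways of estimating the strength of a
# sentence-style password, plus a passphrase generator that draws words with a CSPRNG.
import math
import secrets
import string

# Constructed 16-word list standing in for a real word list (Diceware has 7776 words).
SAMPLE_WORDS = ["wash", "car", "today", "river", "candle", "orbit", "mango", "ladder",
                "pixel", "quartz", "velvet", "anchor", "basket", "cobalt", "dune", "ember"]


def charset_entropy_bits(password: str) -> float:
    """Character-level estimate, as most strength meters compute it: length * log2(alphabet),
    the alphabet being the union of the character classes present. It assumes every character
    was chosen independently at random, which is false for a sentence, so it overstates."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if " " in password:
        alphabet += 1
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)        # 32 symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Word-level estimate: what an attacker faces if he knows the password is n words drawn
    uniformly from a list of list_size words. This is the honest figure for a passphrase."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Draw words with `secrets` (CSPRNG); random.choice is predictable and must not be used."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print(round(charset_entropy_bits("Wash the car today."), 1))   # 121.8: character counting
    print(round(passphrase_entropy_bits(4, 20000), 1))             # 57.2: 4 words, 20k vocabulary
    print(round(passphrase_entropy_bits(6, 7776), 1))              # 77.5: 6 random Diceware words
    print(generate_passphrase(6))
```

The sentence scores about 122 bits by character counting but only about 57 if treated as four words from a 20,000-word vocabulary, and less still once grammar is taken into account; six words drawn at random from a Diceware list give 77.5 bits. The practical lesson: a meaningful sentence is fine for a master password if it is long and not a common phrase, and a randomly generated passphrase of six or more words is better.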
Characteristics
Manage all your passwords
Structured in groups
Each group can have sub-groups and entries
Usage
Auto-Type function to fill in the identifier and password automatically, without typing
This allows us to use very complex passwords comfortably
Ability to copy and paste the user and password manually
As with the previous function, since you do not need to type them, passwords can be very complex
Ability to open the web page or application directly from KeePass
Precautions, good practices
Remember to lock your device's session when you are not using it, protecting its unlocking with a password
Auto-Type sends the keystrokes to the active window (or, for global Auto-Type, to a window whose title matches the entry), so check that the right window is in the foreground before triggering it, or a password may end up typed into a chat or a document
As your passwords expire or change, remember to update them in KeePass