What is a Password?
A password is a little secret that all of us use. We use a password to access our social media, email, bank and computer. We have a password for every connected device. A password locks our phone. A password opens our bank account.
We even receive password-protected bank statements or IT returns. Those are protected either by a randomly generated password or by a combination of things we already know. Our password can be a 4-digit code that opens the phone or a 28-digit passphrase that we use to access our bank account.
History of Passwords
So, when did the whole password thing start? According to Wikipedia, passwords have been with us for centuries. The Roman army used them and called them watchwords. The American Army used them to secure its information.
For computers, it all started with an early machine. The first computer operating system with a login screen and password was MIT's Compatible Time-Sharing System, in 1961. In the 1970s, Robert Morris developed a system that stores passwords as hashes. It was implemented in the Unix operating system, and after that it became a kind of standard in all modern operating systems, although as computing power increased, new hashes had to be developed.
Hashing is an algorithm that turns a string into something more complex. The hashed value may be shorter than the original string, and it cannot be reversed to recover the original.
Following are the known hash algorithms in use:
Following are a few password hashing algorithms that are safe to use:
Common myths about passwords:
Myths, as we know, are false beliefs. There are several myths about passwords as well. I have collected a few of the most common myths, which should help you understand passwords better.
1) A long and complex password will keep you safe:
Technologies such as big data, artificial intelligence and quantum computing are developing day by day. It won't be hard to crack a password of any length. A standard 8-character password is crackable within seconds. We have to use a passphrase instead of a password: something we can remember that still has complexity.
Here is a short YouTube video of Edward Snowden on Last Week Tonight that explains why we need a passphrase.
2) The web/mobile application you are using stores your password securely:
We have all seen our passwords get leaked. There have been many security breaches at big brands that store passwords in plaintext. Several incidents in the past show that Fortune 500 companies stored users' passwords in plaintext. That allows a hacker to steal both the username and the password.
Following are a couple of examples of plaintext passwords at the big giants:
- Facebook stored passwords in plaintext
- Google says a few user passwords were stored in plaintext
- Instagram users' passwords stored in plaintext
So it should be easy to understand that passwords stored in plaintext are far less secure.
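To make the difference concrete, here is an added example (not from the article) contrasting plaintext storage with a salted, slow, one-way hash; it uses PBKDF2-HMAC-SHA256 from Python's standard library as one of the safe-to-use family, and the iteration count and record format are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not from the article).
ITERATIONS = 600_000   # PBKDF2 work factor; raise it as hardware gets faster
SALT_BYTES = 16

def store_plaintext(password: str) -> str:
    """The scheme behind the breaches above: the stored record IS the password."""
    return password

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow, one-way: PBKDF2-HMAC-SHA256 in a self-describing record.
    A fresh random salt means two users with the same password get different records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and cost stored in the record; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def leaked_record_reveals_password(record: str, password: str) -> bool:
    """What a stolen database row gives away: with plaintext storage the row
    equals the password; with a hashed record it does not."""
    return record == password

if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("plaintext row:", store_plaintext(pw))
    rec = hash_password(pw)
    print("hashed row   :", rec)
    print("verify ok    :", verify_password(pw, rec))
    print("verify wrong :", verify_password("password123", rec))
```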
3) Mandatory password changes, or forcing the user to change the password every few days, make your account more secure:
In 2016 an article was published by the US FTC. It cited a study done by the University of North Carolina between 2009 and 2010. The result of the study indicated that when we are forced to change a password, most of us only replace one character of it; this is a predictable pattern and easily hackable.
Common facts and data about passwords:
There are several data-driven facts about passwords that we should be aware of. Passwords are helpful for protecting our data, but there are a few facts that we cannot deny.
- A poll done in 2018 indicates that 59% of people use the same password everywhere.
- 34% of people share their work-related password with their teammates.
- Every year there are massive attacks on passwords, and billions of users' data is stolen.
- There is a Wikimedia page that lists the top 25 most common weak passwords.
- Bill Gates predicted in 2004 that passwords would be gone, but we still have them.
- 4.1 billion passwords were hacked in just the first six months of 2019.
Common Password Attack Types:
An attacker can use several ways to gain your username and password. There are several types of attack that an attacker can use to get access to your password. The following are some of the most common types of password attack, each with a short introduction.
1) Dictionary Attack
A dictionary attack takes advantage of the fact that people use dictionary words as passwords. We use dictionary words because they are easy to remember, and the attacker uses the same thing to steal our password.
2) Brute Force Attack
The attacker uses computer software to try all kinds of password techniques to guess your password. It is automated software that tries every possible password and passphrase. It generates passwords until it finds the correct one.
3) Credential Stuffing Attack
Credential stuffing is an attack where the attacker uses all the hacked usernames and passwords to get access to a system. It is a kind of brute force attack, but the attacker already has both the username and the password. They use those to try to access compromised or uncompromised systems.
4) Phishing / Social Engineering Attack
This is the most common way to get a user's password. The attacker creates a phishing website that asks the user to provide their username and password. Once someone tries to log in to it, the site stores the username and password and redirects the user to the original website.
5) Password Spraying Attack
Password spraying is one of the brute force attacks. The attacker already has your password. They try to get access to another system using the same username and password. The attacker uses this method to access your account on another site.
6) Traffic Interception Attack
A traffic interception attack is also known as a man-in-the-middle attack. The attacker inserts himself into the connection between the user and the server. Once he has done that successfully, he tries to fetch as much information as possible. That allows the attacker to steal your password.
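As an added example, not from the article, here is a small detector that applies the distinctions above to an authentication log: one account hit repeatedly from one source (the brute force / dictionary pattern) versus one source cycling through many accounts with few attempts each (the spraying and credential stuffing pattern), flagging whether any of those attempts got in. The log format, sample lines and thresholds are my own constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the article); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2019-07-01T10:00:01 FAIL user=alice src=203.0.113.5
2019-07-01T10:00:02 FAIL user=alice src=203.0.113.5
2019-07-01T10:00:03 FAIL user=alice src=203.0.113.5
2019-07-01T10:00:04 FAIL user=alice src=203.0.113.5
2019-07-01T10:00:05 FAIL user=alice src=203.0.113.5
2019-07-01T10:01:00 FAIL user=bob src=198.51.100.7
2019-07-01T10:01:01 FAIL user=carol src=198.51.100.7
2019-07-01T10:01:02 FAIL user=dave src=198.51.100.7
2019-07-01T10:01:03 FAIL user=erin src=198.51.100.7
2019-07-01T10:01:04 OK user=erin src=198.51.100.7
2019-07-01T10:02:00 OK user=alice src=192.0.2.10
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log: str):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def analyze(log: str, brute_threshold: int = 5, spray_threshold: int = 4) -> dict:
    """Return two findings lists:
    brute_force: (user, src, failures) where one account is hammered from one source;
    spraying:    (src, distinct_users, got_in) where one source tries many accounts,
                 with got_in=True if any attempt from that source later succeeded."""
    fails = Counter()
    users_per_src = defaultdict(set)
    success_src = set()
    for ev in parse(log):
        if ev["result"] == "FAIL":
            fails[(ev["user"], ev["src"])] += 1
            users_per_src[ev["src"]].add(ev["user"])
        else:
            success_src.add(ev["src"])
    brute = sorted((u, s, n) for (u, s), n in fails.items() if n >= brute_threshold)
    spray = sorted((s, len(us), s in success_src) for s, us in users_per_src.items()
                   if len(us) >= spray_threshold)
    return {"brute_force": brute, "spraying": spray}

if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

A successful login from a source that was just seen cycling through accounts is the finding to act on first, because it means the guessed or stuffed credential worked.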
Multi-Factor Authentication – Can this be the future?
Multi-factor authentication uses technology that lets us log in to a computer or website with an added layer of security. It works like this: after the user enters the username and password, the system asks for an OTP, typically using a TOTP-based method. The multi-factor system generates a PIN and sends it to the user by SMS. The user then enters the OTP they received to log in to the computer or website. Sometimes people use third-party mobile applications like Google Authenticator or Microsoft Authenticator to generate the OTP instead of depending on SMS.
It makes your account tougher to hack, but again, nowadays there are techniques available to clone a SIM card, which would allow the attacker to receive your OTP and hack into your account.
Let us Go Password-Less – The Next Buzzword of Technology.
Password-less is here to stay and is going to change the way we use the internet. It is the most secure and robust method to access multiple services over the internet.
What is Password-Less?
Password-less authentication is not new; the concept has been around the internet for quite some time. Password-less authentication would help us secure our accounts better, and it makes the attacker's work much harder. Password-less is a method that allows users to access their accounts more securely. It combines a better user experience (no need to type a password; just type the username and you are in, although, he he, you still need a few clicks before you can access your account) with better security, because there is no password at all. The user only has to prove that they have the elements required to log in and that they are entitled to do so.
There are several password-less implementations, but the most secure and most recent one is USB token-based authentication, which replaces the password with a USB token. It can be a biometric or non-biometric token that you use to log in to your account. There are several other implementations as well, like link-based login, where the user receives an email link that they have to use to log in, and mobile-app-based login, where the user logs in by typing just the username.
FIDO Alliance and Passwords:
The FIDO Alliance was launched in 2013 by PayPal, Validity Sensors, Infineon, Agnitio and others to create a passwordless protocol. The FIDO Alliance was later joined by Google, Yubico and NXP. There are currently 260 members of the FIDO Alliance. The alliance makes sure that the protocols and research work are done so that we can move to a passwordless future for the internet.
FIDO-compliant hardware needs to be used to make sure that you can use passwordless authentication. Windows 10 uses Windows Hello with a USB-based biometric key for login. For web authentication, you have to follow the FIDO standards to make sure that your application works as expected.
A Few Tips for Passwords and Security:
1) Always use a passphrase instead of a password for all your essential services.
2) Never, and I mean never, reuse the same password across all your applications.
3) Don't use your dog's or pet's name as a password.
4) Don't use your own name as a password.
5) Whenever possible, enable 2-factor authentication for your account.
6) Never share your password with anybody.
7) Never use your social media/email password as your financial password.
To implement passwordless for your organization, please feel free to contact Gaurav Maniar.
18 years' experience as a professional in Cryptography, PKI, Information Security, Data Security, SSL Certificates, TLS Certificates, Cloud Security, Website Security, Email Security, Cloud HSM, IT Infrastructure Management, Cloud Management and Customer Support. Certified in CompTIA Security+, EC-Council CEHv10, MCSE and ITILv3. Domain investor by hobby; owns 150+ domains.