Password Security

From Embedded Lab Vienna for IoT & Security
Revision as of 16:57, 28 August 2024 by NKirnbauer (talk | contribs) (expired link changed with link from wayback machine)

Summary

This documentation provides advice about secure passwords. It covers known problems with passwords and elaborates various solutions for secure password creation and usage. Weak passwords are the number one vulnerability in the Internet of Things (IoT) [1].

Nowadays, whenever an online service or platform needs to be accessed, a username and password are required. Thus, anyone in possession of these credentials can access the account. Although they are no longer the only means of protection, they are still the first line of defense for our data, which is why we need to set them up all the more carefully.

Password Storage

The passwords entered during registration are usually stored in a database, so they must also be protected from attackers. To protect the database from unauthorized access, firewalls are placed in front of it. Additional protection is provided by role definitions, which determine who has access to the database. However, these protective measures are not sufficient on their own. In case of unwanted access to the database, we must ensure that the passwords stored there are in a non-readable, hashed form rather than in plaintext.

If we now take a password (e.g. "myPassword") and apply the SHA-1 function to it, for example on the command line, it looks like this:

  echo -n "myPassword" | openssl sha1

Output:

(figure Hash.PNG: the 40-character SHA-1 hash value printed for "myPassword")


Such a value is stored in the database. When the user logs in again, the entered password is hashed once more and compared with the value stored in the database. If both values match, the user is logged in; if not, the attempt fails.

If an attacker gains access to the database, they cannot do much with it at first. As with an encryption key, the password cannot be derived from the hash value; only guessing is possible. The attacker would have to know a candidate password, hash it and then compare the result with the stored value. This is because cryptographic hash functions have the following important properties:

  • Each SHA-1 hash has the same length (40 hex characters), regardless of the length of the file or string that was hashed.
  • Therefore, the length of the original password cannot be inferred from the length of the hash value.
  • Likewise, no other property of the original password can be inferred: the hash reveals neither how many vowels or special characters it contains nor whether any character occurs more than once.
  • This also implies that the hash values of similar words are unpredictably different. The hash for "hello" is different from the hash for "hallo".
  • It follows from these properties that, for a given hash function and hash value, there is not just one original input that produces that hash value but any number of them. The technical term is "collision". In practice, one wants as few of these as possible.
  • To further reduce collisions, "salting" was introduced. A salt is a randomly chosen character string that is appended to the plaintext password before it is processed further. This increases the entropy of the hashed input even more.
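The storage and login flow described above, as an added Python example that is not part of the original page: the plain SHA-1 hash the page computes with openssl, the salted variant, and the verification step that re-hashes and compares. "myPassword" is the page's sample value; the salts and the other test strings are constructed here.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example (not from the original page): SHA-1 hashing as the page
# illustrates it, the salted variant the page describes, and the login check
# that re-hashes and compares. "myPassword" is the page's sample value; the
# salts are generated here, not taken from the page.


def sha1_hex(text: str) -> str:
    """Same digest as `echo -n "<text>" | openssl sha1`."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, hash_hex) for the database; one random salt per user."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, stored alongside the hash
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare the results."""
    _, candidate = store_salted(password, bytes.fromhex(salt_hex))
    # constant-time comparison, so response timing does not leak matching bytes
    return hmac.compare_digest(candidate, stored_hash)


def properties() -> dict:
    """The hash properties listed above, checked on constructed inputs."""
    salt_a, hash_a = store_salted("myPassword")
    salt_b, hash_b = store_salted("myPassword")
    return {
        "fixed_length_40": len(sha1_hex("a")) == len(sha1_hex("a" * 1000)) == 40,
        "similar_words_differ": sha1_hex("hello") != sha1_hex("hallo"),
        "same_password_different_salts": hash_a != hash_b,
        "login_ok": verify("myPassword", salt_a, hash_a),
        "login_rejected": not verify("mypassword", salt_a, hash_a),
    }


if __name__ == "__main__":
    print(sha1_hex("myPassword"))
    for name, ok in properties().items():
        print(f"{name}: {ok}")
```

The store/verify structure stays the same with a purpose-built password hash such as Argon2 or bcrypt, which replace the fast SHA-1 used here for illustration and deliberately slow down each guess.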

Problems with Passwords

There are several more or less widely known bad habits regarding passwords.

Mistakes when choosing Passwords

Personal information (names, dates, etc.) is often used to create passwords because of the limited capacity of human memory; such information is a popular target for social engineering. Often standard passwords like "123456" or "password" are used. In fact, "123456" has been the most used password in recent years [2]. Password re-use is one of the main challenges: many users use the same password for various accounts. It should be obvious that using the same password for online banking and for an Adobe account is not a good idea. The quality of a password depends on how long an attacker needs to find the correct one.

Password Entropy and Quality

Many studies suggest using password entropy to measure the strength of a password. Higher entropy indicates a more secure password, while lower entropy indicates a less secure one. Entropy is the amount of information held in a password: the more information a password contains, the more time an attacker has to invest to crack it. To obtain higher entropy, use more characters and draw them from more of the following character sets.

Character Set 1: 26 lower case letters: abcdefghijklmnopqrstuvwxyz

Character Set 2: 26 upper case letters: ABCDEFGHIJKLMNOPQRSTUVWXYZ

Character Set 3: 10 digits: 0123456789

Character Set 4: 31 special characters: ~!@#$%^&*()_-+={}|[]\:"<>?;',./

Keeping Passwords safe

One of the biggest problems is still keeping our private passwords safe. The rule is that a different password is recommended for every online service. Only a few people manage to remember all their passwords, even if they are chosen according to the rules. Therefore, the majority of users choose simple passwords, which are easy to remember but also easy to crack. For seven years now, the most frequently chosen passwords have been "123456" and "password".

Fortunately, we can easily outsource this work to so-called password managers, which serve as safe vaults and relieve our memory. A password manager lets us create a secure password and store it in its database. A separate password can be created for each online service that requires one, and it can be inserted automatically when the website is opened. The entire database is protected by a so-called "master password", which we must remember; accordingly, this password must be chosen securely. In addition, the database can be protected with a second factor, which strengthens security once more.

A password manager also has disadvantages. Most password managers cost money. Another disadvantage arises if the user forgets the master password: all stored passwords may then be lost forever. When choosing a password manager, one should be aware that control over the security of the passwords no longer lies entirely with the user, at least not with every manufacturer. If the manufacturer of the password manager is attacked and compromised, the attacker may gain access to all passwords. Likewise, one trusts the manufacturer that the software has no security gaps and that the manager can be considered secure.

Good Passwords

There are three general aspects of a good password: length plays the main role, the password must not be trivial, and it must be easy to memorize. Leet speak (replacing certain letters with similar-looking numbers, e.g. "p455w0rd") is not a good idea, because by now every password cracker knows leet speak substitutions.

Good Password Checklist

  • Minimum length of 12 characters
  • Contains lower & upper case letters, digits, and special characters
  • As random as possible
  • Easy to remember

How to Create a Good Password

  • Think about your favorite lines of a song, poem, or movie, etc. Take the first letters and special characters to create your password.

Here's an example:

Are you lonesome tonight? 
Do you miss me tonight?
Are you sorry we drifted apart?

The resulting password might be: Ayl2n?Dymm2n?Ayswda?

  • Think of approx. 4 different words that make sense to you but whose combination makes no sense at all. Meaningful sentences are not good passwords.

Here's an example:

Concrete
Ocean
Mouse
Egg

You'll have to add a special character and a digit. The resulting password might be: ConcreteOcean4MouseEgg!

GRC Haystack can also be used to check how quickly a password could be cracked. Just type in a custom password and the tool shows several attack scenarios, as shown in the figure below. [1]

(figure Haystack.PNG: GRC Haystack output showing several attack scenarios for a sample password)
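The entropy measure from "Password Entropy and Quality", the "Good Password Checklist" and the search-space idea behind the Haystack figure, as one added Python example that is not part of the original page. It uses the page's four character sets and its sample passwords; the guess rate in seconds_to_exhaust is an assumption for illustration only.

```python
import math
import string

# Added example (not from the original page): password entropy computed as
# length * log2(size of the character pool actually used), with the page's four
# character sets, the page's "Good Password Checklist" as a function, and an
# exhaustive-search time estimate in the spirit of the GRC Haystack figure.
# The guess rate is an assumed illustration value, not a figure from the page.

LOWER = string.ascii_lowercase                 # 26 characters
UPPER = string.ascii_uppercase                 # 26 characters
DIGITS = string.digits                         # 10 characters
SPECIAL = "~!@#$%^&*()_-+={}|[]\\:\"<>?;',./"  # the page's 31 special characters
CHARSETS = (LOWER, UPPER, DIGITS, SPECIAL)


def pool_size(password: str) -> int:
    """Sum of the sizes of every character set the password draws from."""
    return sum(len(cs) for cs in CHARSETS if any(c in cs for c in password))


def entropy_bits(password: str) -> float:
    """Entropy in bits, assuming each position could be any character of the pool."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def checklist(password: str) -> dict:
    """The page's checklist; "as random as possible" and "easy to remember"
    cannot be measured mechanically, so only the testable items are here."""
    return {
        "min_length_12": len(password) >= 12,
        "lower": any(c in LOWER for c in password),
        "upper": any(c in UPPER for c in password),
        "digit": any(c in DIGITS for c in password),
        "special": any(c in SPECIAL for c in password),
    }


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e11) -> float:
    """Worst-case time to try every string of the same length over the same pool."""
    return 2 ** entropy_bits(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("123456", "p455w0rd", "ConcreteOcean4MouseEgg!"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{seconds_to_exhaust(pw) / 86400:.3g} days, {checklist(pw)}")
```

The entropy figure assumes the characters were chosen at random: a leet-speak dictionary word such as "p455w0rd" scores about 41 bits here but falls to a wordlist attack almost immediately, which is exactly the page's point about leet speak.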

Further Advice for a Secure Password Usage

Password Manager

The use of a password manager solves the problem of remembering numerous different passwords for various accounts: you have one file containing all your passwords, secured by one strong password. Our recommended password managers are open source, free of charge, and platform-independent.

Recommended password managers:

Differences

Feature                      KeePass                                 LastPass
Security & Encryption        AES-256, ChaCha20 and Twofish           AES-256, cloud storage
App Compatibility            Mobile and Web                          Mobile and Web
Usability and Ease of Use    Complex UI                              More user-friendly UI, easy installation
Password Sharing             Shared database (for small teams)       Password sharing (department-wide), easy handling
Price                        Open source                             Various price models (starting at $3)

Two-Factor Authentication

Two-factor authentication requires a second authentication method in addition to the password, e.g. Google Authenticator [3], which provides a 6-digit code for each login. The second factor might also be a biometric factor (e.g. a fingerprint) or a hardware token (e.g. a Yubico key [4]).

Some more Tips

1. Use a unique password for every application you log on to
2. The longer the password, the better
3. Different characters can always be used
4. Use complex passwords (a mix of digits, lower and upper case letters, and special characters)
5. Passwords can be tested for their complexity
6. Always log out of applications
7. Use a password manager
8. Enable two-factor authentication wherever possible

Courses

  • Workshops (2017, 2018, 2019, 2020)

References