Monday, February 17, 2020

Introduction to Pa$$w0rds

When people hear the word "password", the first thing that comes to mind is the pesky, hard-to-memorize code they are required to enter when accessing their online accounts. The truth is that passwords have been around for centuries, long before the first computers were introduced in the 1930s and 1940s (remember "I think there is a world market for maybe five computers"? Well, think again! But I digress).

Passwords were used by sentries in the Roman military as a method of access control to restricted areas, and challenge-response phrases were used by the American 101st Airborne Division in World War II: a sentry presented the challenge "flash" and expected the response "thunder".
In 1961 Fernando Corbató, an MIT professor, first implemented the password in a computer system, the Compatible Time-Sharing System (CTSS), an operating system used by researchers. In the 1970s Robert Morris first implemented the password hashing mechanism as part of the UNIX operating system.

In the mid-1990s, when the internet started taking off, passwords became an integral part of our day-to-day online life. Despite global efforts that include the largest tech giants (e.g., the FIDO Alliance), passwords are still the most common method of online access control.


The good

Although extremely outdated, passwords have one significant advantage: they can be used from almost any device, assuming a physical or virtual keyboard is present. Technologies such as one-time passwords, tokens or fingerprints provide a much better user experience, but they still require the device to be present for the verification to take place.
Another important upside of passwords is preserving user privacy: since passwords are not considered Personally Identifiable Information (PII), they can be stored in the cloud or on-prem, assuming proper security measures such as hashing and salting are taken.

Assuming we are the type of people who "see the glass as half full", password sharing can be considered a good thing in some cases, for example if you need to grant your spouse access to your email or bank account. In general, though, it is best to grant such access beforehand using proper authorization mechanisms that give multiple users access to a single account or resource.


The bad

Where should we begin? Generally speaking, passwords are a lose-lose situation for the enterprise as well as for end users. This includes, but is not limited to, poor security, poor user experience and high operating and maintenance costs.
Security-wise, passwords suffer from a multitude of attack vectors that, in most cases, can be mitigated by sticking to security best practices and proper employee training.

Data leakage: There are many different reasons why hackers gain access to restricted data, from unpatched vulnerabilities in the OS to misconfigured cloud instances. Eventually someone bad will get to our data, so we need to make sure we follow security best practices. With passwords this usually means hashing, since passwords should never be stored as plain text. But hashing alone is not enough, as it leaves the hashed passwords open to a "rainbow-table" attack, which uses a precomputed table to reverse hashes. Therefore, hashing should always be done with a "salting" mechanism: a random piece of data is added to the password, and only then is the result hashed. This significantly increases the effort required to mount an attack at scale against harvested password hashes, because a single precomputed table no longer applies to every account at once.
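The following is an added example, not code from the original post or from Verifyoo, that shows the difference the paragraph describes: an unsalted hash gives the same value for every user who chose the same password, while a salted hash is unique per user and must be recomputed from the stored salt to verify a login. It goes one step beyond the text by using PBKDF2 (a deliberately slow derivation) instead of a plain hash; the iteration count and salt size are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters assumed for this example; the iteration count should be tuned
# to the hardware that will verify logins.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Equal passwords give equal digests, so one
    precomputed (rainbow) table reverses every account that chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Salt the password with fresh random bytes, then derive the stored value with
    PBKDF2-HMAC-SHA256. The salt is stored next to the hash; it is not a secret,
    its job is to make every stored hash unique."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": str(PBKDF2_ITERATIONS)}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(record["iterations"])
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    pw = "Summer2020!"
    print("unsalted equal:", unsalted_hash(pw) == unsalted_hash(pw))  # one table cracks both
    a, b = hash_password(pw), hash_password(pw)
    print("salted equal:  ", a["hash"] == b["hash"])  # each hash must be attacked on its own
    print("verify ok:     ", verify_password(pw, a), verify_password("summer2020!", a))
```

The record returned by `hash_password` is what a user table would hold; nothing in it lets an attacker skip the per-user derivation, which is the whole point of the salt.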

Phishing websites: An extremely common attack vector, typically carried out by sending a link that redirects the user to a "fake" website, which in most cases looks identical to the real one to the naked eye. The unsuspecting user inputs their credentials and poof... their username and password are suddenly for sale on the dark web, a dime a dozen. There are many elaborate and highly sophisticated tools to handle these attacks, from automatically taking down these websites to computer-vision tools that distinguish between a real and a fake website. But in many cases, nothing beats good old employee training and guidance, which are an integral part of the anti-phishing arsenal. Now you might say something like, "But hey, I've got 2FA, I'm safe!". Well, guess again, especially if you're using SMS OTPs. More on that in the next chapters.
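As an added example, not part of the original post or of any Verifyoo product, here is the kind of link check a mail gateway or browser extension can run before a user ever sees a page: it compares the link's host against an allowlist of legitimate domains and flags hosts that merely imitate one (digit-for-letter swaps, a brand name buried in a subdomain, internationalized homographs, one-character typos). The allowlist and all sample URLs are constructed, and the "last two labels" rule for the registrable domain is a simplification that a real deployment would replace with the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of the organisation's legitimate domains (example values).
KNOWN_DOMAINS = {"example.com", "examplebank.com"}

# Single characters that commonly stand in for letters in lookalike hostnames;
# two-character pairs are folded separately in skeleton().
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
_PAIRS = (("rn", "m"), ("vv", "w"))


def skeleton(name: str) -> str:
    """Reduce a hostname to a 'skeleton' so visually similar names compare equal:
    decompose accented letters, drop the diacritics, lower-case, fold confusables."""
    decomposed = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    for pair, single in _PAIRS:
        folded = folded.replace(pair, single)
    return folded.translate(_CONFUSABLES)


def hostname_of(url: str) -> str:
    """Host part of the URL with punycode (xn--) labels decoded, so IDN homographs
    are compared by the characters the user sees."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption for this example: no multi-label
    public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """'known' for an allowlisted registrable domain, 'lookalike' when the host
    imitates one, 'unknown' otherwise (unknown is not safe, just not an imitation)."""
    host = hostname_of(url)
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return "known"
    host_skel, domain_skel = skeleton(host), skeleton(domain)
    for known in KNOWN_DOMAINS:
        known_skel = skeleton(known)
        # Brand domain used as a subdomain of an unrelated registrable domain.
        if known_skel in host_skel:
            return "lookalike"
        # Confusable substitution or a one-character typo of the real domain.
        if domain_skel == known_skel or edit_distance(domain_skel, known_skel) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an inbound e-mail.
    for link in ("https://www.example.com/login", "https://examp1e.com/login",
                 "https://example.com.account-verify.net/", "https://unrelated.net/"):
        print(f"{classify_url(link):9} {link}")
```

A result of "lookalike" is a strong signal worth blocking or at least warning on; "unknown" only means the host is not one of ours, which is the normal case for most of the web and should not by itself trigger an alert.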
Weak and re-used passwords: Some websites go to such great lengths with their password complexity requirements that it can take several minutes just to come up with a password, let alone memorize it without writing it down. In the end we are human and we were not programmed to memorize random letters, which is why most users pick easy-to-memorize passwords and re-use them across accounts. Now, I feel pretty comfortable with Google safeguarding my password using proper salting etc. (should I?), but what about that questionable eCommerce website I signed up to using the same password? It just so happens that they did not properly configure their cloud security settings and forgot to "spice up" their passwords. You get the picture. In other cases, people use easy-to-remember passwords; the three most common passwords are "qwerty", "password" and "111111". This opens them up to dictionary attacks, which use a database containing a predetermined set of commonly used passwords.

So, what can you do? Don't re-use passwords, require your users to generate complex passwords and don't forget to turn on 2FA!
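To make the "require complex passwords" advice concrete, here is an added example (not code from the post or from Verifyoo) of a server-side check that rejects the common passwords named above even when users dress them up with capitals, leet substitutions or a trailing "1!" to satisfy a complexity rule. The denylist, the minimum length and the substitution table are assumptions for this example; a real deployment would load a large breached-password corpus instead of the seven entries here.

```python
import re
from typing import List, Set, Tuple

# Constructed denylist: the three passwords the post names plus a few obvious
# neighbours. A real deployment would load a breached-password corpus.
COMMON_PASSWORDS: Set[str] = {
    "qwerty", "password", "111111", "123456", "letmein", "iloveyou", "admin",
}

# Letter-for-symbol substitutions users apply to "satisfy" complexity rules.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# Digits and punctuation tacked on at the end, e.g. "qwerty2020" or "Password1!".
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.?]+$")


def normalize_variants(password: str) -> Set[str]:
    """Candidate 'base words' hidden in the password: lower-cased, with trailing
    digits/punctuation removed, and with leet substitutions undone."""
    lower = password.lower()
    stripped = _TRAILING_JUNK.sub("", lower)
    variants = {lower, stripped, lower.translate(_LEET), stripped.translate(_LEET)}
    return {v for v in variants if v}


def check_password(password: str, min_length: int = 12) -> Tuple[bool, List[str]]:
    """Return (accepted, problems). Length comes first because a long passphrase
    resists guessing better than a short string with symbols in it."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    if normalize_variants(password) & COMMON_PASSWORDS:
        problems.append("matches a common password after normalisation")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed candidates a user might type into a sign-up form.
    for candidate in ("password", "P@ssw0rd1!", "111111", "qwerty2020",
                      "correct horse battery staple"):
        accepted, problems = check_password(candidate)
        print(f"{candidate!r}: {'OK' if accepted else ', '.join(problems)}")
```

Note that "P@ssw0rd1!" passes a naive "upper, lower, digit, symbol" rule yet normalises straight back to "password"; checking the normalised forms against the denylist is what catches it.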


Setting aside security, passwords also fall short on user experience and can lead to lost business and transaction abandonment by frustrated users who are required to manage numerous accounts. Eventually these users will have to go through the tedious "account recovery" process, which is also extremely insecure. As the cherry on top, add the high operating costs of managing and resetting passwords: a Forrester study estimates that the average cost of a single password reset done by the help desk is about $70, while Gartner estimates that 20% to 50% of all help desk calls are for password resets.


The ugly

A recent phishing campaign targeting Apple redirected users to a phony website that mimics Apple's account management platform, in an attempt to harvest credentials. Another recent phishing campaign is targeting the UK, in an attempt to carry out mass credential harvesting.

In 2012, reports stated that 6.46 million hashed passwords of LinkedIn accounts had leaked online, and, you guessed it, they were "unsalted".

Another notable data leak was 7 million compromised Minecraft accounts, also "unsalted". Before you start thinking "What's the worst thing that can happen with hijacked Minecraft accounts?", consider that some of these passwords may have been re-used for other accounts.


To sum it up, according to the Verizon Data Breach Investigations Report, 81% of breaches are related to weak or compromised passwords.


How can Verifyoo help you?

Verifyoo's DrawID solution "eats the cake and keeps it whole" by keeping the main benefit of passwords without their weaknesses: enabling users to safely verify themselves from any device, without memorizing passwords. Aside from providing organizations and consumers with a much more secure method of verification, Verifyoo also reduces the friction caused by forgotten passwords. Password friction not only leads to massive transaction abandonment by frustrated users, but also incurs the high operating costs of resetting these passwords through frequent help-desk calls, knowledge-based questions and other means that have proven to be inefficient and insecure.

Read the next article in the series here: https://verifyoo.blogspot.com/2020/02/one-time-passwords.html

For more information visit: https://www.verifyoo.com
To schedule a demo: https://www.verifyoo.com/Verifyoo/#contact-section
