Authentication & Passwords: Staying Safe Online
Authentication is the process of verifying a user's credentials. The verification is carried out against information previously stored in the system, in the form of passwords, biometrics or challenge-response mechanisms. A user here means someone whose record already exists in the SAI (stored authentication information). The information the user presents to the system for comparison is called the comparison authentication information (CAI).
In a password-based system the password the user enters is fed to a cryptographic function that processes it into the form in which the SAI is kept. In a typical application that requires authentication, say an email client, a user has to enter his/her email id & password to log in & check mail. The email server first tries to match the user-id with a registered user. If that succeeds, the server then checks the password supplied against the one in the SAI. If it matches the user is authenticated & voilà, he/she can read the mails! As you can see, the basic flaw is that anyone holding this information about a person can log in & read that person's mail. There is no physical check to confirm that the person entering the details is the registered user.
Having explained the basic flaw, let us see what we can do to make ourselves more secure online. If you use email, you give everyone your user-id in any case so that they can contact you, & it appears on every mail & forward you send to people you know personally. So securing the user-id is of little use, as anyone can find it out in most circumstances. The real security you have is your “PASSWORD”. So what is a password?
Well, a password is a string of characters that you choose while registering, or after you have logged in using a one-time password (e.g. on-line banking). Typically you think: let me choose something I can remember, like my mother's name, date of birth, car registration number or something EASY! Just think: if you choose such a password, how many people around you already know it, & how easy is it for someone following you on Facebook, Twitter, Orkut etc. to guess it? By choosing such a password you have effectively given it away to hundreds & thousands of people; the only thing is that no-one has tried to break in yet!
Once a user enters his/her password, a function of it is derived & compared with the SAI. In general the log-in function computes some cryptographic function of the CAI & compares the result with the SAI. The authentication server never tells the user what went wrong, whether the user-id, the password or both were wrong. Thus it is the user's responsibility to keep his/her credentials safe at all times.
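As an added illustration (not code from the original post), here is a minimal password-based login in Python that follows the model above: the SAI is a salted, iterated hash stored at registration, the CAI entered at login is passed through the same function, and the server returns only a generic failure whatever went wrong. The in-memory store, the user names and the lockout threshold of five wrong guesses are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed in-memory store: username -> (salt, SAI). The SAI is the PBKDF2
# output derived from the password at registration; the password itself is
# never kept. Iteration count and lockout threshold are assumptions.
_ITERATIONS = 100_000
_MAX_FAILURES = 5
_users = {}
_failures = {}


def _derive(password: str, salt: bytes) -> bytes:
    """The cryptographic function applied to the password (CAI at login, SAI at registration)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def register(username: str, password: str) -> None:
    """Create the user's SAI record with a fresh random salt."""
    salt = os.urandom(16)  # per-user salt: equal passwords still give different SAI
    _users[username] = (salt, _derive(password, salt))
    _failures[username] = 0


def login(username: str, password: str) -> bool:
    """Return True only when the CAI derived from `password` matches the user's SAI.

    Every failure path returns the same plain False, so a caller cannot learn
    whether the user-id was unknown, the password was wrong, or the account is locked.
    """
    record = _users.get(username)
    if record is None:
        _derive(password, b"\x00" * 16)  # burn the same work so timing does not reveal valid user-ids
        return False
    if _failures[username] >= _MAX_FAILURES:
        return False  # locked after too many wrong guesses: this is the on-line attempt limit
    salt, sai = record
    cai = _derive(password, salt)
    if hmac.compare_digest(cai, sai):  # constant-time comparison of CAI against SAI
        _failures[username] = 0
        return True
    _failures[username] += 1
    return False


def is_locked(username: str) -> bool:
    """True once the user has exhausted the allowed wrong guesses."""
    return _failures.get(username, 0) >= _MAX_FAILURES
```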
Password Vulnerability
The easiest way to compromise such an authentication mechanism is for the user to give away his/her password. Not many of us realise that writing passwords down & sticking them to our screen, or hiding them under the keyboard, is the worst thing we can do. It is also surprising how readily users give their passwords to others: in a survey conducted at the InfoSecurity 2003 conference in London, 90% of people revealed their passwords for a cheap pen!

You may have heard of brute-force attacks. In such an attack an intruder tries every possible combination until the correct one turns up; she/he doesn't need any information from you about the process. Say there is a door lock with a 4-digit combination; unless you have the correct combination you can't get in. It would take a burglar nothing more than patience & at most 10000 attempts before hitting the correct one! Trying all possible combinations until the right one is found is what a brute-force attack is.
Performing such attacks on-line isn't practical for an intruder, because they are time-consuming & because nowadays there is a limit on how many times a password can be entered incorrectly. Hence the attacker would rather perform off-line attacks before trying to crack an account. He may obtain the SAI file, or encrypted passwords from network traffic, & then automate the process of deducing the password. Assume that a password is built from a set of 70 characters (upper-case & lower-case letters, the digits 0-9 and common symbols). There are around 24 million possible passwords of length 4 & 576,480,100,000,000 passwords of length 8. If an attacker can encrypt & compare 10,000 passwords/sec against the SAI, he can check every possible password of length 4 in 4 minutes. It would however take him 183 years to check every possible password of length 8!

We talked earlier about users choosing passwords that may be their mother's name, their own name, date of birth etc. Such passwords are easily broken by an attacker using dictionary attacks. As I said, a brute-force attack is a very lengthy process for an attacker to perform. However, there are no more than about 80,000 words and names in common use, & an automated process can check the encrypted forms of all of them in no time! Even if users try to be a little smart and use “JaMe5” instead of “JAMES”, such modifications are “taken care of” by the tools attackers use nowadays.
There are many more sophisticated attacks used to recover passwords; I won't delve into each of them as they are highly complex.
Being Safe

Why then do most authentication systems use a password-based mechanism? I would say because it is simpler & easier. Having seen the vulnerabilities above, it is important to take steps to limit their extent.
A brute-force attack will fail if the password chosen is sufficiently long & its characters are a mix of upper-case, lower-case, digits and special characters; it should be at least eight characters long. A dictionary attack will fail if the password is not easy to guess: never use dictionary words, names, or simple digit substitution to hide recognizable words.
A strong password is one that is long enough & does not consist of easily recognizable words. Yes, it will be a little harder to remember, but “DO NOT” write it down, as that only increases the vulnerability. What you can do instead is generate the password from the last letters of a “recognizable catchphrase”, or think of a sentence, e.g.: I was supposed to be going to Switzerland on a vacation. Mix and match the resulting letters with digits & special characters to build a strong password.
Just to add: never repeat letters or digits in a password; avoid using names, familiar words and dictionary words; & do not use the same password for all your accounts. Lastly, do not store passwords in mail or anywhere else online. Check here (http://bit.ly/x4NgZ) whether your chosen password is OK.
You will hopefully now have a basic understanding of how password-based authentication works. You've also seen how passwords can be attacked & broken. I am sure that after reading this most of you will re-evaluate the strength of your passwords & be safer.
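An added example (not the article's code, nor that of the checker linked above) that applies the rules just given to a candidate password, undoing common digit substitutions before the dictionary check so that “JaMe5” is caught as “james”. The small word list, the substitution table and the helper that takes the last letter of each word of a sentence are constructed assumptions.

```python
import re
from typing import List

# Constructed mini-dictionary standing in for the ~80,000 words and names an
# attacker's list would contain; a real checker would load a full word list.
COMMON_WORDS = {"james", "password", "london", "switzerland", "vacation", "welcome"}

# Digit/symbol substitutions that cracking tools undo automatically (assumed set).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _unleet(password: str) -> str:
    """Reverse common substitutions and lower-case, as an attacker's tool would."""
    return password.translate(_LEET).lower()


def check_password(password: str) -> List[str]:
    """Return the article's rules that the password breaks (empty list means OK)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs a mix of upper-case, lower-case, digits and symbols")
    if len(set(password)) != len(password):
        problems.append("repeats a letter or digit")
    plain = _unleet(password)
    hit = next((w for w in sorted(COMMON_WORDS) if w in plain), None)
    if hit:
        problems.append(f"contains dictionary word or name '{hit}' (digit substitution does not hide it)")
    return problems


def from_sentence(sentence: str) -> str:
    """Base password from the last letter of each word of a memorable sentence
    (the article's suggestion); digits and symbols are then mixed in by hand."""
    return "".join(w[-1] for w in re.findall(r"[A-Za-z]+", sentence))
```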