Implementation
of passwords for user security
Terrell
McClain
We Will Write a Custom Essay about Implementation authentication that are far superior to the
For You For Only $13.90/page!
order now
Ec-Council
University
Abstract
The purpose of this
research is to identify the reason way alpha-numeric passwords are still being
used when technology has improved the types of authentication methods exist.
Alpha-numeric passwords are easily targeted by attacks a problem that exist for
every portal that is accessible. Another major component of this is to make
managing authentication easier and more secure. We then examine how effective
passwords are and the security level it provides. Then passwords can compare it
to the other authentication methods. We can then begin to identifying where
these authentication methods are being used and if replacement over the
alpha-numeric is possible. These implications show that while the technology
for these methods are beginning to be adopted the traditional password will not
be phased out so soon. There are ways to suppress attacks on password by using
password management software for accountability. The findings are that for as
long as the access portals exist there will be a need for password authentication
will be there for a backdoor into the system. These findings may be useful to
those who plan on purchasing new devices to consider how secure they system
need to be.
PASSWORD
MANAGEMENT AND PASSWORD SECURITY
You,
me, everyone has multiple accounts, both personal and private and it is hard to
manage those account given that through each resource that the user accesses,
has its own variation of what a complexed password should be. Most site except
a password that is eight to twelve characters long and consisting of a
combination the requires upper and lower case, numerals, and special characters
but not all sites require all of these. So to cope with the numerous accounts
that the user has it is seen that they will create one simple easy to remember
password across multiple access portals. This password can typically range from
a name of someone followed by a birthday or other significant number to a
favorite sports team and player number and is very insecure. In doing so it
makes that user an easy target for account hijacking. using todays techniques
obtaining a person’s password would take less than 5 minutes. now mobile have
engineered new forms of authentication that are far superior to the password
that has been integrated in phones
computer and laptop. It’s been
proven that the Basic alpha-numeric passwords are an archaic form of
authentication and other methods have been introduced but as authentication has
become easier for the user, does managing these newer methods of authentication
increase in difficulty and security.
For
the most part, as the organization see growth there will be a more desperate
need to manage that growth. today individuals have so many devices at their
disposal sometime is hard to keep track of. These individuals also access a
ride range of resources both in their personal live and within the organization
in which they work. Email, banking, mobile games, corporate site, etc. we all
spend or time longing into some system at one point but how we do it varies.
Because we have so many portals we access daily there is the issue that
remembering the password becomes problematic. To curry or woes from contacting
support the thought that assigning each portal the same password seems like a
good idea. The fact is that this is one of the major problems facing all
organizations toady. Users take what they have learned in their personal life
and apply it to their professional career.
If
the organizations network administrators aren’t on par with current security
practices…Other password issues come from network administrators themselves.
Sometime due to lack of attention devices can be placed on the network and the
default password has not been configured on the device. Network administrators
are also prone to being careless and apply passwords to the devices they use
daily by giving them a less than standard password complexity. An even bigger
issue arises when the passwords use to authenticate traverse the network
unencrypted.
Not
every issue concerning attack on the network can by directed towards the
network administrators. C level executives want to bend the rules themselves
and this is a difficult task for administrators. Even with polices in place C
level executives demand have next to no password or streamlining security
measures for them to make access faster and easier. All administrators can do
is remind them of policy and attempt to convince them to follow them.
In essence the truth is
that humans will always be the weakest link in any security measures.
So long as these conditions continue to exist there
leaves an uneasy feeling about the organizations network. This lease a
tremendous amount of work for network administrators to attempt to solve given
that their workload isn’t inconvenienced by other projects.
The biggest concern is that users are not create
lengthy and complicated passwords
You may begin to suspect where does this come into
play when that user enters into the work environment you may ask. Well a large
majority of user are used to only using the one password of their choosing to
authenticate into their personal accounts and to make it easier for them there
is a probability that they will use the same password for login at work. When a
user if forced to change their password through policies or because they have
changed their personal passwords they user does multiple thing to remember
their password, create a word file on the computer or on their phone, write it
down….
current passwords for user are in the form of alpha
numeric with special characters. Yet a lot of users are using a combination is
dictionary words with numerical values
The issue of weak authentications is a concern for
everyone, we all have multiple accounts. If we aren’t careful in the way we
think about creating passwords otherwise attackers could gain … this could lead
to breaches in the personal accounts of millions of people everywhere.
With
that in mind This world is progressing more and more into the online space and
news about organizations being attacked and breached are becoming more and more
frequent. These attacks range from Phishing, social engineering, Password
attacks, and proxy’s that are aimed at retrieving personal information about
the user. Most of this information can be obtained before anybody every
realizes it. Because of the issue of weak passwords breaches have happened.
Surprisingly
there are many repercussions for organizations that have had breeches where the
case was due to negligence. For organizations it may cost the most the term
“you can pay now or you can pay later” refers to you polices you either pay to
comply with a network issue now or you wait until you have an issue and pay
then. During the investigation process the organizations practices and policies
will be scrutinized. If at any point the it is found that you did not comply
with regulatory update or fix common network issues the organization could be
facing fines on top of pay to comply to regulatory standards. Other financial
issues will occur below the surface in the form of insurance premium increase….
The data obtained is usually worth far more to the attacker because that
information could be sold and used for cyber-enabled fraud. The organization
would then have to go public with the breach. If no statement is made or no
information is given to the customers and stakeholders this could ruin the
reputation of the organization.
Provided
The worst thing is hiding crucial information about a breach. If a breach does
occur the organization has an obligation to informs its continuants. If the
breach is not handled correctly this may lead to negative coverage by press. If
the press is unrelenting the organization customers and stakeholders may choose
to use to do business with another provider. If that continues the organization
may never bounce back. This may also lead to downsizing or layoffs in and
attempt to save organization funds to pay fines and solve the issue. So to, may
the organizations employees may seek employment elsewhere. Although this may
not have a negative impact on the organization they may be brought out by another
organization.
The
breach may come to a close, all the parties have been notified, law enforcement
apprehended the attacker, and the organization may have dealt with the press in
a calm and organized fashion but where does that leave the organization itself?
Although this issue has been resolved what happens with the employees. There is
no way that any organization will not want to solve the issue but continued
negligence if this were to happen again. This could bring to the table a chance
to restructure the organizations continuity, security policies, add
consequences to those not following polices…
Types of Authentication Technologies
Smart cards
are credit card-sized devices that hold a small computer chip, which is used to
store public and private keys and other personal information used to identify a
person and authenticate him or her to the system. authentication card requires
that you physically insert, swipe, or tap the card to the reader
A
hardware token
also known as key fob is a small, programmable hardware device that provides
access to a physical object. hardware tokens can be used to generate one-time
passwords to authenticate to objects such as doors, automobiles, or computers.
The code usually lasting 30 to 60 seconds it grants access to the next stage of
authentication.
These
small devices known as USB keys
or flash drives now play a role in granting access to resources for users.
Using software can provide authentication security that protects access to
enterprise user accounts for websites, software, systems, and networks. The USB
hold files that are read by the system.
Types of Biometric Authentication
Technologies
http://searchsecurity.techtarget.com/definition/biometric-authentication
Retina scans produce an image of the blood vessel
pattern in the light-sensitive surface lining the individual’s inner eye.
Iris recognition is used to identify individuals based
on unique patterns within the ring-shaped region surrounding the pupil of the
eye.
Finger scanning, the digital version of the
ink-and-paper fingerprinting process, works with details in the pattern of
raised areas and branches in a human finger image.
Finger vein ID is based on the unique vascular pattern
in an individual’s finger.
Facial recognition systems work with numeric codes
called face prints, which identify 80 nodal points on a human face.
Human voice identification systems that is based
identifying unique characteristics of the human voice the speaker voice is
recorded and preforms a function to match their voice.
Where
have these technologies been applied, Ross, A., & Jain, A. (2003) informs
us that these systems have been used in a wide variety of places such as on
access to buildings, smartphones, tablets, computers systems, ATM. Primarily
focusing on phone and tablets there are a few security measures mobile
operators have included, swipe, which is no more than sliding your finger to
access the phone, Pin number, a four to sixteen-digit number provides medium to
high level in security, Password, which is the highest form of security on
older smartphones and cell phones. For added security Mobile operating system
providers are now integrated biometrics which would include fingerprint
scanning and facial recognition. These techniques will help reduce unauthorized
access in in case lost or stolen mobile device.
Furthermore,
unless government issued computers and laptops for the longest time without the
edition of extra equipment have only been using the basic password to
authenticate into it. So to like the smartphones, for business purposes laptops
have adopted the use of fingerprint scanning and facial recognition. On the
market we are starting to see keyboards and mice that support fingerprint
scanning. In lieu of other
technology biometric that both smart phones and tablets make use of TPM chip
was developed to due authentication and encryption.
Managing
how to secure users passwords to comply with the rules and regulation of the
organization should be the goal of network administrators. Training should mandatory for all employee’s and network admins
should create password policies and force users to follow the policies. setup
mandated training for protecting their passwords from hoax emails, phishing,
shoulder surfing,
One
of the easier solution to utilize throughout the organizations it Lightweight
Directory Access Protocol(LDAP). LDAP is a centralized system usually used as
an authentication database for usernames and passwords but also functions to
manage user data, security, and other resources. This allows many different
applications and services to connect to the LDAP server to validate users. LDAP
and be used in conjunction with Active Director and Novell eDirectory making it
a lot more versatile for multiple protocols.
Traveling
presents its own problems for network administrators. They should be using some
secure form of encrypted data transfer over an untrusted network. The best
solution the organization can use would be a VPN.
In
addition to a solution like using LDAP or Active Directory a new solution had
arisen. Most of the newer systems now support an embedded microchip known as the
Trusted Platform Module(TPM). The chip can do multiple things protect your
passwords by encrypting them, offer USB authentication on startup, and encrypt the
hard drive.
In
fact, on the market today there are several alternative solutions to solving
the issue of password management but these do not come without a cost.
Scarfone, K., & Souppaya, M. (2009) third alternative solution for
protecting the user’s password in order to be able to manage password
efficiently. there are third party program that offer solution: here are just a
few of the options available that could potential help with the ongoing issue
of password management.
Password Safe
is a program Designed by renowned security technologist Bruce Schneier that can
be downloaded and installed on multiple systems since it is free open source. This
software is and offline manager that carries little risk of being exposed by
using a master password to access it. this could also make it a single point of
failure because if the master password is forgotten the user/s can no longer
authenticate into any of their resources.
On the other hand, the
organization can choose to roll out an internet based solution like Lastpass.
“When passwords cause 81% of
breaches, they need to be your #1 security priority.” Lastpass
With that quote Lastpass
is absolutely correct and their solution isn’t a bad one. Lastpass operates for
individuals on browser and mobile device and can operate I the corporate
environment. With Lastpass you create a mater password that you then use to log
in to. Once in an individual should add all the sites that they access daily.
From the Lastpass interface you can launch into your site without having to
remember a password.
yubico
However,
if the organization wishes not to invest into any of those solutions, another
option is to use several types of authentication method consecutively, combining
them to what is known as two-factor authentication. With the growing number
of…. An organization could use two-factor authentication on computer system.
separate these systems may not work with today’s security standards but
organization should take advantage of using two-faction authentication if it’s
well within their budget.
What
will not work is depend on these technologies to replace using a password. Even
though these solutions work well they are not without their own issues. In the
… of the magnetic access cards they can be lost, stolen, and easily forgot.
They do wear after some time and will need to be replaced. Some of these card
can become demagnetized wiping all information from them. If lost or stolen
they would have to get replaced and that could cost the organization more in
the long run. These hardware tokens also expire every three to four years and
require that they be placed. Managing these become complicated because if
someone get their hands on one and it is not deactivated anyone can use it the
is no accountability for who is using it. While with USB administration runs
the Similar problem with how quick and convenient these have become however,
there is the risk that users could potentially save corporate data to the
device. Furthermore, these devices can’t be stripped of their information
remotely but they are cost effective and can easily be replace. to magnetic
access cards, hardware tokens (key fobs) and RFID can suffer under the same
issues. The cost per hardware token is higher. The same rules apply the
hardware token may generate a random access code but as an administrator there
is no way of knowing who is using it.
Finally,
what left is the organization need to recover from the attack. The organization
will have to interview all parties involved, review protocols, perform network
forensics, and inform law enforcement of the breach. They will need to provide
training for users about password consolidation and the negative impact it can
have on their personal information as well as the corporate information. Any
user who is using the same password to access multiple resources administrators
should follow policy and force users to utilize different passwords for the
resources they need access to. As well as helping users create complexed and
using techniques to properly remember their passwords. For now, the idea of
completely using a method other than a password is still far away as passwords
are will continue to be an issue within any organization, however obsolete
passwords may be. As we have seen regular alpha numeric password even with the
addition of the six special characters are outdated and needs to be replaced
with something far more secure. Using biometric systems on existing hardware
could become an expensive project to take on however it could make managing who
is logged onto a system easier to manage. One of the best solutions for those
with new computer system is to utilize the TPM chip of encrypt password,
encrypt data on the hard drive and that extra step for authentication. Remember
all these passwords can be hard, I know many of us have multiple accounts
throughout out our entire history online. Think of how many web sites you
access on a daily, then ask yourself if every access portal has a different
password. Think of how many times you have forgotten a password for an account.
Even managing you’re on passwords become difficult while applying the same
password or variant passwords over several account. Now imagine the trouble
your organizations network administrators have when trying to lock down
resources for every user while trying to protect the network from outside
threats. It’s not that simple is it?
References
“5
Workforce Management Issues Biometrics Solution Can Fix!” FINGERTEC OFFICIAL
BLOGSITE, 2 June 2016,
www.fingertecblog.com/2016/06/5-workforce-management-issues.html.
AlFayyadh,
B., Thorsheim, P., Jøsang, A., & Klevjer, H. (2012, May). Improving
usability of password management with standardized password policies. In 7eme
Conférence sur la Sécurité des Architectures Réseaux et Systemes d’Information
(7th Conference on Network and Information Systems Security)(SAR-SSI 2012).
Bhattacharyya,
D., Ranjan, R., Alisherov, F., & Choi, M. (2009). Biometric authentication:
A review. International Journal of u-and e-Service, Science and Technology,
2(3), 13-28.
Biometrics:
Frequently Asked Questions. (2017, May 19). Retrieved October 26, 2017, from
https://www.eff.org/sls/tech/biometrics/faq
Consumers
Lose Faith in Passwords. (2015, June). Retrieved November 28, 2017, from
https://www.telesign.com/wp-content/uploads/2015/06/TeleSign-Consumer-Account-Security-Report-2015-FINAL.pdf
TeleSign
Consumer Account Security Report
Jain,
A. K., Ross, A., & Prabhakar, S. (2004). An introduction to biometric
recognition. IEEE Transactions on circuits and systems for video technology,
14(1), 4-20.
Künnemann,
R., & Steel, G. (2012, September). YubiSecure? Formal security analysis
results for the Yubikey and YubiHSM. In International Workshop on Security and
Trust Management (pp. 257-272). Springer, Berlin, Heidelberg.
Küken,
A. (2017). Using Secure Login with Yubikey.
Lewis,
N. (n.d.). How do facial recognition systems get bypassed by attackers?
Retrieved December 01, 2017, from
http://searchsecurity.techtarget.com/answer/How-do-facial-recognition-systems-get-bypassed-by-attackers
Li,
Z., He, W., Akhawe, D., & Song, D. (2014, July). The Emperor’s New Password
Manager: Security Analysis of Web-based Password Managers. In USENIX Security
Symposium (pp. 465-479).
O’Gorman,
L. (2003). Comparing passwords, tokens, and biometrics for user authentication.
Proceedings of the IEEE, 91(12), 2021-2040.
P.
J. Phillips and J. R. Beveridge, “An introduction to
biometric-completeness: The equivalence of matching and quality,” 2009
IEEE 3rd International Conference on Biometrics: Theory, Applications, and
Systems, Washington, DC, 2009, pp. 1-5.
Rouse,
Margaret. “What Is Active Directory? – Definition from WhatIs.com.”
SearchWindowsServer, Oct. 2008,
searchwindowsserver.techtarget.com/definition/Active-Directory.
Ross,
A., & Jain, A. (2003). Information fusion in biometrics. Pattern
recognition letters, 24(13), 2115-2125.
Scarfone,
K., & Souppaya, M. (2009). Guide to enterprise password management (draft).
NIST Special Publication, 800(118), 800-118.
Standridge,
S. (2016, February 15). © 201 6 The SANS Institute Author retains full rights.
Password Management Applications and Practices. Retrieved October 28, 2017,
from
https://www.sans.org/reading-room/whitepapers/bestprac/password-management-applications-practices-36755
Schneier,
B. (1999). Biometrics: uses and abuses. Communications of the ACM, 42(8), 58.
Summers,
W. C., & Bosworth, E. (2004, January). Password policy: the good, the bad,
and the ugly. In Proceedings of the winter international synposium on
Information and communication technologies (pp. 1-6). Trinity College Dublin.
Tam,
L., Glassman, M., & Vandenwauven, M. (2011). The psychology of password
management: a tradeoff between security and convenience. Behaviour &
Information Technology, 30(6), 233-244. doi:10.1080/0144929x.2011.633354
Appendix
One in 14 Consumers (7
percent) report using at least one of the 25 most common passwords.
The most commonly used password in 2014 were 123456,
password, 12345, 12345678, qwerty, 123456789, 1234, baseball, dragon, football,
1234567, monkey, letmein, abc123, 111111, mustang, access, shadow, master,
michael, superman, 696969, 123123, batman, and trustno1. One in 14 consumers
say they have used one or more of them for their online accounts
(http://gizmodo.com/the-25-most-popular-passwords-of-2014-were-all-doomed-1680596951).
·
US consumers have used these easily
guessed passwords more than UK consumers: 12 percent vs. 3 percent.
·
Eleven percent of Millennials and 9
percent of Gen Xers have used one of these commonly stolen passwords, compared
with 2 percent of Boomers and 3 percent of Silent Generation online consumers.
·
More men (10 percent) than women (5
percent) have used the most
·
Common passwords
