Passwords - a question of discipline

Apr 07, 2020

In addition to many memories and general knowledge, several passwords are buzzing around in our minds. They now belong to us like our clothes, our mobile phone or our front door key. Whether it's the e-mail password (e.g. "password1234") or the password for Amazon (e.g. "fdbuo98!4d"), nearly all online services rely on passwords. But why does almost everyone use them, even though you read over and over again how insecure they are?

How insecure are passwords in reality?

It may surprise you, but passwords are one of the most secure methods you can use to secure data or access - theoretically. But why?

In IT-Security, authentication methods are divided into three categories:

1) Secret knowledge means that the valid user is the only one who knows a secret (e.g. a password).

2) Possession means that the valid user is the only one who owns a physical object (e.g. the front door key).

3) Biometrics (inherence) means that the valid user uses one of their own biometric features (e.g. a fingerprint).

To bypass an authentication, the attacker must get hold of the feature used or a copy of it.

This is most obvious for the possession category. The attacker must either steal it or come into possession of it for a short time to create an exact copy. With over 100,000 pickpockets per year in Germany, you can imagine that with the appropriate energy, it is relatively easy to steal the possession feature. One always thinks that "this will not happen to me". But in reality, it's more likely that no one has ever been interested in you and you've just been lucky with the "random thieves", who might also be more interested in the other valuables in your pockets.

While theft is usually noticed relatively quickly, a short absence is less noticeable. During this time, however, malware can be installed on the mobile phone or a key copy can be created. This can happen within seconds.

As soon as such an incident is known, the possession item must be exchanged - e.g. a new door lock when the key is gone. With the copies, it is undoubtedly more complicated, because you might not even recognize the connection. After all, the short-term loss of possession might not have been noticed at all.

But biometrics, that's safe. Yes, but also not insurmountable. In times when cameras are becoming more and more high-resolution, you can already copy a fingerprint with a photo from a medium distance. It is even easier if you use drinking glasses. Of course, a certain amount of energy is required as well, but it is challenging to protect yourself against this. Face recognition can also be tricked with photos or figures, but it becomes more complicated from time to time.

The same applies to iris scans. With the necessary energy, most biometric features can be copied, and in such a way that the right user does not even notice it, which is even worse than realizing it.

However, a big problem with biometrics is that it cannot be changed. Once a copy of your fingerprint is in circulation, the biometric feature is "burned", because it is quite challenging to change your fingerprint.

So knowledge is supposed to be the cure-all? Yes, at least in theory. Copying or stealing knowledge is difficult. The easiest way is to record the input, either with a program that records the input on the keyboard or with a camera at a convenient angle. And otherwise? Well, you can ask for it more or less nicely. And that's the problem with knowledge-based authentication methods. The knowledge has to stay in your head, and since humans are not trained to store unrelated knowledge, they often use logical consequences.

Do you remember the two password examples at the beginning of the article? Even if you have to scroll up again, you would remember one much better than the other, because the first one has an apparent reference and is logically structured. It should also be evident that it is the insecure one, although it is even longer. Not only does the right user remember the logical sequence better, but an attacker can also draw such logical conclusions. And even if you use your house number, your street, the name of your mother, uncle or pet in the password, believe me, all of this is available online, or perhaps there is something more behind the phrase:

"You have a beautiful dog, what's his name?" When in reality, it is not small talk between you and another dog owner, but an attack on your company's network.

Do not make it (too) easy for the attackers to get your passwords!

There are two different attack scenarios: You are deliberately chosen, or you are simply a random victim because you've made it too easy for the attackers. If you assume an attack from outside, then it is very likely that you are a random victim. There are enough pseudo-hackers who have fun looking for accounts with simple passwords and hacking them.

"Ok, so I'll use random character combinations."
Good idea, but the problem is that you have to remember them.
"Ok, so I'll use the same combination everywhere, I can remember one."
Economical, but do you want to have one central key for all of the doors? Especially if they are secured differently, and every suitable key (including your master key) can be deduced from the lock of the door?
"Ok, well, then I'll use a different one everywhere and write them down."
And stick them on your screen... The cleaner, the installer and the visitor will be pleased about it...

The right level of security in your company

Humans make their lives as easy as possible, and they are true masters in bypassing rules. You have to keep the restrictions for the right/valid users as low as possible so that they accept and follow the security measures. In particular, this means that they should not be required to change passwords in a specific cycle, because then "Password2019" will only turn into "Password2020". With this, you bring in a pattern that makes it easier for every employee to remember new data, but it makes it much more insecure at the same time because the attackers can also get hold of the pattern. Alternatively, your employees can start writing down their passwords, and thus the knowledge becomes a possession, which is easier to steal or copy.

If you have critical information, you should instead use two-factor authentication (but please don't do it the way most banks do: on the same device) or biometric security. In both cases, however, it is crucial to implement them correctly and to use secure systems. Otherwise, you will only feign security, and this is usually even more dangerous. In which situation would you pay more attention to your mobile phone: at a party with your friends or in a crowded subway? Personally, I am more carefree with my friends because I feel safer around them.

But make sure that all measures remain within a user-friendly framework, or your employees will undermine the security measures. For example, if you ask for a password every time they perform an action, it will get shorter and shorter, or if you demand that a USB token be present, it will still be resting in the computer during the break - if not even after work.

Seven tips for more and accepted security

1) Use passwords that are composed of several random words (e.g. AppleSauceHouseLilaCatCatBanana) and that are different for each service. Alternatively, think up a sentence for each service and use its first letters as a password.

2) Change your passwords (only) if necessary (e.g. if an attack on this service becomes known) and not in specific cycles.

3) Be careful not to write down your passwords, e.g. in a notepad, or stick them on the screen.

4) Use two-factor authentication for particularly vital features. You should use two variants as factors that are as convenient as possible. Pay special attention to the implementation because many applications are error-prone.

5) Make sure that you are unobserved during password entry.

6) Do not share your password with others (actually, this is a matter of course, but in many companies, the same accounts are used by several employees, who must share their passwords accordingly).

7) Use a password manager, so you only have to remember one password (then please remember a particularly secure one according to tip 1) and can use secure passwords such as "dgso23908fekjbxvp!E=DFHklj2E)f" in all other services.
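Tip 1 only holds if the words are really chosen at random, so a program should pick them, not a person. The following added example (not part of the original article) draws a seven-word passphrase with a cryptographic random source and compares its strength in bits with a random character password; the 32-word list is constructed for illustration, and 7776 words (a five-dice word list) and 94 printable characters are assumptions for the comparison.

```python
import math
import secrets

# Constructed sample list (32 unique lowercase words) for illustration only.
# A real list should be far larger, e.g. 7776 words for a five-dice list.
SAMPLE_WORDS = [
    "apple", "sauce", "house", "lilac", "cat", "banana", "river", "stone",
    "cloud", "tiger", "piano", "lemon", "bridge", "candle", "forest", "rocket",
    "garden", "window", "copper", "button", "harbor", "marble", "pepper",
    "saddle", "thunder", "velvet", "walnut", "zipper", "anchor", "basket",
    "desert", "falcon",
]


def generate_passphrase(words, count):
    """Draw `count` words independently and uniformly with a CSPRNG.

    Words are capitalised before joining so that word boundaries stay
    unambiguous and every draw contributes its full entropy.
    """
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def passphrase_bits(list_size, count):
    """Entropy of `count` uniformly drawn words from a list of `list_size`."""
    return count * math.log2(list_size)


def random_string_bits(alphabet_size, length):
    """Entropy of `length` uniformly drawn characters."""
    return length * math.log2(alphabet_size)


def words_needed(list_size, target_bits):
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 7))
    print(f"7 words from 32:   {passphrase_bits(32, 7):.1f} bits")
    print(f"7 words from 7776: {passphrase_bits(7776, 7):.1f} bits")
    print(f"10 random chars:   {random_string_bits(94, 10):.1f} bits")
    print("words to match 10 chars:", words_needed(7776, random_string_bits(94, 10)))
```

These figures apply only to randomly generated secrets; a password like "password1234" is long but follows a pattern an attacker tries first, so its length says nothing about its strength.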

VIPFY offers an integrated password manager in its business suite. Thanks to a unique feature, the individual employees do not even get to see the service passwords, and the accounts and passwords can be managed centrally by the administrator. Accounts can also be assigned to several users so that even in the case of shared accounts, the access data does not have to be published. By additionally activating two-factor authentication for the VIPFY account, all services can be secured with this technology.


VIPFY is supported by the CISPA Helmholtz Centre for Information Security and the Federal Ministry of Education and Research.

Nils Vossebein

Along with Sophie