“This is my own work, has been done solely by me and is not used for any other purposes other than to show my expertise in the field and inform enthusiasts of the subject. Any other usage is strictly prohibited.” -Omar Chaudhry
Every method of security requires a basic understanding of how to encode information so that it can be protected. Today, even rudimentary consumer electronic devices start up with the main priority of creating a password or unlocking with one. Network security is held to a generally high standard when it comes to cryptography, because of the ever-changing nature of rapidly growing technology. For this reason, authentication (verifying the user’s identity before granting access) is probably the most important and most valued aspect of security in technology. However, this also means that many baseline methods of authentication are prone to the same traditional weaknesses, and without proper implementation they can expose a network to a security breach. Many systems today incorporate the same strategies of authentication, and despite the stability and sophistication of those systems, the same weaknesses remain in the design of the strategies. In this paper, we discuss the traditional methods of authentication and the typical weaknesses that make them prone to attacks.
Keywords: Network Security, Encryption, Passwords, Authentication
The long-established encryption methods that are considered commonplace remain as necessary as any other requirement in technology, but depending on the security method in use, malware and attacks against systems appear and reappear with increasing sophistication. No matter how advanced a system’s encryption may be, all it takes is one failure in user authentication to compromise its security.
A quick and simple example many users have gone through is a password reset. Resetting a password is one of the basic building blocks of any general authentication scheme: the password is simply changed from one string of characters to a completely different string of characters.
Regularly changing a password is an effective way to instill a stronger level of authentication in basic day-to-day operations within a system. However, all of that becomes a moot point depending on how those passwords are stored within a database.
In an article by Jim Salter in 2018, an unnamed power supply company came under fire when a security research firm learned that the power company’s account recovery process emailed full account details on demand. This included email addresses, financial information, and most importantly, the passwords associated with the accounts. When a user resets a password in a properly designed system, they are asked to provide some other form of identification and then create a new password, rather than being told the old one. This is because, in theory, the old password was never stored in plain text.
One thing is certain about every system: at some point in the future it can be compromised. Literally every website has the potential to be breached, and given a realistic combination of circumstances, every system eventually will be. In such a situation, any data the website holds is dumped along with the compromise and the attackers make off with it. If the passwords are stored in an accessible manner on that website, they are among the things the attackers take with them.
Many businesses do not think about such a scenario. Eventually, someone who should not have access to confidential data is going to have it, whether the perpetrator is an inside employee with malicious intent or an external threat. Which one it is does not really matter, because the data is compromised either way.
The easiest option (and the safest and proper option, especially in 2020) is not to store that data at all. At the bare minimum, if those passwords had to be backed up, they should not have been stored in plain text. Not storing the data is not just the easiest and safest option; it is the only option that cannot be compromised. Speculatively speaking, one could store strongly hashed passwords (as hex digests) instead, but anything that involves storing password data always carries the opportunity for it to be taken for malicious purposes.
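As an added example (not from the paper or from the utility company it describes), the following Python shows the storage approach the paragraph contrasts with plaintext: each password is combined with a random salt and hashed with scrypt, only the salt and digest are kept, and verification recomputes the digest and compares it in constant time. The user table, the passwords in it and the scrypt cost parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: constructed values for this example (2**14 / 8 / 1 needs
# about 16 MiB per hash); a production deployment tunes these to its hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'scrypt$<salt hex>$<digest hex>'.

    The record is all that goes into the database; the password itself is
    never stored, so a dump of the table does not hand the attacker passwords.
    """
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per password defeats precomputed tables
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    candidate = _derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample user table. A breach exposes these records, not the passwords.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}


def login(username: str, password: str) -> bool:
    """Authenticate against the table. An unknown user still costs one hash, so the
    response time does not reveal whether the username exists."""
    record = USERS.get(username)
    if record is None:
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    print(USERS["alice"])  # what the database actually holds
    print(login("alice", "correct horse battery staple"), login("alice", "wrong"))
```

The point of the record format is that an account-recovery process built on this table cannot email anyone their password, because the system never has it; the only possible recovery flow is the one the paper describes, in which the user proves their identity another way and sets a new password.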
This sounds like a niche scenario, but many companies adopt this approach to password resets because it is a fast, user-friendly solution. Tech-illiterate employees and users can regain access to their accounts without having to go through the long, drawn-out processes that exist precisely to avoid compromising their data.
Rather than using a password, users can instead rely on an authentication method that stays on their person and is never stored in plaintext. Biometrics, or authentication based on the user’s biological properties (Pfleeger, 2015), has become a popular and user-intuitive method of authentication, both on its own and in conjunction with two-factor authentication. On a cursory level, biometric authentication seems to address many of the concerns that come with plaintext passwords: users are less likely to need a password reset, and the “password” is on their person at all times. And given the intricate architecture of biological data, it is rather difficult to replicate the complexities of the human body in order to fool biometric authentication. Basic tech consumers who fail to protect their passwords can effectively keep their password on their person at all times by using biometric authentication.
However, these advantages come with caveats that can become drastic flaws, to the point where the cons outweigh the pros. First, unlike a traditional password, biometrics only provide digital information derived from one's biological properties. This is not always a precise measure and can result in false negatives or false positives, meaning that the correct user could be denied access while a foreign threat could be granted it.
An additional risk is the inability to change one's authentication. When a password is compromised, we can always change or reset it; we are incapable of changing our biological properties. If biometric data is compromised, users will have to change their overall method of authentication.
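The false-positive/false-negative trade-off described above can be made concrete. The following Python is an added example, not from the paper or from any biometric vendor: it takes constructed match scores from a hypothetical matcher (higher means a closer match) for the genuine user and for impostors, and computes the false reject rate (FRR, the correct user denied) and the false accept rate (FAR, a foreign threat admitted) at each decision threshold. Because the two score ranges overlap, no threshold drives both rates to zero, which is exactly why biometrics are not a precise measure.

```python
from typing import List, Sequence, Tuple

# Constructed match scores (0.0 to 1.0) from a hypothetical matcher.
# Genuine = the enrolled user presenting again; impostor = someone else.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.65, 0.58]
IMPOSTOR_SCORES = [0.12, 0.21, 0.33, 0.41, 0.47, 0.55, 0.61, 0.70]


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FRR, FAR) when a presentation is accepted iff score >= threshold."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)     # false negatives
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)  # false positives
    return frr, far


def sweep(genuine: Sequence[float], impostor: Sequence[float],
          thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """Tabulate (threshold, FRR, FAR) so the trade-off can be inspected."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          thresholds: Sequence[float]) -> float:
    """Threshold at which FRR and FAR are closest. The error rate there (the EER)
    is the usual one-number summary of a biometric system's accuracy."""
    def gap(t: float) -> float:
        frr, far = error_rates(genuine, impostor, t)
        return abs(frr - far)
    return min(thresholds, key=gap)


if __name__ == "__main__":
    grid = [i / 100 for i in range(101)]
    for t, frr, far in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.75]):
        print(f"threshold {t:.2f}: FRR {frr:.3f}  FAR {far:.3f}")
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, grid))
```

Raising the threshold lowers FAR at the cost of FRR and vice versa; an operator picks the point on that curve that matches the risk of the protected resource, and the only way to improve both at once is a better sensor or matcher.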
The first way to strengthen a traditional password (and any encryption protected by it) is to increase its length. The longer it takes an attacker to decode the secret, the stronger it is. Many website accounts require a minimum length for their passwords; the reason, in short, is that longer passwords are harder to decode. Passwords with more characters are stronger than passwords of shorter length.
According to the US National Institute of Standards and Technology (NIST), "Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character." With that said, most websites and services have limits on how many characters can be used in a password.
If a service alerts the user that a password contains too many characters, the user can shorten it until it reaches the maximum that is allowed. That constraint makes storing passwords on a system's back-end manageable, but it can still leave an opening for vulnerability depending on the character limit.
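The NIST length rules quoted above translate directly into verifier code. The following Python is an added example, not NIST's or the paper's: it implements the SHALL/SHOULD items from the quotation (minimum 8, permit 64, collapse runs of spaces before checking, count Unicode code points, never truncate) and, for contrast, the truncating behaviour the guideline forbids. The 64-character cap and the rejection of control characters are constructed choices for this example rather than NIST requirements.

```python
import re
import unicodedata
from typing import Tuple

MIN_LEN = 8    # NIST: verifiers SHALL require at least 8 characters
MAX_LEN = 64   # NIST: verifiers SHOULD permit at least 64; the exact cap here is a constructed choice


def normalize_secret(secret: str) -> str:
    """Apply the one allowance NIST makes for mistyping: collapse runs of spaces
    into one. Nothing is truncated and Unicode is left exactly as typed."""
    return re.sub(r" {2,}", " ", secret)


def check_length_policy(secret: str) -> Tuple[bool, str]:
    """Accept or reject a subscriber-chosen secret under the NIST length rules.

    len() on a Python str counts Unicode code points, which is how NIST says
    characters are to be counted, so an emoji or an accented letter counts as one.
    """
    normalized = normalize_secret(secret)
    n = len(normalized)
    if n < MIN_LEN:
        return False, f"too short: {n} code points, minimum is {MIN_LEN}"
    if n > MAX_LEN:
        return False, f"too long: {n} code points, maximum is {MAX_LEN}"
    # Assumption for this example: reject control characters (Unicode category Cc)
    # because they cannot be reliably re-entered. Every printing ASCII character,
    # the space, and all other Unicode pass through untouched.
    if any(unicodedata.category(ch) == "Cc" for ch in normalized):
        return False, "control characters are not allowed"
    return True, "ok"


def truncating_verifier(secret: str, limit: int = 16) -> str:
    """The anti-pattern NIST forbids: silently cutting the secret at a fixed limit.
    Two different long passphrases collide, so the extra length bought nothing."""
    return secret[:limit]


if __name__ == "__main__":
    for s in ["hunter2", "correct horse battery staple", "caf\u00e9 au  lait", "\U0001F512" * 8]:
        print(repr(s), "->", check_length_policy(s))
```

A verifier that enforces a low maximum, as many of the services mentioned above do, should at least tell the user so, as in the second branch here, rather than truncate silently: silent truncation is what turns a 28-character passphrase into a 16-character one without the user knowing.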
Increasing the complexity of a password is another method of strengthening it. To make a password more complex, one increases the variety of characters used in it, so that the password draws on all the character classes: uppercase letters, lowercase letters, numbers and special characters. According to Steve Gibson on his podcast Security Now, "The larger the space, that is, the greater the number of combinations of wrong passwords the attacker has to try during a brute-force, try-everything attack, the greater the security we have. So the first thing that says, the most obvious thing that says is longer is better. The longer it is, the better it is. Because length is one way we know - for example, say that we just had all lowercase. Don't do that, but say that we did because it makes the math easy for a second. Then every time we add one lowercase letter to lengthen our password, we've made it 26 times harder to attack us because, as we all know from the way binary works and even decimal, it's like, if it's easier to think of it in terms of decimal, we just imagine passwords as digits zero through nine. Every time you add a digit, it's 10 times more of them. We understand well how that works in decimal. The same thing works with alphabets and passwords. This so longer clearly extends the password search space. And since the attacker doesn't, has no feedback as to the length of our particular password, and they're hoping we've done something dumb and used a small one, they start at the low end."
Gibson reinforces the necessity of expanding the set of characters (the “alphabet” of the password) to be as large as possible. A numeric password with characters ranging from 0 to 9 is the weakest case: “the worst you could possibly do would be a digits-only password because each character only makes it 10 times stronger. Whereas, for example, if it was lowercase, each character makes it 26 times stronger because you've got an alphabet of 26. But if you put in even just one uppercase character, suddenly now that's radically stronger because the alphabet is lowercase 26 plus uppercase 26, which is to say, by putting in an uppercase character, you have made the attacker use brute forcing that includes uppercase.”
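The arithmetic in the two quotations above, together with the length argument earlier in the paper, can be written out. This is an added example, not from Gibson or from the paper: it computes the search space alphabet^length, the cumulative work for an attacker who starts at short lengths, the equivalent bits of entropy, and a worst-case time to exhaust the space at an assumed guess rate. The guess rate and the sample passwords are constructed for illustration, and the "alphabet forced by the password" idea is Gibson's point that one uppercase letter makes the attacker include the whole uppercase class.

```python
import math
import string

# Character classes an attacker would have to include in a brute-force alphabet.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # the 32 printing ASCII symbols
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters: alphabet_size ** length."""
    return alphabet_size ** length


def cumulative_search_space(alphabet_size: int, length: int) -> int:
    """Gibson's observation that an attacker starts at the low end: total candidates
    of lengths 1 through `length`, which is what a try-everything attack works through."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same search space expressed in bits: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def minimal_alphabet(password: str) -> int:
    """Size of the smallest union of classes the attacker cannot skip, given which
    classes actually appear; a single uppercase letter pulls in all 26 uppercase."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an attacker trying every length up to the password's
    over the alphabet the password forces. The rate is a constructed assumption."""
    return cumulative_search_space(minimal_alphabet(password), len(password)) / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # constructed: ten billion guesses per second against a fast hash
    for pw in ["123456", "password", "Password", "P4ssw0rd!", "correcthorsebatterystaple"]:
        a = minimal_alphabet(pw)
        print(f"{pw!r:28} alphabet {a:3}  {entropy_bits(a, len(pw)):6.1f} bits  "
              f"{seconds_to_exhaust(pw, rate):.3g} s")
```

Running the table shows both of Gibson's claims at once: adding one character multiplies the space by the alphabet size, and widening the alphabet from 26 to 52 with a single uppercase letter makes an 8-character password roughly 2^8 times harder than an all-lowercase one of the same length. The figure is an upper bound on the attacker's work; a dictionary or leaked-password list finds common choices far faster than this arithmetic suggests.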
Let's broaden the scope of authentication from one password to the multitude of passwords a user might store. According to the Center for Internet Security, between 31% and 55% of people use the same password at multiple sites. No matter how strong a password is, if it is used for multiple accounts, the user is at risk.
There is only one way to keep that single vulnerability from compromising the user's identity: the user must make passwords unique. It is imperative to use a different password for every account.
To do this, a user would need to adopt one of the following options: memorize multiple passwords, use a secret but unpredictable password scheme, or, the most likely strategy, use a password manager. Most organizations incorporate the use of a password manager, typically for executives or employees at the higher levels. In a password manager, the user creates long, complex and unique passwords with the help of a password generator built into the manager. The passwords are then stored under one master password that the user has to know. This is the only password the user needs to remember, as the password manager has saved all of the stronger passwords and can supply them whenever authentication is needed.
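Two of the manager's jobs described above, generating strong unique passwords and ensuring no two accounts share one, are shown in the following Python. This is an added example, not the code of any password manager product or of the paper: it models the decrypted vault as a plain dictionary (the encryption under the master password is left out), generates passwords with the operating system's cryptographic random source, and runs the reuse audit that a manager can perform because it, unlike the websites, holds the plaintext secrets. The vault contents are constructed.

```python
import secrets
import string
from collections import defaultdict
from typing import Dict, List, Set

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printing ASCII characters


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character uniformly with the OS CSPRNG (secrets, never random),
    retrying until each class is present so the result forces the full alphabet."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def find_reused(vault: Dict[str, str]) -> List[Set[str]]:
    """Group the sites that share a password. One breached site in a group exposes
    the rest, which is the risk the reuse statistic above describes."""
    sites_by_password: Dict[str, Set[str]] = defaultdict(set)
    for site, password in vault.items():
        sites_by_password[password].add(site)
    return [sites for sites in sites_by_password.values() if len(sites) > 1]


def rotate_to_unique(vault: Dict[str, str], site: str, length: int = 20) -> str:
    """Replace `site`'s password with a generated one that collides with nothing stored."""
    while True:
        candidate = generate_password(length)
        if candidate not in vault.values():
            vault[site] = candidate
            return candidate


def fix_reuse(vault: Dict[str, str]) -> Dict[str, str]:
    """For every group of sites sharing a password, keep the first (alphabetically)
    and give each of the others a fresh unique password."""
    for group in find_reused(vault):
        for site in sorted(group)[1:]:
            rotate_to_unique(vault, site)
    return vault


# Constructed vault as it would look after decryption with the master password.
SAMPLE_VAULT = {
    "bank": "Summer2020!",
    "email": "Summer2020!",
    "forum": "Summer2020!",
    "shop": "Tr0ub4dor&3",
}

if __name__ == "__main__":
    vault = dict(SAMPLE_VAULT)
    print("reused before:", find_reused(vault))
    fix_reuse(vault)
    print("reused after:", find_reused(vault))
```

In a real manager the rotated passwords would also have to be changed at each site; the audit only tells the user where reuse exists, which is the step the 31% to 55% of users who reuse passwords never get to see.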
This addresses many of the key points discussed earlier regarding what to implement in strong password authentication. In fact, when managed correctly, there are very few downsides to using a password manager. The few concerns to consider come down to the user's ability to protect that one master password. In a comparative analysis by Michael Fagan (Fagan et al., 2017), 248 users were interviewed on their thoughts regarding the use of password managers in a professional setting. Users who supported the use of password managers felt a stronger sense of security and positivity when browsing the internet.
Overall, each factor of authentication has its own advantages; there is a reason they are all used in different systems on a regular basis. Yet a recurring theme among weaknesses in authentication can be traced back to negligence on the part of the users themselves. Ease of use, despite its popularity as a goal when creating methods of authentication, is a key contributing factor in such negligence.
Deliberately building a degree of inconvenience into password authentication is a tried and tested strategy that has succeeded in many systems and enterprises. Requiring real effort on the attacker's part is the best practice for developing strong authentication, and when that is paired with responsible users, a user can rest assured that their information is secure, thanks to proper practices in strong password authentication.
Salter, J. (2019, February 25). Plain wrong: Millions of utility customers' passwords stored in plain text. Ars Technica. Retrieved October 14, 2020, from https://arstechnica.com/tech-policy/2019/02/plain-wrong-millions-of-utility-customers-passwords-stored-in-plain-text
Satzinger, J. W., Jackson, R. B., & Burd, S. D. (2012). Systems analysis and design in a changing world. Boston, MA: Course Technology, Cengage Learning.
Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in computing. Upper Saddle River, NJ: Pearson Education.
National Institute of Standards and Technology. (2017). Digital identity guidelines: Authentication and lifecycle management (NIST Special Publication 800-63B). Retrieved from https://pages.nist.gov/800-63-3/sp800-63b.html
Gibson, S. (2011, June 1). Password haystacks (Security Now, Episode 303) [Audio podcast]. Retrieved from https://www.grc.com/sn/past/2011.htm
Fagan, M., Albayram, Y., Khan, M. M. H., et al. (2017). An investigation into users’ considerations towards using password managers. Human-centric Computing and Information Sciences, 7, 12. https://doi.org/10.1186/s13673-017-0093-6