
Module VIII: Password (2L)

About Password, Different types of password (Biometric, Pattern based, Graphical password),
Strong Password technique, Types of Password attacks

About Password :
A password, sometimes called a passcode,[1] is a memorized secret, typically a string of characters,
usually used to confirm the identity of a user.[2] Using the terminology of the NIST Digital Identity
Guidelines,[3] the secret is memorized by a party called the claimant while the party verifying the
identity of the claimant is called the verifier. When the claimant successfully demonstrates
knowledge of the password to the verifier through an established authentication protocol,[4] the
verifier is able to infer the claimant's identity.
In general, a password is an arbitrary string of characters including letters, digits, or other symbols. If
the permissible characters are constrained to be numeric, the corresponding secret is sometimes
called a personal identification number (PIN).
Despite its name, a password does not need to be an actual word; indeed, a non-word (in the
dictionary sense) may be harder to guess, which is a desirable property of passwords. A memorized
secret consisting of a sequence of words or other text separated by spaces is sometimes called
a passphrase. A passphrase is similar to a password in usage, but the former is generally longer for
added security.

Different types of password :

Biometric password:

Biometric authentication tools record a unique physical characteristic of the
user, such as a fingerprint, iris scan or facial pattern. Typically the user will
have a user ID and password in addition to a biometric logon. Here is a
textbook example of two-factor authentication: something you know combined
with something you are. Biometrics is then part of a defense-in-depth strategy
that protects system access. If one factor is cracked, the other, hopefully, will
still block malicious access.

But fingerprints can be spoofed, and images of them can be stolen, just like
user IDs and passwords. The same can be said for a system based on facial
recognition. A photograph of the user could be used to fake out the system, if
the machinery is not properly configured.

There are other barriers to the growth of biometric authentication. First, it's
difficult to compare systems equally, particularly when analyzing costs and
implementation in an enterprise architecture. A fingerprint reader, for example,
is set up differently than a voice recognition system or an iris scanning
machine. Second, biometric technology is difficult to implement and requires a
heavy investment in hardware and software, more so than simple password
systems. Third, there is the question of customer acceptance and ease of use.
Many people would be squeamish about looking into a beam that measures
the iris.

Pattern based password :

Android's pattern lockscreen is an alternative to having a password or
PIN; instead of typing something in, you just draw some lines between
nodes. It's easier to remember—and easier to enter—than pecking keys
on a keyboard. But as Marte Løge, a graduate of the Norwegian University
of Science and Technology, found out, there are lazy patterns just like
there are lazy passwords. They're easy to guess, and you're probably
using one.
For her master's thesis, Løge examined some 4,000 lock patterns and
discovered a set of common bad practices: the pattern-lock equivalent of
starting your passwords with "123." Nearly half the patterns started on
the node in the upper left corner of the screen, and over three quarters
started from one of the four corner nodes. Add to that the fact that many
of the patterns only went through four nodes (out of a maximum of
nine), and the patterns become exceedingly easy to guess. You can
narrow down the pool of options to just a few hundred, easily. She also
found that men and women tend to create patterns in distinct and
predictable ways.

But if you're using a pattern password, there are ways to make it better.
As Løge told Ars Technica, a few tips are to use a whole bunch of nodes,
try to make the pattern cross over itself a bunch so it's hard to read from a
distance, and turn off "show pattern" in your security settings. And
maybe don't start from the top-left node. Now that you know what the
"123password" of pattern locks looks like, you have no excuse to still be
using it.

Graphical password :
A graphical password or graphical user authentication is a form
of authentication using images rather than letters, digits, or special characters. The type of images
used and the ways in which users interact with them vary between implementations.

Image sequence
Graphical passwords frequently require the user to select images in a particular order or respond to
images presented in a particular order.

Image-generated text
Another graphical password solution creates a one-time password using a randomly generated grid
of images. Each time the user is required to authenticate, they look for the images that fit their
pre-chosen categories and enter the randomly generated alphanumeric character that appears in the
image to form the one-time password.

Facial recognition
One system requires users to select a series of faces as a password, utilizing the human brain's
ability to recall faces easily.

[Note on CAPTCHA: A CAPTCHA (/kæp.tʃə/, a contrived acronym for "Completely Automated
Public Turing test to tell Computers and Humans Apart") is a type of challenge–response test used
in computing to determine whether or not the user is human.

CAPTCHAs are, by definition, fully automated, requiring little human maintenance or intervention to
administer, producing benefits in cost and reliability.
The algorithm used to create the CAPTCHA must be made public, though it may be covered by a
patent. This is done to demonstrate that breaking it requires the solution to a difficult problem in the
field of artificial intelligence (AI) rather than just the discovery of the (secret) algorithm, which could
be obtained through reverse engineering or other means.
Modern text-based CAPTCHAs are designed such that they require the simultaneous use of three
separate abilities—invariant recognition, segmentation, and parsing—to correctly complete the task
with any consistency.[13]

● Invariant recognition refers to the ability to recognize the large amount of variation in the shapes
of letters. There are nearly an infinite number of versions for each character that a human brain
can successfully identify. The same is not true for a computer, and teaching it to recognize all
those differing formations is an extremely challenging task.
● Segmentation, or the ability to separate one letter from another, is also made difficult in
CAPTCHAs, as characters are crowded together with no white space in between.
● Context is also critical. The CAPTCHA must be understood holistically to correctly identify each
character. For example, in one segment of a CAPTCHA, a letter might look like an "m". Only
when the whole word is taken into context does it become clear that it is a u and an n.
Each of these problems poses a significant challenge for a computer, even in isolation. The
presence of all three at the same time is what makes CAPTCHAs difficult to solve.]

Weaknesses
When not used in a private setting, graphical passwords are typically more susceptible than
text-based passwords to "shoulder-surfing attacks", in which an attacker learns the password by
watching the screen as a user gains access.

Strong Password technique, Types of Password attacks:

How does a password get hacked?

Cybercriminals have several password-hacking tactics at their disposal, but
the easiest one is simply to buy your passwords off the dark web. There's big
money in the buying and selling of login credentials and passwords on the
black market, and if you've been using the same password for many
years, chances are it's been compromised.

But if you've been wise enough to keep your passwords off the aggregated
black market lists, cybercriminals have to crack them. And if that's the case,
they're bound to use one of the methods below. These attacks can be aimed
at your actual accounts or possibly at a leaked database of hashed
passwords.

Brute force attack

This attack tries to guess every combination in the book until it hits on yours.
The attacker automates software to try as many combinations as possible in
as quick a time as possible, and there has been some unfortunate headway
in the evolution of that tech. In 2012, an industrious hacker unveiled a
25-GPU cluster he had programmed to crack any 8-character Windows
password containing uppercase and lowercase letters, numbers, and
symbols in less than six hours. It has the ability to try 350 billion guesses per
second. Generally, anything under 12 characters is vulnerable to being
cracked. If nothing else, we learn from brute force attacks that password
length is very important. The longer, the better.

Dictionary attack

This attack is exactly what it sounds like — the hacker is essentially attacking
you with a dictionary. Whereas a brute force attack tries every combination of
symbols, numbers, and letters, a dictionary attack tries a prearranged list of
words such as you'd find in a dictionary.

If your password is indeed a regular word, you'll only survive a dictionary
attack if your word is wildly uncommon or if you use multiple-word phrases,
like LaundryZebraTowelBlue. These multiple-word phrase passwords
outsmart a dictionary attack: the attack reduces the space it has to search
to the number of candidate words raised to the power of the number of
words in the phrase, as explained in the "How to Choose a
Password" video by Computerphile.

Phishing

That most loathsome of tactics — phishing — is when cybercriminals try to
trick, intimidate, or pressure you through social engineering into unwittingly
doing what they want. A phishing email may tell you (falsely) that there's
something wrong with your credit card account. It will direct you to click a
link, which takes you to a phony website built to resemble your credit card
company. The scammers stand by with bated breath, hoping the ruse is
working and that you'll now enter your password. Once you do, they have it.

Phishing scams can try to ensnare you through phone calls too. Be leery of
any robocall you get claiming to be about your credit card account. Notice
the recorded greeting doesn’t specify which credit card it’s calling about. It’s
a sort of test to see if you hang up right away or if they’ve got you “hooked.”
If you stay on the line, you will be connected to a real person who will do
what they can to wheedle as much sensitive data out of you as possible,
including your passwords.

The anatomy of a strong password
Now that we know how passwords are hacked, we can create strong
passwords that outsmart each attack (though the way to outsmart a phishing
scam is simply not to fall for it). Your password is on its way to being
uncrackable if it follows these three basic rules.

Don’t be silly

Stay away from the obvious. Never use sequential numbers or letters, and for
the love of all things cyber, do not use “password” as your password. Come
up with unique passwords that do not include any personal info such as your
name or date of birth. If you’re being specifically targeted for a password
hack, the hacker will put everything they know about you in their guess
attempts.

Can it be brute force attacked?

Keeping in mind the nature of a brute force attack, you can take specific
steps to keep the brutes at bay:

● Make it long. This is the most critical factor. Choose nothing shorter than
15 characters, more if possible.
● Use a mix of characters. The more you mix up letters (upper-case and
lower-case), numbers, and symbols, the more potent your password is, and
the harder it is for a brute force attack to crack it.
● Avoid common substitutions. Password crackers are hip to the usual
substitutions. Whether you use DOORBELL or D00R8377, the brute force
attacker will crack it with equal ease. These days, random character
placement is much more effective than common leetspeak* substitutions.
(*leetspeak definition: an informal language or code used on the Internet, in
which standard letters are often replaced by numerals or special characters.)
● Don’t use memorable keyboard paths. Much like the advice above not to
use sequential letters and numbers, do not use sequential keyboard paths
either (like qwerty). These are among the first to be guessed.

Can it be dictionary attacked?

The key to staving off this type of attack is to ensure the password is not just
a single word. Multiple words will confuse this tactic — remember, these
attacks reduce the space they must search to the number of candidate words
raised to the power of the number of words in the phrase, as explained in the
popular XKCD post on this topic.
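As an added illustration of the reasoning in the brute force, dictionary attack and "Can it be brute force attacked?" passages (this script is not code from the original page), the following sizes the search space for character passwords and word-based passphrases and times an exhaustive search at the 350 billion guesses per second quoted above; the dictionary sizes are assumptions chosen for illustration, not figures from the text.

```python
import math
import string

# Guess rate the page quotes for the 2012 25-GPU cluster (guesses per second).
GUESSES_PER_SECOND = 350e9

# Upper-case, lower-case, digits and ASCII symbols (space excluded): 94 characters.
FULL_CHARSET = len(string.ascii_letters + string.digits + string.punctuation)


def brute_force_guesses(length, charset_size=FULL_CHARSET):
    """Search space an exhaustive attack must cover: charset_size ** length."""
    return charset_size ** length


def dictionary_guesses(word_count, dictionary_size):
    """Search space for a phrase of word_count words drawn from a dictionary_size-word
    list: dictionary_size ** word_count, the exponent rule the page describes."""
    return dictionary_size ** word_count


def seconds_to_exhaust(guesses, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given rate."""
    return guesses / rate


def entropy_bits(guesses):
    """Equivalent strength in bits: log2 of the search space."""
    return math.log2(guesses)


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(label, guesses):
    """Summarise one password scheme as (label, bits, worst-case search time)."""
    return label, round(entropy_bits(guesses), 1), human_time(seconds_to_exhaust(guesses))


if __name__ == "__main__":
    # Constructed cases; the dictionary sizes are assumptions, not figures from the page.
    cases = [
        report("8 chars, full charset", brute_force_guesses(8)),
        report("12 chars, full charset", brute_force_guesses(12)),
        report("15 chars, full charset", brute_force_guesses(15)),
        report("1 word from 170,000-word dictionary", dictionary_guesses(1, 170_000)),
        report("4 common words from 20,000-word list", dictionary_guesses(4, 20_000)),
        report("4 uncommon words from 500,000-word list", dictionary_guesses(4, 500_000)),
    ]
    for label, bits, worst_case in cases:
        print(f"{label:42} {bits:6.1f} bits  exhaustive search: {worst_case}")
```

The 8-character case lands under six hours at that rate, matching the page's claim, while a four-word phrase from a short list of common words is only days away at the same rate, which is why the page pushes uncommon words and length.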

The best password methods (and great password examples)
At Avast, we know a thing or two about cybersecurity. We know what makes
a solid password, and we have our favorite methods to create them. The
methods below give you some good password ideas to create your own
strong, memorable passwords.  Follow one of these handy tips, and you’ll be
doubling down on protecting your digital world.

The revised passphrase method

This is the multiple word phrase method with a twist — choose bizarre and
uncommon words. Use proper nouns, the names of local businesses,
historical figures, any words you know in another language, etc. A hacker
might guess Quagmire, but he or she would find it ridiculously challenging to
try to guess a good password example like this:

QuagmireHancockMerciDeNada

While the words should be uncommon, try to compose a phrase that gives
you a mental image. This will help you remember.

To crank it up another notch in complexity, you can add random characters in
the middle of your words or between the words. Just avoid underscores
between words and any common leetspeak* substitutions. (*leetspeak: an
informal language or code used on the Internet, in which standard letters are
often replaced by numerals or special characters.)

The sentence method

This method is also described as the "Bruce Schneier Method." The idea is to
think of a random sentence and transform it into a password using a rule. For
example, taking the first two letters of every word in “The Old Duke is my
favorite pub in South London” would give you:

ThOlDuismyfapuinSoLo

To anyone else, it’s gobbledygook, but to you it makes perfect sense. Make
sure the sentence you choose is as personal and unguessable as possible.

Recommended ways to improve your password portfolio
All of the above methods help to strengthen your passwords but aren’t very
workable, given that the average person uses dozens of them. Let’s review a
few ways we recommend: use new complex passwords and a password
manager, install an authenticator app on your smartphone, and purchase new
hardware. Each of these can help with better and more secure
authentications. 

Use a password manager and a random password generator

A password manager keeps track of all of your passwords and does all the
remembering for you, except for one thing — the master password which
grants you access to your password manager. For that big kahuna, we
encourage you to use every tip and trick listed above. The programs also
come with generators, such as the Avast Random Password Generator, so
you can create super-complicated, extra-long passwords that are infinitely
more difficult to crack than any passwords a human might come up with.
PC Magazine has published a series of password manager recommendations.


Be careful who you trust

Security-conscious websites will hash their users' passwords so that even if the
data gets out, the actual passwords are encrypted. But other websites don't
bother with that step. Before starting up accounts, creating passwords, and
entrusting a website with sensitive info, take a moment to assess the site.
Does it have https in the address bar, ensuring a secure connection? Do you
get the sense it is up on the newest security standards of the day? If not,
think twice about sharing any personal data with it.
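As an added example (not Avast's code or any particular site's), this is what "hashing users' passwords" looks like in practice with Python's standard library: a random salt per user, a slow key derivation (PBKDF2-HMAC-SHA256; the iteration count is an assumed value) stored alongside the digest, and a constant-time comparison on login, next to the unsalted hash a site that "doesn't bother" might store.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value). A slow derivation means each guess
# against a leaked database costs the attacker as much as one login costs the verifier.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields).
    A fresh random salt per user means identical passwords produce different records,
    so a precomputed lookup table is useless against the leaked database."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and compare it in
    constant time, so response timing does not reveal how many bytes matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False          # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """What a careless site often stores instead: fast to compute, and identical passwords
    give identical hashes, so one lookup cracks every user who chose the same word."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed demo credential; the record is what would be written to the database.
    record = hash_password("QuagmireHancockMerciDeNada")
    print(record)
    print("correct password accepted:", verify_password("QuagmireHancockMerciDeNada", record))
    print("wrong password rejected:  ", not verify_password("quagmirehancockmercidenada", record))
```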

Use multi-factor authentication

Multi-factor authentication (MFA) adds an extra layer of protection (which
becomes your first layer of protection should your account details ever get
leaked). It has become the new industry standard for effective security. In
our blog post, we explain how it is used and how you can add MFA to
common social accounts such as Twitter and Facebook. MFA requires
something in addition to a password, such as biometrics (fingerprint, eye
scan, etc.) or a physical token. This way, as simple or complex as your
password is, it's only half of the puzzle.
Further reading: How to use multi-factor authentication for safer apps

Note: given the 2018 Reddit hack caused by SMS intercepts, we do not
recommend using SMS as your second factor of authentication. This is a
well-trod path by many hackers in the past few years.

THE USE OF TWO-FACTOR AUTHENTICATION

Security experts always recommend using two-factor authentication where
possible, providing an added layer of security and a roadblock for would-be attackers
attempting to crack your password.
Essentially, two-factor authentication involves two distinct steps (or factors) to
verify a user's identity; typically some combination of the following:
● Something you know (e.g., your password or your username)

● Something you have (e.g., your ATM card, mobile phone, or an access token/badge)

● Something you are (typically verified with biometrics, such as iris scans, fingerprints, or
facial recognition)

Use an authenticator smartphone app

The best MFA method is to use a specialized app for your smartphone.
Google Authenticator (available for Apple and Android devices) and Authy
are two examples, and both are free. The app generates a one-time PIN that
you enter as the additional factor during your login process. The PINs
automatically change every 30 seconds. You'll need to follow the instructions
to set up MFA for your particular application, and some applications don't
yet support this MFA method.

[extra:

Security keys and the FIDO alliance

Security keys take security to the next level. A security key like
the YubiKey (named for "ubiquitous key") gives you the most state-of-the-art
protection available today. It serves as your MFA, granting you file access
only if you physically have the key. Security keys are available in USB, NFC,
or Bluetooth versions, and they are generally about the size of a thumb drive.
In 2017, Google required all of its employees to begin using security keys, and the
company claims it has not experienced a single data breach among its
85,000 workers since. Google has its own product, the Titan Security Key,
designed specifically to protect people against phishing attacks.

For MFA and security keys: check out the FIDO alliance, which is working on
creating strong authentication standards for desktop and mobile apps. If
you're as concerned about online security as we are, you want only to
use FIDO-compliant services such as Microsoft, Google, PayPal, Bank of
America, NTT Docomo, and Dropbox, to name a few. When a certain security
key, website, mobile app, etc. is "FIDO® Certified," it satisfies the alliance's
high standard of authentication and protection.

In the early days of practical thought, Socrates doled out the sophisticated
advice: Know thyself. We're going to borrow from his book, upgrade the
advice by a couple thousand years, and encourage all of you to do that which
is absolutely essential today: Secure thyself.]

Additional security tips surrounding passwords

Protect your login information further with these common sense,
high-security tips:

● Use a VPN when on public Wi-Fi. That way, when you log into accounts, no
one is intercepting your username and password.

● Never text or email anyone your password.

● When selecting security questions while creating an account, choose
hard-to-guess options to which only you know the answer. Many
questions have easy-to-find answers in social channels with a simple
search, so beware and choose carefully.

● When you're done, take the time to tell your family and friends to protect
themselves too. Breaches continue to happen, so just by sharing this blog
post with friends and family, you will be helping your inner circle to protect
themselves.

● Make sure your antivirus is up-to-date. If a threat somehow gets past your
strong defenses and into your system, a good antivirus will detect and
neutralize it.

What are the different types of password managers?

There are different types of password managers available in the market based on their
storage, encryption technique used, features offered, etc. Let's take a look at them one by
one, along with their advantages and disadvantages, and find which one might be the
perfect choice for you.

● Desktop-Based

● Cloud-Based

● Browser-Based

● Portable

● Token-Based

● Stateless

1. Desktop-Based
This is one of the oldest and most popular types of password manager category.
Usernames and passwords are encrypted and stored on the user's desktop machine locally.

Advantages

● User data gets encrypted and stored directly on their machine where no one else can
access them

Disadvantages

● Passwords cannot be accessed from other machines and devices 

● Not suitable for users who share their desktops with friends, family, or colleagues

2. Cloud-Based
With this password manager type, usernames and passwords are stored on the service
provider's server, and data is transmitted from the user's web browser over the Internet
using a highly secure communication channel.
Advantages

● Users can access their passwords from anywhere

Disadvantages

● Security of the user data is directly in the hands of their service provider

3. Browser-Based 
Browsers like Chrome, Firefox, and Internet Explorer have a built-in option to store and
manage users' login credentials. 

Advantages

● Easy-to-use and no additional cost involved

Disadvantages

● No sync option across multiple devices

● Less secure when compared to other types of password managers

● Lack of advanced features 

4. Portable
Here, the usernames and passwords are stored on the user's mobile device or other
portable storage devices, such as a USB stick or HDD. 

Advantages
● More secure and reliable than the desktop-based password manager category.

Disadvantages

● Loss of confidential data if the portable device is lost or stolen. 

5. Token-Based
Here, the usernames and passwords are protected with an additional layer of security.
Users must provide their login credentials and a security token delivered to their device.

Advantages

● A higher level of security is ensured by using multiple levels of authentication 

Disadvantages

● More expensive than other types of password managers

● Highly complex and less likely to be recommended for non-technical users

6. Stateless
Here, passwords are generated from the user's master passphrase and a tag (for example,
the username and the site) using a key derivation function, so nothing needs to be stored.

Advantages

● Passwords are not stored in a database, thereby ensuring enhanced security.

● Passwords are usually generated using a combination of username, the site that the
password is for, and a master password

Disadvantages

● No sync option

● They are more vulnerable to brute-force attacks than many other types of password
managers
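The derivation described above, as an added example (not taken from any particular stateless password manager): the master passphrase is fed to a key derivation function (PBKDF2-HMAC-SHA256 here; the iteration count and the output alphabet are assumptions) with the username and site as the tag, and the result is written out in the printable alphabet. The comment at the end spells out why the page lists brute force as a disadvantage of this design.

```python
import hashlib
import string

# Output alphabet: upper-case, lower-case, digits and symbols (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# 32 derived bytes = 256 bits; 94**32 is about 2**210, so up to 32 output characters can be
# taken from that without noticeable bias (longer outputs would need a larger dklen).
MAX_LENGTH = 32


def derive_site_password(master: str, username: str, site: str,
                         length: int = 20, iterations: int = 200_000) -> str:
    """Deterministically derive a site-specific password from the master passphrase and a
    tag built from username and site. Nothing is stored: the same inputs always regenerate
    the same password, and a different tag yields an unrelated one."""
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between 1 and {MAX_LENGTH}")
    tag = f"{username}@{site}".encode("utf-8")          # the tag acts as the KDF salt
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), tag, iterations, dklen=32)
    # Treat the key as one big integer and write it out in base 94.
    number = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        number, index = divmod(number, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs for the demo (not real credentials).
    for site in ("example.com", "example.org"):
        print(site, derive_site_password("correct horse battery staple", "alice", site))
    # The trade-off the page lists as a disadvantage: anyone holding one derived password
    # can test master-passphrase guesses offline, limited only by the KDF cost, so the
    # master passphrase must be long and the iteration count high.
```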
