Password Management

According to the Verizon Data Breach Investigations Report (DBIR) 2017, more than 80% of the hacking
activities related to data theft are caused by either stolen passwords or very weak passwords.

When an army of cyber bots equipped with the stolen passwords attempt to login and request for
accessing on any particular website from multiple locations with multiple attempts, the system becomes
fully overwhelmed with the malicious traffic and succumbs to the pressure of traffic. Thus, the denial-of-
service (DoS) attack on a particular website becomes successful and outage of the service occurs. The
password management is very critical in avoiding password theft and subsequently the DoS attacks as
well as other cybercrimes.

1.Basics of Passwords:
The basic objective of using a password is to authenticate your authority to access certain resources. The
technique of code word to verify a certain authenticity of person, event, or any other activity was used
between two communicators in the old ages.

The modern passwords are used for restricting unauthorized access to the computing machines such as
PCs, tablets, mobiles, routers, switches, and many other configurable devices. Moreover, passwords are
also used to access the online digital services connected through Internet.

There are different types and forms of passwords used in the modern world. The following are a few
among them.
• Conventional password
• Biometric passwords
• Two-factor authentication
• Multi-factor authentication
• Social media logins
• Email logins
• One-time password (OTP)
• Smart keys and physical tokens

The modern passwords consist of minimum length of 8 characters and maximum of 64 characters in
certain cases. The strength of password increases with the number of characters because the possibility
of guessing and decoding the hash through computer power will be near to impossible in case of strong
64-character passwords.

1.1Threats to passwords

The major threat to your password is the user sluggishness, which often discourages the user from
following the password management guidelines. The password theft is one of the major reasons of the
DDoS attacks and many other data theft, and financial frauds. According to the latest research
conducted in 2018, it was found that a large number of the people use very generic passwords such as
123456, 12345678, and abc123. These passwords are very easy to guess and snoop while you input the
password.

All these passwords are the most unreliable and easy-to-guess passwords in the world. Many
organizations and security companies have already blacklisted these passwords to be used. The use of
weak passwords is highly prone to the risk of being stolen easily. So, easy passwords should never be
used. The plain text passwords are even more prone to theft.

The major threats to the password theft include the following:

• Eavesdropping
• Guessing of password
• Cracking passwords through computing software
Offline cracking of hashes
• Password recovery or reset cyberattack techniques
• Same password use on multiple accounts
• Using default passwords of the system
• Malicious software on your computer such as sniffers and keyloggers
• Backdoor exploit
• Malicious plugins
• Phishing
1.2.Good and bad about password:

After having discussed the suspected threats to the passwords, let us now talk about what is good and
what is bad about a password. People are more careless and lazy about remembering hard and strong
passwords; so they prefer to use simple and easyto-remember passwords. That is not a good idea about
a good password. A good password should have the following features:

• Should be longer in a range of 10–15 characters.

• Should not include any plain text, which is easy to guess.
• Should include the combination of lowercase and uppercase characters.
• Should include at least one or more special symbols/characters at random place.
• Should include at least one or more numbers at different places.
• Never use your personal information, which is easy to guess.
• Do not ever share your password with others.
• Always change the password pattern.
• Always change your password regularly.
If you follow these instructions, you will remain more protected and secure in this highly risky
environment of Internet. Now,

The main points of a bad password could be as follows:

• Plain text passwords

• Short passwords
• No combination of different types of characters
• No use of upper and lower cases randomly
• Reusing of the same password
• Using meaningful words
• Using meaningful word and adding just one digit like “mango1”
• Reusing the same word twice in the password like “fishfish1”
• Using a word in reverse order like “elppa” for apple

1.3 How to hack passwords?

The cybercriminals are highly skilled and qualified people with negative thinking, so they are very
creative thinkers in devising strategies and methods to steal the usernames and passwords of the
genuine users. They can use any new and innovative technology to get hold on your password, but a few
very important techniques are explained below:

1. Over-the-Shoulder Technique: This is a traditional way to steal any critical information like password.
The bad guys try to steal your password when you enter it into the system or online service. This
technique is also useful when you write your password on some diary or paper. The hackers try to peep
over to see your passwords in different forms in this method.

2. Dictionary Hacking Technique: In this form of exploitation, the hackers try to use the words available
in the dictionaries of different major languages. They use different combinations and roots with the help
of certain software tools to crack the passwords of the users. This is more sophisticated and effective
method to hack the passwords.

3. Password Guessing Technique: This is one of the traditional forms of password guessing. The hackers
make guesses to crack the passwords. Those guesses are influenced by psychology, gender, mental
approach, background, and other factors of the user. Many studies suggest that a majority of the
passwords used by the female users include the names of their children, husband, or boyfriends. The
hackers take advantage of this trend in women to hack their passwords.

4. Brute-Force Attack Technique: This basically means trying all possibilities to break a system. You have
already read about the cryptocurrency mining by using the computer processor to decrypt the
transaction and verify it. Similar type of technique can also be employed by the hackers to guess your
password through a password guessing software. This software uses the combinations of different
options and words to guess the password.

The modern hackers are very creative, experienced, and skilled. They can use an out-ofthe-box idea to
crack the passwords at any time. So, always take care of your passwords to maintain their sanctity and
integrity.

2. Effective Password management:

An effective password management plays a vital role in maintaining higher level of security at work as
well as at home. Password management is the combination of the procedures and activities that should
be accomplished on a regular basis as set forth by the security manager, security management agencies,
and industry guidelines.

After creating a strong password, a user has to take different steps to maintain the power and
effectiveness of the password. That means, creating a strong password is not sufficient for maintaining a
strong cybersecurity. You will have to keep a close look at the security and effectiveness of the password
after you created a strong password. You should consider the below-mentioned steps and follow the
guidelines set forth by the security experts and industry standards to

Maintain the effectiveness of your system and online accounts.

• Always choose longer passwords ranging from 12 to 20 or even more characters.

• Password is a completely private property; so, do not share it with anybody.
• Never create same password for multiple accounts or services.
• Never write down your password on paper or copy.
• Never save your password on your computer.
• Change your password after 3–4 months.
• Always use different patterns for every password so that it cannot be easily cracked.
• Never use single number at the end of the password.
• Try to use biometric password if available.
• Consider using the two-factor authentication.
• Always enable multi-factor authentication on your account if supported.
• Encrypt the files and data that contain password-related information.
• Do not save your critical passwords on browsers.
• Always try to use a good password manager for managing your password more effectively and
efficiently.
• Always type your password fast so that no one can guess it.
• Always remember password so that you do not refer to any paper or file for the same.
• Try to generate strong passwords with the help of password-generating software.
• Never reuse the password over and over again after changing it.
• Never send or save your password in emails because they are not fully secure.
• Always take note of surroundings when you input your password.
• Always choose the strong passwords, but those passwords should be easy to remember for you.

3. Creating and Managing Secure passwords

Passwords are very critical and valuable for every online user because our personal, business, social, and
many other types of data and information are directly linked with the online services and the Internet.

The hackers and cybercriminals are becoming very advanced, and they use the latest, high-tech, and
sophisticated techniques to carry out cyberattacks. The password theft is one of the major objectives of
the cybercriminals to inflict serious damage to the common users as well as to the businesses and
government organizations.

3.1 Strong Passwords:

The first step towards having a secure and reliable password is to create a very strong password. The
qualities and features of a strong password include the following:

• Non-guessable
• Longer length
• Complex pattern of characters
• Complex combination of characters
• Based on the out-of-the-box ideas
• Not influenced with the personal behaviours and information
• Better password management
All of the above features should be taken into consideration while creating a strong password.
For example, you think that working in a government organization is so boring. Then, you can make an
expression like I get bored with a government job.

For example, you take “I”, “ge”, “bo”, “w”, “a”, “gv”, and “j” characters from the above expression. Now
you organize them in such a way that they create a strong password. Let us then reduce this expression
to “Ig3b0W@gV!” to form a strong password. Now what you have to remember is that you used zero (0)
instead of “o”, 3 instead of “e”, @ instead of “a”, and ‘!’ instead of “j”. The capital letters were chosen
randomly to make the password even stronger

3.2 Use of biometrics

The use of biometrics (Figure 7.5) is becoming a new standard for the passwords. There are many
security experts and security companies that advocate the replacement of traditional passwords with
the biometric passwords. The use of biometrics makes your passwords more secure and reliable. As we
know, the fingerprints are unique in the world; therefore, there would be no alternative to the
fingerprints. Meanwhile, the facial recognition is another important aspect of biometric identification.
Again, with the advancement in the artificial intelligence in the software development, the facial
recognition is becoming an important standard for the biometric access to the devices and applications.
Moreover, many research works are already in progress to use the walking patterns, body gestures, body
movement, shapes of body parts, body odors, and even vein patterns of a hand for this purpose . The use
of complete hand scans has become one of the most important identification standards for the
governments in passports, immigration, and other governmental procedures.

Many computers, tablets, mobile devices, and other access control equipment have already been
enabled with the biometric support. A large number of mobile applications, desktop applications, and
online tracking applications have also been developed to use the biometric authentication in a better
way. In mobile devices, the combination of biometric and traditional passwords or even drawing patterns
makes the security of a device more comprehensive and reliable. The improvement in the effectiveness
and accuracy of the biometric scanning system is continuously happening, which may lead to its use in
the more precise and missioncritical applications extensively

3.3Two Factor authentication:

The traditional form of authentication is single-factor authentication in which you enter your password
against your username to access the authorized resources. This method is considered as low secure
nowadays due to many reasons. One of the main reasons for the low security of single-factor
authentication is that it is easy to be compromised if you have to use your password many times a day.
The single layer security is not powered by any additional layer that means if your password is
compromised, you will lose the control over your resources and unauthorized cybercriminals can easily
break into your resources. The solution to this problem is the two-factor authentication and multi-factor
authentication. The two-factor authentication (Figure 7.6) is also known as dual-factor and twostep
authentication. In this process, you get one additional layer of security to access your resources. When
you enter username and password, you will be prompted to enter the passcode. The passcode is
normally sent through a text message or automated call on your mobile phone.

To enable the two-factor authentication, you will need to add phone number to the server for receiving
the passcode. Normally, the following steps are involved in enabling the two-factor authentication:

• Add your mobile number and alternate phone number.

• Choose the way you want to receive the passcode – either automated voice call or text message.
• The test verification code is sent by server to your phone number.
• The code is inserted into the field to verify the same.
• Two-factor authentication is enabled now

3.4 Multifactor Authentication

The two-factor authentication improves the security of resource access, but still the level of security that
a critical data needs is not sufficient yet. Some important issues were found associated with the security
of the two-factor authentication. For example, in 2011, the RAS security company announced that a
huge number of important twofactor accounts have been compromised. In that attack, the secure ID
authentication tokens were hacked by cybercriminals
Multi-factor authentication is based on three or more factors. The major three factors used are known
as:

• What you know

• What you are
• What you have

3.4.1 What you know:

This category of the multi-factor authentication deals with the information or factors that a user knows
about. For example, password, pin code, or other security code either provided by the service provider
company or created by the user. This category of authentication factors is also known as the knowledge
factors in the field of computer security.

3.4.2. What you are:

This category consists of the factors that relate to the personal information such as facial recognition,
biometrics, retina scan, and other factors. These factors are also classified as the inheritance factors in
some books and technical writings. These are very unique biological characteristics or factors for every
individual person. Thus, it makes the multi-factor authentication more robust.

3.4.3.What you have:

This group of factors is also referred to as possession factors in the field of computer security. In this
category, the major factors of authentication include the components such as key fob, digital key, or
mobile device with the software application to scan. These factors are extensively used in the modern
multi-factor authentication, especially in the industrial and business security systems. To clarify here, a
fob, which is commonly called a key fob, is a small security hardware device with built-in authentication
system which is used to control and secure access to mobile devices, computer systems, and network
services and data. It displays a randomly generated access code, which changes periodically – usually
every 30–60 seconds. In the multi-factor authentication, a new category of authentication factors is
emerging on the marketplace. This is known as the location-based authentication factor. This code is
used for adding another layer of security while accessing the network from the remote locations other
than the specified locations saved on the security servers. When some employee wants to access the
corporate network from the location other the local offices, then a soft token will be required to grant
the access, but in normal conditions, the user can access by using other authentication factors only. In
some conditions, time window is also used as a layer of security for accessing some particular resources.
A user is allowed for a certain time window to access the certain resources. At any time other than the
specified window, the access to the resources will be denied despite the fact that the user has full and
right credentials.

4.One-time password:
One-time password is commonly referred to as OTP in the field of software security. This is extensively
used by the banks and other financial institutes. Normally, passwords can be classified into two
categories:

• Static passwords
• Dynamic passwords
The static passwords are the codes saved on the server and used repeatedly for accessing the desired
resources or getting the physical access. On the other hand, the dynamic passwords are created, used,
and discarded. They are not saved as the valid information for re-login. It is used just for one time to
access the resources. The example of dynamic password is the one-time PIN (also, OTP or OPIN) used in
the modern financial systems for online transactions. One-time PIN is created when you need to
accomplish some online transactions on your bank account or any other online resources. You login to
your bank account, but every transaction regarding the movement of the funds is associated with the
one-time pin or password.

One of the most important benefits of using the OTP is that it cannot be reused for cyberattacks or any
other malicious activities. Hence, tracking the OTP numbers will not be harmful for your account
security. Even if all the past OTP generated by you are exposed to the cyber hackers, that will not make
any difference at all! The attacker would still be clueless. The OTPs are very difficult to be intercepted
during the creation and use of those passwords. Thus, the use of OTPs reduces the amount of attacks.
Due to these advantages, OTPs are extensively used in mission-critical systems and financial accounts in
banks and other financial institutes such as insurance companies, and other similar kinds of institutes.

5.Using Password Manager:

In the present online environment, we use hundreds of websites, web services, applications, and
resources through Internet. The access to the resources is validated through passwords. So, you have to
remember hundreds of passwords for accessing those websites smoothly.
If you use the same password on all websites, that means your data and personal information are at
great danger for sure. The identity theft is one of the major components of the hacking attacks carried
out by the cybercriminals on the Internet.

A password manager is a software application that offers the services to create a strong password and
manage all those passwords in encrypted format so that they are not prone to compromise. A good
password manager allows the user to save the encrypted password either in the cloud or on the local
drives. Online storage of passwords in the cloud is easy to access it from anywhere in the world, but the
passwords saved locally are a bit difficult to access from other locations.

There are password manager-like features in the major browsers such as Chrome, Firefox, and Internet
Explorer, but majority of them save the passwords in plain text format, not in the encrypted format,
which is dangerous for you and your data. These passwords are not usable on the cross platforms like
passwords saved on the Windows are not supported on the Linux. So, using a good password manager
may be a suitable solution for an online user in today’s environment of the Internet.

The major reasons for using a good password manager include the following:

• Generating strong passwords

• No need to remember multiple passwords
• No need to worry about password theft
• Passwords are stored in fully encrypted formats
• Options to save passwords locally and in the cloud
• Easy to access passwords

You can create and save your passwords on password manager software tools. They save your passwords
in an encrypted format and they retrieve in the normal state when requested. The hackers will not be
able to decrypt your passwords saved on the password managers. You can easily access your passwords
saved in the cloud. If you want to save them on your local computer, you can do that very easily. In that
case, the online access of the passwords will be a bit difficult. It is recommended by the security experts
to use good password managers to avert any identity theft and related cyberattacks. It is very important
to note what level of encryption a password manager uses before you decide to use any one of them. A
good password manager should use at least 256-bit or even more level of encryption. Normally, 256-bit
encryption is considered as a suitable format for data files to keep them secure. So, the password data
file should be encrypted with 256-bit or higher level of encryption.

6.Password Managing Tools:

 Dashlane
 Lastpass
 Zoho vault
 Keepass
 Roboform