Saturday, November 30, 2013

Communications and Security: Bad Passwords!

Have you ever wondered why we use "passwords" to gain access to computing resources such as e-mail, social networking websites and personal computers? Before I answer the question of why passwords are a convenient but poor choice for authentication, let's look at a couple of other authentication methods. Biometric systems (heartbeat and retina scans) and smart cards are two other types of authentication. Why don't we use these systems? Can you imagine logging in to your Facebook account through a biometric system? Why does it sound implausible? Because these authentication systems cost money. Unlike passwords, they aren't free!

While it's true that passwords are not a very secure way of authenticating, they are popular because they are more convenient than the other authentication systems. Care should therefore be taken when forming a password. When an extra level of security is required, other systems are also used alongside password authentication (a PIN plus a smart card, for example). The points below will help you understand why passwords are a weak authentication mechanism.


Password Cracking
Computers are good at remembering a random alphanumeric string while humans are not. This forces humans to choose not-so-random passwords, which makes those passwords vulnerable to attack. A not-so-random password is easy to crack with a dictionary attack (a variant of brute force) compared to a randomly generated password of the same length.

Often, websites let you reset or recover a forgotten password by answering security questions. We tend to choose questions whose answers are directly related to our life, studies or interests. If an attacker can get hold of your personal information, it may help them recover or reset your password.

When you log in to a website, your credentials are not necessarily sent encrypted over the internet to the site's servers. If an attacker sniffs the packets exchanged between user and server, they may capture the login credentials and gain unauthorized access to the user's account.

Social engineering and keystroke logging are other examples of what makes password-based authentication vulnerable. Although passwords are a weak form of authentication, they are the most convenient to use because, unlike the other systems discussed above, they are free (their biggest advantage).

Remember the points below to ensure a good level of security when it comes to passwords:

1) Do not use a password based on English dictionary words. Use a mixture of words, numbers and special characters.
2) Do not base a password on personal information such as your name, age or birth date. This information can easily be obtained by others.
3) Do not use the same password for all or most websites and personal computer logins. If your "common password" is compromised, all your accounts are compromised too!
4) Choose your password-recovery questions wisely when signing up on a website. Pick questions whose answers are not obvious to others.
5) For online bank accounts, remember to use a very complex password!
6) Use an INCOGNITO window (Chrome only) whenever you access accounts on public computers.
7) Do not get carried away by "Free Wi-Fi" hotspots unless you trust the Wi-Fi provider!!
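The checker below is an added example, not code from the original post. It turns the password-cracking point above (a not-so-random password falls far sooner than a random one of the same length) and tips 1, 2, 3 and 5 into mechanical checks: it estimates how many bits a password really has once dictionary words and personal details are counted as single cheap guesses, compares that with the naive per-character estimate, converts the result into an expected cracking time, and flags reused passwords across accounts. The word list, the personal details, the 12-character minimum, the 50-bit threshold, the assumed dictionary size of 2**17 entries and the guess rate of 1e10 per second are all constructed assumptions for the example.

```python
import math
import re
import string

# Constructed stand-in for an English word list. A real checker would load a full
# dictionary (e.g. /usr/share/dict/words); the entropy estimate below therefore assumes
# a list of about 2**17 words rather than the handful spelled out here.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein",
                "football", "summer", "sunshine", "qwerty"}
ASSUMED_DICTIONARY_SIZE = 2 ** 17       # ~131k words -> a word costs an attacker 17 bits

# Constructed personal details of the account holder (tip 2: never part of a password).
PERSONAL_INFO = {"first_name": "mehal", "surname": "patel", "birth_year": "1990"}

MIN_LENGTH = 12           # assumption: policy minimum, the post names no length
MIN_BITS = 50.0           # assumption: acceptance threshold for effective entropy
SYMBOLS = string.punctuation


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover if the password were uniformly random."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in SYMBOLS for c in pw): size += len(SYMBOLS)
    return size


def naive_entropy_bits(pw: str) -> float:
    """Bits if every character had been chosen independently and uniformly at random."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def effective_entropy_bits(pw: str) -> float:
    """Bits after accounting for the 'word + digits + symbol' structure humans favour.

    A dictionary word costs an attacker only log2(dictionary size) guesses however long
    it is, and a token taken from the victim's personal details costs even less; this is
    the 'not-so-random password' weakness the post describes.
    """
    personal = {v.lower() for v in PERSONAL_INFO.values()}
    bits = 0.0
    for run in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw):
        if run.lower() in personal:
            bits += math.log2(len(PERSONAL_INFO))      # tried first by anyone who knows you
        elif run[0] in string.ascii_letters:
            if run.lower() in COMMON_WORDS:
                bits += math.log2(ASSUMED_DICTIONARY_SIZE)
                bits += 1 if run[0].isupper() else 0  # "Summer" vs "summer": one extra bit
            else:
                mixed = run.lower() != run and run.upper() != run
                bits += len(run) * math.log2(52 if mixed else 26)
        elif run[0] in string.digits:
            bits += len(run) * math.log2(10)
        else:
            bits += len(run) * math.log2(len(SYMBOLS))
    return bits


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password: half the search space at the given rate.
    The default rate is an assumed 1e10 guesses/s (offline attack on a fast hash)."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def audit_password(pw: str) -> list[str]:
    """Tips 1, 2 and 5 of the post as mechanical checks; returns the violations found."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw)])
    if classes < 3:
        problems.append("fewer than three character classes (letters, digits, symbols)")
    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    for field, value in PERSONAL_INFO.items():
        if value.lower() in low:
            problems.append(f"contains personal information ({field})")
    if effective_entropy_bits(pw) < MIN_BITS:
        problems.append(f"effective entropy below {MIN_BITS:.0f} bits")
    return problems


def find_reused(accounts: dict[str, str]) -> list[list[str]]:
    """Tip 3: group account names that share one password so the reuse becomes visible."""
    by_pw: dict[str, list[str]] = {}
    for site, pw in accounts.items():
        by_pw.setdefault(pw, []).append(site)
    return [sorted(sites) for sites in by_pw.values() if len(sites) > 1]


if __name__ == "__main__":
    for candidate in ["Mehal1990!", "Summer2013", "k7$Qz!v2Rp&nL4"]:   # constructed samples
        eff = effective_entropy_bits(candidate)
        print(f"{candidate!r}: naive {naive_entropy_bits(candidate):.1f} bits, "
              f"effective {eff:.1f} bits, ~{crack_seconds(eff):.2e} s to crack; "
              f"problems: {audit_password(candidate) or 'none'}")
    print(find_reused({"bank": "Summer2013", "email": "Summer2013", "forum": "k7$Qz!v2Rp&nL4"}))
```

The gap between the two estimates is the whole point: "Summer2013" looks like 59 bits if you count characters, but once "summer" is one dictionary guess and "2013" is four digits it is worth about 31 bits, which a fast offline guesser covers in a fraction of a second, while a name plus birth year scores under 10 bits against anyone who knows the owner. Only the random 14-character sample passes every check.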

8 comments:

  1. I agree, biometrics would be a more secure way to authenticate a user. I remember when laptops came out with the fingerprint scanner feature; I wanted one because I felt my data would be more secure. You make some valid points on how to strengthen passwords since we are going to continue using them until biometric technology becomes available more cheaply. Some of your sentences sound somewhat awkward; read them after you type them to make sure they sound proper.

  2. Hi Mehal,

    Good post and good advice as well! With new biometrics technology, nowadays many companies that make computers include a fingerprint option so that people can log into their computer without entering the password. It can read one's fingerprint just as one enters the password. I think it's faster to access the computer this way, and one doesn't need to remember the password.

  3. Hello! Your post was very interesting to read! I like the tips you posted on creating passwords. I feel that a lot of people like to keep their passwords simple so it is easier on themselves for recall. My friend played a game and his password was similar to his login name. To no surprise he was hacked and I scolded him for it. I agree that passwords are not that secure but with the tips you provided, there is a higher chance that confidential information is not hacked.

  4. Hi Mehal,

    I am the kind of person who always keeps simple passwords so that it is easy to remember them. There are tons of accounts we create and remembering each and every different password would take a lot. But I agree with you about how they play an important role in protecting an account or a system. Probably, I should use the tips that you have mentioned while creating a password or I will be in trouble sooner or later. Overall, I really liked the in-depth explanation of the topic and enjoyed reading it. Great Work!

  5. Mr. Patel,
    I totally agree with your point that setting passwords is not necessarily the best way to secure one's system or data. However, the reason behind using passwords as the most common way of system security is not only that they are free but also the fact that it is more user-friendly and less technically sophisticated for a common man, totally ignorant of technology, to use this means of security. Other means of authentication such as the biometric system mentioned in your article do not come across as simple to use to the common crowd. Also, the chances of these technologies failing and blocking access to the system are higher as compared to the conventional password setting method.
    Keep up the good work though!

  6. With the new iPhones, biometric security could be probable for things such as websites. The new iPhones have fingerprint scanners, which means that the technology is cheap enough to be readily available to anyone who can buy a smartphone. The problem I see is that biometrics might be easily "hacked" by something like a photo because the technology might not be that great yet on a small device.

    I think using foreign words as passwords is probably a good idea as well. If you are on an English website, use a Chinese password. If you are on a Chinese website, use a Korean password. Not perfect but still more secure.

  7. Hi Mehal,

    We need passwords to protect our accounts just as we need locks to protect our properties.

    There are many ways to secure our information on the Internet; passwords are the easiest and cheapest way to do that. Even if we know how to make our passwords strong, it is not an easy job to choose one that is easy to remember. And it's extremely dangerous if we have only one unique password for all our accounts.

  8. Hi Patel, Thank you for a very well written and informative post about Communications and Security. A weak password is always one of the major vulnerabilities for hacking. Using biometrics technology, many companies are making computers and smartphones which take fingerprints as well as passwords. It's a good effort to make our e-communications system safer.
