Let's talk about how you 'insecurely' manage credentials (part 1)

Authentication principles and best practices for managing your passwords

Posted by Salvo Bertoncini on June 11, 2022 · 4 mins read

80% of cyber attacks are related to credentials (Pareto docet). Credentials are one of the most controversial, and still one of the most misused, parts of the security chain that aims to protect services and personal information.

If you're concerned about your passwords, don't panic:

people are always the weakest link.
(LOL)

What exactly do we mean by "credentials"? How many authentication factors are there, and how many of them should we combine?

Let's shine the light on credentials.


Authentication factors

We refer to an authentication factor as a group of methods that let a user prove to an authentication system that an identity belongs to them. As per NIST [1], there are 3 authentication factors:

  1. Something you know (e.g., a password, a passphrase, a PIN);
  2. Something you have (e.g., a One-Time Password (OTP) code, an ID badge, a credit card, a cryptographic key);
  3. Something you are (e.g., a fingerprint or other biometric data).

Passwords are by far the most common, yet one of the most insecure, authentication methods. Despite their reputation, passwords are very easy to use, but they must be managed cautiously.

Password best practices

Here are some tips for using passwords serenely and securely:

  1. Don't share any password with anyone (including your partner, your colleagues, your dog);
  2. Create passwords which contain at least 8 characters, including:
     - one uppercase letter;
     - one lowercase letter;
     - one number;
     - one special character (e.g. !, ?, ., ;, #, @);
  3. Use a different password for each account you have (your Facebook password has to be different from your bank account password);
  4. Periodically change all your passwords;
  5. When possible, always use more than a single authentication factor (Multi Factor Authentication is explained below);
  6. Use a password manager (e.g. KeePass).
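The composition rule (at least 8 characters, one uppercase, one lowercase, one digit, one special character) and the "one password per account" rule from the list above can both be checked mechanically. The following is an added example, not code from the post or from KeePass: a small checker that reports which of the listed rules a candidate password violates, and a helper that scans a (constructed, already-decrypted) vault for passwords shared between accounts, which is the reuse a password manager's audit feature would flag. The set of accepted special characters is an assumption (all ASCII punctuation, a superset of the six examples the post gives).

```python
import string
from typing import Dict, List

MIN_LENGTH = 8  # the post's minimum


def password_violations(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of rules from the post that `password` breaks.

    An empty list means the password satisfies every listed composition rule.
    Assumption: any ASCII punctuation character counts as "special".
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def find_reused(vault: Dict[str, str]) -> List[List[str]]:
    """Group account names that share the same password (rule: one password per account).

    `vault` maps account name -> password, as a password manager holds them
    after unlocking. Groups are returned in first-seen order.
    """
    accounts_by_password: Dict[str, List[str]] = {}
    for account, password in vault.items():
        accounts_by_password.setdefault(password, []).append(account)
    return [accounts for accounts in accounts_by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    # Constructed sample vault, not real credentials.
    vault = {
        "facebook": "Winter2022!",
        "bank": "Winter2022!",      # reused: same as facebook
        "mail": "correct-Horse-9",
        "forum": "password",        # breaks several rules
    }
    for account, pw in vault.items():
        print(account, "->", password_violations(pw) or "ok")
    print("reused across:", find_reused(vault))
```

Running the block prints, per account, which rules fail (the forum entry breaks the uppercase, number and special-character rules) and reports that the facebook and bank entries share one password.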

Multi Factor Authentication (MFA)

MFA is at the core of modern security principles. It's a simple habit that greatly complicates an attacker's life.

It consists of using more than a single Authentication factor to prove your identity:

  1. Something you know + something you have (e.g. a password + an OTP code);
  2. Something you know + something you are (e.g. a password + fingerprint);
  3. Something you have + something you are (e.g. a cryptographic key + facial recognition).

MFA is a must-have and is strongly recommended for all your accounts, especially the most critical ones (e.g. your banking accounts, your accounts related to health services).

Please note: some MFA methods are more secure than others. Indeed, generating your OTP with an OTP app (e.g. Authy) is far more secure than receiving the OTP via SMS on your mobile phone [2]. This is because of the insecure nature of SMS: you can be the target of some well-known attacks such as SMS spoofing, SIM swapping and social engineering.

Conclusion

We shed some light on credentials and best practices to manage them, encouraging the use of password managers and Multi Factor Authentication (possibly without SMS).

The more you put this combination of notions into practice, the more secure you can feel.

References

  [1] NIST SP 800-63-3
  [2] So Hey You Should Stop Using Texts for Two-Factor Authentication.

Photo by Yura Fresh on Unsplash.