The Basics of
Data Security:
Account Protection
CC-BY
Fabian M. Suchanek
112
Overview
2
• Account Hacking
• Secure Passwords
• Two Factor Authentication
• Summary
Protecting your account
3
Imagine the damage that can be done...
Protecting against hackers: risk = probability of the event × damage (each ranging from low to high)
If a hacker had access to your email, they could
- read all email you have ever written or received (bank, SO, ex,...)
- see all pictures attached to emails that you sent or received
- send emails in your name (e.g., to colleagues or clients)
- post messages in your name on Facebook
- lock you out of your Facebook account (by changing the password)
- lock you out of your email account
- close your email account, close your Facebook account
- mess up your blog
- gain hold of basically all other online accounts.
4
The main protection is your password.
Overview
5
• Account Hacking
• Secure Passwords
• Two Factor Authentication
• Summary
Popular passwords are bad
6
Most popular passwords:
123456
password
12345
12345678
football
qwerty
1234567890
1234567
princess
1234
login
welcome
solo
abc123
admin
121212
flower
passw0rd
dragon
sunshine
master
hottie
loveme
zaq1zaq1
password1
[Source: Time.com]
A hacker can simply try out all of these passwords.
Common words are bad
7
• love
• Love
• love you
• ...
• l0ve
• 1 l0ve y0u
• ...
A hacker can simply try out all words from a dictionary (“dictionary attack”).
Replacing letters by numerical counterparts is a known strategy => not safe.
In 2006, 55% of MySpace passwords were crackable in 8 hours [Wikipedia].
After the September 11 attacks, the passwords of deceased employees were commercially cracked to allow using their work.
Def: Password strength
8
The number of possible passwords (combinations) of length n over k characters is k^n.
The password strength is often given “in bits” as the binary logarithm of the number of possible combinations.
Example: 10 letters a-z = 26^10 combinations (0.1 quadrillions).
Password strength: log2(26^10) = 10 · log2(26) ≈ 47 bits
Short passwords are bad
9
A hacker can simply try out all combinations: combinations = characters ^ length.
Example: 10 digits = 10 billion combinations.
A PC can do 100m combinations per second => we need only 1.5 minutes to break it.
Example: Uber sends out a 4-digit code to verify an account. Generate 1m account requests, verify 100 of them just by chance.
Try it out! (But not with your real password!)
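The arithmetic behind slides 7 to 9 (search space k^n, strength in bits, worst-case brute-force time, and the tiny search space that dictionary words with digit substitutions leave), as an added example that is not part of the original slides. The 100 million guesses per second is the slides' own figure; the substitution table and the sample dictionary are constructed for illustration.

```python
"""Password search-space arithmetic: combinations, bits, brute-force time.

Added example, not from the original slides. GUESSES_PER_SECOND is the
rate assumed on the slides (100m combinations per second on a PC).
"""
import math

GUESSES_PER_SECOND = 100_000_000  # assumption taken from the slides

# Constructed table of "letter -> numerical counterpart" substitutions,
# the well-known strategy the slides describe as not safe.
LEET_SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}


def combinations(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of `length` symbols over `alphabet_size`: k^n."""
    return alphabet_size ** length


def strength_bits(num_combinations: int) -> float:
    """Password strength 'in bits': the binary logarithm of the number of combinations."""
    return math.log2(num_combinations)


def seconds_to_exhaust(num_combinations: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination at `rate` guesses per second."""
    return num_combinations / rate


def expected_lucky_hits(requests: int, code_digits: int) -> float:
    """Expected number of numeric verification codes hit by pure chance when
    `requests` accounts each receive one random guess (the 4-digit-code example)."""
    return requests / combinations(10, code_digits)


def variant_count(word: str, substitutions: dict = LEET_SUBSTITUTIONS) -> int:
    """Distinct strings reachable from `word` by optionally swapping each letter
    for its numerical counterpart, times 2 for capitalising the first letter.
    Each substitutable letter only doubles the count, i.e. adds one bit."""
    swappable = sum(1 for ch in word.lower() if ch in substitutions)
    return 2 * (2 ** swappable)


def dictionary_search_space(words, substitutions: dict = LEET_SUBSTITUTIONS) -> int:
    """Total candidates an attacker must try to cover every word in `words`
    together with all its capitalisation/substitution variants."""
    return sum(variant_count(w, substitutions) for w in words)


def minutes_to_exhaust(num_combinations: int) -> float:
    return seconds_to_exhaust(num_combinations) / 60


if __name__ == "__main__":
    digits10 = combinations(10, 10)  # 10-digit PIN
    print(f"10 digits: {digits10:,} combinations, "
          f"{minutes_to_exhaust(digits10):.1f} minutes at 100m/s")
    lower10 = combinations(26, 10)  # 10 lowercase letters
    print(f"10 letters a-z: {lower10:,} combinations, "
          f"{strength_bits(lower10):.1f} bits, "
          f"{seconds_to_exhaust(lower10) / 86400:.0f} days at 100m/s")
    print(f"1m requests against a 4-digit code: "
          f"{expected_lucky_hits(1_000_000, 4):.0f} hits by chance")
    # Constructed mini-dictionary; a real word list has ~10^5 entries.
    space = dictionary_search_space(["love", "password", "sunshine"])
    print(f"3 dictionary words with all digit/capital variants: "
          f"{space} candidates = {strength_bits(space):.1f} bits")
```

The last line of the demo is the point of slide 7: even with every substitution applied, a word from a 100,000-entry dictionary with four swappable letters contributes about 100,000 × 32 ≈ 3.2 million candidates, around 22 bits, which a PC at the slides' rate exhausts in well under a second, compared with 47 bits for ten truly random lowercase letters.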
But is there not a time‐out?
10
Most services allow only a certain number of password trials per time unit.
However, this barrier might not be in place for all access paths (Web site, API, App, etc.). [Zoom]
A partial protection is as good as none.
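To make the "partial protection is as good as none" point concrete, here is an added example (not from the slides, and not the code of Zoom or any real service) that simulates a per-account login limiter and compares a service that enforces it only on the web form against one that enforces it on every access path. The limit of 5 failed attempts per minute, the path names and the sample user are all constructed assumptions.

```python
"""Login throttling that must cover every access path.

Added example, not from the original slides. The policy (5 failures per
account per 60 s) and the path names ("web", "api", "app") are assumptions.
"""
import time
from collections import defaultdict

MAX_ATTEMPTS = 5       # assumed policy: at most 5 failed guesses ...
WINDOW_SECONDS = 60    # ... per account per minute, on any path
ALL_PATHS = frozenset({"web", "api", "app"})


class FakeClock:
    """Deterministic clock so the simulation does not depend on wall time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginLimiter:
    """Counts failed attempts per account, independent of which path they used."""
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._failures = defaultdict(list)  # account -> timestamps of recent failures

    def _prune(self, account: str, now: float) -> None:
        cutoff = now - self.window
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def is_blocked(self, account: str) -> bool:
        now = self.clock()
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_attempts

    def record_failure(self, account: str) -> None:
        self._failures[account].append(self.clock())


def make_service(limiter: LoginLimiter, throttled_paths):
    """Return a login(account, password, path) function.

    Requests arriving on a path that is not in `throttled_paths` skip the
    limiter check entirely: this is the partial-protection mistake.
    """
    stored = {"alice": "correct horse battery staple"}  # constructed sample user

    def login(account: str, password: str, path: str) -> str:
        if path in throttled_paths and limiter.is_blocked(account):
            return "throttled"
        if stored.get(account) != password:
            limiter.record_failure(account)
            return "wrong_password"
        return "ok"

    return login


def guesses_reaching_check(login, path: str, n: int) -> int:
    """Submit n wrong guesses on `path` and count how many were actually
    compared against the stored password instead of being throttled."""
    return sum(1 for i in range(n) if login("alice", f"guess{i}", path) == "wrong_password")


if __name__ == "__main__":
    clock = FakeClock()
    partial = make_service(LoginLimiter(clock=clock), throttled_paths={"web"})
    print("web-only limiter, guesses via web :", guesses_reaching_check(partial, "web", 20))
    print("web-only limiter, guesses via api :", guesses_reaching_check(partial, "api", 20))
    full = make_service(LoginLimiter(clock=clock), throttled_paths=ALL_PATHS)
    print("all-path limiter, guesses via api :", guesses_reaching_check(full, "api", 20))
    print("all-path limiter, then via web    :", guesses_reaching_check(full, "web", 20))
```

Two design choices matter here: the failure counter is keyed on the account rather than on the client path or address, so switching from the web form to the API does not reset it, and the check sits in front of the password comparison for every entry point. A deployment check is to run the same burst of wrong guesses through each path the service exposes and confirm that all of them start returning the throttled response after the configured limit.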
Personal information is bad
13
Pet names
A notable date (wedding, birthdate)
A family member’s birthday
Your child’s name
Another family member’s name
Your birthplace
A favorite holiday
Your favorite sports team
According to Google