The Basics of Data Security: Account Protection
CC-BY Fabian M. Suchanek
Overview
• Account Hacking
• Secure Passwords
• Two Factor Authentication
• Summary
Protecting your account
Imagine the damage that can be done...
Protecting against hackers: risk = probability of the event (low) × damage (high)
If a hacker had access to your email, they could
- read all email you have ever written or received (bank, SO, ex,...)
- see all pictures attached to emails that you sent or received
- send emails in your name (e.g., to colleagues or clients)
- post messages in your name on Facebook
- lock you out of your Facebook account (by changing the password)
- lock you out of your email account
- close your email account, close your Facebook account
- mess up your blog
- gain hold of basically all other online accounts.
The main protection of your account is your password.
Overview
• Account Hacking
• Secure Passwords
• Two Factor Authentication
• Summary
Popular passwords are bad
Most popular passwords (source: Time.com):
123456, password, 12345, 12345678, football, qwerty, 1234567890, 1234567, princess, 1234, login, welcome, solo, abc123, admin, 121212, flower, passw0rd, dragon, sunshine, master, hottie, loveme, zaq1zaq1, password1
A hacker can simply try out all of these passwords!
[Popular passwords, The Economist, 2024-03-07]
Common words are bad
• love
• Love
• love you
• ...
• l0ve
• 1 l0ve y0u
• ...
A hacker can simply try out all words from a dictionary (“dictionary attack”).
Replacing letters by numerical counterparts is a known strategy => not safe.
In 2006, 55% of MySpace passwords were crackable in 8 hours [Wikipedia].
After the September 11 attacks, the passwords of deceased employees were commercially cracked to allow using their work.
Def: Password strength
The number of possible passwords (combinations) of length n over k characters is k^n.
The password strength is often given “in bits” as the binary logarithm of the number of possible combinations.
Example: 10 letters a-z = 26^10 ≈ 1.4 × 10^14 combinations (0.1 quadrillion).
Password strength: log2(26^10) ≈ 47 bits
Short passwords are bad
A hacker can simply try out all combinations:
combinations = characters ^ length
Example: 10 digits = 10 billion combinations.
A PC can do 100m combinations per second
=> we need only 1.5 minutes to break it
Example: Uber sends out a 4 digit code to verify an account. Generate 1m account requests, verify 100 of them just by chance.
Try it out! (But not with your real password!)
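The arithmetic of the last two slides, worked through as an added example (not part of the original slides): combinations = characters ^ length, strength as the binary logarithm, worst-case brute-force time at the slides' rate of 100m guesses per second, and the expected number of 4-digit verification codes guessed by pure chance in 1m attempts. The 100m/s rate and the 1m-request scenario are taken from the slides; the 62-character alphabet example is an added assumption.

```python
import math

GUESSES_PER_SECOND = 100_000_000  # the slides' figure: a PC tries 100m combinations per second


def combinations(alphabet_size: int, length: int) -> int:
    """Number of possible passwords: characters ^ length."""
    return alphabet_size ** length


def strength_bits(combos: int) -> float:
    """Password strength 'in bits': the binary logarithm of the number of combinations."""
    return math.log2(combos)


def worst_case_seconds(combos: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every combination at the given guessing rate."""
    return combos / rate


def expected_lucky_hits(code_digits: int, attempts: int) -> float:
    """Expected number of attempts that hit a random numeric code of `code_digits`
    digits purely by chance (the 4-digit verification-code scenario on the slide)."""
    return attempts / 10 ** code_digits


def report(label: str, alphabet_size: int, length: int) -> str:
    """One human-readable line per password scheme."""
    c = combinations(alphabet_size, length)
    return (f"{label}: {c:,} combinations, {strength_bits(c):.1f} bits, "
            f"brute force in at most {worst_case_seconds(c) / 60:.1f} minutes")


if __name__ == "__main__":
    print(report("10 letters a-z", 26, 10))          # the slide's 0.1 quadrillion example
    print(report("10 digits", 10, 10))               # the slide's 10 billion example
    print(report("8 chars, upper+lower+digits", 62, 8))  # assumed extra alphabet
    print(f"4-digit code, 1,000,000 requests: about "
          f"{expected_lucky_hits(4, 1_000_000):.0f} verified by chance")
```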
But is there not a time‐out?
Most services allow only a certain number of password trials per time unit.
However, this barrier might not be in place for all access paths (Web site, API, App, etc.). [Zoom]
A partial protection is as good as none.
Personal information is bad
• Pet names
• A notable date (wedding, birthdate)
• A family member’s birthday
• Your child’s name
• Another family member’s name
• Your birthplace
• A favorite holiday
• Your favorite sports team
• Your favorite color
(According to Google)
A hacker can find this information on social networks.
Security questions are bad
(Image: Ron Clausen)
A hacker can find this information in social networks.
40% of users fake the answers and then forget them. Most secure questions are also least memorized. [Research by Google]
>more
Difficult passwords are bad
“Your password must contain at maximum 5 letters, and must contain a mammal that lives in the sea”
The more annoying password restrictions are, the more likely users are to
- write the passwords down
- forget the passwords
- use simple variations of the same password
The same applies to passwords that have to be changed regularly.
>more
Using the same password is bad
If the password is compromised on one site...
...it allows access to all the others.
Solution 1: First letter passwords
“How much money do I have?” -> “Hm$d1h?”
• easier to remember
• high entropy
• recommended strategy
We will also talk about password managers, but even these need a master password.
Solution 2: Passphrases
Use a sentence as password: “How much money do I have?”
Passphrases should be
- Long enough to be hard to guess
- Not a famous quotation from literature, holy books, et cetera
- Hard to guess by intuition—even by someone who knows the user well
- Easy to remember and type accurately
- For better security, any easily memorable encoding at the user's own level can be applied.
- Not reused between sites, applications and other different sources
[Wikipedia: Passphrase]
Solution 3: Diceware passwords
(Comic: XKCD)
Def: Diceware password
A diceware password of length n is created as follows:
1) Take a list of 6^5 = 7776 words of some language, which are indexed <0,0,0,0,1>, <0,0,0,0,2>, ...
2) Repeat n times
   a) Roll a (physical) dice 5 times, obtaining numbers d1, d2, d3, d4, d5
   b) Add to your password the word at index <d1, d2, d3, d4, d5>
Excerpt of such a word list:
43136 mulct
43141 mule
43142 mull
43143 multi
43144 mum
43145 mummy
43146 munch
combinations = 7776^n
Or use a service: Mira Modi’s Diceware Service
EFF Diceware list
>2FA
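The diceware procedure above as a runnable added example (not part of the original slides): five die rolls become a list index by concatenating their digits, the word at that index is appended, and the strength follows from 7776^n. The word list is a constructed excerpt of the seven entries shown on the slide, so the stand-alone run uses scripted rolls that land on those entries; `roll_die` uses the OS CSPRNG in place of a physical die.

```python
import math
import secrets
from typing import Callable, Sequence

# Constructed excerpt of a diceware list: the seven entries shown on the slide.
# A real list has 6**5 = 7776 entries, one per five-dice outcome.
SAMPLE_WORDS = {
    43136: "mulct", 43141: "mule", 43142: "mull", 43143: "multi",
    43144: "mum", 43145: "mummy", 43146: "munch",
}
WORDS_PER_LIST = 6 ** 5  # 7776


def roll_die() -> int:
    """One fair die roll (1..6) from the OS CSPRNG, standing in for a physical die."""
    return secrets.randbelow(6) + 1


def diceware_index(rolls: Sequence[int]) -> int:
    """Turn five rolls (each 1..6) into the list index, e.g. (4,3,1,3,6) -> 43136."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls in the range 1..6")
    return int("".join(str(r) for r in rolls))


def diceware_password(n: int, wordlist: dict, roll: Callable[[], int] = roll_die) -> str:
    """Repeat n times: roll five dice and append the word found at that index."""
    words = []
    for _ in range(n):
        idx = diceware_index([roll() for _ in range(5)])
        if idx not in wordlist:
            raise KeyError(f"index {idx} is missing from the (partial) word list")
        words.append(wordlist[idx])
    return " ".join(words)


def diceware_bits(n: int) -> float:
    """Strength in bits: log2(7776 ** n) = n * log2(7776), about 12.9 bits per word."""
    return n * math.log2(WORDS_PER_LIST)


if __name__ == "__main__":
    # Scripted rolls (constructed) that hit entries of the excerpt above.
    scripted = iter([4, 3, 1, 3, 6, 4, 3, 1, 4, 1, 4, 3, 1, 4, 5])
    print(diceware_password(3, SAMPLE_WORDS, roll=lambda: next(scripted)))
    print(f"6 words: {diceware_bits(6):.1f} bits")
```

With a full 7776-word list, `diceware_password(6, full_list)` draws from the real distribution; the excerpt here only serves to show the mechanics.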
Solution 4: Password managers
Password managers contain one password per online service, and copy/paste it automatically into the login field.
Caveats:
• such services are a target for hackers.
• what if the service gets hacked?
• what if the service leaks data?
• what if you forget your master password/lose access to the service?
Use the password manager of your browser. It’s bound to the physical device.
>2FA
Overview
• Account Hacking
• Secure Passwords
• Two Factor Authentication
• Summary
When a password is not enough
(Images: VectorPortal, © Ethan Hill; Mat Honan photo CC by-sa)
Mat’s story: reset password by credit card -> reset password by backup email -> reset password by backup email
Owen’s story: two‐factor authentication
>2FA
There should be at least 2 independent hurdles to access your data!
Def: Two-Factor Authentication
Two Factor Authentication (2FA) is a method of access control that allows access only if two independent codes (“factors”) are entered.
The first factor is usually a password. The second factor can come
• from an app on your phone (e.g., FreeOTP or Google Authenticator)
• from a phone call
• from an SMS
• from a passkey (see later)
• from a security key (FIDO security key)
>2FA
Caveats with two factor authentication
• Not all services support 2FA
• SMS can be intercepted
• With Apple’s two factor authentication, any linked device can generate codes => obtaining one device allows messing around with the others
>2FA
(Image: Public awareness campaign in Singapore)
Enable fall-back options!
(Image: Google)
Poor man’s fall-back: scan the 2FA barcode with the phone of a friend!
Never enable 2FA without a fallback. You risk getting locked out.
>2FA
Def: Passkeys
Passkeys are a method of authentication that does not require passwords, and that offers the same security as a password+2FA: The server sends an encrypted message (a “challenge”) that the client sends back decrypted. (In the actual protocol the client signs the challenge with a private key that never leaves the device, and the server verifies the signature with the matching public key.)
1. website (“server”) sends encrypted challenge
2. user provides biometrics/passcode
3. laptop (“client”) sends decrypted challenge
No passwords are involved. Two factors are: possession of laptop + biometrics.
Passkey is bound to a specific device.
Variant with a phone as client: the user scans a QR code with the phone, provides biometrics/passcode there, and the phone answers the challenge.
See websites that support passkeys
Protect your devices
Add the two hurdles also to your devices: possession + passcode
• Disable notifications on the lock screen.
• Enable passcodes on your laptop. Consider hard drive encryption, because otherwise the passcode is useless: the disk can simply be read from another system. Macs and Linux can encrypt the drive natively. Windows has BitLocker.
• Enable passcodes on your phone
  - passcode (cumbersome)
  - lock pattern (easy to copy: 60% of people can reproduce the pattern after seeing it once from 1m distance)
  - fingerprint (great, but can be extracted from a photo)
  - face id (can be tricked by a picture)
(Image: Apple)
Consider encrypting highly sensitive data additionally (e.g., with [1], [2]).
Never give away your phone
(Wall Street Journal, 2023-12-20)
If you give away your phone and show someone the code to unlock it, that person can
• steal the phone
• unlock it
• remove Find-My-Phone
• change FaceId to his face
• unlock banking apps etc.
• wire‐transfer money
• access your passwords stored on the phone
• access your pictures etc. and blackmail you
• erase the phone
• sell the phone
Main messages
• Your online accounts are your main gateway to online services, so they have to be protected
• Choose strong passwords
• Use the password manager of your browser
• Enable two factor authentication (but never without a fallback)
• Use passkeys wherever possible
Today is a good day to start!
->Security