The Basics of Data Security: Account Protection
CC-BY Fabian M. Suchanek
based on “A practical guide to Internet security”
Overview
• Account Hacking
• Secure Passwords
• Two Factor Authentication
• Summary
Damage by cybercrime
In 2017, 978 million people in 20 countries were affected by cybercrime.
• Having a device infected by a virus or other security threat (53%)
• Experiencing debit or credit card fraud (38%)
• Having an account password compromised (34%)
• Encountering unauthorized access to or hacking of an email or social media account (34%)
• Making a purchase online that turned out to be a scam (33%)
• Clicking on a fraudulent email or providing sensitive (personal/financial) information in response to a fraudulent email (32%)
=> Cybercrime victims globally lost $172 billion
[Norton Cyber Security Insights Report 2017 Global Results]
Damage by account hacking
Here, we concentrate on hacking email/social media accounts.
Protecting your account
Imagine the damage that can be done...
Protecting against hackers: risk = probability of the event (low) × damage (high)
If a hacker had access to your email, they could
• read all email you have ever written or received (bank, SO, ex,...)
• see all pictures attached to emails that you sent or received
• send emails in your name (e.g., to colleagues or clients)
• post messages in your name on Facebook
• lock you out of your Facebook account (by changing the password)
• lock you out of your email account
• close your email account, close your Facebook account
• mess up your blog
• gain hold of basically all other online accounts.
The main protection is your password.
Overview
• Account Hacking
• Secure Passwords
• Two Factor Authentication
• Summary
Popular passwords are bad
Most popular passwords [Time.com]:
123456, password, 12345, 12345678, football, qwerty, 1234567890, 1234567, princess, 1234, login, welcome, solo, abc123, admin, 121212, flower, passw0rd, dragon, sunshine, master, hottie, loveme, zaq1zaq1, password1
A hacker can simply try out all of these passwords.
Common words are bad
• love
• Love
• love you
• ...
• l0ve
• 1 l0ve y0u
• ...
A hacker can simply try out all words from a dictionary (“dictionary attack”).
Replacing letters by numerical counterparts is a known strategy => not safe
In 2006, 55% of MySpace passwords were crackable in 8 hours [Wikipedia]
After the September 11 attacks, the passwords of deceased employees were commercially cracked to allow using their work.
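Added example (not code from the slides): a password-acceptance check of the kind a site would run at sign-up, rejecting the two classes of weak password the last two slides describe: entries from a popular-password list, and dictionary words or phrases, including the “l0ve” / “1 l0ve y0u” variants, which it catches by undoing the digit-for-letter substitutions before comparing. The popular-password set, the tiny dictionary, the substitution table and the sample inputs are all constructed for this example; a real check would load a full breach-derived list.

```python
"""Reject passwords a dictionary attack would find quickly (added example).

The word lists below are constructed for illustration only (a subset of the
slide's Time.com list and a handful of dictionary words)."""

import re

# Constructed: subset of the popular passwords shown on the slide.
POPULAR_PASSWORDS = {
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "princess", "admin", "passw0rd", "dragon", "sunshine", "password1",
}

# Constructed: a real check uses a full dictionary.
DICTIONARY_WORDS = {"love", "you", "i", "welcome", "flower", "master"}

# Digit/symbol substitutions that password-cracking rule sets undo.
# (Which symbol maps to which letter is an assumption of this example.)
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and undo substitutions, so 'L0ve' becomes 'love'."""
    return password.lower().translate(LEET_MAP)


def is_dictionary_based(password: str) -> bool:
    """True if the password is a popular password, a dictionary word, or a
    phrase made only of dictionary words, before or after undoing the
    'append digits' and 'replace letters by digits' tricks."""
    raw = password.lower()
    if raw in POPULAR_PASSWORDS:
        return True
    # Rule 1 crackers apply: strip digits appended at the end ("love123").
    stripped = re.sub(r"\d+$", "", raw)
    # Rule 2: compare both the literal text and its de-substituted form.
    for variant in (stripped, normalize(stripped)):
        if variant in POPULAR_PASSWORDS:
            return True
        tokens = re.findall(r"[a-z]+", variant)
        if tokens and all(t in DICTIONARY_WORDS for t in tokens):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs; none is a real credential.
    for candidate in ["password1", "L0ve", "1 l0ve y0u", "love123", "xq7#Lm9!pR"]:
        verdict = "reject" if is_dictionary_based(candidate) else "accept"
        print(f"{candidate!r}: {verdict}")
```

The check is deliberately one-directional: it only needs to undo the transformations a cracker's rule set applies, because anything the rule set can reach from a dictionary word is as cheap to guess as the word itself.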
Def: Password strength
The number of possible passwords (combinations) of length n over k characters is k^n.
The password strength is often given “in bits” as the binary logarithm of the number of possible combinations.
Example: 10 letters a-z = 26^10 combinations (0.1 quadrillions).
Password strength: log2(26^10) ≈ 47 bits
Short passwords are bad
A hacker can simply try out all combinations:
combinations = characters ^ length
Example: 10 digits = 10 billion combinations.
A PC can do 100m combinations per second => we need only 1.5 minutes to break it
Example: Uber sends out a 4 digit code to verify an account. Generate 1m account requests, verify 100 of them just by chance.
Try it out! (But not with your real password!)
But is there not a time limit? Yes, but maybe not for all access paths (Zoom).
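Added example (not code from the slides), serving the password-strength definition and the short-passwords slide together: it computes combinations = characters ^ length, the strength in bits as the binary logarithm of that number, the worst-case time of an exhaustive search at the slides' assumed rate of 100 million guesses per second, and the expected number of lucky hits in the 4-digit-code example. It also contrasts the offline time with the time the same search would take through a login path that enforces a per-account rate limit, which is the point of the “time limit” question. The character-class sizes, the guess rates and the sample passwords are assumptions made for this example.

```python
"""Password strength in bits and brute-force time (added example)."""

import math
import string

OFFLINE_GUESSES_PER_SECOND = 100_000_000  # the slides' "100m combinations per second"


def alphabet_size(password: str) -> int:
    """Size k of the character set an attacker must search, assuming they know
    which character classes the password draws from (class sizes are an
    assumption of this example: 26 lower, 26 upper, 10 digits, 33 symbols)."""
    classes = [
        (set(string.ascii_lowercase), 26),
        (set(string.ascii_uppercase), 26),
        (set(string.digits), 10),
        (set(string.punctuation + " "), 33),
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def combinations(k: int, n: int) -> int:
    """Number of possible passwords of length n over k characters: k^n."""
    return k ** n


def strength_bits(k: int, n: int) -> float:
    """Password strength in bits: log2(k^n) = n * log2(k)."""
    return n * math.log2(k) if k > 0 and n > 0 else 0.0


def brute_force_seconds(k: int, n: int, rate: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination at `rate` guesses per second."""
    return combinations(k, n) / rate


def expected_lucky_guesses(code_length: int, attempts: int, alphabet: int = 10) -> float:
    """Expected successes when one random guess is submitted against each of
    `attempts` independent numeric codes (the slides' 4-digit-code example)."""
    return attempts / combinations(alphabet, code_length)


def describe(password: str, online_guesses_per_minute: float = 5.0) -> dict:
    """Summarise one password: k, n, bits, offline search time, and the time the
    same search takes through a login path limited to a few guesses per minute
    (the limit value is an assumption; the contrast is the point)."""
    k, n = alphabet_size(password), len(password)
    return {
        "k": k,
        "n": n,
        "bits": round(strength_bits(k, n), 1),
        "offline_seconds": brute_force_seconds(k, n),
        "rate_limited_seconds": brute_force_seconds(k, n, online_guesses_per_minute / 60),
    }


if __name__ == "__main__":
    # Constructed sample passwords; none is a real credential.
    for pw in ["1234567890", "loveyou", "xq7#Lm9!pR"]:
        print(pw, describe(pw))
    print("expected hits with 1m random 4-digit guesses:", expected_lucky_guesses(4, 1_000_000))
```

Running it reproduces the slides' figures (10 digits: 10 billion combinations, 100 seconds at 100m guesses per second; 10 letters a-z: about 47 bits) and shows why a rate limit only helps if every access path enforces it: the rate-limited column is orders of magnitude larger than the offline one for the same password, but an attacker will use whichever path lacks the limit.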
Personal information is bad
According to Google:
• Pet names
• A notable date (wedding, b’date)
• A family member’s birthday
• Your child’s name
• Another family member’s name
• Your birthplace
• A favorite holiday
• Your favorite sports team
A hacker can find this information in social networks.