InfoSec Essentials: Passwords

Posted by Theodore on Tuesday, September 09, 2014 with No comments
Passwords: Who needs them?
How many keys do you carry with you every day? Personally, I hold about 5-7 regularly (home, office, car), not counting any remote controls such as the garage or car alarm. Why is this? Why don't we have a single key that opens every lock? I believe that all of you can deduce the answer. The same is true of passwords. Passwords are the digital keys that let us access what is ours: our e-mail, our bank account, our files in the cloud.
Would you ever give the keys of your house to a stranger? If the obvious answer is no, then why write your password in your journal or even on a post-it on your monitor? It's like hiding your keys under the doormat.

P4s$w0rd-c()Mp1exiTy
Why on Earth should I create a 10-character alphanumeric password? The key example also works here. How would you feel if the lock of your home could be picked with a screwdriver or even a hairpin? Key complexity is analogous to password length and character composition, so stop whining when you read the password rules and build some strong passwords for your accounts.
Earlier this year SplashData published a list of the 25 worst passwords of 2013. You should notice that out of the 25 entries, none fulfills the basic requirements of a strong password. I would say that most of them don't even qualify as weak.
Trivia: Back in the 90s the four most common passwords were sex, God, love and secret.
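To make the length-and-composition rule concrete, here is a small policy checker added as an example for this post (not code from the original article). It estimates the brute-force keyspace from length and the character classes actually used, then checks the password against a blocklist after undoing common leet substitutions, so that the heading's own "P4s$w0rd" is still caught as "password". The blocklist and the substitution table are constructed assumptions, not the SplashData list itself.

```python
import math
import string

# Constructed sample blocklist (assumption for this example): a few entries in
# the spirit of SplashData's "worst passwords" lists plus the 90s favourites
# named in the post. A real deployment would load a large breach-derived list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "iloveyou", "letmein", "monkey", "sex", "god", "love", "secret",
}

# Leet substitutions that cracking rule sets undo automatically; mapping them
# back shows that "P4s$w0rd" buys nothing over "password".
LEET = str.maketrans({"4": "a", "@": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})

CHARSETS = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
]


def classes_used(password: str) -> list:
    """Names of the character classes that actually appear in the password."""
    return [name for name, cs in CHARSETS if any(c in cs for c in password)]


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force work: length * log2(alphabet size), where the
    alphabet is the union of the classes used. 8 lowercase letters give ~37.6
    bits; 8 characters drawn from all four classes give ~52.4 bits."""
    used = set(classes_used(password))
    alphabet = sum(len(cs) for name, cs in CHARSETS if name in used)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, min_length: int = 10, min_classes: int = 3):
    """Apply a simple policy; return (ok, reasons) so callers can explain."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    used = classes_used(password)
    if len(used) < min_classes:
        reasons.append(f"uses {len(used)} character class(es), need {min_classes}")
    # Compare both the raw lowercase form and the de-leeted form against the list.
    if {password.lower(), password.translate(LEET).lower()} & COMMON_PASSWORDS:
        reasons.append("matches a common password (leet substitutions do not help)")
    return (not reasons, reasons)
```

Note that the keyspace estimate alone would rate "P4s$w0rd" above an 8-letter lowercase string, which is exactly why the blocklist check must run as well.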

Multi Factor Authentication
Multi-factor authentication (MFA) is an approach to authentication that requires the presentation of two or more of the three independent authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur. The most common implementation of MFA is two-factor authentication, offered by various services on the web such as Google, Apple, eBay, Evernote etc. There are various tutorials on the web to assist you in enabling this feature; just use your favorite search engine.

Never take candies from strangers or “fear the Danaans, even those bearing gifts”
Do you remember your parents advising you not to take gifts from strangers? The same applies to cyberspace and is not restricted to children. Fake emails are the most common vehicle for a type of attack called social engineering, used to collect information or as an easy way to spread malware. The attacker sends bulk emails to the victims, commonly with an attachment that hides the true nature of the message. Most companies try to train their users not to trust emails that pretend to come from a legitimate source and ask them to share personal/private information or PIN numbers, but despite the awareness campaigns, many users still fall victim to this malicious practice. So please stop opening those funny video links from unknown senders and the "!!!FREE GIFT!!!" you never asked for, and stop sending your account number and e-banking password to the bank via email; no one but the attacker cares for this info. Sometimes all the attacker seeks is email addresses in order to launch a spam campaign. By forwarding e-mails like "..mail this to all your friends to reach total happiness..." or "unless you forward this message bad luck will fall upon you..", collectively known as chain letters, you just help the attacker, so please stop forwarding these emails to your entire contact list.