Password security and authentication systems

The challenge in coming up with strong passwords is creating something memorable but which is not obvious. On top of this, unique passwords are usually defined by a mixture of uppercase and lowercase letters, numbers, and symbols that help improve password strength. So, the chances of remembering them at the time you actually need to use passwords are low. How many times have you had to carry out a password reset after several login attempts because you thought you’d remember a particular password, or you thought Google Password Manager had stored it? As infuriating as it is to keep coming up with new and more complex passwords using special characters in line with password policy, it’s key to protecting your user accounts and personal information.

With security breaches of major websites and social media platforms on the increase, it’s also important not to re-use passwords even though many of us do. If you re-use passwords, all it takes is one phishing incident when you inadvertently click on a malicious link and all your online accounts could be at risk, You can check whether your go-to password has been exposed in a data breach on various sites (or check the strength of any potential new password) but really you should never duplicate a password. A duplicated password is already within the ranks of weak passwords.

Passphrases are potentially more memorable than passwords when it comes to authentication. By coming up with a sentence that makes sense to you, you can increase your password security and hopefully remember the sentence more easily than a random string of numbers, letters, and symbols. If the sentence only makes sense to you, it also protects the passphrase from brute force attacks. This is when hackers take a trial-and-error approach at guessing your login info. But if you know that you use similar words or phrases across accounts, this could lead to your accounts being vulnerable to brute force attacks as a pattern will emerge if the passwords and phrases are only slightly different. Keep all passwords and phrases completely different and consider changing them on a fairly regular basis.

The question then arises, “How to keep track of usernames and passwords?” Keeping track of all your usernames and passwords can be as simple as writing them down in a logbook. However, you should never carry a logbook around with you in case you lose it and risk all your accounts being broken into. Most people accept that online password managers provide an easy way to access your security details at any time, anywhere (just make sure you’re using a secure WiFi connection).

You’ve played your part in ensuring you have a secure password but how do the various websites and platforms you use establish authentication processes that are protected?

Transport Layer Security (TLS) is the successor of Secure Sockets Layer (SSL), a cryptographic protocol which provides communications security over a computer network. It’s mainly used in applications such as email, instant messaging, and voice over IP, but its use as the security layer in HTTPS is the most publicly visible. This is when you see the padlock icon displayed in the web browser when carrying out a transaction or accessing confidential material.

Encryption is good enough for protecting information communicated between a browser and a server, but hashing is a basic requirement of strong and secure password storage. This creates what are known as hashed passwords instead of a password database storing the actual passwords themselves which can be hacked. Passwords stored in a readable form are referred to as cleartext – obviously this is the least secure format and is to be avoided completely.

What exactly is hashing?

A truly secure authentication process for an online account requires the hashing of a password. When a password is typed in by a user, a hashing algorithm creates an output which is known as the password hash. It’s easy for the authentication system to compute the hash but near impossible to revert to the original input if only the hash value is known. You also can’t create an initial input with the aim of attaining a specific output. This is where hashing differs from and is more secure than encryption as it is a one-way mechanism. 

Hashed passwords cannot be unhashed but encrypted data can be unencrypted. Commonly used hashing algorithms include Secure Hash Algorithms (SHA) like SHA-256, which is the mining algorithm of the Bitcoin protocol.    

Why is SSO popular?

Single sign-on (SSO) is an authentication protocol which provides a hassle-free user experience as less time is spent re-entering passwords for the same identity. SSO means apps can integrate with PayPal for example. When SSO is set up between multiple identity providers, it’s referred to as federation. 

Although SSO has had its detractors over the years, an SSO implementation based on federation protocols generally improves security, reliability, implementation, and end-user experiences.  

What is multi-factor authentication?

Multi-factor authentication (MFA) means that even if hackers have your passwords, they will still have hurdles to jump to get into an account. 

The authentication protocol for MFA requires the presentation of two or more pieces of evidence. This could be something only the user knows (knowledge), something only the user has (possession), or something only the user is (inherence). 

MFA includes two-factor authentication which requires a second factor to be confirmed. Usually this comes in the form of a randomly generated one-time passcode (OTP) being sent to a mobile phone or email account depending on what your primary device is. The code is then only usable for a short period of time. This is commonly used in financial services alongside authenticating tools like card readers.

What authentication protocols do Microsoft and Apple use?

Biometrics are increasingly used as authentication methods in access control, including the use of fingerprints, iris recognition, voice recognition, and even typing speed. The functionality of devices like Macbooks and iPhones have been updated in recent years to include Touch ID and Face ID allowing users quicker access without typing passwords.

Microsoft has recently completely removed the need for a password to log on to its apps and services. Instead, an authenticator app called Windows Hello provides a multi-factor device unlock that uses a combination of PIN and facial recognition or fingerprint. It can also use what is known as the “trusted signal” as a second unlock factor by authenticating your Bluetooth, IP configuration, or WiFi connection.

Careers in cyber security

Our lives have become ever more reliant on our online connection to work, family, and the wider world. With that, our need for robust cybersecurity and authentication methods several steps ahead of hackers has become more pressing. 

An MBA Cyber Security from North Wales Management School will equip you with all the latest cryptography knowledge and help keep you at the cutting edge of access control. Find out more about applying now to future-proof your career.