#6. Passwords, cross and delight

By Marcello Fausti

Passwords (or keywords), together with the user-id or username, form the authentication credentials, that is, the authentication device universally used to access online services. As we know, the username is usually stable, while the password must change with some frequency. Now, let’s focus on passwords for a moment: why are they both a cross and a delight?

Well, because the fight against passwords is a war we wage whenever we need to move through the complex digital world. There are two types of people: those who don’t care and use the same password on every website they are registered to, and those who take this issue damn seriously and unleash, in all its glory, our natural tendency to complicate our lives. The first group is made up of people who don’t want any hassle and think that using different passwords for different websites is just a waste of time. Generally the passwords they use have to do with their own name, with the birth dates of their children, with a numerical sequence like 12345 or with a string of characters like forzasquadradelcuore. Their practical nature leads them to think: “anyway, if someone wants to get into my mailbox, a password won’t stop them”, and so it is better to keep things simple and avoid hassle.

Then there are those who belong to the second group. These gentlemen are so conscientious that they not only use a different password for each website they are registered to but, whenever possible, they activate the second authentication factor and, dulcis in fundo, they neatly record their credentials in a password manager, i.e., one of those tools that protect your passwords using advanced data encryption algorithms. Generally, password managers are reliable and well-protected tools and make it very difficult for credentials to be stolen. They usually also require a rather long and complex master password and an additional PIN. In short, they are a kind of safe that opens with a very complex combination, which makes fraudulent access unlikely but also makes life quite complicated for the rightful owner of the passwords it contains. Usually everything goes smoothly, but if you forget the master key (the key to the safe) the tragedy assumes biblical dimensions. Even the second authentication factor (which greatly increases the level of protection of access to online services) can pose several problems, for example when you change your smartphone and need to reconfigure the generation of the numerical codes produced by one of the various authentication apps available on the market (e.g. Google Authenticator and MS Authenticator).

The goal of cyber criminals is to steal credentials for accessing websites or computing systems from their rightful owners, and to do this they try to get targets to download malicious software onto their PCs. This is a crucial fact: credentials are the key to accessing the data that is the digital economy’s most valuable asset, the element that must be protected and valued at the same time, the fuel that makes everything run.

According to the October 2020 report of the Clusit Observatory[1], attacks carried out using phishing and social engineering techniques grew by 26% over the previous year, and the most affected sectors were healthcare, mass retail, and online services and cloud.

Now, let’s get to the crux of the problem. Credentials are essential because applications and systems need to recognize who is trying to connect, both to verify the right to access and, where appropriate, to authorize the use of a well-defined set of features. We have seen that managing password-based authentication in a reasonably secure way is complex and, on the other hand, that constructing a sufficiently strong password is not at all trivial. The combination of these two facts makes the topic really difficult to manage.

Let’s come to the construction of a secure password. A password is as secure as it is resilient to brute force attacks, i.e., those attacks that try to guess the content of a password by means of purpose-built automated tools[2] that examine all theoretically possible combinations. The strength of a password depends on its composition, that is, the type of characters it is made of (upper and lower case letters, numbers, special characters) and its length. The longer a password is, and the larger the set of characters it draws from, the longer it takes to find the right combination. A short password composed of a very limited set of characters can be found in a few milliseconds; a long password composed of a large set of characters can take years to find (even in the order of thousands). We must also consider that the times we have mentioned depend on a third factor: the power of the processing tools used to execute the brute force algorithm, which, as we know, is constantly growing. This means that our passwords become less secure as time goes by and that, in order to maintain their level of robustness, it is necessary to progressively increase their complexity.

A variant of the brute force attack is the “dictionary” attack, which tries to guess a password by examining a finite number of terms contained, in fact, in a dictionary included in the kit used to carry out the attack. The goal is to reduce search time by counting on the fact that most people tend to use passwords that are easy to remember: as we saw, their own name, that of loved ones, or dates of birth. There are dictionaries that contain millions of commonly used passwords, and it is good practice to include these same dictionaries in website registration systems and in password change systems, so that the new password cannot contain sequences of characters that a dictionary attack would find easily.
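The two ideas above, the search space an exhaustive attack must cover and the dictionary check at registration time, can be combined into one registration-side check. The following is an added example, not code from the original article: the blocklist is a constructed five-entry sample standing in for a real list of millions of common passwords, the guess rate of 1e10 per second is an assumption, and the ten-year threshold is an arbitrary policy choice; raising the rate shows how growing computing power shortens the estimate for the same password.

```python
# Constructed sample of commonly used passwords; a real registration system
# would load a full list of millions of breached or common passwords.
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "forzasquadradelcuore"}

SPECIALS = "!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ "

def normalize(password: str) -> str:
    """Lowercase and strip trailing digits/symbols so 'Password123!' matches 'password'."""
    return password.lower().rstrip("0123456789" + SPECIALS)

def is_common(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """Dictionary check: the password or its normalized form is on the blocklist."""
    return password in blocklist or normalize(password) in blocklist

def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set covering every symbol used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    return size

def brute_force_seconds(password: str, guesses_per_sec: float) -> float:
    """Worst-case time to enumerate the full search space at the given rate."""
    return alphabet_size(password) ** len(password) / guesses_per_sec

def assess(password: str, guesses_per_sec: float = 1e10) -> dict:
    """Registration-time check: reject common passwords, then estimate resistance
    to exhaustive search; 'acceptable' requires more than ten years at the rate
    (assumed policy threshold for this example)."""
    secs = brute_force_seconds(password, guesses_per_sec)
    years = secs / (365 * 24 * 3600)
    return {
        "common": is_common(password),
        "alphabet": alphabet_size(password),
        "years": years,
        "acceptable": not is_common(password) and years > 10,
    }

if __name__ == "__main__":
    for pw in ("12345", "Password123!", "abc", "Tr0ub4dor&3"):
        print(pw, assess(pw))
```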

In short, we are faced with an authentication device that is inherently weak unless we significantly increase its complexity, which in turn significantly increases its management burden. Recently, moreover, the second authentication factor has been introduced in many areas, certainly in banking, where it has become mandatory under the PSD2 regulation[3]. We have also seen that managing it is not entirely simple and in some cases also involves additional costs.

One possible way out will come from the evolution of technology, which will make it possible to fully implement the classic authentication model[4], which provides three levels of increasing complexity, based on:

  • “A thing you know”, i.e., a password or a PIN;
  • “A thing you have”, for example, a smartphone or the code-generating key fobs used until some time ago for remote banking systems;
  • “A thing you are”, for example, any biometric data (fingerprint, face, iris, voice print) that can be processed within an authentication procedure.

In particular, today, on some smartphones it is possible to replace the first and second levels of the model just described directly with an implementation of the third level: facial recognition. Perhaps you have already seen it or used it: with the latest generation of high-end smartphones, it is possible to replace the traditional type 1) and 2) access with a type 3) access based on face recognition. It is a measure enabled on almost all remote banking apps and on many apps that store personal and credit card data. Let’s see how it works and why, at the moment, it is only usable on high-end smartphones.

First of all, biometric access doesn’t completely replace password access and second factor authentication. Normally, the first authentication is done through these two methods and then, when the user’s identity is established, the app allows you to replace these two methods with a third one, namely face recognition. From now on, in order to access the app or to confirm its most critical functionalities (such as making a transfer in a mobile banking app) you just need to frame your face and that’s it.

Who manages the biometric data? In reality, the code resulting from facial recognition is tied to your smartphone and not to the individual apps that use it. First you have to enable facial recognition on your smartphone, and then the apps you have installed can use it. The initial result of the facial scan, i.e., the reference that will be compared every time an app asks to verify whether an access is legitimate, is stored in a hardware chip inside the smartphone. Thus, our identity is tied to the smartphone, i.e., “a thing you have” and thus type 2), and is based on face recognition, i.e., “a thing you are” and thus type 3). The apps, once the first authentication is done using the procedures of type 1) and 2), can associate that identity with face recognition. From that moment on, every time the user’s identity needs to be verified, the app will ask the smartphone to perform the face recognition and in response it will receive an ok (if it’s us) or a ko if the face is not recognized.

This mode can be activated only on smartphones that are equipped with a chip that can store the identity safely[5] and have a camera suitable for face recognition and, therefore, only on high-end smartphones. The same reasoning applies to PCs.

All this while we wait for this technology to develop and make new secure methods available, so that type 3) authentication can also be adopted on smartphones and PCs of a lower range than those on which it can be activated today.

Authenticator app. An app that generates codes valid as a second authentication factor for a specific website. It requires a configuration procedure for the website in the app, which is usually done by framing with the smartphone camera a QR code provided by the website, which contains the key used to generate the codes.

Brute force. The brute force method (or exhaustive search) denotes an algorithm that checks all theoretically possible solutions until the correct one is found. Its main advantage is that, in theory, it always finds the correct solution; on the other hand, it is always the slowest or most expensive solution.

User code (user-id). It is the code that allows an application or a website to uniquely recognize the user who is connecting. Usually, authentication systems link to the user-id a series of functional characteristics (profiling) that allow the website to show the user a series of personalized pages.

Authentication credentials. These are composed of a user code and password combination and are the minimum information needed to access a website.

Hash. Hash functions map any input string A to a string B (fingerprint) of constant length, regardless of the size of A. Basically, a hash function “fingerprints” a text, but from this fingerprint it is computationally infeasible to recover the initial text.

Hashcat. It is, arguably, the “world’s fastest” password recovery software. Its code was proprietary until 2015, but it is now released as “free software”. Versions are available for Linux, OS X, and Windows. Its peculiarity lies in the fact that, for attacks, it allows you to take advantage of the computing power of graphics processors (GPU), in addition to the more classic CPU.

Hydra. It is the tool par excellence when it comes to carrying out brute force attacks, especially if the target is a remote authentication service. It is very powerful and supports over fifty protocols, including telnet, ftp, http, https, and smb.

Digital Identity. In a broad sense, it is the set of information present online in relation to a given subject. In a narrower sense, digital identity is divided into two parts: the actual identity and the credentials that each person possesses (the attributes of that identity). Identity (username) and credentials (passwords or more complex devices) are the key to access all the information about us that is stored online.

John the Ripper (JTR). It is an open source software that enables dictionary or brute force attacks. It also automatically detects, from the hash, the hashing algorithm used. It is available for every operating system, Windows, Linux and macOS, and can be downloaded for free from the OpenWall website, although there is a paid pro version.

PSD2 (Payment Services Directive 2). It is a European directive that regulates payment services and payment service providers within the European Union.

Second authentication factor. It is usually a six-digit numeric code that websites supporting this mode request after the authentication credentials have been entered correctly. In this case, the website you are accessing requires you to enter a numeric code to complete the authentication. The numeric code can be sent to the user via SMS or generated by the user via an authenticator app configured to generate codes for the specific website. This mode increases security during authentication because, even if the authentication credentials were stolen without the knowledge of the legitimate owner, the second factor (necessary to complete the authentication procedure) would be delivered to the smartphone that is presumably still in the possession of the legitimate owner.
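The six-digit codes described in the two glossary entries above (Authenticator app and Second authentication factor) are produced by the time-based one-time password algorithm, TOTP (RFC 6238), from the key that the website puts in the QR code. The following is an added example, not code from the original article: it assumes the common 30-second step and HMAC-SHA1, uses the RFC 6238 test secret as a constructed sample key, and shows both the phone side (code generation) and the website side (verification with a small tolerance for clock drift).

```python
import base64
import hmac
import struct
import time
from typing import Optional

# The shared secret is what the website encodes in the QR code the authenticator
# app scans. This value is the RFC 6238 test secret, Base32-encoded the way
# otpauth:// URIs carry it (constructed for this example, not a real key).
SHARED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30  # Codes change every 30 seconds, as in common authenticator apps.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6) -> str:
    """TOTP (RFC 6238): the HOTP counter is the number of 30-second steps elapsed."""
    now = int(time.time()) if at is None else at
    return hotp(base64.b32decode(secret_b32), now // STEP_SECONDS, digits)

def verify(secret_b32: str, submitted: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Website-side check of a submitted code. Accepts +/- `window` steps to
    tolerate clock drift between phone and server, and compares in constant
    time so the expected value is not leaked through timing."""
    now = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * STEP_SECONDS).encode(), submitted.encode())
        for d in range(-window, window + 1)
    )

if __name__ == "__main__":
    # The phone computes the code; the website verifies it with the same secret.
    code = totp(SHARED_SECRET_B32)
    print("code:", code, "accepted:", verify(SHARED_SECRET_B32, code))
```

Because the website and the phone share the same key, nothing is transmitted other than the six digits, and a code that is replayed outside the drift window is rejected.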

Trusted Platform Module (TPM). It is a chip contained within the latest generation of smartphones (but also PCs) that can securely maintain the biometric information used for user authentication.

Username. The user’s identifying name that is normally visible, as opposed to a password.

[1] https://clusit.it/rapporto-clusit/

[2] Hydra, Hashcat, John the Ripper (JTR) (see Glossary).

[3] PSD2 is a European directive that regulates payment services and payment service providers within the European Union.

[4] NIST SP 800-63

[5] TPM – Trusted Platform Module (see Glossary)

Read the other articles in the series Piccolo glossario dei concetti e dei termini della cybersecurity (A small glossary of cybersecurity concepts and terms):

#1. What is cyber risk and how is it managed

#2. What are the main threats? And how can you protect yourself?

#3. What are the most dangerous attack vectors?

#4. What are the main attack techniques?

#5. More on attack techniques.