W9: Flashcards
Credentials:
Identification: the claimed identity (e.g. a user ID)
Association: the link between that claimed identity and the person or entity presenting it (e.g. a password only that person knows)
Authentication:
Verifying the identity, which implies that the association is valid
Authorization is…
giving someone permission to do or to access something
ex. access to a system/network, a directory/folder, to read and/or write a file
“least privilege” principle:
grant only the minimum authority needed
Where high-level authority is needed, e.g. to reset a password, wrap it inside a program/script that inherits the needed authority but restricts the actions it can perform and their effects.
Minimum THREE user IDs:
- one for the development system (all authorities)
- one for the production server (read-only authority)
- one used only for admin and security work
What is authorization?
4 points
Permission = access rights = authorization
Windows: right-click the object, select Properties, click the Security tab
*nix: chmod command (view the current permissions with ls -l)
OS security controls the ability of users to view, change, navigate, and execute the contents of a file system
Browser security:
HTTPS is needed for sign-on
Domain Validation (DV) certificate: proves control of the domain name only, not who owns it
Privacy/security DNS resolvers block malware, botnet and other malicious domains
EFF's Privacy Badger blocks invisible trackers
EFF's Panopticlick online tracking test
What are the most common methods of cracking?
Social engineering, weak passwords
Social Engineering
You are your own security hole when you post your life on the internet
Spear phishing has a 35% success rate
Social media makes it easier to guess credentials, answer security questions, pretend to be you when calling the help desk, and commit identity theft
Weak passwords
Weak passwords are not unique: commonly used and/or reused
- 25 passwords used in 10% of accounts
- 10,000 passwords used by 30% of users
Humans do not create random values, so brute-force cracking is unnecessary: trying a list of common passwords is enough
Forget/Recover your password
"I forgot my password" relies on the strength of your email account's security and its password
Security question recovery: not recommended
- Easy to hack by Googling you and reading your social media
Security Questions Defence:
Answer every security question with a Diceware passphrase (stored in your password manager), regardless of what the question asks
Bad password rules:
Length: min and max -> both too short
Strength: alphA + digits + symbols (5?#80!$) -> too cryptic
Not in dictionary -> too cryptic
Expiry: periodic change -> too often
Password defense
Long length beats cryptic strength
Password managers
unique, long, strong, random-character password per account
Must remember only one long master passphrase
ex. 1Password, LastPass
Diceware Passphrase
Long, memorable passphrase made of random words
Roll five dice to get a five-digit number (each digit 1-6) and look up the matching word in the Diceware list. Do it six times. Good for password-manager master passphrases and for security-question answers
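The dice-roll lookup described above, as an added example that is not part of the original flashcards. The real Diceware list has 7776 words keyed by five dice ("11111" to "66666"); to stay self-contained this example uses a constructed, scaled-down list of 36 words keyed by two dice, so the entropy figures for the small list are lower than for the real one (the entropy_bits helper shows both). The secrets module stands in for physical dice; the list and the word choices are assumptions made for the demo.

```python
import math
import secrets

# Constructed, scaled-down word list: two dice per word gives 6**2 = 36 keys
# ("11".."66"). The real Diceware list uses five dice and 7776 words.
DICE_PER_WORD = 2
WORDS = [
    "acorn", "badge", "cabin", "delta", "ember", "fable", "gamma", "hinge",
    "ivory", "jelly", "kayak", "lemon", "mango", "noble", "olive", "pixel",
    "quilt", "river", "salsa", "tulip", "umbra", "vivid", "waltz", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dusty", "eagle", "flint",
    "gecko", "haven", "igloo", "joker",
]
assert len(WORDS) == 6 ** DICE_PER_WORD


def build_table(words, dice_per_word):
    """Map every possible dice roll ("11", "12", ..., "66") to exactly one word."""
    table = {}
    for index, word in enumerate(words):
        key, n = "", index
        for _ in range(dice_per_word):
            key = str(n % 6 + 1) + key   # base-6 digits, shifted to 1..6
            n //= 6
        table[key] = word
    return table


TABLE = build_table(WORDS, DICE_PER_WORD)


def roll(dice_per_word=DICE_PER_WORD):
    """Roll the dice with a CSPRNG. Never use the random module for this."""
    return "".join(secrets.choice("123456") for _ in range(dice_per_word))


def passphrase(n_words=6, table=TABLE, dice_per_word=DICE_PER_WORD, sep=" "):
    """Roll, look up, repeat n_words times (the card says six)."""
    return sep.join(table[roll(dice_per_word)] for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Each word is one uniform pick from list_size options: log2(list_size) bits."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase())
    print("6 words, 36-word demo list:", round(entropy_bits(6, 36), 1), "bits")
    print("6 words, real 7776-word list:", round(entropy_bits(6, 7776), 1), "bits")
```

Six words from the real list give about 77.5 bits, which is why the passphrase can be long and memorable without any "cryptic" character rules; the strength comes from the uniform random choice, not from the words themselves.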
Third party authentication:
Not recommended: signing in to other sites with your Google/Facebook account.
The site will ask for access to your account: read the authorization permissions it requests before accepting
2FA
Two factor Authentication
Adds a second check to password sign-on to guard against phishing and cracking
1. Something I know (user ID, password, PIN)
2. Something I have (phone, bank access card)
PIN stands for
Probably Insecure Number
4-digit PIN = 10,000 possibilities
dates are commonly used
3FA
Three Factor Authentication
Most secure and most expensive
- Something I know (id, password, pin)
- Something I have (phone, dongle, bank/credit/access card)
- Something I am (iris scan, fingerprint, face)
Better password policies
User ID: not the email address or the user's name
Passphrase is 14-64 characters long
No complexity rules: allow all characters, including space
Storage: salted and hashed with a standard library implementation of Argon2id or scrypt (never plaintext or reversible encryption)
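The policy and storage rules above, and the "common password list beats brute force" point from the weak-password card, as one added example that is not part of the original flashcards. It uses hashlib.scrypt from the Python standard library (Argon2id needs a third-party package), with a per-user random salt, the cost parameters encoded in the stored string so they can be raised later, and a constant-time comparison. The cost parameters, the stored-string format, the policy messages and the short list of common passwords are constructed for this demo.

```python
import base64
import hashlib
import hmac
import secrets
import unicodedata

MIN_LEN, MAX_LEN = 14, 64
# Assumed cost parameters: N=2**14, r=8, p=1 uses 16 MiB per hash. Raise N on
# real hardware until one hash takes tens of milliseconds.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Constructed sample of frequently used passwords for the cracking demo
COMMON_PASSWORDS = ["123456", "password", "123456789", "12345678", "qwerty",
                    "abc123", "111111", "iloveyou", "letmein", "admin"]


def check_policy(user_id: str, passphrase: str) -> list:
    """Return the list of violated rules; an empty list means accepted.
    Length is counted after Unicode normalisation so 'é' is one character
    whether it was typed composed or decomposed."""
    problems = []
    if "@" in user_id:
        problems.append("user id must not be an email address")
    length = len(unicodedata.normalize("NFC", passphrase))
    if length < MIN_LEN:
        problems.append(f"passphrase must be at least {MIN_LEN} characters")
    if length > MAX_LEN:
        problems.append(f"passphrase must be at most {MAX_LEN} characters")
    # Deliberately no character-class rules: spaces and any Unicode are fine.
    return problems


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_passphrase(passphrase: str, salt: bytes = None) -> str:
    """scrypt with a fresh 16-byte random salt; parameters travel with the hash."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(dk)])


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def crack_with_wordlist(stored: str, wordlist) -> str:
    """What an attacker does with a leaked hash: no brute force, just the
    common list. Returns the recovered password or None."""
    for guess in wordlist:
        if verify_passphrase(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    weak, strong = "123456", "correct horse battery staple"
    print("policy:", check_policy("alice", weak) or "ok")
    print("weak recovered:", crack_with_wordlist(hash_passphrase(weak), COMMON_PASSWORDS))
    print("strong recovered:", crack_with_wordlist(hash_passphrase(strong), COMMON_PASSWORDS))
```

The salt is what stops one precomputed table from covering every user, and the slow hash is what makes even a short common-password list cost the attacker real time; neither helps a user whose password is on that list, which is the case the 14-character minimum and the Diceware advice address.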
Just say no to passwords:
Web Authentication API (WebAuthn)
Authenticator: device or phone app, unlocked with a fingerprint
Security Approaches
Authentication: 2FA minimum
Authorization: Least Privilege principle
Systems: Zero trust architecture
Weak password stats:
25 passwords used in 10% accounts
10,000 passwords used by 30% users