Lecture 0
- Securing Accounts
- Security
- Defending Against Attacks
- National Institute of Standards and Technology (NIST)
- Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
- One-Time Password (OTP)
- Keylogging
- Credential Stuffing
- Social Engineering
- Phishing
- Machine-in-the-Middle Attacks
- Single Sign-On (SSO)
- Password Managers
- Passkeys
- Summing Up
Securing Accounts
- This is CS50’s introduction to cybersecurity.
- Today, we will focus on the security of your accounts.
- Let’s begin by talking about security itself.
Security
- We might imagine security in the real world as a key to a physical lock.
- In the digital world, there are numerous building blocks to security.
- Authorization is the act of verifying that you are, indeed, the person who should have access to this account.
- Usernames are one way that you attest that you should have access to an account.
- Passwords are another way that you attest that you should have access to an account.
- The idea is that, theoretically, only you should be able to provide both a valid username and password.
- Dictionary attacks are one way that bad actors attempt to guess your password. Indeed, hackers may use a “brute-force attack” by trying lengthy lists of possible passwords to attempt to guess your password. Therefore, it’s very important you defend against attacks by having a very good password.
- When considering security, one should consider the tradeoffs between usability and security. A highly secure service may become less usable. Hence, as you consider your options for maintaining security, think about what makes the most sense for your use case.
Defending Against Attacks
-
Consider how many possible number combinations you could have if your password (for your phone or otherwise) was secured by only a four-digit password. There are 10,000 possible digits. Generally, we could consider the possibilities as follows:
10 x 10 x 10 x 10
Notice that, in the worst case, bad actors would need to attempt 10,000 possible passwords.
- We could attempt to represent this in code. VS Code is a development environment whereby we can write and execute code.
-
Consider the following code-based representation of the above problem:
from string import digits for i in digits: for j in digits: for k in digits: for l in digits: print(i, j, k, l)
Notice that this code, written in Python, iterates through each possible combination of numbers
- Executing
crack.py
in a terminal window (where we can issue commands to our computer), we can see that it takes only a few milliseconds for adversaries to produce all the possible passwords. - What would happen if we asked for a password that was four letters?
-
If we allow for both uppercase and lowercase versions of 26 letters, we could represent this mathematically as:
52 x 52 x 52 x 52
Notice we have over 7,000,000 possibilities.
-
We can modify our code as follows:
from string import ascii_letters for i in ascii_letters: for j in ascii_letters: for k in ascii_letters: for l in ascii_letters: print(i, j, k, l)
Notice that we invoke
ascii_letters
, which includes uppercase and lowercase versions of each letter. Similar to our previous program, this program iterates through all possible combinations. - Executing this code, we discover that it still does not take much effort at all for a hacker to discover all possible passwords.
- What would happen if we asked for a password that was four letters, numbers, or punctuations? We would have over 78,000,000 possibilities open to us!
-
We can modify our code as follows:
from string import ascii_letters, digits, punctuation for i in ascii_letters + digits + punctuation: for j in ascii_letters + digits + punctuation: for k in ascii_letters + digits + punctuation: for l in ascii_letters + digits + punctuation: print(i, j, k, l)
- Executing this code, we notice that it takes significantly longer to discover all possible passwords in the worst case.
- The most important takeaway from the above is that as long as we raise the bar for the adversary in terms of time, the less likely the adversary will have the time to crack your password. However, the difficulty for the user is that longer, more complex passwords take longer to type and are more difficult to remember. Therefore, there is a balance between security and usability.
National Institute of Standards and Technology (NIST)
- NIST issues recommendations on how to protect your accounts more effectively.
- You can use their recommendations and best practices in your own work and, perhaps, at your place of employment or business. Some of their recommendations include the following considering passwords (paraphrased for brevity):
- Memorized secrets should be at least eight characters in length.
- Verifiers should allow all printed ASCII characters and Unicode symbols up to 64 characters in length.
- Verifiers should compare prospective secrets against available dictionary words, repeat sequences, breached password lists, and context-specific words.
- Verifiers should not allow unauthenticated claimants to access password hints.
- Verifiers should not require periodic changes to passwords.
- Verifiers should limit the number of failed authentication attempts and lock out potential adversaries.
Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
- There are three components of multi-factor authentication.
- Knowledge: Something only you know.
- Possession: An item or device only possessed by an authorized user.
- Inherence: Only a factor you could obtain, like your fingerprint, face, or other biometrics.
One-Time Password (OTP)
- One could obtain a special key fob or device that provides one-time passwords.
- Frequently, OTPs are obtained from a device or app.
- Some of these OTP methods are more secure than others.
- Text-message-based OTPs can be quite easy to be fooled through SIM swapping, where an adversary obtains and clones a SIM card and gets access to your text messages.
- More secure are OTPs obtained from an app on a secure device, like an authentication app on your phone.
Keylogging
- Usernames, passwords, and OTPs are vulnerable to adversaries logging your keystrokes.
- Keylogging is accomplished by installing malicious software on a computer.
- Best to ensure you are only logging onto devices to which you only have access.
Credential Stuffing
- Another attack, credential stuffing, involves the use of an obtained list of usernames and passwords from a compromised website on another website.
- If you are using the same password on multiple websites, best to change them to unique passwords.
Social Engineering
- Rather than a technological attack, a social engineering attack involves the use of social pressure and trust to compromise your credentials.
- A person may pose as a trusted party to get your credentials or details about your life.
- Furthermore, adversaries may seek to find details about your life, like your pet’s name, etc.
Phishing
- Phishing uses social engineering in a technological way to obtain your credentials and details by posing as a trusted website.
- For example, you may be directed to something that looks like a Google login page but is, in fact, an adversaries page.
- Never blindly trust links provided in emails. Consider going to a web browser and directly typing a trusted URL there.
Machine-in-the-Middle Attacks
- Devices in between you and the source of the data you are downloading, such as routers and switches, can be compromised by very sophisticated attackers.
Single Sign-On (SSO)
- Since so many different services require so many varying password requirements and considering the advice offered earlier about never utilizing the same password for different services, there are many ways you can bolster your security.
- SSO allows you to use Google or Facebook logins to access services not provided by Google or Facebook.
- Therefore, you have the ability to easily access other services with less friction and greater security.
Password Managers
- A password manager is a piece of software that can manage complex passwords and save them for you.
- This allows you to not memorize the password.
- Further, many password managers will recognize phishing websites.
- Different from browser password-saving, which has been available for years, password managers are a separate piece of software that can provide your password in multiple services.
- The downside is that, effectively, you are “putting all your eggs in one basket.” You will need to remember one password to access all the other passwords.
Passkeys
- An emerging technology, passkeys are automatically generated passwords that leverage cryptography.
- Passkeys involve a public key and a private key. The public key is held by a service (such as a website), while the private key is held by your device.
- Passkeys will enable you to log in without the need to type in a password.
- However, to understand more about this technology, we will need to learn more about cryptography.
Summing Up
In this lesson, you learned about the tradeoff between security and convenience. You also learned about various attacks that can make you and others vulnerable. Finally, you learned about some ways by which to protect your login credentials. Specifically, you learned…
- There are tradeoffs between security and convenience.
- Generally, your behaviors and awareness are what make you more secure from digital adversaries.
- NIST provides guidelines relating to security.
- 2FA, MFA, and OTPs are some ways by which you can be more secure.
- Common attacks include keylogging, phishing, credential stuffing, and social engineering.
- You can enjoy further security by utilizing SSO or password managers.
- Passkeys, in the future, will offer even greater security.
See you next time!