Despite the existence of a number of advanced authentication mechanisms, such as Single Sign-On (SSO), different types of Biometrics, multi-factor authentication, etc., the use of passwords is still the most popular means of authenticating users. The need to generate, and hopefully to remember these passwords, has become even more demanding due to the rapid increase in the number of systems and online accounts being used. Best practice is that these passwords need to be as strong as the assets they protect, and password management applications are supposed to be the most straightforward solution for storing them safely. If you think about it for a moment, no one has ever actually taught you how to think when choosing a password. Due to the fact, it is generally considered a straightforward task, it is assumed that you actually know how to choose the appropriate password for protecting a particular asset (email, social media account, OS login, etc.). It comes without surprise to see people using easy to guess passwords, as they were never actually taught how to identify the individual purpose of a password before choosing one. Usually, the only requirement is to create a complex enough password based on some minimum requirements and ensure it can be remembered. A “complex enough” password can be the word “Password1" – it contains one capital letter, a number and is more than eight characters long. In reality, when this word is used as a password, it is considered extremely weak, as it is very common. Some people will add a symbol to this to make it a bit more complicated, such as adding an exclamation mark at the end of the word, but still is this password “complex enough”? Others prefer the sentence trick, which allows them for a far more complex password to be created as it generates a random word. For example, the sentence “The Cloud is not Secure” can be converted into a password by using only the first two letters of each word. Thus, the password ends up to being “ThClisnoSe” – a random set of characters, including lower and upper case letters. This word, in fact, does not exist in any known dictionaries and for that reason users who tend to use such passwords use it across all of their accounts. Unfortunately, when one of the accounts is compromised, because it was stored in a database that did not properly encrypt passwords, all other accounts are open to exploitation. Thus, the ideal use of a password is being able to have a different password for each account being used, which is not only complex enough but easy to remember, as well. My talk at Securi-tay V focuses on educating people how their individual personality, experiences and thought process can be used as a unique input when choosing a password. By following an algorithm based on the individual’s personality during the password generation thought process, it is possible to create not only different and complex passwords for each occasion but also make sure the password can be regenerated inside the individual’s brain on demand, without having to remember it. This password regeneration method might sound a bit complicated when trying to describe just an overview of the thought process in a few lines. Rest assured that during the presentation, the participants will have the chance to see the use of passwords from a different perspective, as well as be trained to use this regeneration method, based their own unique personality.
About the Author: Dr. Grigorios Fragkos (VP CyberSecurity at Sysnet Global Solutions) is responsible for the ensuring the security of mission critical systems offered by Sysnet to a wide range of high profile clients. Grigorios (aka Greg) has the challenging task of looking towards the emerging Cyber Threats and the future challenges of CyberSecurity by contributing his combined hands-on experience from advanced security services, penetration testing and security research. He has a number of publications in the area of Computer Security and Computer Forensics with active research in CyberSecurity and CyberDefence. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock
