Today’s organized criminals are focused on cybercrimes. For them, it’s pretty easy to download a program and start up a nice crypto-ransomware business or send out a few million phishing emails to crack a user’s credentials (account ID and password) and begin their nefarious activities. It’s pretty simple to find the tools for these endeavors. See for yourself. Go to Google and type in “Top 10 password crackers.” You can download such tools for free and get started attacking private accounts right away.
Passwords are how businesses ensure that only authorized users are accessing critical systems, apps or sites. It’s the first line of defense to keep the bad guys out. In our modern business environment most users have more than a dozen or so systems which they routinely need to access. An excess of 50 or more is not uncommon. It’s also common for workers to use their email address as their account ID. To keep things easy, your users may also use the same password for numerous accounts. This is not a good idea. If you use the same ID and password across multiple systems, once a hacker gets one of your passwords they can use it on all of the systems with the same ID. Even if your business systems are secure, what if an employee is using the same password for personal use as they do for work? I know I’ve done this before. It’s not uncommon for users to work from home using their own computer to access company resources. What if their personal computer is hacked? To really understand how important passwords are let’s go over how they work.
Hash Out the Problems
Passwords use hashing algorithms to generate a unique number. Think of a hashing algorithm as a machine. In one end you input any text or binary data. Out the other end you get a number, which is a certain length – let’s say 32 digits long for our example. The data you feed in can be any size, from a few bytes to many terabytes or larger. No matter what data you feed in, you get a 32 digit number (in this example) that uniquely represents the data.
What is amazing about a hashing algorithm machine is that if you feed something identical in you get the same 32 digit number. If you provide a four character password you get a 32 digit number. If you feed in a novel, you get a 32-digit number. But, if you change a single character in the novel you will get a completely different number. Hashing algorithms differ in the way they work and the most notable difference is the length of the number each one spits out. This is what makes reverse engineering impossible and why hackers need to guess what combination of characters are needed to get that 32-digit number.
Build a Better Password
A good approach to creating strong passwords is as follows. Each of your passwords should be 16 or more characters (I’ve noticed a lot of sites limit you to 20 characters) and contain a combination of numbers, symbols, uppercase letters, lowercase letters, and spaces (some sites also limit the characters you can use). The password should be free of repetition, any word you would find in the dictionary, usernames, pronouns, IDs, and any other predefined letter sequences. If that seems too complicated, there are tools out there to help you generate random and strong passwords.
If your password meets the above standard of 16 characters, it would take a hacker approximately 4trillion years to find your password.
This Complicates Things
Hackers use a number of techniques to guess or crack your password, according to Veracode, a leader in securing web, mobile and third-party applications for the world’s largest global enterprises. “They use special programs armed with dictionaries or known information about you to try combinations such as hobbies, pet names, date of birth, loved ones, birthplace and other associated words. As a last resort, they can use “brute force” automated programs that try every possible combination,” reports Veracdode.com.
A hacker using these tools can almost instantly decode any password less than eight characters as long as they somehow sniff or capture your encoded password being passed or stored at the host/client (i.e. your device). Today hackers have provisioned cloud servers to generate over 350 billion password guesses per second and that number will simply go up. Super computers have the capability to do over 90 trillion guesses per minute.
What Does This Mean?
The average hacker can still get several million guesses per minute but when groups organize and work together they might eventually reach trillions of guesses per minute. There is a mind boggling difference between a million and a trillion. As an example, the height of a stack of one million, one dollar bills would measure 358 feet – about the height of a 35 story building. The height of a stack of one trillion one dollar bills would measure 67,866 miles. This would reach more than one quarter the way to the moon. Try not to think about the fact that the national debt is over $19 trillion.
Regain Total Recall
Unfortunately, having a different password that meets the above standards for each application you access is not easy. Very few of us can come up with one, let alone remember 25 plus passwords that meet the requirements above. Also, some experts say that forcing users change their passwords frequently leads to weaker passwords. Users simply can’t remember all the passwords they need so they make all their passwords simple, or just as bad, they use the same password for everything.
So what can a company do to assure that their users are creating and using strong passwords? This is where single sign on (SSO) providers come in. SSO is a high-level term used to describe a scenario in which a user applies one set of credentials to access multiple domains. Simply put, you sign in one time with a single high-strength password and gain access to all the applications you are authorized to use. You no longer need to remember different passwords for each application you access.
SSO uses the Security Assertion Markup Language (SAML) protocol which is an Extensible Markup Language (XML) standard that allows a user to log on once for affiliated but separate Web sites. Or in plain English, instead of using passwords to access systems, it uses highly complex encrypted keys, which the end user has no access to view or change. SAML is designed for business-to-business (B2B) and business-to-consumer (B2C) transactions.
Secure the Premises
With the increased use of Software as a Service (SaaS) applications, SSO can help manage ‘access to’ as well as ‘denial of’ these SaaS solutions.
Some benefits of using single sign-on include:
- Forgotten passwords – Users only have one password to remember.
- Reduced helpdesk calls – With only one password, help desk calls will drop since most SSO providers provide self-password reset capabilities.
- Centralized management – A single registry of user identities with a centralized management interface allows quick and easy provisioning and deactivating of users.
- Increased security – An enterprise-wide infrastructure with common password and security policies which can be centrally managed and secured. Users are less likely to write down their passwords if they only have one to remember.
- Improved reporting and monitoring – A single repository for auditing and logging access to resources provides streamlined regulatory compliance.
- Improved productivity – Users save time not needing to log in to different applications.
Get Singled Out
SSO is provided by several of today’s Identity Access Management (IAM) providers as part of an overall access management policy. Centrify, OneLogin and Okta are just a few of the IAM providers available. Microsoft can also perform SSO services via their Azure Active Directory Federated Services (ADFS).
There are additional steps you can take to improve your authentication process. Using multifactor authentication (MFA) for instance, which requires more than one method of verification from independent categories of credentials, adds another layer of security to the login process when trying to confirm a user’s identify for a login or transaction. MFA can also be integrated with most SSO solutions.
Check out the latest in security trends – and threats – at BizTech Magazine.
Also, don’t forget to sign up for the monthly CDW Solutions Blog e-newsletter to stay on the cutting edge of tech.
As always, feel free to leave a comment below with any questions.