One would think that the days of user names and associated passwords displayed on yellow slips of paper on the edge of the screen are over. But the number of login data to be managed continues to grow. This specialist article describes dos and don’ts, tips and tricks for managing this important data. You don’t leave the front door open on purpose, do you?
The use of login data is an absolutely necessary but annoying obligation to protect against unauthorized access to IT systems. While 10-15 years ago a maximum of one or two passwords had to be remembered, the average user can now easily manage access to two dozen different services. Regular reports of millions of hacked user accounts and stolen passwords on Facebook, Yahoo or Ebay etc. should give food for thought. There are now tables with over 500 million entries (so-called rainbow tables) ready to be downloaded from the internet. With these tables and today’s powerful graphics cards, several million passwords per second can be searched for and cracked in a short time.
Which basic principles of secure administration of user names and passwords should be observed:
1. Sufficiently long passwords
Passwords must be at least 12 characters or more in length. 12 characters is currently a limit value at which the calculation (= brute force attacks) of a password with commercially available computers still takes years.
2. No identical passwords
Do not use the same passwords for different services. If this password has been compromised, it is easy to break into other services.
3. No storage of passwords in browsers
Never save user IDs and passwords in password managers offered by Internet browsers. That is very unsafe. And certainly not save them on mobile phones or tablets, as their operating systems do not offer a sufficient level of security.
4. Use two/multi-factor authentication
All applications with a high financial risk (online banking, payment services, credit card transactions, digital signatures) must be accessed with two/multi-factor authentication.
With this method an SMS with a TAN is sent via an independent channel, a chip card has to be inserted into a reader, the fingerprint, a face or iris scan is necessary or the presence of a token or mobile phone with an NFC / RFID chip is detected. Only then is it possible to log in or make a payment in connection with a password. Single sign-on systems in companies, where one login grants access to all applications, should be equipped with multi/two-factor authentication, as several systems can be accessed at the same time.
5. No banking apps and only absolutely necessary apps on mobile devices
The software on mobile phones and tablets is like a fragile patchwork, as manufacturers only deliver security updates with a delay or not at all. Support updates are usually discontinued after a maximum of 2-3 years. The cheaper the mobile device, the worse the support. If your mobile phone has been hacked, the attacker usually has control over all apps and the associated automatic logins. A set two-factor authentication via SMS has no effect because the attacker reads all the information required for a transfer on the device he already controls. This is the reason why internet banking applications should not run on mobile phones.
6. No use of Facebook or Google logins for other services
Various services offer users the option of using their Facebook or Google accounts as login data. This is not recommended, because these allow the huge data octopus to have unwanted tracking options.
If many services are accessed via one of these providers, compromising a system means access to all systems protected by them, unless two-factor authentication is used.
7. No use of security questions and hints for the password
The use of security questions or password hints is just another way of attacking for skilled hackers. In the case of social engineering or pentesting attacks, commissioned security companies often manage to gain access in this way after researching the person on social media beforehand.
RISK MINIMIZATION – USE A PASSWORD MANAGER
How can you comfortably implement the above principles without making life difficult for yourself or taking too high a risk on the other hand?
The recommendation is to use a password manager.
In order to check whether a used user account has been compromised or the password has been cracked, the following services are recommended. Click on the following 2 buttons and check whether the email addresses or passwords you used were compromised by a data breach. The services mentioned are secure, the data to be checked are scrambled and transmitted in encrypted form and checked against existing tables (a kind of blacklist). If your password or the user ID used are found, they have fallen into unauthorized hands during an attack. It is then time to find a new password for all affected user IDs. Compromised, already known passwords have to be changed and must never be used again.
SUMMARY / CONCLUSION
The aforementioned measures represent good practice in dealing with login data, which greatly reduces risks. They are easy to implement in the private sector as well as in a corporate environment.
For further considerations, please refer to the publication “Digital Identity Guidelines” of the US National Institute of Standards and Technology.
Awareness training and courses for all employees represent the essentials. The factors ignorance, lack of time, habit and inattention are the greatest risk factors in the area of information security.