CETM30 ASSIGNMENT 1

Name: Istvan Franko

Programme: MSc Cybersecurity

Project Title: Passwords in Cybersecurity


1.    Introduction

By definition, a password is a combination of letters and numbers that allows people to identify themselves to each other or to computers. According to the records, mankind began to use passwords in the Roman Empire, where they served to admit members to groups or to territories. Since then, the use of passwords has become increasingly important in military activities. One of the most quoted principles in this field, Kerckhoffs's principle, was described in 1883, nearly one hundred and fifty years ago, and it is still valid today.

The first password-protected computer access system went into operation at MIT in 1961 (Bonneau et al., 2015). As computers evolved, more and more methods followed. By the early 1980s, passwords were being transmitted and stored in protected form, using hashing and salting. A decade later, with the advent of the World Wide Web and e-commerce, secure (SSL) communication between client and server became necessary. New methods kept protecting our data, but the user side developed very slowly, because accessible, inexpensive and easy-to-use sensors were not available. Significant change has come only in recent years, as usable tools have reached the general public.

Significant changes are expected in the coming years, but in the meantime our existing systems need to be kept safe, and passwords remain essential to that. This report looks at the dangers of our current password habits, the ways we try to protect our data, and possible approaches to building a more secure system.

2.    Rationale for Subject Choice

The main purpose of cybersecurity is to protect the information systems and data on which our peaceful daily lives depend. People need access to those data and systems, and in IT users are identified and authenticated with passwords. Any data in the world can be accessed with the right password, so using secure passwords is very important. But while passwords of any complexity can be used between IT devices, human capabilities impose significant constraints. Ease of use is the most important principle in building any system, and it must also be considered when building a security system.

3.    Target Audience

In advanced, modern Western societies there is hardly anyone about whom no electronic data is stored. In less developed societies many people are still not directly connected to an IT network, but their lives are also directly shaped by administrations that already use IT systems everywhere in the world. The security of passwords therefore affects all mankind, even those who are unaware of it.

4.    Importance of Issue to Cybersecurity – key issues

End users have to memorise countless increasingly complex passwords in their daily lives, and IT professionals have to handle many times more in their daily work. These passwords therefore have to be stored in some form, and the stored data must be portable so that it can be accessed from anywhere in the world. Usually our passwords are protected by further master passwords, but at the end of the chain there is always a password that gives access to whatever is stored or transmitted. Numerous studies and recommendations exist on how users can create sufficiently secure passwords, but with the advance of computing power any of these can be broken in the short term.

The vast majority of hacker attacks also target or exploit the human factor, the weakest point. Users always look for convenience, so they tend to use simple passwords for the content and services they use, which leaves the information they want to protect easy to attack (Hiscott, 2013).

From the above it is easy to see how important it is to use and protect our passwords properly. It is in fact one of the most difficult tasks in cybersecurity, because the human factor is so hard to control.

5.    Impact on Society – critical discussion of the threats to either individuals in society or to organisations

Password threats can cause significant damage to organisations and individuals alike, but it is worth examining the two separately.

a.    Organisations

Organisational password threats are much the same as the threats to individuals, since the human factor is the weakest link in the chain, but the extent of the damage and the penalties for non-compliance with applicable laws differ, so other rules must also be followed.

One of the most recent publications on attacks is 'On the Top Threats to Cyber Systems', presented at the 2019 IEEE 2nd International Conference on Information and Computer Technologies. The study outlined the 15 most common attack methods, listed below. Not all of them are closely linked to the use of passwords, but passwords play an important role in them, directly or indirectly.

1. Malware (software designed to damage a computer, server or network)

2. Web-Based Attacks (usually targeting CMS systems such as WordPress)

3. Web Application Attacks (API attacks, SQL injection)

4. Phishing (around 1 million phishing websites are created every month)

5. Denial of Service Attacks (DoS, overloading or disabling a service)

6. Spam (almost half of daily email messages are spam)

7. Botnets (large numbers of internet-connected devices that run code or repeat tasks)

8. Data Breach (usually relying on guessable, stolen or cracked passwords)

9. Insider Threat (internal attacks in which authorised users, often senior managers, abuse their access)

10. Physical Damage and Loss (encryption could be a solution, but only 43% of organisations protected their devices in 2018)

11. Information Leakage (direct access to unsecured data)

12. Identity Theft (in 2017 there were 500 cases a day in the UK, and someone's credit card information can already be bought on the black market for $10)

13. Cryptojacking (using machine resources for cryptocurrency mining without the owner's knowledge)

14. Ransomware (encrypts files and demands money to unlock the files or the system)

15. Cyber Espionage (long-term monitoring of network traffic)

Organizations typically have large numbers of different software and hardware systems (Renaud and Mackenzie 2013). Some of these systems are visible to the outside world, but some are only accessible inside firewalls.  

The above-mentioned study divided the potential threats into two groups.

·         Insider (Malicious) Threats, most common when users leave their devices logged in and colleagues use them. If a password is available on that device, they will later try it on other devices and systems, since owners regularly reuse passwords.

·         Outsider (Hacker) Threats, typically attempts against randomly chosen users, repeated day after day. The daily number of attempts is usually kept low so that it does not come to the administrators' attention.

In a 2017 conference paper, 'Redefining cyber security with big data analytics', Apura A. re-examined cyber security through the analysis of big data and divided it into the following groups:

·         Information Security

·         Network Security

·         Application Security

·         Operational Security 

Each of these areas is developing rapidly. It is projected that by 2020 more than 200 billion devices will be connected to the Internet, and the threat grows with the number of devices. Threats can also be directed against economic operators such as banks, factories, public administration or healthcare, but the main target of online attacks is individuals. This trend is changing, however: the share of attacks on financial institutions in India has risen from 15% to 34%, and on public administration from 19% to 43%.

At the global level the cost of cybercrime has increased significantly, reaching 2.1 billion dollars according to IBM. According to the Identity Theft Resource Centre, 858 attacks have so far affected the data of 29 million people. Global spending on the fight against cybercrime reached 80 billion dollars in 2017. Another significant cost is the theft of security devices.

b.    Individuals

“Generally, password-based user authentication can resist brute force and dictionary attacks if users select strong passwords to provide sufficient entropy” (Kumari and Rani 2013). 

However, experience does not bear out that users pay close attention to creating and using passwords. Most users build their passwords from names, birth dates or phone numbers, which greatly reduces the variety. Users do not take the importance of passwords seriously until the first attack, and for convenience they use passwords that are far too simple. Shen et al. (2016) examined this phenomenon in their study. Of the nearly six and a half million passwords examined, about two percent were shorter than 8 characters, about 75% of users used an 8-10 character password, and only about 20% used more than 10 characters. Another important feature is that 45% of the passwords examined consisted of numbers only, and a further surprising finding is that 95% used only lowercase letters. Where symbols were used at all, the dot accounted for 34.7% of them. With these patterns in mind, an attacker is likely to hit most of our passwords in a short time.
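The categories reported above (length buckets, digits-only, lowercase-only, the dominant symbol) are easy to reproduce over any password set an organisation is entitled to audit, for example passwords rejected at reset time. The script below is an added example, not code from this assignment or from Shen et al.; the sample list is constructed and the percentages it prints describe only that sample.

```python
"""Password-composition audit over the categories used by Shen et al. (2016).

Added example; the SAMPLE list is constructed, not real leaked data.
"""
import string
from collections import Counter


def classify(password):
    """Composition facts for one password."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    letters = [c for c in password if c.isalpha()]
    return {
        "length": len(password),
        "digits_only": password.isdigit(),
        # letters present, but none of them upper-case
        "lowercase_only_letters": bool(letters) and not has_upper,
        "has_symbol": has_symbol,
        "classes": sum([has_lower, has_upper, has_digit, has_symbol]),
    }


def length_bucket(n):
    if n < 8:
        return "<8"
    if n <= 10:
        return "8-10"
    return ">10"


def audit(passwords):
    """Aggregate percentages (0-100, one decimal) over a password set."""
    total = len(passwords)
    if total == 0:
        raise ValueError("empty password set")

    def pct(k):
        return round(100.0 * k / total, 1)

    buckets = Counter()
    digits_only = lowercase_only = 0
    symbols = Counter()
    for pw in passwords:
        c = classify(pw)
        buckets[length_bucket(c["length"])] += 1
        digits_only += c["digits_only"]
        lowercase_only += c["lowercase_only_letters"]
        symbols.update(ch for ch in pw if ch in string.punctuation)
    symbol_total = sum(symbols.values())
    top_symbol, top_count = (symbols.most_common(1) or [(None, 0)])[0]
    return {
        "total": total,
        "length_pct": {b: pct(buckets[b]) for b in ("<8", "8-10", ">10")},
        "digits_only_pct": pct(digits_only),
        "lowercase_only_pct": pct(lowercase_only),
        "top_symbol": top_symbol,
        "top_symbol_share_pct": round(100.0 * top_count / symbol_total, 1) if symbol_total else 0.0,
    }


# Constructed sample chosen to exercise every bucket (not real data).
SAMPLE = [
    "123456", "password", "19850312", "qwerty123", "john.smith",
    "Summer2019!", "iloveyou", "5551234567", "let.me.in", "correcthorsebattery",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Run on real material this should only ever see passwords that are being rejected or rotated, and the per-password results should not be stored; only the aggregate is useful for choosing a policy.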

The user's native language also shapes how passwords are structured, for example the order of date components or the most commonly used words, and these features only make the attacker's job easier. Another important consideration is the demographics of the users. AlSabah, Oligeri and Riley (2018) present a detailed analysis and conclude that the composition of user-generated passwords depends strongly on age, ethnicity and location.

User authentication methods fall into three groups (Burnett & Kleiman, 2005, p. 131).

·         Something you know

·         Something you have

·         Something you are 

The human mind limits the complexity of the first group. Devices of the second group can be lost, transferred or even reproduced. Today's devices therefore try to exploit the potential of the third group: fingerprint scanners, retina scanners and facial recognition appear in more and more devices. None of these provides perfect security, as reports of such sensors being fooled by simple methods are published regularly.

One of the most widely used login methods today is signing in with another social network account (Khorev, 2018). Its advantage is that no passwords need to be stored in our own database; the user is identified by calling the provider's APIs, which shifts the responsibility to multinational companies. However, those companies gain access to our browsing habits and further personal information. A further danger is that whoever obtains the password of the social network account also gains access to all the other content protected by it.

For a high-traffic service it is no longer enough to verify that the password matches. Care should be taken that the circumstances of the login do not differ significantly from the user's habits. Artificial intelligence and machine learning are already used to study user habits, but that does not make the task easy to solve (Bonneau et al., 2015). An important issue to decide is what happens when the system detects unusual activity.
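Two of the checks described in this report can be shown on one small event log: comparing a login against the user's habits (this paragraph) and noticing the outsider pattern from section 5a, where the daily number of failed attempts is kept too low to alarm an administrator. The code below is an added example, not from this assignment or any cited paper; the events, the weights and the thresholds are constructed assumptions for illustration.

```python
"""Login-habit scoring and low-and-slow failure detection over a constructed
authentication log. Added example; weights and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed events: (timestamp, user, source_ip, country, device, outcome)
EVENTS = [
    ("2019-11-04T08:05:00", "alice", "203.0.113.10", "GB", "laptop-1", "ok"),
    ("2019-11-04T08:40:00", "alice", "203.0.113.10", "GB", "laptop-1", "ok"),
    ("2019-11-05T09:02:00", "alice", "203.0.113.10", "GB", "laptop-1", "ok"),
    ("2019-11-05T17:55:00", "alice", "203.0.113.11", "GB", "phone-1", "ok"),
    ("2019-11-06T08:30:00", "alice", "203.0.113.10", "GB", "laptop-1", "ok"),
    # one source, three failures a day against different users, for three days
    ("2019-11-04T02:10:00", "bob", "198.51.100.7", "XX", "unknown", "fail"),
    ("2019-11-04T11:10:00", "bob", "198.51.100.7", "XX", "unknown", "fail"),
    ("2019-11-04T21:10:00", "bob", "198.51.100.7", "XX", "unknown", "fail"),
    ("2019-11-05T02:12:00", "carol", "198.51.100.7", "XX", "unknown", "fail"),
    ("2019-11-05T11:12:00", "carol", "198.51.100.7", "XX", "unknown", "fail"),
    ("2019-11-05T21:12:00", "carol", "198.51.100.7", "XX", "unknown", "fail"),
    ("2019-11-06T02:14:00", "dave", "198.51.100.7", "XX", "unknown", "fail"),
    ("2019-11-06T11:14:00", "dave", "198.51.100.7", "XX", "unknown", "fail"),
    ("2019-11-06T21:14:00", "dave", "198.51.100.7", "XX", "unknown", "fail"),
    ("2019-11-06T09:00:00", "bob", "203.0.113.20", "GB", "laptop-2", "ok"),
]


def build_profiles(events):
    """Per user: countries, devices and hours of day seen on successful logins."""
    profiles = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for ts, user, _ip, country, device, outcome in events:
        if outcome != "ok":
            continue
        p = profiles[user]
        p["countries"].add(country)
        p["devices"].add(device)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return profiles


def risk_score(profile, ts, country, device):
    """0 means the login matches known habits; each deviation adds an assumed weight."""
    score, reasons = 0, []
    if country not in profile["countries"]:
        score += 3
        reasons.append("new country")
    if device not in profile["devices"]:
        score += 2
        reasons.append("new device")
    hour = datetime.fromisoformat(ts).hour
    # usual hours: within two hours of any hour previously seen for this user
    if not any(abs(hour - h) <= 2 for h in profile["hours"]):
        score += 1
        reasons.append("unusual hour")
    return score, reasons


def low_and_slow_sources(events, per_day_limit=5, total_limit=8):
    """Sources that never exceed per_day_limit failures on any single day
    (so a daily lockout rule never fires) but exceed total_limit over the whole log."""
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, _user, ip, _country, _device, outcome in events:
        if outcome == "fail":
            per_day[ip][ts[:10]] += 1
    return sorted(
        ip for ip, days in per_day.items()
        if max(days.values()) <= per_day_limit and sum(days.values()) > total_limit
    )


if __name__ == "__main__":
    profiles = build_profiles(EVENTS)
    print(risk_score(profiles["alice"], "2019-11-07T03:00:00", "US", "tablet-9"))
    print(low_and_slow_sources(EVENTS))
```

The score answers the question the paragraph leaves open: a login that deviates need not be refused outright; a common design is to require a second factor above a threshold and to alert only on the highest scores. The second function exists because a per-day lockout counter alone never sees the source that spreads its attempts across days.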

With the spread of mobile phones, security systems built on them have appeared (Kumari and Rani, 2013). Most operators use multi-step access systems, one step of which uses a mobile device tied to the user. The most common solutions are sending an SMS or generating a one-time password or code: "One-time passwords are generated by a secure one-way hash function." Depending on the environment, however, this should only be used to an extent that does not unduly complicate the application. Keep in mind that mobile devices are not always at hand and that, even when they are, a secure online connection may not be available at the location, so solutions for offline situations are also needed.
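The quoted sentence describes the HOTP scheme of RFC 4226, where the one-way function is HMAC-SHA-1 over a shared secret and a counter, and which also answers the offline concern above, since the device needs no network connection to produce a code. The implementation below is an added example, not code from this assignment or from Kumari and Rani; the secret is the RFC 4226 test secret, and the look-ahead window size is an assumption.

```python
"""HOTP (RFC 4226): one-time codes from HMAC-SHA-1 over secret and counter.

Added example. RFC_SECRET is the RFC 4226 test secret, not a production key.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HMAC-SHA-1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret, submitted, server_counter, window=3):
    """Server-side check. The client may have generated codes the server never saw,
    so a small look-ahead window is tolerated (window size is an assumption).
    Returns the next counter to store on success, None on failure. The counter
    is never moved backwards, so an intercepted code cannot be replayed."""
    for c in range(server_counter, server_counter + window + 1):
        # constant-time compare: do not leak how many digits matched
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


RFC_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test secret

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC_SECRET, c))      # 755224, 287082, 359152 per RFC 4226
    print(verify(RFC_SECRET, "287082", 0))  # accepted, server moves to counter 2
    print(verify(RFC_SECRET, "755224", 1))  # None: counter 0 already consumed
```

The first three codes printed match the RFC 4226 Appendix D vectors, which is the quickest way to confirm an implementation before deploying it. Only the counter and the secret need protecting on the server side; the secret should live in the same store and with the same care as password hashes.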

6.    Professional and ethical issues

Building an online security system is a very complex task, and the number of professionals involved should match the size of the organisation. A strategy is needed that spells out the requirements for the passwords to be used, and there are many aspects to consider.

The most general criteria that can be applied (Shen et al., 2016) are:

• Require a minimum password length

• Use letters and numbers together

• Use symbols

• Change the password after a set period

• Disallow reuse of previous passwords
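The five criteria above can be enforced in one place at password-change time. The checker below is an added example, not code from this assignment or from Shen et al.; the limits (12 characters, 90 days, five remembered passwords) are assumptions. The reuse check is the part most often done badly: the history is kept as salted PBKDF2 hashes so that the list of old passwords does not itself become a leak.

```python
"""Password-policy checker for the five criteria listed above.

Added example; MIN_LENGTH, MAX_AGE_DAYS and HISTORY_SIZE are assumptions.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 12       # assumption
MAX_AGE_DAYS = 90     # assumption
HISTORY_SIZE = 5      # assumption


def _hash(password, salt):
    # PBKDF2 so that a leaked history cannot be brute-forced cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordRecord:
    """What the server keeps for one user: salted hashes of recent passwords
    and the date the current one was set. Plaintext is never stored."""

    def __init__(self):
        self.history = []     # list of (salt, hash), newest last
        self.set_on = None

    def was_used_before(self, password):
        return any(hmac.compare_digest(_hash(password, salt), h)
                   for salt, h in self.history)

    def set_password(self, password, today):
        """today is an ISO date string, e.g. '2019-01-10'."""
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]
        self.set_on = date.fromisoformat(today)

    def expired(self, today):
        """True when the current password is older than MAX_AGE_DAYS."""
        if self.set_on is None:
            return True
        return date.fromisoformat(today) - self.set_on > timedelta(days=MAX_AGE_DAYS)


def check_new_password(password, record):
    """Return the list of violated criteria; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("needs both letters and digits")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a symbol")
    if record.was_used_before(password):
        problems.append(f"reused within the last {HISTORY_SIZE} passwords")
    return problems


if __name__ == "__main__":
    rec = PasswordRecord()
    rec.set_password("Winter2018!pass", "2019-01-10")   # constructed sample
    print(check_new_password("Winter2018!pass", rec))   # reuse rejected
    print(check_new_password("Spring2019!pass", rec))   # [] accepted
    print(rec.expired("2019-11-01"))                    # True, older than 90 days
```

Of the five criteria, the periodic change is the one practitioners now apply most cautiously, because forced rotation pushes users toward predictable increments of the old password; it is included here because the list above calls for it, and the history check is what makes it meaningful.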

Services and content must be accessible to all sections of society; it cannot be assumed that only highly intelligent users will use the system. For persons with disabilities the solution may be visual or audio identification. Lupu (2018) investigated solutions in hospital settings that did not require passwords to be memorised, using single-use image or voice identification combined with electronic means such as NFC chips, fingerprint readers or phone calls. The study succeeded in developing a system that was easy to handle for older people and people with disabilities.

7.    Conclusions

Human capabilities cannot be developed on a large scale in a short time, so end-user identification should be modernised and, where possible, automated (Dykstra and Spafford, 2018). Hackers constantly search for flaws and vulnerabilities in operating systems, so this contest will not end in the foreseeable future and remains a constant challenge for research, operations and development engineers.

8.    References

AlSabah, M., Oligeri, G. and Riley, R. (2018) ‘Your culture is in your password: An analysis of a demographically-diverse password dataset’, Computers & Security, 77, pp. 427–441. doi: 10.1016/j.cose.2018.03.014.

Bonneau, J. et al. (2015) ‘Passwords and the Evolution of Imperfect Authentication’, Communications of the ACM, 58(7), pp. 78–87. doi: 10.1145/2699390.

Burnett, M. and Kleiman, D. (2005) Perfect Passwords. 1st ed. Canada: O’Reilly Media, Inc.

Dykstra, J. and Spafford, E. H. (2018) ‘The Case for Disappearing Cyber Security’, Communications of the ACM, 61(7), pp. 40–42. doi: 10.1145/3213764.

Hiscott, R. (2013) The Evolution of the Password — And Why It's Still Far From Safe. [Online]. [Accessed 1 November 2019]. Available from: https://mashable.com/2013/12/30/history-of-the-password/?europe=true

Khorev, P. B. (2018) ‘Authenticate Users with Their Work on the Internet’, 2018 IV International Conference on Information Technologies in Engineering Education (Inforino), p. 1. doi: 10.1109/INFORINO.2018.8581731.

Kumari, C. S. and Rani, M. D. (2013) ‘Hacking resistance protocol for securing passwords using personal device’, 2013 7th International Conference on Intelligent Systems and Control (ISCO), p. 458. doi: 10.1109/ISCO.2013.6481198.

Lupu, V. (2019) ‘Securing Web Accounts by Graphical Password and Voice Notification’, 2018 IEEE International Conference on Engineering, Technology and Innovation (ICE/ITMC), p. 1. doi: 10.1109/ICE.2018.8436303.

‘On the Top Threats to Cyber Systems’ (2019) 2019 IEEE 2nd International Conference on Information and Computer Technologies (ICICT), p. 175. doi: 10.1109/INFOCT.2019.8711324.

Shen, C. et al. (2016) ‘User practice in password security: An empirical study of real-life passwords in the wild’, Computers & Security, 61, pp. 130–141. doi: 10.1016/j.cose.2016.05.007.

‘Redefining cyber security with big data analytics’ (2017) 2017 International Conference on Computing and Communication Technologies for Smart Nation (IC3TSN), p. 199. doi: 10.1109/IC3TSN.2017.8284476.

Renaud, K. and Mackenzie, L. (2013) ‘SimPass: Quantifying the Impact of Password Behaviours and Policy Directives on an Organisation’s Systems’, Journal of Artificial Societies & Social Simulation, 16(3), p. 13. doi: 10.18564/jasss.2181.