Wednesday 24 February 2016

Teach your brain to regenerate passwords instead of remembering them

@TripwireInc posted a brief article about my talk for @AbertayHackers and #SecuriTayV happening this Friday 26/Feb. For those attending, you will learn how to teach your brain to regenerate passwords instead of remembering them! 
Let's cut to the chase. Despite the existence of a number of advanced authentication mechanisms, such as Single Sign-On (SSO), different types of Biometrics, multi-factor authentication, etc., the use of passwords is still the most popular means of authenticating users.

The need to generate, and hopefully to remember these passwords, has become even more demanding due to the rapid increase in the number of systems and online accounts being used. 

Best practice is that these passwords need to be as strong as the assets they protect, and password management applications are supposed to be the most straightforward solution for storing them safely.

If you think about it for a moment, no one has ever actually taught you how to think when choosing a password. Because it is generally considered a straightforward task, it is assumed that you already know how to choose the appropriate password for protecting a particular asset (email, social media account, OS login, etc.).

It comes as no surprise to see people using easy-to-guess passwords, as they were never actually taught how to identify the individual purpose of a password before choosing one. Usually, the only requirement is to create a password that is complex enough to satisfy some minimum requirements and that can be remembered.

A “complex enough” password can be the word “Password1” – it contains one capital letter and a number, and it is more than eight characters long. In reality, when this word is used as a password, it is considered extremely weak, because it is very common.

Some people will add a symbol to make it a bit more complicated, such as an exclamation mark at the end of the word, but is that password still “complex enough”?

Others prefer the sentence trick, which allows a far more complex password to be created, since it produces a seemingly random word. For example, the sentence “The Cloud is not Secure” can be converted into a password by keeping only the first two letters of each word. Thus, the password ends up being “ThClisnoSe” – a random-looking set of characters, including lower and upper case letters.

This word, in fact, does not exist in any known dictionary, and for that reason users who adopt such passwords tend to use the same one across all of their accounts. Unfortunately, when one of those accounts is compromised, because it was stored in a database that did not properly encrypt passwords, all the other accounts are open to exploitation.
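As an added example (not code from the post), the following Python puts the two ideas above side by side: the "minimum requirements" rule the post describes, a simple common-password check, and the sentence trick. The common-password list is a small constructed placeholder standing in for a real breach-derived wordlist.

```python
import re

# Constructed placeholder for a common-password wordlist (not a real list).
COMMON_PASSWORDS = {"password", "password1", "password1!", "123456", "qwerty"}


def meets_minimum_policy(pw: str) -> bool:
    """The 'complex enough' rule described in the post: at least one capital
    letter, at least one digit, and more than eight characters."""
    return (len(pw) > 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def is_common(pw: str) -> bool:
    """Policy compliance says nothing about guessability: 'Password1' satisfies
    every minimum requirement and is still one of the most common passwords."""
    return pw.lower() in COMMON_PASSWORDS


def sentence_to_password(sentence: str, letters_per_word: int = 2) -> str:
    """The sentence trick from the post: keep the first N letters of each word.
    'The Cloud is not Secure' -> 'ThClisnoSe'."""
    return "".join(word[:letters_per_word] for word in sentence.split())


def assess(pw: str) -> tuple:
    """Return (passes_minimum_policy, is_in_common_list). The two dimensions are
    independent: a policy-compliant password can be common, and a password that
    appears in no wordlist (the sentence-trick output, which has no digit) can
    still be rejected by the letter/digit rule."""
    return (meets_minimum_policy(pw), is_common(pw))


if __name__ == "__main__":
    candidates = ["Password1", "Password1!",
                  sentence_to_password("The Cloud is not Secure")]
    for pw in candidates:
        policy_ok, common = assess(pw)
        print(f"{pw!r}: policy={'pass' if policy_ok else 'fail'}, "
              f"common={'yes' if common else 'no'}")
```

Reuse is the remaining gap: the same sentence always yields the same string, so the derived password is only as safe as the weakest site it is used on.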

Thus, ideally, you should have a different password for each account you use, and each one should be not only complex enough but also easy to remember.

My talk at Securi-Tay V focuses on educating people how their individual personality, experiences and thought process can be used as a unique input when choosing a password.

By following an algorithm based on the individual’s personality during the password generation thought process, it is possible to create not only different and complex passwords for each occasion but also make sure the password can be regenerated inside the individual’s brain on demand, without having to remember it.

This password regeneration method might sound a bit complicated when trying to describe just an overview of the thought process in a few lines.

Rest assured that during the presentation, the participants will have the chance to see the use of passwords from a different perspective, as well as be trained to use this regeneration method, based on their own unique personality.
