025.1 Lesson 1

| Certificate: | Security Essentials |
|---|---|
| Version: | 1.0 |
| Topic: | 025 Identity and Privacy |
| Objective: | 025.1 Identity and Authentication |
| Lesson: | 1 of 1 |
Introduction
The question of identity boils down to, “Who are you?” If you drop in on a friend’s party, the friend can recognize you by your face. But if you come to a conference, the staff might want to check an ID (which probably has a photo of your face) before letting you in. So even in everyday life, identity is not always a simple matter.
Authentication is a way of determining identity. At the conference, the staff authenticate you through the ID with your picture. When you pick up your laundry from a cleaner, you don’t need to prove your identity — but you had better bring the receipt that lists the laundry. That’s another form of authentication.
This lesson covers digital identity, which is the way computer programs and online services identify you in order to grant you access. We’ll look at related topics such as password management, multi-factor authentication, and single sign-on. We tell you how to maximize your secure use of these technologies, so that attackers find it hard to steal your identity.
Concepts in Identity and Authentication
Over the centuries, many forms of authentication have been developed. In speakeasies (the illegal outlets for alcohol that existed in the U.S. during the Prohibition era), people would authenticate themselves by saying a password known to the staff (famously, “Joe sent me”) and thus gain entrance. Passwords — or more generally, secret keys — are now central to computer authentication.
Security experts divide types of authentication into a few categories: “something you know” (a password), “something you have” (an ID, an ATM card), and “something you are” (a fingerprint, a retinal scan).
Identity and authentication are critical to computerized interactions. We need to identify ourselves and be authenticated by schools, businesses, banks, retailers, government offices, social media accounts, and more.
Making a mistake in authentication can have grievous consequences. People have lost their life savings through identity fraud, or through scams caused by attackers who falsely identified themselves as trusted institutions.
Steps in Identification: Authentication, Authorization, and Accounting
When you use a service, your identity is used in the following basic ways.
Authentication, as we have seen, just validates that Julie is Julie, and not George or Ahmed.
Authorization uses the authenticated identity to determine whether you have the right to gain access to some resource. For instance, you might be authorized to read and write files on your computer, but not to change its security settings.
Accounting (also known as logging) keeps a record of what you’ve done, so that an administrator can check for suspicious things that happened in the past. For instance, if data seems to have been stolen, the administrator might be interested to know that one of the staff was recorded to have logged into the system at 3:00 AM. That login could well have been a malicious intruder who stole the staff person’s credentials.
Password Security
Passwords are central to identity and security in computing. Although there’s a lot of talk about alternatives to passwords, these alternatives are still based on the same concept of “something you know” and require the choice of a text string that’s hard to guess.
When physical IDs and biometrics are in use, they are generally used together with a password or other secure key of some kind.
Choosing a Good Password
Few internet users maintain good password security. We’ll look at the guidelines for password security in this section, and then turn later to tools that can help.
When you sign up for an online account, you are generally given some guidelines for choosing a good password, such as a minimum (and sometimes maximum) length, and a rule to vary the text by including capital letters, digits, and punctuation (sometimes a limited list of characters to choose from).
Complexity is important, but length is even more important. This is because attackers often guess passwords just by trying random combinations of characters, a method called a brute force attack. Thus, if you have a complex but short password such as `H*z-6d`, a brute force attack might happen to try that combination of six characters as part of its random attempts to log in.
If you want to choose a long password that you can type easily, start by forming a string of random words that you can remember. For instance, you could start with “scarf lunch wingnut rhino pretty” and then mix in special characters to make the password `scarf\lunch5wingnut(rhino,pretty`.
If you succeed in choosing a difficult password, can it still by guessed by an intruder? There is always a small chance. Someone might see you entering the password and guess some of the characters. Malware might get on your computer and monitor your keystrokes. A site that you log into might store the password in an insecure manner and be hacked.
Therefore, choose a different password for every site where you log in. Attackers tend to try a combination of user name and password on lots of popular internet services in a process called credential stuffing. This often works because so many people use the same password for multiple sites. If you use unique passwords, an attacker who gets the password for your social media site might disrupt your social media, but at least they won’t get into your bank account.
It’s a good idea to change your passwords every year or so. Some sites require you to change the password frequently. Don’t try to play tricks such as alternating between two passwords: Use a new one every time. Certainly change the password if you’ve heard that your service was the victim of a breach.
Never share a password. There is no reason for an employer, a system administrator, or some random person calling you and claiming to represent your bank to know your password.
Passwords should never be sent over unencrypted channels such as email or mobile texting. As we’ve seen, passwords never need to be shared at all.
Security Questions and Account Recovery Tools
In addition to a password, services often ask you personal questions such as “Where were you born?” and store the answers. They sometimes use these security questions to add extra checks when you enter your user name and password. If you get locked out because you forgot your password, look for a link such as “Forgot your password?” on the service’s login screen. That link takes you to a page with the security questions you previously answered.
After you answer the questions accurately, the service usually requires another step for additional security: It mails a special link for one-time use to your email address. You have to log in using that link within a specified amount of time. There you can reset your password. This extra step ensures that, even if a malicious intruder manages to get your security questions right, the intruder can’t break into the service unless they also have access to your email.
The problem with security questions is that someone might guess the answers. It probably isn’t hard for an attacker to figure out where you were born. Even a more obscure fact, such as “What was the model of your first car?” might be known by someone.
So it’s best to invent answers to the security questions and keep track of your fake answers.
Password Managers
We have outlined some detailed rules for password management. Fortunately, there are tools available to assist with this process.
Many people keep a paper list of passwords, and in some circumstances that’s a reasonable way to maintain them. If you are working from home and nobody goes in your office, a paper list might be safe. (However, a thief might find it.)
And if you have a paper list, you still have to type in each password, which is cumbersome and error-prone. Many sites shut you out after a few login attempts, in order to thwart brute force attacks. So a paper list is never ideal.
A plain-text list on your computer is even less secure, because malware might install a tool that finds the list.
For best security, therefore, use a password manager. This program can run either on your personal computer (desktop, laptop, or mobile device) or in the cloud. Start by entering into the password manager any relevant login information for each service or program you use: your email address or user name, your password, and answers to security questions.
A password manager encrypts your login information so that an intruder can’t use it if the data file is stolen. If a password manager runs in the cloud, it also uses encryption when transmitting your data between your computer and the server in the cloud.
You need remember only one password, called the master password, to let you into the password manager. You can then instruct the password manager to log you into all the programs and services you have stored there. Changing passwords is also simple.
There are trade-offs between using an offline password manager on your computer and using a cloud-based one. A local password manager is not available when you need to log in from a family member’s or friend’s computer, for instance because your own system is down or you are visiting someone. The cloud password manager is available everywhere, and is clearly helpful when you’re on the move.
Offline password managers store password data locally on a user’s device, providing a higher level of security because the data is not stored in the cloud and is not exposed to attacks on an online service. This type of manager is ideal for users who prioritize security over convenience and do not need access to their passwords across multiple devices. Offline managers, such as KeePass 2, offer robust security features, including local encryption and the ability to manage passwords without an internet connection. The main drawback is that users are responsible for backing up their data and may find it less convenient to synchronize passwords across devices manually.
Online password managers store encrypted password data in the cloud, allowing users to access their passwords from any device connected to the internet. This synchronization feature is particularly useful for users who need access to their passwords across multiple devices, such as smartphones, tablets, and computers. Popular examples include LastPass, 1Password, and Dashlane. However, storing passwords in the cloud introduces some risks: the data could be accessed if the service is compromised, the service itself might go down, or you might lose internet access. The business might also raise its prices, go out of business, or abandon you in other ways.
Some web browsers also have password managers. These are convenient so long as you are doing all your work on the same browser, but the password manager on one browser isn’t accessible from another browser.
KeePass 2 is a popular, free password manager that runs on all popular operating systems. The web site offers downloads for a wide range of systems — Windows, macOS, GNU/Linux, popular mobile devices — and distributes its open source code under the GNU General Public License.
Single sign-on
Single sign-on (SSO) allows you to log in to one service and then use other services without having to log into them individually. For instance, suppose you keep Facebook open on your computer all the time. When you visit some other service, you might see a dialog box pop up that allows you to log in using your Facebook account. Google is another popular service that is often used for single sign-on.
Complicated data exchanges are going on behind the scenes to enable single sign-on. The basic idea is that, after you click on the icon presented by the second service, it sends a message to Facebook and gets back a token (a random, encrypted message) authenticating you.
When you want to use single sign-on, the service you want to use might not be running in the same browser. You might be logged out of Facebook, for instance, or have left it running in a different browser. In such a case, the second service causes Facebook to open a dialog box and ask you to log in to Facebook. It then takes just as much trouble to use single sign-on the first time as to log in using a different account, but further uses of single sign-on will be easy because Facebook keeps running.
As with an online password manager, depending on a service for single sign-on has a risk: If you lose access to your account or the service closes down, you lose access to all the other services that queried it for your login information.
Furthermore, when a new service asks another one for access, the new service might ask for a lot of data on you that isn’t required for logging in: location and date of birth, for instance. If you’re asked to approve the transfer of data from one service to another, think carefully about whether you want the new service to have that data.
Multi-Factor Authentication
More and more, internet users are being prompted to enter a string of digits sent to their phone, or perform some other task, before logging in to a service. The services require two or more ways of identifying you, known as multi-factor authentication (MFA), to address the risks of passwords. The scenario described earlier, where you reset your password by having a link sent to your email address, is another form of MFA. These procedures prevent you from being impersonated by someone from across the world, or even in the next office.
All forms of MFA require extra effort on the part of the user (because you’re dealing with two or more ways of identifying yourself), but they’re worth the trouble because they cut out many common attacks. Almost every computer user has a cell phone now, so it’s reasonable to use it for MFA. Many services can send the code to your email instead, so you can use the code from your desktop or laptop too.
Most MFA calls for a password and one other factor, and therefore can be called two-factor authentication (2FA).
Many other forms of MFA have been in use for some time. An ATM card, combined with a four-digit PIN, is a simple and effective way for your bank to identify you wherever you go in the world. Many ATMs also contain cameras so that, in case of a fraudulent withdrawal, an administrator can see who did it.
There are special devices that attach to work computers and let you authenticate yourself by holding up a badge with a strip like the one on an ATM card.
One-time passwords were developed long before digital computing. People who wanted to verify themselves over a telephone or radio would carry a “one-time pad,” each sheet bearing a random code. One person would say the code, the other would validate it, and then each would tear off the sheet.
In computing, you can run a program or device that generates a one-time password, and use it to authenticate yourself.
A related kind of authentication is a time-based one-time password (TOTP). An authenticator app or device generates a new code every 30 seconds or so, derived from a secret it shares with the service and from the current time. When you want to log into your workplace or other service, you open the authenticator, read the current code, and enter it when the service you’re logging into prompts for it. The server independently computes the same code from the same shared secret and the same time. When the codes match, you can log in.
Many mobile devices now let you log in with a fingerprint. The fingerprint readers on these devices are only partly accurate, and fingerprints are not completely unique either. So it’s best to use the fingerprint with a password or other form of authentication.
Although MFA can be tiresome, it is recommended that you use it for every program and service you access. After all, you probably log in to services only a few times each day. By installing an authenticator app, you can set up the use of MFA for your services and halt many kinds of attacks.
Protecting Passwords at Online Services
We’ve discussed how you should manage your passwords securely. But what about the server? It has to recognize your password. But if it contains a database of users and passwords, it’s highly vulnerable to malicious intrusion.
The two main ways to protect your password are hashing and salting. These techniques have been known for many decades, and all servers should use them.
Hashing means running the characters of your password through some mathematical function, often consisting of additions, multiplications, and divisions. A good hash produces a fixed-length string of random-looking characters. Because information is lost during the hashing, no one can reconstruct the original password from the hash.
When you log in and submit the password, the server hashes it and makes sure the result matches what’s in its database.
Determined and well-funded attackers have found a way to attack hashes: They create a huge database of strings and their associated hashes (which assumes they can determine what hash function is in use). This database is called a rainbow table. If the attacker breaks into a server and obtains the hashes, they look up each hash in the rainbow table and try the various strings that match.
Therefore, hashing should be supplemented by salting. This means adding a short unique string — called a salt or nonce — to the user’s password. Then the combination of password and salt is hashed. Because every user gets a different salt, two users with the same password end up with different hashes, and a rainbow table precomputed for the bare hash function no longer matches anything in the stolen database.
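As an added illustration (not code from the lesson), here is a small Python model of the server-side scheme just described: two users who chose the same password get identical unsalted hashes, which a precomputed rainbow table cracks with a single lookup, whereas per-user random salts make the stored hashes differ and leave the table useless. The example also uses a deliberately slow hash (PBKDF2-HMAC-SHA256), which goes beyond what the lesson states; the password, user names and table contents are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for this example


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: what a server should NOT store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the salt+password combination (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the server stores at sign-up: a fresh random salt and the salted
    hash. The salt is not secret; it is kept in the clear next to the hash."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hash_salted(password, salt)


def verify_login(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Login check: re-hash the submitted password with the stored salt and
    compare in constant time with the stored hash."""
    salt, stored = record
    return hmac.compare_digest(hash_salted(password, salt), stored)


def build_rainbow_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Attacker's precomputed table (unsalted hash -> password), built once and
    reusable against any stolen database that uses the same bare hash function."""
    return {hash_unsalted(p): p for p in candidates}


def demo() -> dict:
    """Two users, alice and bob, who both chose the constructed password
    'letmein2024'. Returns the observations a practitioner would check."""
    password = "letmein2024"
    alice_unsalted, bob_unsalted = hash_unsalted(password), hash_unsalted(password)
    alice_rec, bob_rec = make_record(password), make_record(password)
    table = build_rainbow_table(["password", "letmein2024", "qwerty"])
    return {
        "unsalted_hashes_equal": alice_unsalted == bob_unsalted,  # same hash for both
        "rainbow_hit": table.get(alice_unsalted),                 # one lookup cracks both
        "salted_hashes_equal": alice_rec[1] == bob_rec[1],        # differ: different salts
        "rainbow_hit_salted": table.get(alice_rec[1].hex()),      # table does not apply
        "alice_login_ok": verify_login(password, alice_rec),
        "alice_login_wrong": verify_login("letmein2025", alice_rec),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```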
Email Accounts and IT Security
Email accounts are often the gateway to our digital identities, serving as a central hub for managing access to various online services, including social media, e-commerce, banking, and even work-related platforms. Because of this, securing email accounts is one of the most critical aspects of IT security. A compromised email account can lead to a cascade of security breaches, as attackers can use it to reset passwords and gain unauthorized access to other connected services.
To safeguard email accounts, it is essential to implement strong security measures. One of the most effective strategies is to use multi-factor authentication.
Regular monitoring of your email account activity is also an important practice. Look out for any unusual login attempts or changes in settings, such as forwarding rules that you did not set up. These could be indicators that someone is trying to gain unauthorized access to your account.
Monitoring Personal Accounts
Monitoring personal accounts for password leaks is an essential practice in maintaining digital security and protecting your online identity. Password leaks occur when hackers gain unauthorized access to databases containing user credentials, which can then be exposed or sold on the dark web.
To mitigate the risks associated with password leaks, it is crucial to be proactive in monitoring your accounts for signs of compromise. One effective method is to set up search engine alerts for your usernames or email addresses.
Additionally, password leak checkers are an invaluable tool for identifying compromised credentials. Websites and services such as Have I Been Pwned and Google’s Password Checkup can scan your email address or password against databases of known breaches to determine whether your information has been leaked.
If you receive an alert that your password has been compromised, it is important to act quickly. Change your password immediately on the affected site and any other site where you may have used the same password.
Modern web browsers such as Google Chrome, Firefox and Safari have integrated security features that alert users if their passwords have been compromised in a data breach. These browsers can detect when saved passwords are no longer secure and notify users about which accounts are affected, prompting them to take action to protect their information.
When you use a browser’s built-in password manager, it securely stores your login credentials for various websites. If any of these stored passwords match a known data breach, the browser will issue a security alert.
Security Aspects of Online Banking and Credit Cards
Online banking and the use of credit cards offer convenience and accessibility for users to manage their finances from anywhere. However, this convenience comes with significant security risks, as these services are prime targets for cybercriminals looking to steal personal information and financial assets.
One of the foundations for online banking security is the use of secure connections, typically indicated by a URL that begins with `https://` and a padlock icon in the browser’s address bar. Always ensure that you are on the bank’s legitimate website before entering any personal information. Phishing attacks, where fraudulent websites mimic legitimate ones, are a common threat. Another critical security aspect is multi-factor authentication (MFA), which most banks now require or offer as an option.
Avoid using public or shared computers, as they may be infected with malware that can capture your keystrokes or steal your login credentials. Similarly, public Wi-Fi networks are often insecure and can be used by attackers to intercept your data. If you must use public Wi-Fi, consider using a Virtual Private Network (VPN) to encrypt your connection and protect your information.
Guided Exercises
- Why is it important for a password to be long?
- What should you do if someone calls from Microsoft and asks for your password so they can fix a security problem on your Windows system?
- What are some advantages of using a password manager?
Explorational Exercises
- In hospitals, clinicians typically roam from one floor to another and have to log in frequently to check on patients and enter their notes. What form of authentication might be good for a hospital to use?
- Some professionals delegate social media postings to a service that publishes the postings at planned times. Do you have to give your password to that service and allow the service to have complete access to your account?
Summary
This lesson covers ways to prove your identity so you can get secure access to resources over the internet. The lesson discusses password protection measures that should be used both by you, the user, and by the server you’re logging into. Different types of multi-factor authentication are introduced, along with password managers and single sign-on.
Answers to Guided Exercises
- Why is it important for a password to be long?

  Long passwords (20 characters, or ideally even longer) are the most resistant to brute force attacks.

- What should you do if someone calls from Microsoft and asks for your password so they can fix a security problem on your Windows system?

  Hang up. Scammers claiming to be Microsoft are common. But anyone who asks for your password is a scammer, and it might be helpful to call the company that they claim to represent and warn the company that someone is targeting their clients in a scam.

- What are some advantages of using a password manager?

  Your passwords are stored in a secure, encrypted manner so that you don’t have to write them down in plain text. You need to remember just your master password. You can create long, complex passwords without having to try to type them in.
Answers to Explorational Exercises
- In hospitals, clinicians typically roam from one floor to another and have to log in frequently to check on patients and enter their notes. What form of authentication might be good for a hospital to use?

  Badge readers are a good solution in such a setting. Each clinician carries a badge with a strip containing their identifying information. Each nurse’s station has a computer with a badge reader. To gain access to electronic records, each doctor or nurse holds their badge up before the badge reader, and possibly also enters a password for two-factor authentication. If they leave without logging out, the account is logged out automatically after some idle time.

- Some professionals delegate social media postings to a service that publishes the postings at planned times. Do you have to give your password to that service and allow the service to have complete access to your account?

  No. These services have very limited access to your account. The service uses the social media’s application programming interface (API) to publish your postings. The service has its own API password, so you can revoke access whenever you want. The operations allowed to the service can also be limited.