A password (PWD) is a form of authentication on computer systems that uses confidential information to control access to certain resources.
The Importance of Passwords in Computer Systems
Because a password is chosen by and belongs to its user, it must be kept secret from anyone who is not allowed access. A user who wants to reach a specific service is granted access to its information if they know the password for that service; if the supplied value does not match, access is denied.
The use of passwords dates back to ancient times. Guards posted at a location demanded the watchword from anyone who wished to pass and admitted only those who knew it.
A user can use passwords for many purposes, such as logging in to user accounts, retrieving e-mail from servers, accessing databases and web pages, and reading news in electronic newspapers.
Full access control over a service requires protection that keeps outsiders away from certain resources. Protecting a service with a password raises its security against unauthorized users.
Some password-protected systems, such as a website offering an online education service, pose little or no risk to their users. There, users need only an e-mail address and a password to reach the online training website.
The risk in this case is the probability that the credentials the user presents to reach the purchased service can be captured by others. So, although the user's e-mail address is easy to find, a very strong password keeps the account as secure as possible.
Many factors must be studied to make a password system secure. A password-protected system should be designed so that its security can be examined in detail.
Many properties determine how secure a system is; the first is how likely an attacker is to guess the password. An attacker's ability to attempt guesses is an important factor in the security of a system.
Some systems limit PWD entry after several unsuccessful attempts. In addition, to protect a company's private data, users should be told not to choose simple codes such as a date of birth, relatives' names, pet names or license plate numbers, or default codes such as administrator, 12345 or password12345.
Hint text, which is meant to help users recall a forgotten PWD, should likewise be prohibited or blocked: the text written as a hint is one of the most effective ways of finding a user's key.
An attacker can speed up the search for a PWD by building guess lists from the hint the user supplied and feeding them to software that tries codes at high speed.
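The limit on unsuccessful attempts described above can be implemented as a per-account failure counter with a lockout period. The following is an added example written for this page, not code from the article: the account store, the user "alice" and her password, and the injectable clock are constructed for the demonstration, and MAX_FAILURES and LOCKOUT_SECONDS are assumed policy values.

```python
"""Lock an account after repeated failed password attempts.

Added example, not from the article. The account store, the user
"alice" and her password, and the injectable clock are constructed
for the demonstration; MAX_FAILURES and LOCKOUT_SECONDS are assumed
policy values.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # failed attempts tolerated before lockout
LOCKOUT_SECONDS = 15 * 60   # how long an account stays locked


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 from the standard library, never the bare text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self, clock=time.time):
        self._accounts = {}
        self._clock = clock   # injectable so the demo can advance time

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = Account(salt, _derive(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        acct = self._accounts.get(user)
        now = self._clock()
        if acct is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            _derive(password, b"\x00" * 16)
            return "bad_password"
        if now < acct.locked_until:
            return "locked"   # refused even if the password is right
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "bad_password"


def demo() -> list:
    """Five wrong guesses, then the right password while locked, then the
    right password after the lockout expires. Returns the outcomes."""
    t = [1_000_000.0]                      # constructed fake clock
    auth = Authenticator(clock=lambda: t[0])
    auth.register("alice", "correct horse battery staple")
    results = [auth.login("alice", f"guess{i}") for i in range(MAX_FAILURES)]
    results.append(auth.login("alice", "correct horse battery staple"))
    t[0] += LOCKOUT_SECONDS + 1
    results.append(auth.login("alice", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout is deliberately checked before the password is compared, so that a correct guess made during the lockout window is still refused; a real deployment would also record each lockout event so that a burst of them across many accounts is visible to the operations team.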
How to Store Passwords?
Some systems store PWDs in plain text files, so an attacker who reaches that file obtains every PWD at once.
If a user reuses the same PWD for different accounts, the compromise of one account severely weakens the others, since the same PWD will likely work for them as well.
The most secure systems store user PWDs in a cryptographically protected form, so that an intruder who has gained internal access to the system still has difficulty recovering the PWD.
When a user types their PWD into such a system, a hash of the PWD is computed with an algorithm, and if the resulting value matches the stored value, the user is granted access.
The stored form of the PWD is produced by combining it with an extra random value (a salt) and applying a cryptographic hash function. This prevents attackers from precomputing a list of values for common keys. The most common hash functions used in this method are MD5 and SHA1.
When the system that stores the PWD is well designed, there is no computational method for recovering the original text directly from the stored value.
If an attacker obtains the list of stored values, they can use a number of readily available tools that hash each word in a long list of candidate codes, such lists being widely available in many languages, compare the results with the stored values, and also try variations of each word.
These tools are effective against many kinds of codes; deriving the stored value with a key derivation function can reduce this risk.
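The contrast drawn above, between an unsalted fast hash that a precomputed list breaks at once and a salted, iterated derivation that no precomputed list matches, can be shown with the standard library. This is an added example, not code from the article; the "common password" list and the user records are constructed for the demonstration, and PBKDF2-HMAC-SHA256 is used as the key derivation function rather than the MD5 or SHA1 the article names, precisely because those are fast and unsalted.

```python
"""Why a salted, iterated key derivation defeats precomputed lists.

Added example, not from the article. COMMON_PASSWORDS stands in for the
publicly available lists of common codes; the user records are constructed.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a published list of common codes
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "password12345"]


def unsalted_md5(password: str) -> str:
    """What a poorly designed store keeps: one fixed value per password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; it then works against every unsalted store."""
    return {unsalted_md5(p): p for p in candidates}


def crack_unsalted(stored_hash: str, table: dict):
    """A single dictionary lookup recovers the password, or None if absent."""
    return table.get(stored_hash)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """What a well-designed store keeps: per-user salt, work factor and digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def demo() -> dict:
    user_password = "letmein"   # constructed: the user picked a common code
    # 1. Unsalted MD5: the precomputed table breaks it instantly.
    table = build_lookup_table(COMMON_PASSWORDS)
    found = crack_unsalted(unsalted_md5(user_password), table)
    # 2. Salted and iterated: two users with the same code get different
    #    records, so nothing computed in advance matches, and every guess
    #    costs `iterations` hash computations per user.
    rec_a = make_record(user_password)
    rec_b = make_record(user_password)
    return {
        "cracked_unsalted": found,
        "records_differ": rec_a["digest"] != rec_b["digest"],
        "verify_ok": verify(user_password, rec_a),
        "verify_wrong": verify("password", rec_a),
    }


if __name__ == "__main__":
    print(demo())
```

The salt removes the attacker's ability to reuse one table across users, and the iteration count raises the cost of each guess; both values are stored beside the digest, since neither needs to be secret for the scheme to work.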
Codes can be exposed to eavesdropping while being transmitted between the user and the authentication system.
If the code travels as an electrical signal over an unsecured cable between the user's access point and the central system controlling the database, the traffic can be tapped through the external cabling.
If the code is sent over the Internet, an attacker who inspects the packets carrying the access information can capture it with little chance of detection.
Since cable modems are more vulnerable to eavesdropping than DSL modems and telephone connections, they may be targeted by eavesdropping attacks on the cabling and network equipment.
The risk that codes sent over the Internet are intercepted by such attacks is reduced by Transport Layer Security (TLS), which is built into most Internet browsers.
When TLS is active in a web browser, a closed padlock icon is displayed, indicating that the transmission can be assumed to be more secure.
A system must allow a user to change or renew their code when they forget the current one or suspect that others may have compromised it.
Some websites offer a remember me option that stores the user's key in the web browser. Enabling this option for the username and key used to access a service that holds important data creates a great security risk.
To avoid these problems, Identity Management Systems are increasingly used to automate the replacement of lost PWDs.
These systems verify the user's identity by asking predefined questions and comparing the answers the user gives with those on record.
In addition, forcing users to change their PWDs frequently means that an old PWD that falls into the wrong hands is of little use, increasing the guesswork required of attackers.
However, it also causes users to forget their current PWD; as a result, they write their keys down in visible places or tend to reuse their previous keys.
Features of a Protected System
The following measures increase the security of key-protected software systems or services.
PWDs should not be echoed on the display screen while a user enters them to access the system.
PWDs of sufficient length must be allowed.
When a key is created, the use of special characters or numbers must be required.
Users should be asked to re-enter their PWDs after a period of inactivity.
A PWD policy should be in place to protect important PWDs.
PWDs that the system assigns should be chosen at random.
An input method other than the keyboard should be offered as an alternative.
When a PWD is changed, the new one should be checked so that it neither resembles nor contains previously used PWDs.
Avoiding the Possibility of Finding PWDs
Studies conducted during the development of computer systems have shown that roughly 60% of user-chosen keys can be guessed easily.
Lists of keys commonly chosen by users can be found on the Internet. Therefore, if a user chooses easily discoverable personal data as a key, an attacker can find it easily.
Most personal data about individuals is now available on online platforms. Users' keys can often be obtained by someone posing as a social worker conducting a survey.
Techniques for Creating a Strong PWD
A weak key is predictable text: a very short word, a default word, a word drawn from a dictionary or from personal names, or a variation of the username.
A strong key should be long enough, random, contain special or numeric characters, and be generated by the user alone.
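The policy measures listed under Features of a Protected System (sufficient length, required digits and special characters, no resemblance to previous PWDs) and the description of weak keys just above (default codes, personal data, username variants) can be enforced in one check at password-change time. This is an added example, not the article's code: MIN_LENGTH, the banned list, the similarity threshold and the date formats tried are constructed policy choices, not values the article prescribes.

```python
"""Password policy check covering length, character classes, banned default
codes, username variants, personal data and resemblance to old passwords.

Added example, not from the article. MIN_LENGTH, BANNED, SIMILARITY_LIMIT
and the date formats are constructed policy choices.
"""
import difflib
import re
from datetime import date

MIN_LENGTH = 12
# Constructed: the defaults the article names plus a few obvious ones
BANNED = {"administrator", "12345", "password12345", "password", "123456"}
SIMILARITY_LIMIT = 0.7   # ratio at or above which a new password "resembles" an old one


def _contains_username_variant(password: str, username: str) -> bool:
    p, u = password.lower(), username.lower()
    return u in p or u[::-1] in p        # plain or reversed username


def _looks_like_personal_data(password: str, personal: dict) -> bool:
    """personal: e.g. {"birth_date": date(1990, 5, 17), "pet": "Rex"} (constructed keys)."""
    p = password.lower()
    for value in personal.values():
        if isinstance(value, date):
            for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%Y"):
                if value.strftime(fmt) in p:
                    return True
        elif isinstance(value, str) and len(value) >= 3 and value.lower() in p:
            return True
    return False


def _resembles_previous(password: str, previous) -> bool:
    p = password.lower()
    for old in previous:
        o = old.lower()
        if o in p or p in o:             # contains (or is contained in) an old one
            return True
        if difflib.SequenceMatcher(None, p, o).ratio() >= SIMILARITY_LIMIT:
            return True                  # only a few characters changed
    return False


def check_password(password: str, username: str, previous=(), personal=None) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    personal = personal or {}
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed case")
    if password.lower() in BANNED:
        problems.append("banned default code")
    if _contains_username_variant(password, username):
        problems.append("contains username")
    if _looks_like_personal_data(password, personal):
        problems.append("contains personal data")
    if _resembles_previous(password, list(previous)):
        problems.append("resembles a previous password")
    return problems


if __name__ == "__main__":
    # Constructed inputs
    print(check_password("password12345", "bob"))
    print(check_password("Winter2024!!xyz", "alice", previous=["Winter2023!!xyz"]))
    print(check_password("correct Horse battery 9!", "alice"))
```

Returning every violation rather than the first lets the interface tell the user exactly what to fix; the previous-password comparison needs the old passwords (or the new candidate compared against them at change time), so it only works where the system still has the old values available during the change, never from stored hashes alone.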
The most effective way to create a PWD is to include enough random characters, although such PWDs are the hardest to remember.
Some users build a PWD from a phrase or compound words, for example the initials of several words, which then look like random letters. The best way to make a PWD more memorable is to use random words or syllables instead of random letters.
Memorability
The most secure PWDs are long strings of random characters containing both upper- and lower-case letters. However, users may have difficulty remembering such a PWD.
Users devise combinations of their own so that they can remember their PWD, even when warned never to write it down and never to use it for more than one account. Alternatively, they can use software that stores the PWDs of many accounts in encrypted form.
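The trade-off discussed in the last few paragraphs, random characters versus random words or syllables, can be made concrete by generating each kind with the `secrets` module and computing how many bits of guessing resistance each gives. This is an added example, not from the article; the small word and syllable lists are constructed stand-ins (a real passphrase generator draws from thousands of words), and the 7776-word list size used for comparison is an assumed Diceware-style size.

```python
"""Random passwords versus random passphrases, with their entropy in bits.

Added example, not from the article. WORDS and SYLLABLES are tiny
constructed lists; 7776 is an assumed Diceware-sized word list.
"""
import math
import secrets
import string

CHARSET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
# Constructed stand-ins for real word and syllable lists
WORDS = ["apple", "river", "stone", "cloud", "tiger", "lamp", "orbit", "maple",
         "frost", "pixel", "quartz", "velvet", "harbor", "cobalt", "meadow", "zephyr"]
SYLLABLES = ["ba", "ko", "mi", "ra", "tu", "ne", "lo", "si"]


def random_password(length: int = 16) -> str:
    """Uniformly random characters: hardest to guess, hardest to remember."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDS, sep: str = " ") -> str:
    """Random words: each adds log2(len(wordlist)) bits yet stays easy to recall."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def random_syllables(count: int = 8, syllables=SYLLABLES) -> str:
    """Pronounceable random syllables, the other memorable option the text names."""
    return "".join(secrets.choice(syllables) for _ in range(count))


def entropy_bits(choices: int, symbols: int) -> float:
    """Guessing resistance of `choices` independent picks from `symbols` options.
    Only valid when the picks are uniformly random (secrets, not the user's head)."""
    return choices * math.log2(symbols)


def compare(length: int = 16, words: int = 6) -> dict:
    """How many bits each style of secret carries for typical sizes."""
    return {
        "password_bits": entropy_bits(length, len(CHARSET)),
        "tiny_list_passphrase_bits": entropy_bits(words, len(WORDS)),
        "diceware_passphrase_bits": entropy_bits(words, 7776),
        "syllable_bits": entropy_bits(8, len(SYLLABLES)),
    }


if __name__ == "__main__":
    print(random_password(), random_passphrase(), random_syllables())
    print(compare())
```

The entropy figures only hold for secrets the program picked; a phrase the user invented is not uniformly random and its real guessing resistance is far lower than the formula suggests, which is why the generation step matters as much as the length.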
Other Safety Precautions
PWDs that are valid only once increase security by preventing attacks that reuse a captured PWD.
One-time PWDs can be extremely inconvenient for some users but are widely applied in personal online banking.
Access control with security tokens is similar to one-time PWDs, but the value to be entered appears on a small screen and changes every minute.
Since the PWDs produced by such access-control methods are too long to memorize, they should be stored on a computer, a flash drive, or a portable device such as a hard disk.
Biometric access control uses additional equipment that scans the user's face or fingerprint; it is considerably safer than other methods, but the cost can be high.