I agree Utilizamos cookies para mejorar la experiencia de navegación del usuario y para estudiar cómo se utiliza nuestro sitio web. Si navega por nuestro sitio web, estará aceptando el uso de las cookies en las condiciones establecidas en la presente política de cookies. Esta política puede ser actualizada, por lo que le invitamos a revisarla de forma regular.
¡HI! If you want to propose us a project, send a mail to firstname.lastname@example.org
By Bernardo Ramos, IT security expert
Today we are going to talk about passwords, that unpleasant thing that we always remember when we want to access some service on the Web, that we have never been stolen, that is very safe and nobody could guess and, besides, even in that case, I would not care because I change it frequently. Because, of course, we all stick to the safety recommendations that we are reading or listening every day. Or maybe not? On the other hand, are these recommendations really justified? What is the real risk around my passwords?
Keep on reading this entry if you want to find the answer to these questions
A secret known only to one or more users, used to verify the identity of the user or group of users
Usually used to control access to an automated service
Passwords can be:
According to their validity period
According to their content
The password is usually associated with an identifier, which, in turn, is associated with an identity (person or group of people or even abstract entities).
It is one of the components of the authentication process
What is Authentication?
Processs to verify an identity
There are several types
Uses a single element: The identifier (Username or Login).
Used when no verification is necessary to verify identity
Example: When identifying yourself in a phone call
It uses two factors
It uses three factors, so it is sometimes referred to as "three factor authentication" or even "double factor authentication", by omitting the identifier in the account
"Something that I am" - The identifier
"Something that I know" - The password
"Something that I have":
Device that provides a number that changes every certain time-lapse
Each device is unique generating different numbers
The authentication system knows which device is associated with the user and is synchronized with it to know which number will generate at any time
Each number generated has a limited validity, usually one minute
It contains a table of X rows and Y columns and at each intersection there is a number or key of 2 or 3 characters
Each card is different
The authentication system will ask me to enter the code of a certain row and column chosen randomly.
The authentication system will send me a message with a one-time code
With magnetic stripe or RFID
Requires the corresponding reader at the authentication place
Each certificate has a public key and a private key and is associated with a specific identity
The public key is available and is known by anyone
The private key is secret and is known only by the owner of the identity
The authentication system is based on advanced mathematics, specifically on operations with polynomials
There is an algorithm, known by the whole system of authentication that allows to generate a string of characters from the private key and another algorithm that allows, from the public key and the string of characters, to know if to generate the latter the associated private key has been used.
The first component of the authentication system is integrated in the device of the user whose identity is to be verified and consists of the algorithm that will generate the string of characters. It will usually ask the user for a password to access his private key
The string of characters is sent to the authentication system, which checks its validity with the public key
The private key is therefore never transmitted, so if its owner protects it from being physically stolen, the system is inviolable
It is the authentication system considered the most secure, as long as it respects the protocol that guarantees that the private key is always in possession exclusively of its owner
The electronic Identity card in Spain (DNI) contains a certificate that is accepted by many services, public and private, to verify the identity of the user
They are based on the physical characteristics of the individual:
They have the advantage that we always have them available wherever we are and we do not need to remember them
It can be combined with an identifier or even do without it because the authentication system itself can deduce it.
Require the availability of reading devices in the place where the user is
Myths and legends
A password must be complex so that it is not easy to guess or discover with dictionary or brute force attacks.
A password must be changed periodically to prevent the risk in case it has been discovered by another person with the intention to steal our identity .
How a password can be stolen?
Watching while typing
Some user data are needed
They are often associated with "social engineering" attacks to obtain the necessary data
Asking the user
Through computer attacks
Coherence and proportionality
The effort to protect our password must be proportional to the importance of the service it protects.
The risk is not the same when you access your bank to perform operations than when you search in an internet forum how to change brake pads.
In our "digital" life we can have accounts in 50, 100, even 200 different services.
Some of these services are important and we need to protect them, such as online banking, the Fiscal Administration or e-commerce.
Most of them are not so important and the risk of usurpation of our identity would be of limited value to the usurper and to us.
We can use a simple and easy to remember mechanism for creating passwords for unimportant services.
Instead, we must be very rigorous and devote a significant effort to the design and protection of the passwords of important services.
Instead, we must be very rigorous and devote a significant effort to the design and protection of the passwords of important services .
Latch or lock
Some passwords are used as "latch" to open certain services and their degree of protection should be proportional to what is behind the door.
Other passwords are used as "locks", to keep something protected, usually our information, and, also in this case, the security of the lock should be proportional to the value of what it encloses
Your email is the master key
In terms of computer security you should to be able to abandon everything at any time and start from scratch
Most services have a mechanism that allows you to recover a forgotten password or, better yet, create it again.
To verify the identity of the user requesting the recovery or reset of his password, most services use the user's email.
Upon request to reset a password, the server will send a message to the email address that the user indicated when creating his account. This massage contains a link that will allow him to perform the reset himself.
The link is for one single use and usually has a validity limited in time.
What do we conclude from this?
If someone can steal our e-mail password, he will have the master key to enter all our accounts.
He could just go to the corresponding server and request the reset of the password so that he can change the password himself and access using our identity
The most important password we have is the one of our email.
A good practice would be to use a specific email address only for resetting our passwords, and to use for it a password more complex than usual that we will change periodically.
And let us not forget what was indicated at the beginning of this chapter:
In terms of computer security you should be able to abandon everything and start from scratch.
And in case of doubt, change one or more of your passwords.
The perfect password
It has to be easy to remember and impossible to guess. Probably using sentences with words separated by spaces is one of the best options:
Password Safe: KeePass
Biometric authentication, perhaps combined with public key infrastructure certificates and the generalization of identity federation systems, will likely suppress or at least greatly simplify the use of passwords, but while we wait for that time, here goes a good tip to simplify the handling of the tens, or even hundreds of passwords, that we have to handle today.
A good alternative, used by many computer security professionals, and accessible to all of us, is the use of some tool for secure storage of passwords.
That way we can keep all our passwords protected, avoiding post-its, lists written on a piece of paper or in a notebook or even Excel files or similar, all of them completely unsafe options.
There are different options in the market. From my experience and those of my colleagues in cybersecurity, I recommend the open source tool KeePass, whose security has been certified by public agencies such as the National Agency for Security Information Systems of the French government, among others.
Keepass: Advanced System for Password Management
It is a password safe
Preserve and protect all passwords and identifiers of your applications and websites in a single database
Available on all PC and smartphone operating systems
Easy to synchronize across all your devices (PC, smartphones, tablets, etc.) using Dropbox
All your passwords will be securely stored
Never again forgotten passwords
Never again stolen passwords
You do not even have to type your passwords, Keepass does it automatically
The addresses of your websites can be saved and opened directly from Keepass in your browser
Keepass Password (your master password)
It must be solid and easy to remember (Recommendation: complexity 90 bits or more, length 12 characters)
One sentence, with spaces in-between words, will make a very good password by respecting all the security requirements and is easy to remember.
Example: Wash the car today.
It has uppercase, lowercase, spaces and a dot at the end, more than 12 characters and 95 bit complexity ...
There is no way to recover the Keepass password if you lose it
Manage all your passwords
Structured in Groups
Each group can have sub-groups and entries
Función Auto-type function to fill id and password automatically without typing
This allows us to use very complex passwords comfortably
Ability to copy and paste the user and password manually
Like the previous function, since you do not need to type them, passwords can be very complex
Ability to directly open the web page or application directly from Keepass
Precautions, good practices
Remember to lock the session of your device when you are not using it by protecting its opening with a password
As your passwords expire or change, remember to update them in KeePass
by 4 July 9, 2017
by 4 May 9, 2017
by Albatian March 27, 2017
by Albatian March 27, 2017
by Albatian Jan. 10, 2017
by Albatian Aug. 24, 2012