Authentication is the process of who the user claims to be. There are three factors of authentication:
Something you know – such as a password, PIN, personal information like mothers maiden name etc.
Something you have – a physical item, such as a cellphone or card.
Something you are – biometric data such as fingerprint or facial recognition.
Password authentication falls into the “something you know” category and is the most common form of authentication.
Every time you have signed up for a website, you have been asked to create a username and password. This has become almost second nature for some users to set up their accounts without much thought about the credentials they choose.
Registering with Username and Password
When a user first signs in to a website, they are asked for their username and password to identify themselves. If they don’t have an account, then they are prompted to make one and ultimately have to choose their username and password.
In a perfect world, a user would always pick a strong and unique username and password however, that is not the case and most times, people pick something simple so they can remember it easily.
Enforcing Password Rules
In terms of security, the longer and more complex a user’s password is, the better.
It’s recommended that you enforce good practice behaviours when forming a new password. There should be certain minimum requirements for the users however, there also needs to be a happy medium with the requirements and how complex they are.
To enforce a strong password, here are some rules you should consider for your users:
Storing the Users Credentials
Once the user chooses their username and password and clicks submit, there needs to be somewhere that the information is stored.
Your first move is to check that the user doesn’t already exist in the database. Once they cleared that, you should check that the password meets your minimum requirements, but confirming the server side.
Now that the user’s credentials have cleared that, you can store the information into your database but there is one more step that needs to happen: password hashing.
Password hashing involves using a one-way cryptographic function that takes an input of any size and outputs a different string of a fixed size.
So essentially, before you store any passwords in your database, you should always hash them. The hashed password will be totally unrecognizable from the plain text password and will be next to impossible to regenerate the plaintext password based on the hashed one.
Most programming languages have either a built-in functionality for password hashing or an external library you can use. Make sure you use a secure and vetted hashing algorithm when implementing password hashing.
Handling Returning Users
After a user registers, they’re likely going to come back to your site and when they do, you’ll have to verify their identity using their credentials. Once they submit their credentials through the login form, you’ll search your database for the username they’re signing in with (normally done through your server automatically). If there’s a match, then the hashed password they typed in should be identical to the one in the system.
Now what happens when a user forgets their login credentials? Let’s say the username that’s required to sign in is an email address. You’ll have to generate a password reset link, email it to that user, and allow them to make a new password. Because you have the user’s hashed password stored in the database, there’s no way to let the user know what their old password was, therefore, prompting them to make a new password.
Even with maximum safety, password authentication still has its vulnerabilities.
User Generated Credentials
How do user-generated credentials pose a threat? Since users have to create their own passwords, there’s always a chance that they won’t create secure credentials. The majority of user generated passwords are considered weak and easily vulnerable to hacking. It’s usually because users want to have a password that’s easy to remember but aren’t up to date on password security best practices, or subconsciously use patterns to generate their passwords.
Even if your website is equipped with a password strength-checking tool, the results can be inconsistent and inaccurate, leading users into a false sense of security.
Creating a complex password can be difficult because our minds are drawn towards patterns. If you think about all the passwords you create, they all likely follow a similar pattern or formula such as, using a word with numbers and a special character at the end.
As a user, these patterns make it easier for us to remember our credentials; however, cybercriminals are also aware of said passwords and as a result, can use this knowledge to adjust how they crack password combinations.
Brute Force Attacks
How do brute force attacks pose a threat? Well, a brute force attack occurs when a computer program runs through every password combination until they find a match. The system will run through all one-digit combinations, two-digit combinations, and so forth until your password is finally cracked. Some programs will specifically focus on combing through the most commonly used dictionary words, while other programs will target popular passwords against a list of possible usernames.
Aside from simply guessing your password, a brute-force attack is the most common technique hackers use. They are able to run through thousands of combinations in less than a second, which means that shorter passwords can be cracked in a very short time.
How do recycled passwords pose a threat? It’s suggested that users create passwords that are at least 8 characters in length, and use a combination of uppercase and lowercase letters, numbers and symbols. Each password should be unique to each account, meaning no repeats.
This may be possible if users only had maybe one or two personal accounts, but the average user has about over 90 online accounts and it’s predicted to increase in the coming years.
The challenge is, in order for passwords to be secure, they need to be secure and complex. But that makes it difficult for the user to remember and not user-friendly. Since remembering a unique and complex password is difficult, they have to store their passwords somewhere that they can reference. If the user uses low-tech solutions such as a sticky note, or word doc on their laptop, then it makes those passwords easier to steal and/or lose.
How do large-scale breaches pose a threat? Password breaches are becoming a real concern for businesses and organizations of all sizes. When you store all of your user’s credentials, it puts you at risk for a breach and simply encrypting the information is often not enough. It’s crucial that developers understand that weak internal passwords and improper storage of credentials could make a hacker’s job easier.
Password breaches of other websites could affect your website’s security. If you’re using a service from a company that recently had a password breach, your own employee’s accounts could be compromised which puts your end users at risk.
As we know, two-factor authentication is a form of multi-factor authentication, which builds on top of passwords to create a more robust security solution. Two-factor authentication requires you to authenticate yourself with two identity dimensions – something you know, and something you have.
Two-factor authentication is a great option for MSPs and other businesses because it adds an additional layer of security that is very difficult for hackers to crack. Even if a hacker were able to guess your password, it would be unlikely that they could also simultaneously gain access to the one-time code sent to your device.
Token systems use a purpose-built physical device to deliver two-factor authentication. This could be a dongle that is inserted into your device’s USB port, or even a type of hardware token.
To keep a token system secure, it is crucial that you ensure that your physical authentication device (i.e., USB, or hardware token) does not fall into the wrong hands. Token-based systems are generally more expensive than other password authentication methods because they require you to purchase purpose-built hardware for each of your users. However, they are very secure, and more cost-effective options are entering the market as time goes on.
Biometrics rely on a user’s physical characteristics to identify them. For example, fingerprints, retinal or iris scans, or facial and voice recognition. This is a highly secure form of authentication because no two individuals will have the same physical characteristics. Biometric authentication is an effective way of knowing precisely who is logging into the system.
Another advantage of biometric authentication is that it doesn’t require users to have a USB, hardware token, or cell phone to hand. They don’t really need to remember their password. However, it is worth noting that biometric systems are more secure when paired with a password.
Unfortunately, there are some downsides to biometrics systems. They can be very expensive to install and require specialized equipment like retinal scanners or fingerprint readers. There are also concerns regarding the privacy of biometric systems. Some users dislike the idea of sharing their biometric information with a company. As such, biometric authentication systems are most common in environments that require the highest level of security, like the intelligence and defense sectors.
Computer Recognition Authentication
Computer recognition is a password authentication method that verifies a user’s legitimacy by checking that they are on a particular device. These systems install a small software plug-in on the user’s device the first time they successfully login. This plug-in contains a cryptographic device marker. When the user next logs in, the marker is checked to make sure they are on the same, trusted device.
The disadvantage of this authentication method is that it can be difficult when users switch devices. To maintain a high level of security, computer recognition authentication systems must enable logins from new devices using other forms of verification (i.e., two-factor authentication with a code delivered via SMS).
CAPTCHAs aim to determine whether a user is human, to prevent computer-driven attempts to break into accounts such as brute force attacks. The CAPTCHA system displays a distorted image of letters and numbers, or pictures, and asks the user to type in what they see. Since computers and bots struggle to identify these distortions correctly, CAPTCHAs enhance security by creating an additional barrier to automated hacking systems.
These systems can, however, may not be the most user friendly, as individuals with disabilities, such as blindness, may not be able to pass a CAPTCHA test. Even non-disabled individuals sometimes have trouble with CAPTCHA, which can cause frustration and delays.
When a user creates a password, a copy of that credential is stored by the system or website in a secure password database against which the server can compare any further login attempts. Since all those passwords are stored in a centralized location, it’s important that password-based authentication systems ensure top-notch security for those databases.
Typically, passwords are stored in an encrypted fashion so that even if a hacker is able to access the database, the information they see would be of no use to them.
A password alternative is any sort of authentication protocol that doesn’t need to utilize a typical ID and key to grant users access. Password alternatives fall into possession or inheritance-based methods.
Whether your organization is set on using password authentication or you’re exploring passwordless alternatives, it’s important to be aware of a password’s weaknesses so that you can find a secure way to protect your data.