This article explains how to design a password strategy for an organization.
A password is part of the authentication mechanism that many of us use every day to log in to our private accounts: bank accounts, social networks, forums and many more. Passwords will probably not disappear in the near future, but the time will surely come when they are no longer needed.
Researchers are developing better authentication mechanisms so that users no longer need to remember so many passwords, and no longer need their mobile phone to receive an SMS code or use some other second method. Behavioral authentication is the new approach to the problem that keeps us occupied these days. With this approach, the researchers claim, all you need to do is to be you.
Behavioral authentication focuses on “how” a user types and interacts with their device, as opposed to “what” they type. It does this by continually monitoring and analyzing keystrokes, mouse movements, finger pressure, swipe patterns and more, comparing this activity with a unique user model to score a match. A low score, reflecting a significant change in the user's behavior, serves as a red flag that some security policy action may be required. However, the world is still not prepared for this type of authentication: the method has numerous difficulties, and an organization still needs to invest in the other methods as well.
So, what should we do to implement an authentication mechanism in our organization? Before we design and implement a password policy, let's understand a few concepts that lead to a better and more secure authentication mechanism for the organization.
Authentication factors are divided into three types:
- Something You Know
- Something You Have
- Something You Are
Something You Know
The something-you-know factor is the most common factor in use and can be a password or a simple personal identification number (PIN). However, it is also the easiest to beat, using a brute-force or dictionary attack. Another risk is how the passwords are stored in the database: if the organization is breached and the database is stolen, an attacker can recover passwords stored as plain, unsalted hashes by using the rainbow-table technique, and passwords that are merely encrypted fall as soon as the key is found. Passwords should therefore be stored as salted hashes produced by a slow password-hashing function, never encrypted or hashed without a salt.
When an organization configures a password policy on a domain controller (DC) or develops an application, it's essential to define a policy that requires users to choose strong passwords. A strong password has a mixture of upper-case letters, lower-case letters, numbers, and special characters. In the past, security professionals recommended that passwords be at least eight characters long. However, with the increasing strength of password crackers, it's common to hear professionals recommending longer passwords. For example, many organizations require that administrator passwords be at least 15 characters long.
Users share one common problem with long passwords: they are harder to remember unless they are put into some meaningful order. For example, a phrase like “This is my protected password” can become the password “Thi$I$MyPr073c73dP@$$w0rd” by applying the following rules:
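The storage point above, as an added example written for this article (not code from any product the article mentions): a breach of a database that kept unsalted SHA-256 hashes versus one that kept per-user salted PBKDF2 hashes. The function names, the wordlist and the three user records are constructed for the demonstration; the precomputed dictionary stands in for a rainbow table, which is a compressed form of the same hash-to-password lookup.

```python
import hashlib
import os
import secrets

# Constructed sample wordlist standing in for the attacker's dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2019", "P@ssw0rd"]


def store_unsalted(password):
    """Weak storage: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, iterations=100_000):
    """Stronger storage: random per-user salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256). Returns (salt_hex, hash_hex); both go in the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_salted(password, salt_hex, hash_hex, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), iterations)
    return secrets.compare_digest(digest.hex(), hash_hex)


def build_lookup_table(words):
    """Attacker side: precompute hash -> password once, before any breach."""
    return {store_unsalted(w): w for w in words}


def crack_unsalted(stolen_hashes, table):
    """Every stolen unsalted hash is a single dictionary lookup."""
    return {h: table[h] for h in stolen_hashes if h in table}


def crack_salted_with_table(stolen_rows, table):
    """The same precomputed table against salted rows: nothing matches, so the
    attacker must rerun PBKDF2 per user and per guess instead."""
    return {h: table[h] for (_salt, h) in stolen_rows if h in table}


def demo():
    # Constructed user records; alice and carol chose the same password.
    users = {"alice": "password", "bob": "P@ssw0rd", "carol": "password"}
    table = build_lookup_table(WORDLIST)

    stolen_unsalted = [store_unsalted(p) for p in users.values()]
    recovered = crack_unsalted(stolen_unsalted, table)

    stolen_salted = [store_salted(p) for p in users.values()]
    recovered_salted = crack_salted_with_table(stolen_salted, table)
    return recovered, recovered_salted, stolen_salted


if __name__ == "__main__":
    rec, rec_salted, rows = demo()
    print("unsalted SHA-256, recovered:", sorted(set(rec.values())))
    print("salted PBKDF2, recovered:", rec_salted)
    print("same password, different stored hashes:", rows[0][1] != rows[2][1])
```

Note that the salt does not need to be secret; its job is to make every stored hash unique so that no table computed in advance applies, while the iteration count makes each online guess expensive.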
- Each word starts with a capital letter
- Each lower case “a” is changed to a @
- Each lower case “s” is changed to $
- Each lower case “e” is changed to 3
- Each lower case “t” is changed to 7
- Each lower case “o” is changed to 0
- The spaces are removed.
To read more about this, search for “leet” (1337) writing to understand the letter-to-number substitutions used above.
With this method the password is easier to remember, yet still complex. However, if a user is required to remember a long password without any meaning, such as “t5H*&WQfew4#”, they are much more likely to write it down and become the low-hanging fruit.
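The transformation steps above, together with the strength policy recommended earlier (mixed character classes, 15 characters for administrators) and a cracker's view of the same rules, as an added example written for this article (not the article's own code). `leetify`, `meets_policy`, `rule_based_guess`, the phrase list and the plain SHA-256 stand-in for the stolen hash are all assumptions made for the demonstration. Applied mechanically, the rules turn “Password” into “P@$$w0rd” with two dollar signs, since the word contains two lower-case s.

```python
import hashlib
import string

# The article's substitution rules (lower-case letters only).
LEET = str.maketrans({"a": "@", "s": "$", "e": "3", "t": "7", "o": "0"})

# Constructed phrase list standing in for an attacker's dictionary of sayings.
PHRASES = [
    "correct horse battery staple",
    "open sesame",
    "This is my protected password",
    "the quick brown fox",
]


def leetify(phrase):
    """Capitalise each word, substitute lower-case a/s/e/t/o, drop the spaces."""
    capitalised = [w[:1].upper() + w[1:] for w in phrase.split()]
    return "".join(w.translate(LEET) for w in capitalised)


def meets_policy(password, min_length):
    """Upper, lower, digit and special character present, and at least min_length long."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return (len(password) >= min_length
            and has_upper and has_lower and has_digit and has_special)


def sha256_hex(password):
    # Plain SHA-256 stands in for whatever hash the attacker obtained; the point
    # here is the search strategy, not the hash function.
    return hashlib.sha256(password.encode()).hexdigest()


def rule_based_guess(target_hash, phrases):
    """Cracker side: apply the same mangling rules to every candidate phrase.
    The substitutions cost nothing; only the phrase itself has to be guessed."""
    for phrase in phrases:
        candidate = leetify(phrase)
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def demo():
    password = leetify("This is my protected password")
    policy_ok = meets_policy(password, 15)
    recovered = rule_based_guess(sha256_hex(password), PHRASES)
    return password, policy_ok, recovered


if __name__ == "__main__":
    pw, ok, rec = demo()
    print("derived password:", pw)
    print("meets 15-character mixed-class policy:", ok)
    print("recovered by a cracker that knows the rules:", rec)
```

The last function is the caveat worth keeping in mind: the same substitutions ship in common password-cracker rule sets, so the strength of a password built this way rests on how hard the underlying phrase is to guess, not on the letter-to-symbol swaps.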
Something You Have
This factor is something you carry with you, such as a smart card, a phone, a hardware token device and more.
Something You Are
Biometric methods provide the something-you-are factor of authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, handwriting, and voice analysis. Fingerprints and handprints are the most widely used biometric methods today. Recently, researchers have developed behavioral analysis, which is also considered something you are.
Using two of the three factor types is called 2FA (two-factor authentication). Some people think that designing a system that asks for a PIN and a password to log in is 2FA, but that is wrong: both are something you know, so it is still a single factor.
“2FA is the use of two authentication factors out of the three.”
Implementing an authentication mechanism is not simple. Each organization should consider the initial cost, the maintenance budget and the long-term impact on the organization. Therefore, not everything is black and white: while one organization can use single-factor authentication for a system, another may require two- or three-factor authentication for the same system.