🔐

Account Security Essentials

Nov 8, 2025

Overview

Lecture covers securing digital accounts: threats, defenses, and best practices. Emphasis on passwords, multifactor authentication, phishing, and tools like password managers and SSO.

Authentication vs. Authorization

  • Authentication: process of proving identity (e.g., username + password).
  • Authorization: permissions granted after authentication; defines what resources you can access.
  • Keys in the physical world are analogous to credentials in digital systems.

Password Strength and Attacks

  • Dictionary attack: tries common words to guess weak passwords.
  • Brute-force attack: tries all possible combinations; speed depends on password length and character set.
  • Credential stuffing: reuses leaked username/password pairs across sites.
  • Social engineering: manipulating people to reveal secrets (e.g., “write down a password” scenario).
  • Phishing: deceptive emails/websites that mimic legitimate services to steal credentials.
  • Machine-in-the-middle: malicious systems intercept traffic between you and a service.

Measuring Password Space

  • Four-digit PIN: 10^4 = 10,000 combinations; crackable in milliseconds.
  • Four letters (A–Z, a–z): 52^4 ≈ 7 million; seconds to brute force.
  • Four characters (letters, digits, punctuation ≈ 94): 94^4 ≈ 78 million; minutes-scale.
  • Eight characters (94 set): 94^8 ≈ 6 quadrillion; impractical to brute force.

NIST Password Recommendations

  • Minimum length: at least 8 characters.
  • Allow long passwords: permit up to 64 characters; accept all printable ASCII characters, including spaces, and accept Unicode.
  • Block weak choices: reject breached passwords, dictionary words, repetitive/sequential patterns, context-specific words (e.g., service name).
  • No hints or “secret questions”: avoid collecting personal trivia; hints expose sensitive cues.
  • Don’t force periodic changes: arbitrary rotation leads to weak variants and usability issues.
  • Rate limiting: throttle failed attempts; escalating lockouts slow attackers but raise the risk of locking out legitimate users.
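The NIST rules above as an added example policy check, written for these notes rather than taken from the lecture; the breach and dictionary lists are tiny constructed stand-ins for the real corpora a service would use.

```python
import unicodedata

# Constructed sample lists; a real deployment would use a breach corpus and a full word list.
BREACHED = {"password", "123456", "qwerty", "letmein"}
DICTIONARY = {"summer", "dragon", "football", "welcome"}


def _has_run(pw, run=4):
    """True if any character repeats `run` or more times in a row, e.g. 'aaaa'."""
    count = 1
    for a, b in zip(pw, pw[1:]):
        count = count + 1 if a == b else 1
        if count >= run:
            return True
    return False


def _has_sequence(pw, run=4):
    """True for runs of consecutive code points, up or down, e.g. 'abcd' or '4321'."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, service_name, username=""):
    """Return the list of reasons the password is rejected; an empty list means accepted."""
    # NFKC-normalize so visually identical Unicode strings are compared the same way.
    pw = unicodedata.normalize("NFKC", pw)
    low = pw.lower()
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")
    # Any printable character, including spaces and non-ASCII, is allowed: no composition rules.
    if low in BREACHED:
        reasons.append("found in breach list")
    if low in DICTIONARY:
        reasons.append("dictionary word")
    for ctx in (service_name, username):
        if ctx and ctx.lower() in low:
            reasons.append(f"contains context-specific word '{ctx}'")
    if _has_run(pw):
        reasons.append("repetitive characters")
    if _has_sequence(pw):
        reasons.append("sequential characters")
    return reasons
```

Note what is deliberately absent: no required digit or symbol, no hint or security question, and no expiry date, in line with the recommendations above.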

Usability vs. Security Trade-offs

  • Stronger passwords reduce usability; a balance is needed.
  • Arbitrary complexity rules and frequent changes harm memorability, encourage poor practices.
  • Rate limiting can lock out legitimate users but significantly impedes attackers.
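The escalating-lockout behaviour described above, as an added illustration written for these notes (not lecture code). The class name, the thresholds and the injected `now` clock are all assumptions chosen so the logic runs offline.

```python
import time


class LoginThrottle:
    """Per-account failed-login throttle with escalating lockouts.

    After `free_attempts` consecutive failures the account is locked for
    base_lock * 2**(previous lockouts) seconds, capped at max_lock. A successful
    login clears the state. `now` is injected so behaviour is testable offline.
    The same mechanism that slows a brute-force attacker also locks out a
    legitimate user who keeps mistyping, which is the trade-off in the notes.
    """

    def __init__(self, free_attempts=5, base_lock=30, max_lock=3600):
        self.free_attempts = free_attempts
        self.base_lock = base_lock
        self.max_lock = max_lock
        self._state = {}  # user -> {"fails", "lockouts", "locked_until"}

    def _entry(self, user):
        return self._state.setdefault(
            user, {"fails": 0, "lockouts": 0, "locked_until": 0.0})

    def allowed(self, user, now=None):
        """Return (True, 0) if an attempt may proceed, else (False, seconds_left)."""
        now = time.time() if now is None else now
        e = self._entry(user)
        if now < e["locked_until"]:
            return False, e["locked_until"] - now
        return True, 0

    def record_failure(self, user, now=None):
        """Count a failed attempt; return the lockout length applied (0 if none)."""
        now = time.time() if now is None else now
        e = self._entry(user)
        e["fails"] += 1
        if e["fails"] < self.free_attempts:
            return 0
        delay = min(self.base_lock * 2 ** e["lockouts"], self.max_lock)
        e["lockouts"] += 1
        e["fails"] = 0
        e["locked_until"] = now + delay
        return delay

    def record_success(self, user):
        self._state.pop(user, None)
```

A real service would apply a similar limiter per source address as well, since credential stuffing spreads attempts over many accounts.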

Two-Factor and Multifactor Authentication (2FA/MFA)

  • Factors:
    • Knowledge: something you know (password).
    • Possession: something you have (phone app, key fob).
    • Inherence: something you are (biometrics like fingerprint/face).
  • One-Time Passwords (OTP): codes used once; delivered via app, hardware token, or SMS.
  • Prefer app-based OTP or hardware tokens over SMS due to SIM swapping risk.
  • Be wary of phishing pages that also prompt for 2FA codes.

Malware and Keylogging Threats

  • Malware/keyloggers can capture passwords and OTPs.
  • Defense: use only your own trusted devices; keep systems clean; run antivirus (for broader malware risks).

Single Sign-On (SSO)

  • Use existing accounts (e.g., Google/Facebook) to log in elsewhere.
  • Benefits: reduced friction, leverage strong protection on primary accounts, no password sharing with third-party sites.
  • Mechanism: third party receives verification of successful login, not your password.

Password Managers

  • Generate strong, unique passwords per site; store and auto-fill them on correct domains.
  • Help prevent phishing by refusing to fill on spoofed URLs.
  • Require one strong master password; protect this “single basket” carefully.
  • Built-in options: iCloud Keychain (Apple), Google Password Manager, Microsoft Credential Manager.
  • Adoption strategy: migrate high-value accounts first; change others incrementally.
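The autofill decision a password manager makes, as an added example written for these notes (not the code of any real manager): fill only on HTTPS pages whose host matches the saved host on whole labels, so lookalike and suffix-appended domains are refused. The function name and the sample URLs are constructed.

```python
from urllib.parse import urlsplit


def _host_of(url):
    """Hostname of a URL: lowercased, port and userinfo stripped, trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def should_autofill(saved_url, page_url, allow_subdomains=True):
    """Decide whether a credential saved for `saved_url` may be filled on `page_url`.

    Matching is done on whole DNS labels, so 'example.com.evil.test' and 'examp1e.com'
    do not match 'example.com'. A homograph host using non-Latin letters compares as a
    different string and is refused too. Plain http is refused so a downgraded or
    intercepted page never receives the credential.
    """
    if urlsplit(page_url).scheme != "https":
        return False
    saved_host, page_host = _host_of(saved_url), _host_of(page_url)
    if not saved_host or not page_host:
        return False
    if page_host == saved_host:
        return True
    return allow_subdomains and page_host.endswith("." + saved_host)
```

Real managers usually compare on the registrable domain (using the public suffix list) rather than the exact saved host, so a credential saved on one subdomain fills on sibling subdomains of the same site.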

Passkeys (Preview)

  • Passwordless authentication using a cryptographic key pair (public/private).
  • Generated and stored by your device; synced across devices.
  • Uses cryptography; eliminates memorized passwords; more in a future session.

Key Terms & Definitions

  • Authentication: proving identity to a system.
  • Authorization: permitted actions/resources after authentication.
  • Dictionary attack: guessing from word lists.
  • Brute-force attack: exhaustive search of all combinations.
  • Credential stuffing: trying known credential pairs on multiple sites.
  • Social engineering: psychological manipulation to obtain secrets.
  • Phishing: fraudulent messages/sites to steal data.
  • OTP (One-Time Password): single-use authentication code.
  • SIM swapping: fraudulently reassigning a phone number to another SIM.
  • Keylogging: malware recording keystrokes.
  • SSO (Single Sign-On): one account used to access multiple services.
  • Password manager: software storing and generating passwords.
  • Rate limiting: restricting login attempts to slow attacks.
  • Passkeys: cryptographic credentials replacing passwords.

Action Items / Next Steps

  • Use unique, strong passwords (prefer long passphrases) for all accounts.
  • Enable 2FA; prefer app-based or hardware tokens over SMS.
  • Start using a password manager; migrate critical accounts first.
  • Avoid password hints and security questions based on personal trivia.
  • Don’t reuse passwords; guard against credential stuffing.
  • Verify URLs before logging in; manually navigate to sensitive sites.
  • Avoid logging in on untrusted/shared devices; maintain antivirus.
  • Consider SSO with well-protected primary accounts.
  • Disable voice-based authentication where possible due to deepfake risks.

Password Space Examples

Password Type                          | Character Set Size | Length | Total Combinations    | Cracking Implication
4-digit PIN                            | 10                 | 4      | 10,000 (10^4)         | Milliseconds to brute force
4 letters (A–Z, a–z)                   | 52                 | 4      | ~7.3 million (52^4)   | Seconds to brute force
4 chars (letters, digits, punctuation) | ~94                | 4      | ~78 million (94^4)    | Minutes-scale; still feasible
8 chars (same 94 set)                  | ~94                | 8      | ~6 quadrillion (94^8) | Impractical to brute force