Computer security: passwords, a major problem on the Internet
Nowadays we run into websites every day that demand convoluted passwords: upper- and lower-case letters, digits, a minimum number of characters. Some require you to change them at every turn, unless they keep your old passwords to compare against the new one and make sure you do not reuse it! The world is upside down. Of course, securing data on the Internet must be taken very seriously. But in doing so, it is the end consumer who pays the price. In the coming years, we must work towards a safer world that is also easier to use. Analysis.
The history of a predictable perversion
Since the beginning of time, or rather since the Internet has been the Internet, it has always been necessary to secure certain data: on the one hand to keep it private, on the other to be able to transform, analyse and then process it individually. From that observation, and from a need tied to privacy, was born the need for a password for almost everything. What began as a banal security mechanism turned into a deformed creature where everyone does more or less what they want in their own corner, ignoring some common-sense rules that are nonetheless crucial. Here are some examples that can be found all over the Web:
In the end, the one who gets screwed is always the same: the consumer. Tired of churning out passwords on demand, he does the worst thing possible: he uses one and the same password for every website where he is registered. In doing so, while he believes himself safe, he does not grasp the harm in it. It is not so much the password that should be questioned as the site on which it is used. You know nothing of that site's management and security procedures; the password may very well sit unencrypted in its database. This is how we end up with a gaping security hole where a single mistake lets someone unravel the entire thread of your personal data.
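Since the weak point described above is the site's own storage, here is what storage that keeps no plaintext looks like. This is an added example, not code from the article: it uses Python's standard-library PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison; the iteration count, the record format and the sample user table are constructed values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for this example;
# a real deployment tunes it to the hardware it runs on.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    Only a random salt and the slow, salted hash are stored; nothing in the
    record lets the password be read back, and two users with the same
    password get different records because their salts differ.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Constructed sample "user table": the password itself never appears in it.
USERS = {"alice": hash_password("correct horse battery staple")}


def login(username: str, password: str) -> bool:
    """Check a login attempt against the stored records."""
    record = USERS.get(username)
    if record is None:
        # Run a dummy verification so an unknown user costs the same time as a
        # wrong password, which avoids leaking valid usernames through timing.
        verify_password(password, USERS["alice"])
        return False
    return verify_password(password, record)
```

This protects only the stored copy: it does nothing against code that copies the password before `hash_password` is ever called, which is exactly the scenario the next sections describe, and it is why reusing one password across sites remains dangerous even on sites that store it correctly.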
Passwords on the Web
Wondering what the most used passwords on the Internet are? Many analysts and computer security companies have done their own little investigation. For example, this PDF gives you the 25 most common passwords from a list of 10 million. Worse, this list offers 1.5 billion passwords as a self-service! These results demonstrate the ceaseless failure of a system that has reached its limits. Sooner or later it will have to be rethought from scratch and redesigned down to the smallest detail.
A trivial example of a hack to obtain passwords
Let us start from the premise that you want to register on the forum of some random site. You are asked to choose a username and to provide your e-mail address and a password. As usual, you give the password you use every day. What you do not know, however, is that someone has set up a mechanism to capture the password in the clear before it is encrypted for storage. In other words, the site administrator takes your password in plain text and stores it elsewhere for future use. Later, without you realising it, and assuming your e-mail password is the same one, he will be able to get into your mailbox and piece together all your information. Or, if he is a vicious person, he will find you by your e-mail address on other sites and reuse your credentials to impersonate you, exploit your data, and so on. As for you, you will never notice a thing, and you will never know which site the problem originated from, drowned as you are in the vastness of sites where you use the same process every time.
Never – NEVER – trust the Internet
It is often said that the problem sits between the chair and the keyboard; in other words, in the majority of cases the user is involved. The problem is not so much a lack of information as the naivety of believing oneself immune because one submitted a complicated password. When you do not know the protocols used to secure and store your data, you have no reason to trust. Whether it is Mr. Smith, Google or Facebook. No company anywhere in the world can claim never to have had a data leak. Identity theft, theft of credit card numbers, e-mail addresses, passwords, phone numbers, etc. Anything goes when it comes to finding, tracing and exploiting your personal data to sell to the highest bidder.
Single sign-on, the false good idea
For several years now, single sign-on systems such as Facebook Login have been appearing. They have one definite advantage: a single account serves for a multitude of Internet sites. There is no need to register everywhere; you simply click to choose whether or not to hand over information to the site you are browsing. Practical, and relatively secure (let us always be careful), this solution nevertheless poses two major problems: privacy and centralisation of information. Indeed, you agree to hand all your data to a single entity (here Facebook), which will know your every move and every site and/or application you use daily through its system. And you agree to put all your eggs in one basket: with a single authentication, the disclosure of your credentials could let a malicious person do whatever he wants and exploit all your personal data. If, from a practical point of view, single sign-on is a revolution, in reality it is more of an ethical or even moral problem, and therefore a false good idea. We will never say it enough: never trust the Internet, let alone a company whose business is the analysis of personal data.
Two-factor authentication, a security-obsessed drift
If absurdity had a name, it would be two-factor authentication. Not content with offering you a reliable service, this solution requires you to confirm that you are the one requesting access and not an intruder. After entering your credentials on your computer, you are obliged to validate everything again on your mobile. In other words, identifying yourself on two different devices is supposed to guarantee maximum security. It is wrong. No system is 100% reliable, and if it is not the system that has a breach, it is the consumer and his naivety who will finish the job (Apple is a case in point; more information in this article). Conclusion: the most advanced system in the world will never stop someone from wanting to break into it, and from doing so one day or another. It would be really very kind and courteous to stop escalating to ever more intrusive systems.
The importance of returning to the fundamentals
As we have just seen, security is shifting towards increasingly complex and abusive protocols and practices. While we obviously must innovate on the management and security of passwords, it seems important to return to the fundamentals: communicating with and educating Internet users. But then, how do we combine security and ease of use?
Tools for users
It is crucial to use a different password for each website. For this, many random generators exist on the Internet. For example, the Password Generator site lets you configure a variety of options to create complex and secure passwords of varying length. The official Norton antivirus website also offers an identical service to generate a random password. Finally, you can turn to the Strong Random Password site, which is not outdone when it comes to generation options. Of course, once these passwords have been generated, they still have to be remembered.
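The generator sites named above all do the same thing under the hood: draw characters uniformly from a chosen pool with a cryptographic random source. The following is an added example of that, not code from the article or from any of those sites; it uses Python's `secrets` module (the OS CSPRNG, never the `random` module, whose output is predictable), and the pool names and the default symbol set are constructed choices.

```python
import math
import secrets
import string

# Character pools the user can enable, as the generator sites let you do.
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length: int = 16, classes=DEFAULT_CLASSES) -> str:
    """Draw `length` characters uniformly from the union of the selected pools.

    Every selected class is guaranteed to appear at least once, because many
    sites reject passwords lacking one; a draw that misses a class is simply
    redrawn, which keeps each returned password uniformly likely among the
    passwords that satisfy the constraint.
    """
    if length < len(classes):
        raise ValueError("length too small to include every character class")
    alphabet = "".join(POOLS[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in POOLS[c] for ch in candidate) for c in classes):
            return candidate


def generated_entropy_bits(length: int, classes=DEFAULT_CLASSES) -> float:
    """Entropy of the generation process: log2(pool size) bits per character.

    The class guarantee discards a small fraction of draws, so this is a very
    slightly optimistic figure for short lengths.
    """
    pool = sum(len(POOLS[c]) for c in classes)
    return length * math.log2(pool)


if __name__ == "__main__":
    for n in (12, 16, 24):
        print(n, generate_password(n), "%.0f bits" % generated_entropy_bits(n))
```

Whatever a generator outputs, its strength comes from the size of the pool and the length, not from how strange the characters look; a 16-character draw from the four pools above is worth just over 100 bits, which is far beyond what any guessing attack reaches, and it only stays that way if the password is used on one site.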
For this, several options are available to you:
- Save the passwords in the browser. This is the most common practice. It is fine for unpretentious sites that hold no information of significant value to you. Never forget that if someone uses your computer without your knowledge, this method lets them impersonate you without anyone being the wiser.
- Write the passwords in a text file (or on a piece of paper). This is to be avoided. In the first case, a simple file can travel across a network and end up in unscrupulous hands. The second case is hardly safer, because you are exporting sensitive information onto another medium. What about a person who takes it or simply photocopies it?
- Save passwords in dedicated software. This seems the most appropriate solution at present. Several password-manager programs exist. For example, KeePass stores all your passwords in an internal, encrypted database. The advantage is twofold: the passwords stay on your computer (they do not travel over the network or to a cloud), and a single master password is enough to access the whole list. You only have to remember one password to unlock all the others. A simple, practical, private and secure solution.
An idea to think about for developers
Here is an idea to increase security without exasperating users. Warning: this solution can be complicated (very, maybe too much?) to implement! Moreover, it could pose a philosophical problem for some.
- Require only one criterion: a password of at least 10 characters!
- Use Unicode. It may open the door to all kinds of excess. But allowing Unicode gives many more possibilities with different languages (Arabic, Chinese, etc.) and even emojis. Such a system can be very effective but should not be taken lightly, because the use of certain special characters can be abused.
- Calculate the entropy. At the end of the chain, the entropy of the password must be calculated in order to accept or reject it according to well-defined criteria. The entropy of a password is a measure of its predictability. The password must therefore go through several checks: length; upper case, lower case and digits; special characters; whether it is an existing or made-up word; whether it contains the same characters as the username (even shuffled!); etc.
- Explain, educate and validate. You must be able to communicate the entropy value of the password and therefore its score (for example, out of 100). And if, whatever the score, the user still chooses that password, let him do so: it is his free will. Let us put an end to the habit of imposing everything on others. Here, explanation and education take precedence. The system evaluates, the user makes the final decision and bears the future consequences. Isn't that what the word Liberté means?
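The four steps above, carried through as one evaluator, as an added example and not code from the article: the only hard rule is the 10-character minimum, Unicode is accepted (and NFKC-normalised first, so two spellings of the same text score and hash alike, a caveat worth knowing when allowing Unicode), a brute-force entropy estimate is computed from the character classes present, a common-word list and a shuffled-username check reduce it, and the result is a score out of 100 with findings the user can read before deciding. The 80-bit full-marks threshold, the 200-character pool assumed for each non-ASCII Unicode category and the tiny word list are constructed values; a deployment would load a real leaked-password list.

```python
import math
import unicodedata
from collections import Counter

MIN_LENGTH = 10          # the single hard requirement proposed in the text
FULL_MARKS_BITS = 80.0   # constructed: 80 estimated bits scores 100/100
NON_ASCII_POOL = 200     # constructed pool estimate per non-ASCII Unicode category

# Constructed toy list; a deployment would load a real leaked-password list.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "azerty", "motdepasse"}


def normalize(password: str) -> str:
    """NFKC, so that two Unicode spellings of the same text score (and hash) alike."""
    return unicodedata.normalize("NFKC", password)


def pool_size(password: str) -> int:
    """Alphabet an attacker would have to search, each character class counted once."""
    sizes = {}
    for ch in password:
        if ch.isascii() and ch.islower():
            sizes["lower"] = 26
        elif ch.isascii() and ch.isupper():
            sizes["upper"] = 26
        elif ch.isascii() and ch.isdigit():
            sizes["digit"] = 10
        elif ch.isascii():
            sizes["symbol"] = 33      # printable ASCII punctuation plus space
        else:                         # other scripts, emoji...: grouped by Unicode category
            sizes["cat:" + unicodedata.category(ch)] = NON_ASCII_POOL
    return sum(sizes.values())


def evaluate(password: str, username: str = "") -> dict:
    """Score a password out of 100 and explain the score.

    Only the length rule can reject; everything else is information for the
    user, who makes the final decision.
    """
    pw = normalize(password)
    findings = []
    per_char = math.log2(pool_size(pw)) if pw else 0.0
    bits = len(pw) * per_char

    if len(pw) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)

    if pw.lower() in COMMON_WORDS:
        # A listed password is one guess among the list, whatever its length.
        bits = math.log2(len(COMMON_WORDS))
        findings.append("this is a well-known password")
    else:
        # An embedded common word is found by dictionary rules: its characters
        # are worth one guess among the list, not per-character bits.
        for word in sorted(COMMON_WORDS):
            if word in pw.lower():
                bits -= len(word) * per_char - math.log2(len(COMMON_WORDS))
                findings.append("contains the common word '%s'" % word)
                break

    # Username characters, even shuffled: if every character of the username
    # appears in the password, those characters are treated as already known.
    if username and not (Counter(username.lower()) - Counter(pw.lower())):
        bits -= len(username) * per_char
        findings.append("contains every character of the username (in any order)")

    bits = max(bits, 0.0)
    score = max(0, min(100, round(100 * bits / FULL_MARKS_BITS)))
    return {"accepted": len(pw) >= MIN_LENGTH, "score": score,
            "bits": round(bits, 1), "findings": findings}


if __name__ == "__main__":
    for candidate, user in (("password", "bob"), ("elicA!xyz789", "alice"),
                            ("ma clé 日本語 🔑 ok", "bob")):
        print(candidate, evaluate(candidate, user))
```

The `accepted` flag only reports the length rule; the site shows the score and the findings and then lets the user keep the password if he insists, which is the "explain, educate and validate" step rather than a refusal. The estimate is deliberately simple: it answers "how large an alphabet, how many characters, minus what is already known" and does not attempt keyboard-walk or leet-speak detection.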
In conclusion, it seems essential to us to stress our position: education rather than obligation. Password flaws, and computer security as a whole, are not a binary problem in black and white, but a multitude of greys where many stakeholders may turn out to be the weakest link. Too often, the user is denigrated as that failing element. Yet many companies fall victim every day to theft of personal data, and the user has nothing to do with it. Among this set of actors, it is important that everyone understands their place and their role. The company must secure its data without harassing its public with overly abusive procedures. The Internet user, for their part, must understand the issues in order to act better. Only by focusing as much on education as on communication will we build a better web.