/ Computer Security

Authentication And Access Control

One of the foundational principles of computer security is Access Control and that means that the person or a system is authorized to do different actions in a system.

Advantage

The system know who is the exactly person that makes changes in the system or have interaction with it.

Failure

The paradigm fails when the attacker make a unreal profile for the system, it is very difficult to be sure that the person is who say he is. Some closed system have Unique Identifiers but this required a difficult and slow process to Authentication.

Authentication

Authentication is the act of establishing that the person is who he or she claims to be.
Screenshot-from-2017-09-24-17-37-40

Authentication failures

  • False Negatives: A system refuses to authenticate a valid user
  • False Positives: A system authenticate an invalid user

Passwords

Is an array of characters that only know the user and the system, it would be the perfect solution of Access Control, but...

  • It can lost or forgotten by the user (we are humans) and this needs a recovery system, that is the problem.
  • Common words or a simple password, to avoid the problem above users use an easy password and this mean in the most of the cases a weak password.
  • It can be share, user can use the same password in different sites or systems, if one of them are unsecured we can know the password of everything for that user.

We have Vault Passwords Tools like LastPass or One Password the problem with these is that they required a little of complexity for the user, it is more easy have the same password that configure a Vault of Passwords and change one per one of your passwords.

A correct and secure login

First is important that the communication will be secure and encrypt, with this we prevent that the password and user are accessible.

It is important that we don't provide any kind of extra information to attackers, for example. If we put in the login, must contain 8 characters it is more easy for the attacker forced.

A Brute-forced Attack

Is having every possible combination of characters until the correct is found.
The time to get a password depends of the lengths of it. For example, if password is between 1 and 8 characters long, and it have lowercase and uppercase letters (26 x 2 = 56 possibilities), numbers (10 possibilities), or special characters ( 32 possibilities on an English keyboard) then there are 94¹+94²+94³+...+94⁸ = 6.1 x 10¹⁵ possible passwords, the password will be cracked after trying half of these possibilities.

It is important that your passwords will be extensive, longer and have upper and lowercase and special characters.

Biometrics

pexels-photo-min
Involves the use of physical part of human body to authenticate a user.

Positive

  • Unique per person
  • Required the person *
  • Combined with other authenticator is more secure

Problems

  • Government can obligates you to unblock your system, cellphone or the access.
  • They are not 100% accurate
  • The hardware can fail.
  • Fair to lose privacity

Conclusion

Authentication is not 100% secure, and the most of the systems have not implemented a process to be sure that the user is who he/she/it says is. Is important to have one different password for each system or login, and we have tools like LastPass or One Password that can help us with this. Is important to change our password in a short time and never share confident information in a system.