Cybersecurity Best Practices: Passwords, Encryption, and More

Posted on Jan 10, 2025 in Computers

Password Security Best Practices

A password should be difficult for a computer program to guess.

  • Make it long: The longer a password is, the less likely it is that a computer program would be able to guess it in a reasonable amount of time. You should try to create passwords that include ten or more characters.
  • Make it complex: In addition to length, the complexity of a password also helps prevent automatic ‘password cracking’ software from guessing the right combination of characters.
  • Make it practical: If you have to write your password down because you can’t remember it, you may end up facing a whole new category of threats that could leave you vulnerable to anybody with a clear view of your desk or temporary access to your home, your wallet, or even the trash bin outside your office.
  • Don’t make it personal: Your password should not be related to you personally. Don’t choose a word or phrase based on information such as your name, child’s name, pet’s name, birth date, or anything else that a person could learn by doing a little research about you.
  • Keep it secret: Do not share your password with anyone unless it is absolutely necessary. And, if you must share a password with a friend, family member, or colleague, you should change it to a temporary password first.
  • Make it unique: Avoid using the same password for more than one account. Otherwise, anyone who learns that password will gain access to even more of your sensitive information.
  • Keep it fresh: Change your password on a regular basis, preferably at least once every three months.

Using a Password Manager

Remembering a lot of different passwords can be difficult. One solution is to use a dedicated application to manage most of your passwords.

Keepass is a free and open-source password manager with no known vulnerabilities, so long as you choose a sufficiently long and complex “master password” to secure it with. For website passwords only, another option is the built-in password manager of the Firefox browser. Make sure to set a master password, otherwise, this is very insecure!

Admin Enforcing a Better Password

  1. One of the first techniques is to enforce password aging. While this varies from system to system, basically, password aging states that you can “expire” a password. That way you can force a user to have to change his password periodically.
  2. Some systems allow a minimal password length to be specified, certain dictionary words to be disallowed, or even disallow perceived “crackable” passwords.
  3. Another very popular technique is called password “shadowing”. This alters the password file entry slightly.
  4. Note the “!” token in place of the one-way encrypted password. This means that the password is located in a different file, typically called the shadow file.

Trust Models

Techniques that establish how users validate certificates:

  • Single-authority trust (third-party trust)
  • Hierarchical trust
  • Web of Trust (mesh trust)

Web of Trust Model

In the Web of Trust model, the key holders sign each other’s certificates, thereby validating the certificates based on their own knowledge of the key holder. Anyone can sign someone else’s public key, becoming an introducer in the process. If a user knows and trusts the introducer, he or she should be willing to trust the public key through association. This model is used in encryption applications, such as PGP, where no central authority exists. The main vulnerability with the Web of Trust model is the careless or malicious user who signs bad keys. If just one person in the Web of Trust is negligent, the whole group can be affected.

Hierarchical Trust Model

In the hierarchical trust model, a top-level CA, known as the root CA, issues certificates to intermediate (or subordinate) CAs. The intermediate CAs can issue certificates to their subordinate CAs and on down the line. The lowest layer of the CA hierarchy comprises the leaf CAs, which issue certificates to end-users, servers, and other entities that use certificates. The process builds a pyramid of CAs, with the trust path leading back to the root CA. All certificate holders trust the root sufficiently to trust any CAs remotely connected to it.

Certificate Authority (CA)

A Certificate Authority (CA) is a trusted entity that issues Digital Certificates and public-private key pairs. The role of the Certificate Authority (CA) is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

Private Browsing

Browsing leaves footprints: cache data, browsing history, cookies. However, they reveal browsing habits and compile a record of where was visited and what was done there. This is particularly dangerous if you use a shared computer. Even if the browser is configured to not keep a history record, reject cookies, and delete cached files (or allocate zero MB of space for the cache), a trail of breadcrumbs can still be left on the Internet. The IP address is recorded by default everywhere, and the packets sent are monitored by an increasing number of entities – commercial, governmental, or criminal (not to mention creeps and potential stalkers). Countermeasures: Private mode; Browser security add-ons; VPNs; SSL/TSL HTTPS; TOR – most effective method, more so when combined with HTTPS. The simplest and most direct way to deal with tracking is to delete the cookie files in your browser and install Ghostery into your machine. Ghostery is a plugin that allows a user to block categories or individual services that track users. Ghostery also shows you who is attempting to track you.

Threats and Countermeasures (STRIDE)

Spoofing identity: An example of identity spoofing is illegally accessing and then using another user’s authentication information, such as username and password.

  • Use strong authentication.
  • Do not store secrets (for example, passwords) in plaintext.
  • Do not pass credentials in plaintext over the wire.
  • Protect authentication cookies with Secure Sockets Layer (SSL).

Tampering with data: Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over a network, such as the Internet or a LAN.

  • Use data hashing and signing. Use digital signatures.
  • Use strong authorization.
  • Use tamper-resistant protocols across communication links.
  • Secure communication links with protocols that provide message integrity.

Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise.

  • Create secure audit trails.
  • Use digital signatures.

Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it.

  • Use strong authorization. Use strong encryption.
  • Secure communication links with protocols that provide message confidentiality.
  • Do not store secrets (for example, passwords) in plaintext.

Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability.

  • Use resource and bandwidth throttling techniques.
  • Validate and filter input.

Elevation of privilege: In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.

  • Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.

Cryptography Basics

Cipher = Pair of encryption and decryption algorithms; Plaintext = is the original, unencrypted information; Encrypted plaintext is known as ciphertext; There are many ciphers. The most basic varieties are substitution and transposition ciphers. Substitution cipher, characters are replaced with other characters or with symbols. Transposition ciphers, the characters of the plaintext are rearranged. A key is a piece of information that determines the result of an encryption algorithm. A hash, also called a digest, is a unique fixed-length mathematical derivation of a plaintext message. No two plaintext messages should generate the same digest.

Hash Algorithms

  • MD5 (Message Digest version 5) MD5 creates a 128-bit digest from variable-length plaintext.
  • SHA-1 (Secure Hash Algorithm version 1). creates a 160-bit digest, using principles similar to those used to create an MD5 digest.

Wireless Network Security

There are four components to security on a wireless network:

  1. Access control: The simplest, and least effective, method is to simply turn off SSID (service set identifier) broadcasts. Doing this hides the presence of the Access Point.
  2. Encryption: In theory, encryption blocks unapproved connections to your Access Point. Additionally, as long as the encryption scheme is sufficiently strong, data streams are kept private from eavesdroppers.
  3. Authentication: Through RADIUS (Remote Authentication Dial-In User Service) or other systems, you can enable client authentication over your wireless network. Using a system essentially like the username and password you use when you log on, an Access Point can authenticate the identity of wireless networking clients. Authentication typically requires the use of additional software or hardware devices, such as a RADIUS server.
  4. Isolation: Wireless clients are put onto individual VLANs (virtual LANs) so that they cannot access each other. This method is commonly used in public wireless networks to prevent one user from accessing another user’s computer.

Securing an Access Point

  • Change default administrator accounts and passwords for the access point.
  • Change the default SSIDs.
  • Disable SSID broadcasts.
  • Enable MAC address filtering on access points.
  • A network administrator should periodically survey the site.

Cryptographic Hash Function Properties

  1. Data verification
  2. Secure password storage
  3. Secure password transmission
  4. Document signing
  5. Message authentication

Symmetric and Asymmetric Encryption

Symmetric uses the same key for encryption and decryption. A symmetric cipher uses the same key for encrypting and decrypting a message and is therefore vulnerable. In fact, the cipher is only as secure as the method used to share the key. If the key is lost or stolen, the ciphertext can easily be decrypted, no matter how strong the cipher is. Examples are Blowfish, TwoFish, One-time pad, IDEA, and Triple DES (3DES).

Asymmetric uses different keys for encryption and decryption. Asymmetric ciphers use different encryption and decryption keys; in fact, the encryption key can’t be used to decrypt and vice versa.

Asymmetric cryptography uses two keys to eliminate the troubles associated with sharing the encryption key. What one encrypts, only the other can decrypt: One kept private, One shared (public). Examples are Diffie-Hellman, RSA, Elliptic curve, ElGamal, and DSA.

IEEE 802.11 defines:

  • Ad hoc mode – wireless clients communicate directly with each other without the use of a wireless access point.
  • Infrastructure mode – clients communicate through AP.

Rainbow Tables

Rainbow tables are one tool that has been developed in an effort to derive a password by looking only at a hashed value, usually for cracking password hashes. To address this issue of scale, reverse lookup tables were generated that stored only a smaller selection of hashes that when reversed could generate long chains of passwords. Although the reverse lookup of a hash in a chained table takes more computational time, the lookup table itself can be much smaller, so hashes of longer passwords can be stored. Rainbow tables are a refinement of this chaining technique and provide a solution to a problem called chain collisions.

What is a Salt?

To increase the overhead in cracking passwords, some algorithms employ salts to add further complexity and difficulty to the cracking of passwords. These salts are typically 2 to 8 bytes in length.

Adding a Salt

  • The benefit provided by using a salted password is making a lookup table assisted dictionary attack against the stored values impractical, provided the salt is large enough.
  • A simple dictionary attack is still very possible, although much slower since it cannot be pre-computed.

Password Cracking Techniques

Brute-force attack password cracking is simply trying a password of A with the given salt, following by B, C, and on and on until every possible character combination is tried. It is very time-consuming, but given enough time brute force cracking WILL get the password.

Dictionary attack password cracking is the most popular method for cracking Unix passwords. The cracking program will take a word list, and one at a time try to crack one or all of the passwords listed in the password file. Some password crackers will filter and/or mutate the words as they try them, such as substitute numbers.

CIA Security Model

Confidentiality: Confidentiality of a message, voice, or data is assured by encryption with a secret key.

Integrity: Messages and files need to be protected against modification; the solution is digital certificates and MACs or some other redundancy scheme in the plain text and then use encryption.

Availability: Basic but essential, fundamentals in communication security is the control of availability and of access to the medium, sensitive data, and ciphering.

Extra Element

Authentication: Is the message coming from the purported source? This can be overcome by encryption and suitable key management.

Encoding vs. Encryption

Encoding: Encoding transforms data into another format using a scheme that is publicly available so that it can easily be reversed. It does not require a key as the only thing required to decode it is the algorithm that was used to encode it – secrecy is not required, example, ASCII, Base64. Encryption: Encryption transforms data into another format in such a way that only specific individual(s) can reverse the transformation. It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. As such, the ciphertext, algorithm, and key are all required to return to the plaintext. E.g. sending someone a secret letter that only they should be able to read, or securely sending a password over the Internet.

Algorithms for Creating Digital Signatures

RSA: The RSA digital signature algorithm was developed by Ron Rivest, Adi Shamir, and Leonard Adleman at Massachusetts Institute of Technology (MIT) in 1977. RSA can also be used to encrypt and decrypt the data being signed. RSA does not mandate the use of a particular hash function, so the security of the signature and encryption are partly dependent on the choice of hash function used to compute the signature.

DSA: The DSA (Digital Signature Algorithm) is defined by the Digital Security Standard (DSS) and was developed by the National Institute of Standards and Technology (NIST) in 1991. The algorithm requires a SHA-1 digest to compute its digital signature. The DSA algorithm does not encrypt the data being signed, it purely produces a signature that allows the recipient to verify the authenticity and provenance of the data. DSA signatures can be created as quickly as RSA signatures, but their verification can take much longer.

Threats to Wireless Network Security

  1. Rogue access point: Unknown and unmanaged devices inside the network connect to rogue access points thus they become wide-open back doors, providing easy routes for malware to come in and information to leave the network.
  2. Misconfiguration: E.g., leaving switches and routers with default username and password.
  3. Unmanaged use of wireless outside of enterprise: Employees connecting to open and unsafe wireless networks outside of the enterprise, thus leaving them open for attack.
  4. Hackers: Active attacks on wireless links are a growing problem as mobile and wireless computing offers increasingly attractive targets to hackers. After a device becomes powerful enough and the information they contain becomes valuable enough, they attract the attention of bad guys and are likely to fall victim to exploits.