Authentication: Part 1


Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:00
>> Let's talk about authentication. There's a lot of material in authentication, so we've gotten it broken up into a couple of parts. Let's start with Part One. Now in this section, what we're going to be talking about is the specific types of authentication with a focus on Type One, which is something you know. Of course, the most commonly used authentication, that's Type One, passwords. We're going to talk about some of the vulnerabilities and threats with passwords as well.

As I mentioned, there are three main types of authentication. There's Type One, Type Two, and Type Three. Type One is something you know; it might be a PIN, might be a password, secret code, whatever, but it's something that's knowledge-based. Type Two authentication is something you have, like maybe a key, a digital certificate, a passport, a driver's license; those are all something you have. Then Type Three is something you are, something that's bound to your identity. In that category, we're talking about biometrics. We're talking about things that are physiologically or behaviorally linked to your identity.

Now, the strongest authentication type is multi-factor. Any single type of authentication can be broken, can be spoofed, can be compromised. What we want is a combination of the types. Multi-factors are just two things for authentication, like a driver's license and a passport. That's still single-factor authentication because they're both something you have. But multi-factor authentication is going to include maybe Type One and Type Two, something you know and something you have, or something you have and something you are, whatever, but a combination of the types.

Another consideration with authentication is it's often desirable to have mutual authentication. I don't just authenticate, for instance, to a server, but that server provides authentication back to me.

Getting a little deeper into Type One, let's talk about something you know. The most common form of authentication in use today is something you know, and it's through passwords. Now, the traditional logic on passwords, you can see here over on our list, traditional best practices. Previously we've said okay, eight-character password, change them every 30 days, every 60 days. Have upper and lowercase, alphanumerics and non-alphanumerics, enforce password history so people aren't using the same password again. We've had all of these rules about passwords. The problem with that is, though, that we've made passwords harder to remember for our users and easier for attackers to guess.

As a matter of fact, the folks at NIST actually came out, and look this up if you get a chance. But the folks from NIST came out in 2018 and said, "Look, when we created these password policies, when we released NIST standards for passwords, at that point in time, those passwords were good based on the tools that attackers have. But based on today's environment," they essentially said these no longer apply. As a matter of fact, NIST said, "Get rid of requiring upper and lower numbers, alphanumeric and non-alphanumeric, get rid of forcing users to change their password every so often." Because you know what that leads to: that leads to users writing their passwords down, users choosing easy-to-remember passwords and just using the same password over and over with variations; a user gets locked out, they get frustrated, they find shortcuts to bypass security. It just doesn't work in today's environment.

Let me give you an example. For instance, let's say I have alphanumeric and non-alphanumeric. I require upper and lowercase. If I forced you to have an uppercase character, where is that uppercase character going to go? It's going to go at the beginning of your password; there is your uppercase. Now I'm going to make you have a number. Where's that number going to go? It's going to go at the end. What's that number? You know that number's one, or if you're really fancy, one, two, three. Also, if I have complexity, alphanumeric, non-alphanumeric characters, you're going to replace the letter A with the @, or the letter S with dollar signs, or O with zeroes. They're just really predictable patterns. What we're creating is an environment where an attacker can make reasonable assumptions about what characters are where, and yet the poor user can't remember their password day in and day out. Also the fact that they frequently write down their passwords. I have a friend of mine that worked with the FBI for a while, and he said 90-plus percent of users' passwords are located within an arm's length of their computer system. Well, of course. Every time I need a password, I'm not going to get up and schlep across the office. I'm going to be really clever and put my password list under my keyboard or in the top right-hand drawer. We're forcing users essentially to create more complex passwords that they can't remember, causing problems of guessability and problems of just physical security concerns with passwords.

The new wisdom on passwords says, make passwords be long rather than complex. Length adds more entropy. Entropy essentially is how difficult it is for the password to be compromised. Rather than having an eight-character password with all these complexities, remember, attackers are using brute-force software, which means they're already trying every possible character combination. The fact that I use the @ instead of an A isn't really going to matter based on today, so have a longer password. As a matter of fact, users in general can remember an eight-character password. But have your users pick out four words, for instance, rock, butterfly, wrench, engine. They can remember those four words. But look at how long that password would be by combining those four words. Or you might say word, number, word, number: Elevator 575, Shoelace 93. I can remember that within reason; there's nothing that's really tipping my hand to an attacker there because those words are unrelated, and I wind up having a very long password.

There are ways we can make our passwords more secure. But what I find is companies get sold on something and they stick with it. Ninety percent of the places you go today are still enforcing based on NIST's password policy that not only is over 10 years old, but has been fully discredited and upgraded by NIST. But it was beaten into our heads: complexity, complexity, complexity, and places still do that. Your job, once you're the CIO of the company you work for, make sure your users have long passwords and get away from the complexity.

That's our first section on authentication. We talked about Type One, Type Two, Type Three authentication at a very high level. But then we specifically focused in on Type One, which is something you know. We looked at passwords as well as the problems and ways to have better passwords.