Use of passwords: a trend in extinction? (I)

The use of new security standards means that the passwords we usually use are being left aside. That is why new forms of authentication emerge as new devices enter the market, be they security products, communications or IoT devices.

By Osvaldo Calegari*

What manufacturers do have in mind is to achieve a common safety standard that avoids investing millions of dollars in product rectifications for these leaks.

Several firms in the market with extensive experience and reputation advise us on various methods to secure information. Passwords have been gradually losing reliability because they are easily stolen through phishing and hacking tools. This forces companies that provide web services such as email, web pages, cloud and others to implement new processes that increase user security in order to retain users over time.


Two-step verification.
To strengthen user access to a personal email account, several global mail service providers such as Gmail and Yahoo implemented two-step verification.

To access an email account with a normal security system, we simply enter our address and password. But what happens if someone gets our password by any method? This is where two-step verification makes sense, since it is very useful for preventing unwanted intrusions.

Two-step verification, as defined by Google, requires two factors: something you know (your password) and something you have in your possession, potentially a code that is sent to your phone. Both are needed to gain access; having only the password is useless. It is similar to what some banks offer in their online services, which in addition to asking for an identification code request a key from a physical card that we hold, printed with coordinates formed by letters and numbers.

How it works and how codes are generated
There is little to add about the password, since we are all familiar with this form of identification, but how does the second code that has to be entered work? To receive it, we have two options:

  • Through an SMS or a direct voice call to our phone.
  • Through the Google Authenticator app, available for Android and iOS.

More than one reader is surely thinking how inconvenient it must be to request a code every time we access our email account. It is not necessary, since Gmail allows us to remember it on a device for 30 days or even permanently. In this way, if we frequently log in from our own computer it will not ask us, while anyone who tries to log in from a different one will need to enter the code.

And what about the rest of the applications? Gtalk, for example, does not allow you to enter a verification code. The same happens if we have configured our account from an application on the phone. For these cases, Gmail allows you to create specific passwords for applications. Each of them is unique and from the main account we can revoke the permission if we wish.

We end this section with another fairly frequent question: what happens if I want to access my account, I do not have the verification code and I do not have the mobile at hand? Google knows this can happen, so it offers a card with ten one-time codes to print when setting up the account, which the user can carry. If someone finds the card, they still need to know the password, so it is a relatively secure method.
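How the app's codes and the printed one-time codes can be checked on the server side, as an added example that is not part of the original article and is not Google's code. Authenticator apps of this kind generate time-based one-time passwords (RFC 6238); the `SecondFactor` class, its field names and the 8-digit backup-code format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30     # seconds per code, the RFC 6238 default used by authenticator apps
DIGITS = 6

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, now: float) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(key, int(now) // STEP)

class SecondFactor:
    """Hypothetical server-side record for one account (names are assumptions)."""

    def __init__(self, key: bytes, n_backup: int = 10):
        self.key = key
        self.last_step = -1   # highest time step already accepted
        # Ten printable one-time codes; a real service would store only hashes.
        self.backup = set()
        while len(self.backup) < n_backup:
            self.backup.add(f"{secrets.randbelow(10 ** 8):08d}")

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        # Tolerate one step of clock drift, but never accept the same step twice.
        for step in (current - 1, current, current + 1):
            candidate = hotp(self.key, step).encode()
            if step > self.last_step and hmac.compare_digest(candidate, code.encode()):
                self.last_step = step
                return True
        if code in self.backup:        # fallback when the phone is not at hand
            self.backup.remove(code)   # each printed code works exactly once
            return True
        return False

if __name__ == "__main__":
    acct = SecondFactor(b"12345678901234567890")  # RFC test key, constructed input
    print(totp(acct.key, 59), acct.verify("287082", 59))
```

The replay check matters as much as the code itself: a code observed during one login must not be accepted again inside the same 30-second window.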


How to activate it in our Gmail account
We've already seen the advantages of two-step verification, and now let's see how to activate it in our Gmail account. Once logged in, we select our email at the top right of the window and access Account Settings. From there, in the Security section, we can see whether this system is active. To activate it, we go to Edit. It will ask us for the password again and then we start the configuration.

Now it's time to enter the phone on which we want to receive the verification code, either by SMS or call. Once it is received, we enter it to continue with the configuration. Here it also offers us the option of marking our computer as a trusted computer. It is important to select this option only if it really is trusted, and not to do so, for example, on a public computer or one that other people use.

If we would rather not receive messages or calls and instead want to use the application mentioned in the previous paragraphs, we again edit the Security settings of our account and the two-step verification. To activate the application, we first have to download it and then scan the QR code that is displayed on the screen. It will return a code to confirm that the application is correctly installed and configured on our mobile.

From the same section we can access the printable security codes and also the specific passwords for applications. For the latter we select Manage specific passwords. We can enter a name for each one and thus know what each specific password is being used for. A new box will appear with the new password, which we must enter in the application to which we want to allow access to our email account. From there we can revoke the password permissions at any time.


According to Globalsign
A vital option to keep our accounts more secure

Although it may at first seem a nuisance to use and configure, two-step verification is very useful and is designed to give us one more layer of security without complicating our lives too much. The option to remember the code for 30 days is very useful, and now with the mobile application we do not have to worry about waiting for SMS messages or calls.


Deployment Options
Browser-based flows: A trusted digital credential is issued for an individual or department identity and stored on a device (e.g., a computer or cell phone). The device then uses the credential to authenticate its access to the server. The certificate can only be used from a specific browser, machine, computer, laptop or server.

FIPS-based flows
Using a USB device prevents the credential from being linked to a single machine. A trusted digital credential is issued for an individual or department identity and stored securely in:

Server Security Requirements: Different levels of authentication can be established depending on the strength and granularity of the authentication required.

Granularity refers to the ability of certain servers to identify individual users throughout the session or only during the first request. A very granular system is very useful if it is necessary to have authorizations or assignment of specific responsibilities for each user. Less granular systems are more suitable when you want to preserve the anonymity of the user partially.

The device can be connected to a USB port without the need for an expensive reader.

Features and Benefits 

  • Prevents unauthorized access and improves existing security
  • Contributes to compliance with corporate email security policies and legislation
  • Is able to cryptographically encapsulate an identity within a digital ID
  • Can be used to authenticate identities in an internal browser within VPNs, in smart card technologies, cloud applications, and mobile devices
  • Cost-effective solution for businesses of all sizes

Articsoft gives us its vision

Most of today's password security systems for the Internet are wrong. Designs that were almost acceptable 10 and 15 years ago have not been updated. Instead of moving to the integration of authentication services under a cryptographically sound approach, the IT industry has continued to proliferate multiple incompatible systems. Users are increasingly exposed to vendors who don't feel the pressure to do something better. There is a parallel with web page design, where design methods are increasingly rejected by security software because they represent known security flaws that have been exploited by hackers and viruses.

Introduction to password security
The approach of logging in with an identifier (ID) and a password dates back to the early days of applying security on mainframe systems. This type of password security was introduced as soon as it became possible for people outside the computer room to use the computer resources. Until then, access was controlled by physical security.

As terminals were rolled out in user areas, the concept of ID/password security was put in place as well. Initially the passwords were kept in a file that was not protected, but after some spectacular security failures, in Unix systems in particular, these files were encrypted to make an attacker work harder to get anywhere.

Passwords were short (6 characters). They could be short because the ID was disabled if the wrong password was entered three times. They were also kept short so that users did not have much to type and would probably get it right, and so that they had less to remember.

Initial security password and design considerations
Experience with short passwords soon revealed a number of flaws in how users applied them. In no particular order, these include:

  • Using common words like boss, teacher, pet name
  • Using a word from the dictionary or company name
  • Successive letters or numbers used repetitively, e.g., YYYYAAA, 1111111.

Six characters were also found to be just about short enough for an onlooker to watch and remember while the user types them in.

To counter users' attempts to make life easier, password security systems were invented that changed passwords on a regular basis (say monthly, and even every day for critical passwords), forced the new password to be different, and checked it against a list of previously used passwords. The most sophisticated password security systems enforce rules that require passwords to be structured using letters and digits in patterns that are not repeated.

The names and trademarks mentioned are trademarks and registered names of their respective authors. Thanks to the companies Globalsign and Articsoft for their extensive concepts.

*If you wish to contact the author of this article write to [email protected] 

Author: Santiago Jaramillo, Editor
Social communicator and journalist with more than 15 years of experience in digital and print media, Santiago Jaramillo was Editor of the magazine "Ventas de Seguridad" between 2013 and 2019.
