One code To rule E’m all (1C2R3A)

A person, on average, interacts with 89 different websites per month and has to memorise an average of 191 passwords. The different design paradigms used by the 1.9 billion websites mean that there is no pattern to how tough their password requirements are or how securely they store and safeguard user credentials. A typical person interacts with the internet through about 4 different devices, and some sites implement different technologies for different devices, which complicates matters further. Besides surfing, people are starting to connect electronic devices to the net. Each IoT (Internet of Things) device has its own credentials for logging into its interface and may have additional credentials that allow it to call home. This further lengthens the list of username/password pairs that need to be managed.

It is humanly impossible to satisfy the security best practices of today's online digital world, and the real-world data seem to bear this out: the 10 most commonly used passwords in 2019 were 123456, 123456789, qwerty, password, 111111, 12345678, abc123, 1234567, password1 and 12345.

Those who try to memorise all the passwords they use will inevitably break one of the golden rules of password hygiene:

Passwords must either consist of at least 18 characters mixing lower and upper case letters, digits and symbols, or be a symbol-separated list of at least 6 unrelated words. OQaLygxyhUP0hi7PMB2H and Disliking4-patton9-Roping-proximity-Tiles-Adds are examples;
Passwords should not be associated with the individual, his pet, hobbies or family. Hackers today have developed tools that dig deep into their target's profile in order to increase the success rate of attacks: algorithms that take in personal details of the target and generate a database of candidate passwords from the information they find;
Each website or IoT interface needs its own unique password. Whenever an endpoint is hacked and the credentials in its database are stolen and made public, other attackers will try the breached username/password combination on other websites in the hope that the owner reused it;
Passwords should never be written down.  If you can find the paper and read it, so can others;
Passwords should never be shared. 
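The first three rules above, turned into a small hygiene audit. This is an added example, not code from the original post: the thresholds (18 characters, 6 words) and the two sample passwords are the post's; the word list, the sample vault, the list of "personal facts" and the reading of rule 1 that treats symbols as optional (the post's own 18-character example contains none) are my own assumptions.

```python
import re
import secrets
import string

# Thresholds as stated in the rules above.
MIN_RANDOM_LEN = 18
MIN_WORDS = 6

# Constructed word list for the demo (assumption); a real generator would load
# a large curated list of several thousand words instead.
WORDLIST = [
    "disliking", "patton", "roping", "proximity", "tiles", "adds",
    "harbour", "velvet", "copper", "lantern", "meadow", "quartz",
    "saddle", "thimble", "walnut", "zephyr", "orbit", "kettle",
]
SEPARATORS = "-_.!"

# Constructed sample vault (site -> password) with one password reused twice.
SAMPLE_VAULT = {
    "bank.example": "123456",
    "mail.example": "OQaLygxyhUP0hi7PMB2H",
    "shop.example": "123456",
    "forum.example": "Disliking4-patton9-Roping-proximity-Tiles-Adds",
}


def char_classes(pw):
    """Return the set of character classes present in pw."""
    tests = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit,
             "symbol": lambda c: c in string.punctuation}
    return {name for name, test in tests.items() if any(test(c) for c in pw)}


def is_strong_random(pw):
    """Rule 1, first form: at least 18 characters mixing cases and digits.
    The post's own example (OQaLygxyhUP0hi7PMB2H) has no symbol, so symbols
    are treated as optional here (assumption)."""
    return len(pw) >= MIN_RANDOM_LEN and {"lower", "upper", "digit"} <= char_classes(pw)


def is_strong_passphrase(pw):
    """Rule 1, second form: at least 6 symbol-separated, distinct words."""
    words = [w for w in re.split(r"[^A-Za-z0-9]+", pw) if w]
    if len(words) < MIN_WORDS or any(not re.search(r"[A-Za-z]", w) for w in words):
        return False
    # 'unrelated' is approximated as 'no word used twice' (assumption).
    return len({w.lower() for w in words}) == len(words)


def contains_personal_info(pw, facts, min_len=3):
    """Rule 2: flag passwords containing names, pets, hobbies, dates and so on."""
    low = pw.lower()
    return any(len(f) >= min_len and f.lower() in low for f in facts)


def reused_passwords(vault):
    """Rule 3: map each password used for more than one site to those sites."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def generate_random(length=20):
    """Generate a password of the first form from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # retry until every required class is present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong_random(pw):
            return pw


def generate_passphrase(words=MIN_WORDS, wordlist=WORDLIST):
    """Generate a passphrase of the second form: distinct words, one separator."""
    chosen = secrets.SystemRandom().sample(wordlist, words)
    return secrets.choice(SEPARATORS).join(chosen)


def audit(vault, facts):
    """Run every rule over a vault; return the sites that break at least one."""
    findings = {}
    reused = reused_passwords(vault)
    for site, pw in vault.items():
        problems = []
        if not (is_strong_random(pw) or is_strong_passphrase(pw)):
            problems.append("weak")
        if contains_personal_info(pw, facts):
            problems.append("personal")
        if pw in reused:
            problems.append("reused")
        if problems:
            findings[site] = problems
    return findings
```

Running audit(SAMPLE_VAULT, ["Rex"]) flags bank.example and shop.example as both weak and reused, and leaves the two passwords the post gives as examples alone. The generators use the secrets module rather than random, since the latter is not suitable for credentials.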

There is universal agreement that the human and his passwords are the weakest link. Very strong authentication mechanisms are needed that demand little or no effort on the user's part. Borrowing from the Lord of the Rings, there is a need for One Code To Rule Ǝ'm All (1C2R3A).

1C2R3A provides the most secure environment with the least effort


The 1C (One Code) can be any unique token tied to a single individual. Passwords, biometrics or any device that can uniquely identify an individual all satisfy this requirement. Solutions using mobile phones, as well as purpose-built hardware devices such as YubiKeys, are being used for this purpose.
Secure Quick Reliable Login (SQRL): a highly secure, comprehensive, easy-to-use replacement for usernames and passwords.

The 2R (To Rule) aspect of the definition is handled by the proxy. The proxy is a hardened software solution that keeps a secure database holding a unique strong token for each endpoint (website, service). Once the person has correctly authenticated to the proxy, this database is unlocked and the proxy can exchange credentials with the endpoint. The interaction between proxy and endpoint may be completely transparent to the human. Excluding the human from this part of the transaction removes the risk of someone weakening it through their involvement. Not all solutions completely exclude the user.
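A minimal model of this 1C/2R flow, added here as an example; it is not code from any of the products mentioned on this page. It assumes a master password as the 1C, turns it into a key with PBKDF2 (hashlib.pbkdf2_hmac), keeps only a salt and a verifier at rest, and, as a simplification, derives each endpoint's token from the unlocked key with HMAC instead of storing randomly generated passwords encrypted, which is what real managers do. The Endpoint class is a constructed stand-in for a website that stores only salted hashes of the tokens it receives.

```python
import base64
import hashlib
import hmac
import secrets


class Proxy:
    """Toy 2R proxy (added example, not a real product).

    The vault stays locked until the 1C, here a master password, is verified.
    Only a salt and a verifier are kept at rest, never the password or key.
    Simplification (assumption): endpoint tokens are derived with HMAC from
    the unlocked key instead of being stored encrypted as real managers do.
    """

    def __init__(self, master_password, salt=None, iterations=100_000):
        # salt is a parameter only so that examples are reproducible
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self.iterations = iterations
        key = self._derive(master_password)
        self.verifier = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
        self._key = None  # locked

    def _derive(self, master_password):
        return hashlib.pbkdf2_hmac("sha256", master_password.encode(), self.salt,
                                   self.iterations, dklen=32)

    def unlock(self, master_password):
        """Verify the 1C in constant time; keep the key in memory only on success."""
        key = self._derive(master_password)
        candidate = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
        if hmac.compare_digest(candidate, self.verifier):
            self._key = key
            return True
        return False

    def lock(self):
        self._key = None

    def token_for(self, endpoint):
        """One unique, strong token per endpoint; refuses while locked."""
        if self._key is None:
            raise PermissionError("vault is locked")
        raw = hmac.new(self._key, b"endpoint:" + endpoint.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(raw[:21]).decode()  # 28 chars, no padding


class Endpoint:
    """Constructed stand-in for a website: stores only salted hashes of tokens."""

    def __init__(self, name):
        self.name = name
        self._users = {}

    @staticmethod
    def _hash(token, salt):
        return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 50_000)

    def register(self, user, token):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(token, salt))

    def verify(self, user, token):
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(self._hash(token, salt), stored)


def run_demo(master="correct master", salt=None, iterations=100_000):
    """Walk through the flow; return a dict of checks that should all be True."""
    proxy = Proxy(master, salt=salt, iterations=iterations)
    results = {"wrong_master_rejected": not proxy.unlock(master + "x")}
    try:
        proxy.token_for("mail.example")
        results["locked_refuses"] = False
    except PermissionError:
        results["locked_refuses"] = True
    results["unlocked"] = proxy.unlock(master)
    mail, shop = Endpoint("mail.example"), Endpoint("shop.example")
    t_mail, t_shop = proxy.token_for(mail.name), proxy.token_for(shop.name)
    results["tokens_differ"] = t_mail != t_shop
    mail.register("alice", t_mail)
    shop.register("alice", t_shop)
    # A leaked shop token is useless at the mail endpoint: nothing is reused.
    results["endpoint_accepts_own_token"] = mail.verify("alice", t_mail)
    results["stuffing_fails"] = not mail.verify("alice", t_shop)
    proxy.lock()
    results["relocked"] = proxy._key is None
    return results
```

The human only ever types the master password; the per-endpoint tokens never need to be seen, remembered or written down, which is the "transparent" exchange described above. The verifier lets the proxy reject a wrong master password without storing anything an attacker could use to recover it directly.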



A hardware device used to authenticate a person.


There are many proxy solutions on the market. Proxies should be open-source products that can be inspected by the community for flaws and vulnerabilities. They need not necessarily be free.

Biometric identity verification.


Here is a quick overview of some of the proxies that make the 1C2R3A possible:

Third-party password managers. Enpass, KeePass and LastPass are examples of such products. They are programs that manage a secure vault of credentials; once the vault is unlocked, the credentials can be used. Many of the better-known password managers are available on multiple platforms and integrate seamlessly with multiple browsers.
Browser-based password managers. Similar to third-party password managers, but built into the browser itself. As there is no common API shared by browser vendors, each browser is a silo. This may result in browser lock-in and will impact a person's ability to change browsers. Another concern is that because browsers are the interface to internet traffic, they constitute a first-line attack surface for all sorts of malicious attacks. If a hacker manages, through a vulnerability, to gain access to the browser, they have a higher probability of reaching the password manager database than with a separate, independently developed third-party solution. The scenario described here recently happened with the Firefox browser.
Free and commercial authentication solutions. These differ from the password managers described above in that they tend to obfuscate the password shared with the end-user site. Often the person will be prompted for a biometric token such as a fingerprint or retina scan, although there are cases in which a code needs to be entered.

As the distinction between one's physical and digital being evaporates, it is important for governments, assisted by the tech industry, to help protect users from technological naiveté and ignorance. While education is always good, it is too slow and inefficient relative to the rate at which hackers are discovering and improving ways to make illicit gains at the expense of society.

Anyone wishing to get a taste of how this feels should hop over to the first-person account by ZDNet journalist Matthew Miller titled “SIM swap horror story: I've lost decades of data and Google won't lift a finger”. You can find it at https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/.

