Online password protection
2FA
If you want a state-of-the-art solution to password security, you can use two-factor authentication (2FA). The web application asks for a one-time key in addition to the username and password. In most cases, these one-time keys are generated by mobile phone applications such as Google Authenticator or by special hardware such as YubiKey [12]. Users can also print out a list of one-time keys and cross them out manually with a pen after use. Having said this, sending the one-time key from the server by SMS is no longer considered sufficiently secure.
Conclusion
When it comes to website passwords, guaranteeing security is a complex task for site admins. Hashes, salts, and 2FA are all tools that can help keep users' credentials safe. However, safety is a two-way street. It is still up to the user to provide unique passwords and keep those passwords private (see the box "Social Engineering").
Social Engineering
With most attacks, it doesn't matter how securely the website admins store the password if the end user can easily be persuaded by social engineering to reveal the password and – if necessary – the 2FA key. Then a simple phone and an untrained employee at the target enterprise are all it takes for the attack to succeed.
Infos
- LinkedIn hacks: https://www.theguardian.com/technology/2016/may/18/hacker-advertises-details-of-117-million-linkedin-users-on-darknet
- vutuv: https://www.vutuv.de
- Shorewall: http://www.shorewall.org
- MariaDB: https://mariadb.com
- PostgreSQL: https://www.postgresql.org
- NGINX: https://www.nginx.com
- Phoenix Framework: https://phoenixframework.org
- "Functional Programming with Elixir," by Andreas Möller, Linux Magazine, issue 181, December 2015, http://www.linux-magazine.com/Issues/2015/181/Elixir-1.0/(language)/eng-US
- Phauxth: https://github.com/riverrun/phauxth
- PHC: https://password-hashing.net
- Argon2: https://www.ietf.org/archive/id/draft-irtf-cfrg-argon2-03.txt
- YubiKey: https://www.yubico.com