9. The Application of Cybersecurity: Principles and Practices 237

posed to being concentrated in a small area like in Figure 9.8. If we assume that a nation-state hacker could compute 2^50 hashes per second (roughly one quadrillion per second), the expected time to find a password drawn from a 2^98 keyspace would be:

2^98 passwords / 2^50 hashes per second / 2 = 2^47 seconds

(the division by 2 reflects that, on average, the attacker finds the password after searching half the keyspace). 2^47 seconds is more than four million years, and this assumes a highly capable adversary. This password math should convincingly demonstrate the need to use long and complex passwords. Even the best passwords are susceptible to keystroke logging and shoulder surfing, so following this advice does not turn passwords into a perfectly safe authentication token. However, choosing strong passwords definitely helps protect users from account compromises.

9.2.1.2 Password Management

Passwords should not only be long and complex; users should also have a different password for every site to protect against credential stuffing attacks, in which credentials stolen from one breach are replayed against other services. This way the damage of an account compromise is limited to a single account. The problem is that even with the quasi-acronym technique outlined above, it is not possible to remember unique passwords for all the accounts a user needs to maintain. Therefore, a best practice for managing user credentials is a password manager.

A password manager is a software solution that stores user credentials in an encrypted file (AKA a vault). Vaults are unlocked with a master password, from which the vault's encryption key is derived. Once unlocked, all of the user's passwords are accessible. Because the vault is encrypted and protected by a master password, a password manager is far superior to storing usernames and passwords in an ordinary file such as a spreadsheet or text document. If a hacker gains access to a computer, they are likely to find such password files through string searching and pattern matching, even if the files are disguised with an innocuous name or hidden. Password managers can be online or offline. There are pros and cons to each approach.
Online password managers can be accessed by signing in from any Internet-connected computer. Once signed in, the password manager software can automatically fill in passwords on websites on any device, and user credentials can be added and updated from anywhere. Unfortunately, being online also means that the password manager can be attacked from any Internet-connected computer. Attackers could steal a user's password manager credentials, thereby gaining access to all of the victim's accounts. Password vaults are also a high-value target for hackers. If a password manager company is hacked and its password vaults are breached, the attackers could try to crack them offline by brute-forcing master passwords, with no account lockout or rate limiting to slow them down; only the cost of the vault's key derivation function bounds how many guesses per second they can make. In addition to brute-force attacks on password vaults, it is possible that shortcut attacks exist via cryptanalysis or through a backdoor or vulnerability in the password manager software.
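The password math above and the offline vault-cracking scenario in this paragraph are two instances of the same calculation: keyspace divided by the attacker's guess rate. The following Python is an added example written for this page, not code from the book or from any password manager. It reproduces the book's numbers (a 2^98 keyspace against 2^50 guesses per second), generalizes them to any character set and length, and then simulates an attacker who has stolen a vault and tries candidate master passwords against it. The vault layout is assumed for illustration: a random salt, scrypt as the key derivation function with modest parameters, and an HMAC over a fixed string as a stand-in for the authenticated-encryption tag a real manager would check. The wordlist and master passwords are constructed inputs.

```python
"""Password math and an offline attack on a stolen vault (added example)."""
import hashlib
import hmac
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(charset_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password of the given length.

    E.g. 15 characters from the 95 printable ASCII characters is ~98.5 bits,
    which is where the book's 2^98 figure comes from.
    """
    return length * math.log2(charset_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: 2^bits guesses / rate / 2 (half the keyspace)."""
    return (2.0 ** bits) / guesses_per_second / 2 / SECONDS_PER_YEAR


# --- Offline attack on a stolen vault ------------------------------------
# Assumed vault format for the demo: a random salt, scrypt parameters, and a
# key-check value (HMAC over a fixed string). A real manager would instead
# verify an authenticated-encryption tag over the encrypted credentials.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed, modest cost for the demo
CHECK_STRING = b"vault-key-check"

# Constructed wordlist: the weak master password is in it, the strong one is not.
WORDLIST = ["123456", "password", "qwerty", "letmein", "correcthorse", "Summer2024!"]


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive the vault key from the master password with a slow, salted KDF."""
    return hashlib.scrypt(master_password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)


def create_vault(master_password: str) -> dict:
    """Build the minimal stolen-vault record an attacker would work from."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "check": hmac.new(key, CHECK_STRING, hashlib.sha256).digest()}


def crack_vault(vault: dict, candidates: list) -> tuple:
    """Try each candidate master password against the stolen vault.

    Returns (recovered password or None, measured guesses per second). Every
    guess costs one full scrypt derivation, which is what keeps the attacker's
    rate far below the 2^50 hashes per second assumed for a bare hash.
    """
    start = time.perf_counter()
    tried = 0
    found = None
    for cand in candidates:
        tried += 1
        key = derive_vault_key(cand, vault["salt"])
        tag = hmac.new(key, CHECK_STRING, hashlib.sha256).digest()
        if hmac.compare_digest(tag, vault["check"]):
            found = cand
            break
    elapsed = time.perf_counter() - start
    return found, (tried / elapsed if elapsed > 0 else float("inf"))


if __name__ == "__main__":
    # The book's numbers: 2^98 keyspace, 2^50 guesses per second.
    print(f"book example: {expected_crack_years(98, 2 ** 50):,.0f} years")
    print(f"15 printable ASCII chars: {keyspace_bits(95, 15):.1f} bits")

    weak = create_vault("letmein")
    found, rate = crack_vault(weak, WORDLIST)
    print(f"weak master password recovered: {found!r} at {rate:,.1f} guesses/s")

    strong = create_vault("Tx7!mvK#2pQ9wLz&")
    found, rate = crack_vault(strong, WORDLIST)
    print(f"strong master password recovered: {found!r} at {rate:,.1f} guesses/s")
    # Even at the measured scrypt-bound rate, extrapolate to a full search:
    print(f"strong, full search: {expected_crack_years(keyspace_bits(95, 16), rate):.3g} years")
```

The measured guess rate is typically tens of guesses per second per core with these scrypt parameters, which is why a vault's key derivation cost matters as much as the master password's length: the attacker's rate, not just the keyspace, sets the crack time, and a master password that appears in a wordlist falls regardless of how slow the KDF is.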