9. The Application of Cybersecurity: Principles and Practices 237

Hopefully this password math convincingly demonstrates the need to use long and complex passwords. But even the best passwords are susceptible to keystroke logging and shoulder surfing attacks, so following this advice does not turn passwords into a perfectly safe authentication token. Choosing strong passwords does, however, materially reduce the risk of account compromise.

9.2.1.2 Password Management

Passwords should not only be long and complex; users should also have a different password for every site to protect against credential stuffing attacks, in which credentials leaked from one breach are replayed against other services. This way the damage of an account compromise is limited to a single account. The problem is that even using the quasi-acronym technique outlined above, it is not possible to remember unique passwords for all the different accounts that a user needs to maintain. Therefore, a best practice for managing user credentials is a password manager.

A password manager is a software solution that stores user credentials in an encrypted file (AKA a vault). The vault is unlocked with a master password, from which the encryption key is derived. Once unlocked, all of the user's passwords are accessible. Because the credentials are encrypted and protected by a master password, password managers are far superior to storing usernames and passwords in an ordinary file such as a spreadsheet or text document. If attackers gain access to a computer, they are likely to find such password files through string searching and pattern matching even if the files are disguised with an innocuous name or hidden.

Password managers can be online or offline. There are pros and cons to each approach. Online password managers can be accessed by signing in from any Internet-connected computer. Once signed in, the password manager software can automatically fill in passwords on websites on any device, and user credentials can be added and updated from anywhere.
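The claim above that disguising or hiding a plaintext password file offers little protection is easy to demonstrate. The following is an added example, not code from the textbook: it sweeps a set of files by content rather than by name, the way an attacker with access to the machine (or a defender running a secret scan) would. The file names, their contents and the regular expressions are all constructed for this illustration.

```python
"""Added example, not from the textbook: how plaintext credential files are
found by content rather than by file name. The sample files, their names and
the regular expressions are constructed for illustration."""
import re
from typing import Dict, List, Pattern

# Constructed sample files. The first is a password list disguised as a
# recipe note, the second is genuinely innocent, and the third is a shell
# profile that exports a token.
SAMPLE_FILES: Dict[str, str] = {
    "recipes.txt": (
        "Grandma's oatmeal cookies\n"
        "bank: user=alice pass=Tr0ub4dor&3\n"
        "email: alice@example.com / Summer2023!\n"
    ),
    "todo.txt": "buy milk\ncall dentist\n",
    ".bashrc": "export API_TOKEN=tok_constructed0123456789\n",
}

# Patterns an attacker (or a defensive secret scanner) would sweep with.
CREDENTIAL_PATTERNS: List[Pattern[str]] = [
    # "password:", "passwd=", "pwd =" followed by a value
    re.compile(r"\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
    # an email address followed by a separator and a secret-looking token
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+\s*[/:,|]\s*\S{6,}"),
    # variable assignments whose name contains secret/token/api_key
    re.compile(r"\b\w*(?:secret|token|api_key)\w*\s*=\s*\S+", re.IGNORECASE),
]


def find_credential_lines(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {filename: [matching lines]} for every file with at least one hit.
    Matching is on content, so a misleading file name offers no protection."""
    hits: Dict[str, List[str]] = {}
    for name, content in files.items():
        matched = [
            line for line in content.splitlines()
            if any(p.search(line) for p in CREDENTIAL_PATTERNS)
        ]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    for name, lines in find_credential_lines(SAMPLE_FILES).items():
        print(name)
        for line in lines:
            print("   ", line)
```

Only `recipes.txt` and `.bashrc` are reported; the innocuous name of the first file does nothing to keep it off the list. The same sweep is also what a defensive secret scanner does, which is why an encrypted vault, not a cleverly named file, is the right place for credentials.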
Unfortunately, being online also means that the password manager can be attacked from any Internet-connected computer. Attackers who steal a user's password manager credentials gain access to all of the victim's accounts at once. Password vaults are therefore a high-value target. If a password manager company is breached and its customers' vaults are exfiltrated, the attackers can run brute-force and dictionary attacks against the master passwords offline, with no rate limiting or lockout to slow them down; the only things standing between them and the vault contents are the strength of the master password and the cost of the key-derivation function that turns it into the encryption key. Beyond brute force, shortcut attacks may exist through cryptanalysis, a backdoor, or a vulnerability in the password manager software itself. This is a reminder that using a password manager, whether online or offline, places a significant amount of trust in the vendor. Is their software secure? Are they honest? Many password manager vendors ship closed-source software. Closed-source means the software's source code is not published, which makes it difficult for anyone outside the company to verify its security. The alternative is open-source software, whose source code is published and can therefore be reviewed by anybody willing and able to go through it line by line. Many people believe that vulnerabilities such as bugs and backdoors are more prevalent in closed-source software
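The offline attack on a stolen vault described above is worth seeing concretely. The following is an added example, not code from the textbook or from any real password manager: it models only the vault header (salt, key-derivation parameters and a key-check value), derives the vault key from the master password with scrypt, and then runs the dictionary attack an attacker would mount against the stolen header. The header layout, the cost parameters and the wordlist are constructed for illustration; real products use their own formats and tuned parameters.

```python
"""Added example, not from the textbook: a minimal model of a password
vault header and the offline dictionary attack an attacker can run once a
vault file has been stolen. The header layout, KDF parameters and wordlist
are constructed for illustration; real password managers use their own
formats and parameters."""
import hashlib
import hmac
import secrets
import time
from typing import Any, Dict, Iterable, Optional

SCRYPT_R, SCRYPT_P, KEY_LEN = 8, 1, 32
DEFAULT_N = 2 ** 14          # assumed cost parameter (16 MiB of memory per guess)
KEY_CHECK_LABEL = b"vault-key-check"


def derive_key(master_password: str, salt: bytes, n: int) -> bytes:
    """Stretch the master password into a vault key with scrypt. The cost
    parameter n is what makes each attacker guess expensive."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def key_check(key: bytes) -> bytes:
    """Key-check value stored in the header so unlock() can tell a correct
    master password from a wrong one without keeping the key itself."""
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()


def create_vault(master_password: str, n: int = DEFAULT_N) -> Dict[str, Any]:
    """Build the vault header. Encrypted entries would be protected by this
    key; they are omitted because the attack only needs the header."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt, n)
    return {"salt": salt, "n": n, "check": key_check(key)}


def unlock(vault: Dict[str, Any], master_password: str) -> Optional[bytes]:
    """Return the vault key if master_password is correct, else None."""
    key = derive_key(master_password, vault["salt"], vault["n"])
    return key if hmac.compare_digest(key_check(key), vault["check"]) else None


def offline_crack(vault: Dict[str, Any], wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on a stolen vault. Nothing rate-limits or locks the
    attacker out; the only brake is the KDF cost paid on every guess."""
    for guess in wordlist:
        if unlock(vault, guess) is not None:
            return guess
    return None


def seconds_per_guess(vault: Dict[str, Any]) -> float:
    """Measure the cost of one wrong guess against this vault's KDF settings."""
    start = time.perf_counter()
    unlock(vault, "definitely-not-the-master-password")
    return time.perf_counter() - start


# Constructed wordlist of the kind an attacker starts with.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Password123", "Summer2023!"]

if __name__ == "__main__":
    weak = create_vault("Password123")
    strong = create_vault("correct-horse-battery-staple-mayo")
    print("weak vault cracked with:", offline_crack(weak, WORDLIST))
    print("strong vault cracked with:", offline_crack(strong, WORDLIST))
    for n in (2 ** 10, 2 ** 14):
        ms = seconds_per_guess(create_vault("x", n)) * 1000
        print(f"n={n}: {ms:.1f} ms per guess")
```

Two things fall out of running it. The vault whose master password is in the wordlist is recovered regardless of how the vault file was named or stored, while the one with a long, unique master password survives the whole list. And raising the scrypt cost parameter from 2^10 to 2^14 makes every guess roughly sixteen times more expensive, which is the lever a vendor controls; the master password's entropy is the lever the user controls, and an attacker who has the vault file is only ever slowed by the product of the two.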