Why passwords at all?
Ultimately, a password has one purpose: to prove that whoever is requesting access knows a secret that only the legitimate user should know. In principle, it is nothing more than a means of protecting the data behind it from unauthorized access.
Incidentally, there is a great project from the Hasso Plattner Institute, the Identity Leak Checker. You enter your private e-mail address and receive a list of the breached services in which that address appeared and whether your password was affected.
The same old story: make it long, complicated and impractical!
"IT security experts" always advise at least 9 characters, upper-case letters, lower-case letters, special characters of any kind, digits, and above all as many characters as possible. I have seen password policies demanding at least 14 characters, which is just incredibly stupid.
The consequence, and if you are smiling right now you know I am right, is predictable word combinations: Hund123+, NamevomKind27! (the child's name plus a number and an exclamation mark) and so on.
A gift for attackers: with tools like CeWL and Crunch we build targeted word lists for our pentests, i.e. we generate them from social networks such as employees' Facebook profiles, the company website and so on, and yes, we also combine words and splice numbers into these combinations according to patterns (rule files in a cracker such as hashcat do the same job). The supposedly secure passwords above then fall in seconds, at least wherever an attacker can test guesses offline against a stolen hash.
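To make the wordlist step concrete, here is an added example (not code from the original post, and not CeWL or Crunch themselves) that applies the patterns just described: it takes a few constructed seed words of the kind an attacker harvests from social media and a company website, produces case and leetspeak variants, joins pairs of words, and appends the usual numbers and special characters. The seed words, suffix lists and the guess rate are assumptions for illustration. The policy check shows that the generated candidates satisfy exactly the complexity rules the "experts" ask for.

```python
"""Targeted wordlist generation from personal seed words (added example)."""
import itertools

# Constructed seed words for a fictional target: pet, child, company, city.
SEED_WORDS = ["hund", "lena", "musterfirma", "berlin"]

# Suffixes that appear over and over in "policy-compliant" passwords:
# counting numbers, an age, birth/current years, then one special character.
NUMBER_SUFFIXES = ["1", "12", "123", "1234", "27"] + [str(y) for y in range(1970, 2026)]
SPECIAL_SUFFIXES = ["!", "+", "?", "#", "."]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def policy_ok(pw, min_len=9):
    """The classic complexity rule: minimum length plus all four character classes."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    return len(pw) >= min_len and has_upper and has_lower and has_digit and has_special


def base_forms(word):
    """Case and leetspeak variants of a single seed word."""
    forms = {word.lower(), word.capitalize(), word.upper()}
    forms |= {f.translate(LEET) for f in forms}
    return forms


def mutate(stem):
    """Append the number/special-character patterns people use to satisfy the policy."""
    out = set()
    for num in NUMBER_SUFFIXES:
        out.add(stem + num)
        for sp in SPECIAL_SUFFIXES:
            out.add(stem + num + sp)
            out.add(stem + sp + num)
    return out


def targeted_wordlist(seeds, policy_only=False, min_len=9):
    """Candidates from single seeds and from ordered pairs of seeds (Crunch-style)."""
    stems = set()
    for word in seeds:
        stems |= base_forms(word)
    for a, b in itertools.permutations(seeds, 2):
        stems.add(a.capitalize() + b.capitalize())
        stems.add(a.capitalize() + b.lower())
    candidates = set()
    for stem in stems:
        candidates |= mutate(stem)
    if policy_only:
        candidates = {c for c in candidates if policy_ok(c, min_len)}
    return sorted(candidates)


def crack_time_seconds(n_candidates, guesses_per_second=1_000_000):
    """Worst case for an offline attack at an assumed guess rate (fast hash, single GPU is far higher)."""
    return n_candidates / guesses_per_second


if __name__ == "__main__":
    full = targeted_wordlist(SEED_WORDS)
    compliant = targeted_wordlist(SEED_WORDS, policy_only=True)
    print(len(full), "candidates,", len(compliant), "of them policy-compliant, e.g.", compliant[:5])
    print("Hund123+ in list:", "Hund123+" in full)
    print("worst case at 1M guesses/s:", crack_time_seconds(len(full)), "s")
```

The whole list for four seed words is a few tens of thousands of candidates, which any offline cracker exhausts in well under a second; the policy filter does not shrink it in any way that matters, it only tells the attacker which suffix pattern to try first.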
Passwords are out of date. By the way, my "password" is only 4 characters long! How is that supposed to be secure?
There are alternatives and useful supplements that make life a lot easier. You have probably heard of two-factor authentication, where a second device serves as an additional factor alongside the password.
With PayPal, for example, you can register your mobile phone in addition to your password: PayPal then sends an SMS code on every login, the second factor. SMS is the weakest form of second factor (codes can be phished or redirected by SIM swapping), but it already raises the bar considerably above a password alone.
First of all, the following scenario is just one of many; the right method and concept have to be determined and designed for each of our customers individually, based on their needs. There is no one-size-fits-all solution.
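The server side of an SMS second factor like the one described above is small but easy to get wrong. The following is an added example, not PayPal's code and not part of the original post; it shows the two steps a login service performs after the password check succeeded: issue a random code (handed to an SMS gateway, simulated here by returning it) and verify what the user typed. Code length, lifetime, attempt limit and the in-memory store are assumptions for illustration. The points a practitioner cares about are all here: the code is random, stored only as a keyed hash, expires, is single-use, and is compared in constant time after a fixed number of attempts.

```python
"""Server-side SMS one-time code: issue and verify (added example)."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed: six decimal digits, like most SMS codes
CODE_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: after five wrong guesses the code is void

# Assumed server-side secret and store; a real service keeps the pending
# codes in a database or cache keyed by the login session.
SERVER_SECRET = secrets.token_bytes(32)
_pending = {}


def _hash_code(code):
    # Keyed hash instead of the plain code, so a leaked store yields no live codes.
    return hmac.new(SERVER_SECRET, code.encode(), hashlib.sha256).hexdigest()


def issue_code(session_id, now=None):
    """Step 1 (after the password was accepted): create and register a fresh code.

    Returns the code so the caller can hand it to the SMS gateway; it must
    never be logged or echoed back to the browser.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[session_id] = {
        "hash": _hash_code(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(session_id, submitted, now=None):
    """Step 2: check the code the user typed. Returns (ok, reason)."""
    now = time.time() if now is None else now
    entry = _pending.get(session_id)
    if entry is None:
        return False, "no pending code"
    if now > entry["expires"]:
        del _pending[session_id]
        return False, "code expired"
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[session_id]          # lock out: attacker must restart with the password
        return False, "too many attempts"
    if hmac.compare_digest(_hash_code(submitted), entry["hash"]):
        del _pending[session_id]          # single use
        return True, "ok"
    return False, "wrong code"


def guess_probability(attempts=MAX_ATTEMPTS, digits=CODE_DIGITS):
    """Chance of guessing a random code within the allowed attempts."""
    return attempts / 10 ** digits


if __name__ == "__main__":
    code = issue_code("login-session-1")
    print("SMS gateway would send:", code)
    print(verify_code("login-session-1", "000000"))
    print(verify_code("login-session-1", code))
    print(verify_code("login-session-1", code))   # replay is rejected
    print("guess probability:", guess_probability())
```

Without the attempt limit, a six-digit code is only a million guesses, and without the expiry and single-use deletion an intercepted code stays valid for as long as the attacker likes; both checks are cheap and both are frequently missing.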
Single Sign-On
Windows systems offer the option of authenticating with a smart card: the user receives a chip card and, as with a bank card, a PIN for it.
The card is then inserted into a reader built into the keyboard or into a separate card reader, for example. You log into the system with your PIN and the "key", a private key that is stored on the card and never leaves it. The PIN only unlocks the card locally, and the card blocks itself after a few wrong PINs, which is why four digits are enough: the PIN is worthless without the card, and the card is worthless without the PIN.
Via Active Directory and Kerberos, put simply, you receive a ticket with which you can then authenticate to other services. Without boring you with the technical details: you log in once in the morning and then have secure access to all company services (intranet portals, file shares, etc.) without entering a password again, for as long as the ticket is valid (ten hours by default in Active Directory).