Passwords and authentication
Passwords
In the previous lecture we talked about hashing passwords. However, this might have been too vague, so let's try to use a cryptographic hash function ourselves. First, let's create a hash of a word or a sentence, and after that we can try to find the hash value of a file.
This task requires access to Linux / Mac, but you can do a similar task in a Windows OS that has PowerShell. The instructions for using a hash function with PowerShell can be found here: Get-FileHash. If you prefer to use Windows, then just see how to find the hash values of files that are of interest to you. The following instructions are for calling a hash function from the Linux terminal.
The simplest way to access a Linux terminal is to connect to the university server. You can access the university server by using ssh. Windows 10 has built-in support for ssh: How to Enable and Use Windows 10's New Built-in SSH Commands. Linux / Mac should have an ssh client by default.
To log in to the university server via ssh:
- Hostname is "math.ut.ee"
- Accept the server's public key (or verify it if you know how)
- Enter your university username (same as in the Study Information System)
- Enter your university password (same as in the Study Information System)
- Check that you are logged in: you should see yourusername@math: on the terminal
Test the SHA256 hash function:
- Command to hash the text that you enter (the -n flag stops echo from appending a newline, which would change the hash):
echo -n "text that you would like to hash" | sha256sum
- Command to hash a file:
sha256sum filename
- To end the ssh session write "exit" and hit enter.
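To see what sha256sum is doing, and why the -n flag matters, here is an added Python example (not part of the original lab instructions) that hashes a string with and without a trailing newline and hashes a file in fixed-size chunks, which is how sha256sum handles large files. The file is a constructed temporary file; the expected digests are the published FIPS 180 test values for the empty string and "abc".

```python
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex (the format sha256sum prints)."""
    return hashlib.sha256(data).hexdigest()


def sha256_text(text: str, trailing_newline: bool = False) -> str:
    """Hash a string as UTF-8. trailing_newline=True mimics `echo` without -n,
    which appends "\\n" and therefore yields a completely different digest."""
    data = text.encode("utf-8")
    if trailing_newline:
        data += b"\n"
    return sha256_hex(data)


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash a file incrementally so a large file is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str) -> bool:
    """Compare a file's digest against a published value (case-insensitive, whitespace-tolerant)."""
    return sha256_file(path) == expected_hex.strip().lower()


# Published SHA-256 test values (FIPS 180 examples), so the functions can be checked offline.
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo() -> dict:
    """Constructed sample: a temporary file containing the bytes "abc" with no newline."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")
        return {
            "empty": sha256_text(""),
            "abc": sha256_text("abc"),
            "abc_with_newline": sha256_text("abc", trailing_newline=True),
            "file_abc": sha256_file(path),
            "file_matches": verify_file(path, SHA256_ABC.upper()),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows that "abc" and "abc" followed by a newline hash to unrelated values, which is exactly the mistake `echo` without -n produces when you try to reproduce a published digest.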
Password management provided by the browsers
All major web browsers ask whether the user wants to save the username and password once they are entered into the login fields. When the username and password are saved, the next time the user does not have to enter them again, as the task is done by the browser. So, is this feature good for security? Actually, the security of these features depends on how the password management is used. One might say that if the user can save the passwords, then the passwords could be longer and more complex. This could be true, but what happens if the user has to switch computers? Do the browsers allow secure exporting and importing of the password database? What happens if a third party gets access to the exported password database, i.e., is it correctly encrypted? What happens if an attacker gets access to the computer where the passwords are saved? Is the attacker able to use the saved passwords to access the corresponding accounts, or might it even be possible to directly read the saved usernames and passwords?
Google Chrome
In order to view the saved usernames / passwords: “Settings” -> “Show advanced settings...” -> “Manage passwords”
Passwords are not shown by default. In order to view a password one has to click on the "Show" button. Google Chrome protects the password database with the user account password. What happens if you are using Windows with an account that does not have a password? Is it then possible to read all of the saved usernames and passwords?
Task: Test the password management of Google Chrome. First log in to a website and save the password. Find out how much time it would take to access the saved usernames and passwords in case the Windows account does not have a password. As a final step you should remove the saved login information from Google Chrome.
Firefox
Firefox also has a system for password management. When a username and password are entered for the first time, Firefox asks whether the login information should be saved, as shown on the following screenshot:
The saved passwords can be viewed by navigating to: Tools (Options) -> Security -> Saved Passwords
In order to view the passwords one has to click on the "Show passwords" button.
Firefox differs from Google Chrome in that it allows setting an additional master password that protects the password database. This protects the passwords from an attacker who might get temporary access to an unlocked computer or to a computer whose user account does not have a password. However, the master password makes the user experience less convenient, as the user has to enter the master password each time the browser wants to access the saved passwords. Still, the same master password is used to access all the different service passwords stored in the database.
Task 1: Log in to a website in order to add a password to the password manager. Check how easy it is to access and read the password. As a final step remove the saved password(s).
Task 2: Add a master password to the Firefox password manager. Check how the user experience changes when you would like to use a website whose login information is saved in the browser. Try to view the saved passwords and finally remove all saved login information.
Password managers
Using a password manager is similar to writing the passwords to a text file and then encrypting the file using AES with a strong password. However, special-purpose password manager software has some additional benefits:
- it is easier to use
- with plugins the login forms can be automatically filled
- it is possible to generate strong random passwords
- it is not limited to one environment (this is the problem with the browser-based solution)
- it might be possible to sync the database between different devices
In the following we will focus on KeePass, as it is one of the most commonly used offline password managers. There are also quite good cloud-based password managers like 1Password and LastPass, but we chose to focus on KeePass mainly because it is not cloud-based and is therefore harder to attack.
Password manager KeePass
KeePass is a free open source password manager for Windows. KeePassX and KeePassXC are ports of KeePass that support the same database format and are also available on Linux and Mac OS X.
Task: Install KeePass (or KeePassX) and create a test database of passwords.
If you are using a virtual machine that was provided by us, then you do not have to install the software, as it is already available on the virtual machine. First, open the installers folder on the desktop and find the file "KeePass-2.40.zip". Extract the contents of the zip file and find "KeePass.exe". Now you can skip the following instructions and move on to the instructions that tell how KeePass can be used.
If you are not using a virtual machine, then you will have to download KeePass from http://keepass.info/download.html. You will need the professional version, but there are two options: installer and portable. I would suggest using the portable version, as it can be carried e.g. on a USB stick. Choose the suitable option and get KeePass.
- Start KeePass.exe
- Create a new database for passwords: File -> New -> (enter a name of the database) -> Save
- Generate and enter a master password. It is important that the key is not short and easy to guess. The estimated strength of the password is shown visually under the password fields. It is important that you remember the master password, as otherwise you will not be able to access the passwords. Now the settings of the database are shown, but the default options are fine and we can click "OK".
- Add a fake password entry to the database.
- To add a new entry: Edit -> Add Entry...
- Add a new entry with a randomly generated password that has 57 characters.
- Lock KeePass: File -> Lock Workspace
- Try to find out whether the KeePass plugins improve the user experience
- The plugins can be viewed from http://keepass.info/plugins.html
- There are plugins that allow importing login information from Firefox
- There are plugins that allow using the KeePass login information to fill forms in browsers
Task #2 (part of homework): Create a KeePass or KeePassX password database following these rules:
- The master password for the database has to be infsec. This is deliberately too short to make verifying the solutions easier. You will get 0 points if you use a wrong password.
- The database contains a single entry (delete the automatically generated entries).
- The entry's name must be your full name.
- The username must be the pseudonym that was generated for you for the information security course.
- Password must be randomly generated and 32 characters long.
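The tasks above rely on two things a password manager does for you: generating a long random password (57 and 32 characters) and estimating the strength of the master password. The following added Python example (not from the lab or from KeePass) shows how a generator should draw characters from the operating system's CSPRNG and how the entropy of a uniformly random password is computed. The strength bands in strength_label are this example's own assumption, not the estimator KeePass displays under the password fields.

```python
import math
import secrets
import string

# Full printable-ASCII alphabet (94 characters), the kind of set a generator draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG via `secrets`.
    `random.random()` is not suitable here: its output is predictable from earlier outputs."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols: length * log2(alphabet size).
    This only applies to generated passwords; a human-chosen word such as the lab's 'infsec'
    comes from a dictionary-sized space and is far weaker than even 6 * log2(26) suggests."""
    return length * math.log2(alphabet_size)


def strength_label(bits: float) -> str:
    """Crude banding by entropy. The thresholds are an assumption made for this example,
    not KeePass's own estimator, which also looks for patterns and dictionary words."""
    if bits < 40:
        return "very weak"
    if bits < 64:
        return "weak"
    if bits < 96:
        return "reasonable"
    return "strong"


def describe(length: int, alphabet: str = ALPHABET) -> dict:
    """Generate a password and report its length, entropy and strength band."""
    pw = generate_password(length, alphabet)
    bits = entropy_bits(length, len(set(alphabet)))
    return {"password": pw, "length": len(pw), "bits": round(bits, 1), "label": strength_label(bits)}


if __name__ == "__main__":
    for n in (32, 57):  # the two lengths used in the KeePass tasks
        print(describe(n))
    lab_bits = entropy_bits(6, 26)  # an upper bound for a 6-letter lowercase word
    print("6 lowercase letters:", round(lab_bits, 1), "bits,", strength_label(lab_bits))
```

A 32-character password over 94 symbols has about 210 bits of entropy, far beyond what a database's key derivation can be attacked with, which is why the generated entry password can be long and ugly while the master password is the part you actually have to remember.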
Two-factor authentication
Two-factor authentication (2FA) significantly increases security, but the improvement has to be paid for with privacy, i.e., usually with a phone number. Two-factor authentication protects against leaks, keyloggers and other malware that tries to copy the login information. Even when a third party is able to obtain the login information, they are not able to access the account without having access to the second factor, which is usually a phone. In addition, it is usually possible to find out if a third party is trying to access your account, as a notification might then be sent to your phone (depending on the type of 2FA). Therefore, one has to make a choice between privacy and security. If the service provider already has access to your phone number, then the answer is quite easy, as 2FA significantly increases security. If the service provider already has access to a large amount of private information about you, then giving out the phone number in order to protect that private information might not be such a bad idea.
There are different ways to build 2FA. The common methods used as a second factor are:
- SMS
- special application that provides authentication codes
- push messages
- physical security keys (FIDO U2F)
- backup codes
You can get a brief summary of these methods by reading the following guide: A Guide to Common Types of Two-Factor Authentication on the Web. (2017)
Google's two-factor authentication
The two-factor authentication provided by Google verifies users with a code that is sent to the mobile device by SMS. Two-factor authentication has to be activated, and for that a mobile phone number is required. The verification codes may also be obtained via a special application on the phone. The second authentication factor is required only when logging in from a new browser, i.e., you can save the browsers that you use frequently. It is important that backup codes are generated and stored in a safe place in case the SIM card gets lost or damaged. If the user loses access to the SIM card, has not set up a backup phone number and does not have access to the backup codes, then it will not be possible to access the Google account. In such a situation it might be possible to contact customer service in order to regain access to your account, but this might take time and is not guaranteed to be successful. Therefore, one has to set up a backup phone number or create backup codes if two-factor authentication is used.
Voluntary task: try to use two-factor authentication with your Google account. If you do not want to share your mobile phone number with Google, or if you do not have a Google account, then you can just read how this can be done. As an alternative, you could sit next to a student who would like to set up two-factor authentication for Google.
If you decide to set up two-factor authentication, then you will have to create a backup method for accessing your account in case something happens to your mobile device or SIM card: i.e., you will either need to set a backup phone number or safely store backup verification codes.
- Navigate to http://www.google.com/landing/2step/
- Read the instructions
- Click on “Get Started” and then on “Start Setup”
- Log in with your Google account
- Enter your mobile phone number and then click on “Send code”
- Wait for the SMS
- Enter the verification code and click on “Verify”
- Choose if you trust the current computer (only trust your own computer) and then click “Next”
- To activate two-factor authentication click “Confirm”
- Write down the backup codes in case something happens to the phone / SIM card / network. The backup codes will help you to get back access to the account. You will need either the phone or a backup code to deactivate two-factor authentication.
- Try to log in to your Google account
- To remove two-factor authentication navigate to: https://accounts.google.com/b/0/SmsAuthSettings and choose "turn off 2-step authentication"
Google's two-factor authentication is not supported by many programs or applications that allow logging in with the Google account, and therefore the login information for these programs has to be changed. For all such programs an application-specific password has to be created. This might be required by the calendar application if the calendar is connected with the Google account. Once two-factor authentication is enabled, these applications won't be able to access the Google account anymore. In order to fix the problem, you have to create an application-specific password for each program that uses the Google account, and this can be done from the settings page of the Google account. To create application-specific passwords navigate to: "Account -> Security -> 2-step verification -> Manage your application specific passwords".
Facebook's two-factor authentication
The two-factor authentication of Facebook works in a similar way to Google's. It also allows creating the verification code in a smartphone application or having it sent to the mobile device via SMS. However, Facebook by default wants users to use a smartphone application to create the verification code, and therefore if the user wants to get an SMS, this has to be explicitly selected each time the verification code is asked for.
Voluntary task: Try out Facebook's two-factor authentication.
- Read about Facebook's two-factor authentication: https://www.facebook.com/note.php?note_id=10150172618258920
- Log in to Facebook and choose "account settings"
- Choose "security" from the menu on the left
- Choose “Login approvals” and mark “Require a security code to access my account from unknown browsers”
- Choose “Get Started”
- Choose the type of the device
- Follow the instructions about the Facebook application
- Insert the verification code and click “Continue”
- Enter the verification code that you got from the SMS
- Write down the backup codes in case the mobile device / SIM card / network is not available.
- Try to log in to Facebook with a different browser or a different device
- Deactivate two-factor authentication from the “Login Approvals”
Two-factor authentication is also supported by Apple, Microsoft, Twitter, WordPress and many other companies. There is a website that contains a list of companies that are using 2FA: https://twofactorauth.org/.
Further reading
- Why passwords have never been weaker—and crackers have never been stronger (2012)
- The secret to online safety: Lies, random characters, and a password manager (2013)
- Websites, Please Stop Blocking Password Managers. It’s 2015 (2015)
- You Gave Facebook Your Number For Security. They Used It For Ads. (2018)
- Firefox - password manager
- Google Chrome - password manager