The Psychology of Password Allocation

Brute-force attacks are common and can cause major reputational damage in addition to financial damage. Those who once flew under the radar must now expect attacks of various kinds. For quite some time now, criminals have no longer been targeting only big companies; they exploit the attack surface of every company. It is essential to be prepared.

Brute-force attacks attempt to gain access to an account by trying different username and password combinations, as if someone were turning the wheels of a combination lock and trying one number combination after another until the lock opens.

Whereas the wheels of a combination lock are turned by hand, in a brute-force attack the computer does the work. At more than 10,000 password combinations per second, the attacker can fire at the login form and attempt a so-called account takeover.

The logic behind password strength

A password consisting of 6 lower case letters of the German alphabet gives 308,915,776 possible combinations.

This is calculated from the number of usable letters, 26 without ä, ö, ü and ß, raised to the power of the password length, 6: 26^6 = 308,915,776.

If one assumes 1000 attempts per second, every possible password can be tried within 3.5 days.

This is what password guidelines or password policies are meant to improve: they then require 12 characters, upper and lower case letters must be included, and a special character should be used.

This increases the number of possible characters from 26 to 72 and the exponent from 6 to 12, giving 19,408,409,961,765,342,806,016 possible passwords. At 1000 attempts per second, trying them all would take 615,436,642,623 years.

This result is quite impressive.
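The search-space calculation above, as an added example that is not part of the original post: it generalizes the calculation to any character-class policy and guess rate, with the post's two policies (6 lowercase letters; 12 characters from 72) and its 1000 guesses per second as the defaults.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY  # the post's figures use a 365-day year


@dataclass(frozen=True)
class PasswordPolicy:
    """Character classes a policy allows; sizes default to the Latin alphabet without ä, ö, ü and ß."""
    length: int
    lower: int = 26
    upper: int = 0
    digits: int = 0
    special: int = 0

    @property
    def alphabet_size(self) -> int:
        return self.lower + self.upper + self.digits + self.special

    def keyspace(self) -> int:
        """Number of distinct passwords if every character were chosen uniformly at random."""
        return self.alphabet_size ** self.length


def worst_case_seconds(policy: PasswordPolicy, guesses_per_second: int) -> int:
    """Time to try every password in the space; the expected time to a hit is half of this."""
    return policy.keyspace() // guesses_per_second


def worst_case_days(policy: PasswordPolicy, guesses_per_second: int) -> float:
    return worst_case_seconds(policy, guesses_per_second) / SECONDS_PER_DAY


def worst_case_years(policy: PasswordPolicy, guesses_per_second: int) -> int:
    return worst_case_seconds(policy, guesses_per_second) // SECONDS_PER_YEAR


def compare_policies(guesses_per_second: int = 1000) -> dict:
    """The two policies from the post: 6 lowercase letters versus 12 characters from 72."""
    weak = PasswordPolicy(length=6)
    strong = PasswordPolicy(length=12, upper=26, digits=10, special=10)
    return {
        "weak_keyspace": weak.keyspace(),
        "weak_days": worst_case_days(weak, guesses_per_second),
        "strong_keyspace": strong.keyspace(),
        "strong_years": worst_case_years(strong, guesses_per_second),
    }


if __name__ == "__main__":
    # The post also mentions attackers firing more than 10,000 guesses per second.
    for rate in (1_000, 10_000):
        print(rate, "guesses/s:", compare_policies(rate))
```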

Why brute-force attacks cannot be defeated despite password policies

In IT this is called a layer 8 problem: the problem is the person in front of the screen.

Human evolution is impressive, so much so that we speak of modern man today. Unfortunately, we still have a big problem remembering passwords.

The assumption behind the many different password combinations and the size of the solution space is that the characters are chosen at random.

The human factor: The psychology of password assignment and password remembering

To make life a little easier, we tend to use patterns and apply logic to our passwords. These logics can be modelled. The solution space shrinks considerably once different probabilities are assigned to the combinations. For example, a word is taken from the Duden, an E is replaced by a 3, and combinations of special characters and numbers are appended at the end.

It becomes even simpler when password guidelines are not interpreted so strictly, and particularly when users reuse the same passwords or choose one of the most popular passwords. For the latter, there are many lists and statistics showing that passwords such as 123456 are still used by up to 10% of users on some platforms.

This makes it very easy for an attacker to gain access to accounts. A few more patterns in how passwords are chosen and remembered have been identified. Various psychological studies have dealt with these issues and, among other things, identified a connection to natural language. Concretely, the connection is which letters usually or very often follow each other. The frequency with which one letter follows another is known as a bigram. The TU Freiberg has published statistics on this subject showing the ten most frequent double letters and the eighteen most frequent bigrams, among which ER, EN and CH are the top three in German, as well as further analyses of English language use.

To Single Sign-On in 30 minutes

Reading time approx. 5 minutes

Due to the increasing number of digital services, in the enterprise as well as in the customer environment, Single Sign-On has become increasingly important. On the one hand, it is an essential element in providing more user comfort and a smooth journey; on the other hand, it improves security. Identity and access management plays a central role in realizing Single Sign-On.

Where does cloud identity and access management help?

A cloud identity and access management supports the management of the various stakeholders: employees, customers and partners. These are not just individuals; customers and partners in particular can also represent organisations, which in turn can be structured in hierarchies. An identity and access management system must be capable of representing all of this.

Internal/Enterprise IAM: Managing employees is becoming increasingly complex due to the numerous digital channels, which is why companies have long used a so-called IAM or IDM. In particular, the mapping of authorizations plays an essential role in implementing access restrictions, segregation of duties and thus the authorization concept. Both onboarding and the subsequent needs-based allocation of rights must be implemented efficiently, transparently and quickly. The requirements and processes vary greatly depending on the industry, organization and department. An IAM must therefore be able to cover a company's individual needs to enable a clear, secure and efficient implementation of the authorization concept.

Customer IAM: Digital services are springing up almost everywhere, particularly in the end customer environment. In every industry, in B2B as well as B2C, they are becoming an essential component and a decision criterion: to get to know customers better, to work together more easily, to inspire customers and partners, and thus also to retain them in the long term.

Customer-facing systems can usually be separated easily from internal systems. The customer channels are the communication channels provided to customers to offer new services. Then there are the systems used mainly internally, such as the CRM, the ERP system, time recording etc., to which only employees have access. While employees often also need access to the customer channels, partners are the extreme case: depending on the task, a partner works on both the customer channels and the internal systems. Group management is therefore necessary.


With an Identity and Access Management such as cidaas, you create one identity for the user across all channels and applications in a company, such as CRM, ERP, office systems, etc., and thus introduce Single Sign-On.

In the customer area, registration and authentication of customers are likewise carried out via Identity and Access Management. This lets you recognize your customers across the various digital services such as cloud services, web services, shop systems, etc., know where they move and which channels they use, and offer them not only convenience but also exceptional, individual customer experiences.

Procedure of a Single Sign-On:

The de facto standards in the identity environment are OpenID Connect and OAuth2; these are the newer standards. SAML, especially in the SAML 2.0 version, is the older standard, which many systems still follow, especially in the internal environment. These standards are used to integrate an identity management system and to implement Single Sign-On.

  1. Calling domain 1: this could be a shop system, for example.
  2. Domain 1 determines that a login is required, which initiates the redirect to cidaas.
  3. In the third step the user logs in.
  4. cidaas stores the information in a cookie, in the browser storage. Other information is also stored to prevent bot attacks and fraud attempts.
  5. Afterwards the user is redirected back to the shop system.
  6. The shop system can work with the token that is sent along: with it the user is authenticated and can use the shop system.
  7. The shop system can then store information in the domain 1 cookie.

Single Sign-On is characterised by the fact that the same authentication mechanism can be used on the various domains, and also that the user remains logged in across all channels.

  1. The user switches to the website in domain 2.
  2. A login is also required here, so the redirect to cidaas takes place.
  3. Whereupon the redirect back to the website with the issued token takes place.
  4. The web page can now use the token and perform authentication. Information such as first name, surname, etc. can be available in this token.
  5. Further information can be stored in the domain 2 cookie.
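The two-domain flow in the two lists above, as an added simulation that is not cidaas code: a generic identity provider at the assumed address https://idp.example, two relying parties (shop and portal) with registered redirect URIs, a browser cookie jar keyed by domain, and a constructed user. The token is signed HS256 with a shared secret to keep the example self-contained; real OpenID Connect ID tokens are normally RS256 and verified against the provider's published keys.

```python
import base64, hashlib, hmac, json, secrets, time

IDP_SECRET = b"constructed-demo-signing-key"  # constructed; a real IdP signs with an asymmetric key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict) -> str:
    """Compact JWS (header.payload.signature) carrying the ID token claims."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(IDP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"

def verify_token(token: str, audience: str) -> dict:
    """The relying party checks signature, audience and expiry before trusting any claim."""
    head, body, sig = token.split(".")
    expected = _b64(hmac.new(IDP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience:
        raise PermissionError("token was issued for another client")
    if claims.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    return claims

class IdentityProvider:
    """The central identity provider (the role cidaas plays in the post)."""
    def __init__(self):
        # Constructed demo user and two registered clients with their allowed redirect URIs.
        self.users = {"alice": {"pw": "correct-horse", "given_name": "Alice", "family_name": "Muster"}}
        self.clients = {"shop": "https://shop.example/cb", "portal": "https://portal.example/cb"}
        self.sessions = {}  # IdP-domain session cookie -> username (step 4)
        self.codes = {}     # one-time authorization code -> (username, client_id, redirect_uri)

    def authorize(self, client_id, redirect_uri, session_cookie=None, credentials=None):
        """Steps 2 to 5: the RP redirects the browser here; an existing IdP session skips the login."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unregistered redirect_uri")  # never send a code to an unknown URL
        user = self.sessions.get(session_cookie)
        if user is None:  # no IdP session yet: step 3, the user must log in
            if credentials is None:
                return "login_required", None, None
            name, pw = credentials
            stored = self.users.get(name, {}).get("pw", "")
            if not hmac.compare_digest(stored.encode(), pw.encode()):
                raise PermissionError("bad credentials")
            user, session_cookie = name, secrets.token_urlsafe(16)
            self.sessions[session_cookie] = user  # step 4: session cookie on the IdP domain
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, redirect_uri)
        return "redirect", f"{redirect_uri}?code={code}", session_cookie  # step 5: back to the RP

    def exchange_code(self, code, client_id, redirect_uri):
        """Back channel: the RP swaps the one-time code for a signed ID token."""
        entry = self.codes.pop(code, None)  # a code can be redeemed exactly once
        if entry is None or entry[1:] != (client_id, redirect_uri):
            raise PermissionError("invalid or replayed code")
        user, now = self.users[entry[0]], int(time.time())
        return sign_token({"iss": "https://idp.example", "sub": entry[0], "aud": client_id,
                           "iat": now, "exp": now + 300,
                           "given_name": user["given_name"], "family_name": user["family_name"]})

class RelyingParty:
    """One domain (shop, portal, ...) that delegates authentication to the IdP."""
    def __init__(self, client_id, idp):
        self.client_id, self.idp = client_id, idp
        self.redirect_uri = idp.clients[client_id]
        self.local_sessions = {}  # step 7: the RP's own domain cookie -> user

    def login(self, browser: dict, credentials=None) -> dict:
        state, location, idp_cookie = self.idp.authorize(
            self.client_id, self.redirect_uri, browser.get("idp"), credentials)
        if state == "login_required":
            raise PermissionError("user must authenticate at the IdP first")
        browser["idp"] = idp_cookie
        code = location.split("code=", 1)[1]  # the RP reads the code from its callback URL
        token = self.idp.exchange_code(code, self.client_id, self.redirect_uri)
        claims = verify_token(token, self.client_id)  # step 6: token checked, user authenticated
        browser[self.client_id] = secrets.token_urlsafe(16)
        self.local_sessions[browser[self.client_id]] = claims["sub"]
        return claims

def run_sso_demo():
    """Domain 1 asks for credentials once; domain 2 gets its own token from the IdP session."""
    idp = IdentityProvider()
    shop, portal = RelyingParty("shop", idp), RelyingParty("portal", idp)
    browser = {}  # cookie jar keyed by domain
    shop_claims = shop.login(browser, credentials=("alice", "correct-horse"))
    portal_claims = portal.login(browser)  # no credentials: SSO via the IdP cookie
    return shop_claims, portal_claims, browser
```

Production flows additionally bind the request with state, nonce and PKCE, which are left out here so the two redirects stay readable.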

Single Sign On - Process

To demonstrate these possibilities and Single Sign-On in a practical way, you can easily carry out the integration based on OpenID Connect by following these steps.

Here you can see and test how integration based on the SAML standard works.

8 years of FIDO – What has happened so far

FIDO2 heralds a new age of ubiquitous authentication.

For several reasons, logging in to a website with a username and password may not be the ideal method of authentication. On the one hand, the number of applications a person uses is constantly increasing. On the other hand, the security of credentials is increasingly at risk as cybercrime becomes more sophisticated and technologically advanced. Targeted brute-force attacks or seemingly harmless phishing emails have become so common that users often do not even notice that their own credentials have been stolen.

  • 2009

    Validity Sensors and PayPal discussed using biometrics to identify online users instead of passwords. The session stimulated the idea of working on an industry standard based on public key cryptography that would allow password-less login with only local authentication.

  • 2012

    The FIDO Alliance was founded by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio. The development of a password-less authentication protocol began.

  • 2013

    Major Internet companies, system integrators and security providers joined to form the FIDO (Fast IDentity Online) Alliance to revolutionise online authentication with an industry-supported, standards-based open protocol. The Alliance was then launched in California.

  • 2014

    The comprehensive password-less protocol FIDO v1.0 (called FIDO Universal Authentication Framework, FIDO UAF) and the second-factor protocol (called FIDO Universal 2nd Factor, FIDO U2F) were completed and released at the same time. The production launch of fully compliant FIDO v1.0 devices and servers began.

  • 2015

    cidaas, the modern Cloud Identity and Access Management solution, was created: Widas ID started the development of cidaas. With the best user experience in mind, cidaas added versatile, convenient and secure authentication methods.

    In a pluggable approach, cidaas offers e.g. biometric methods like TouchID or WebAuthn, one-time passwords and many more. Customers can easily add and offer new methods.

    With the “Software Hosted in Germany” seal and ISO 27001 certification, cidaas complies with the highest data protection and security standards.

  • 2016

    The World Wide Web Consortium (W3C) launched a new standardisation project for web authentication based on the FIDO 2.0 Web APIs proposed by the Alliance. The aim of the FIDO Alliance in this work, called FIDO2, was to standardise strong FIDO authentication together with the W3C across all web browsers and the associated web platform infrastructure.

  • 2017

    The FEWG, the FIDO Europe Working Group, was established.

    Based on Google Chrome, Microsoft Edge and Mozilla Firefox, the FIDO2 project heralds a new era of ubiquitous, phishing-resistant, strong authentication to protect Internet users worldwide.

  • 2018

    cidaas announced support for FIDO2. Since then it has been possible to experience FIDO2 and WebAuthn live on https://cidaas-in-action.cidaas.de/demo-site/demo and to test the new user experience.

  • 2020

    Apple extends FIDO authentication support in Safari to iOS 14, macOS Big Sur and iPadOS 14 and enables users to log in to websites with FIDO using Apple’s Face ID and Touch ID biometric authentication.

    To learn more about cidaas, its key features and the various password-free authentication methods, please visit https://www.tschuesspasswort.de.

The Digital Pioneers Conference – Digitisation on the rise – 5 wonderful years of cidaas

On Friday (13.11.2020) the first Digital Pioneers Conference, organised by esentri AG, was held and we were present there. In this blog, we look back at the event and the various impulses.

What does the Digital Pioneers Conference stand for? “With the Digital Pioneers we look behind the scenes of successful digitization projects and learn from courageous personalities who have shaped their own future. The audience could [look forward] to inspiring keynote speakers, interesting project stories, tech talk, and the extraordinary atmosphere of a hybrid conference!”

The topics and contents of the conference were very diverse. Leander Govinda Greitemann opened the conference with a keynote on the pioneering spirit, supported by exciting stories. Robert Szilinski then took up the pioneering spirit in his slot and declared war on pessimism. Throughout the day there were many exciting presentations on successful digitization projects, new and changing business models, and the culture necessary for a sustainable digital transformation, and there was no shortage of prospects for technological advances such as the quantum computer either. In summary, the diversity of the conference was a key success factor, because as diverse as the presentations were, so are the ideas and challenges in digitization. Digitization is not driven by technology alone but by the combination of many impulses: technology is an enabler, but business culture, ideas and concepts are the drivers of development.

We were pleased to take the opportunity to play our part in the conference. Based on the quotation from Raumschiff Enterprise, “Identity – infinite vastness. It is the year 2020”: five years ago we started to think the world differently and began with cidaas, our Cloud Identity & Access Management. A lot has happened in the past 5 years, which we became aware of once again while preparing for the conference. Only recently we summarised the history of the FIDO Alliance and the FIDO2 standard in a blog (8 years of FIDO – What has happened so far). We have had FIDO2 integrated into cidaas since 2018; its wider adoption, however, especially given the late availability on Apple devices, has been a long time coming. In our presentation we took a closer look at these and other highlights from 5 years of cidaas, because: “On our journey through the galaxies of our customers we have mastered different requirements. However, we have also avoided the odd meteorite or two in our continuous efforts to push cidaas forward”.

At this point we would like to thank esentri for the great organisational work. The conference was planned wonderfully, with two stages and the opportunity to network, and although attending in person was not possible during Corona, it still had a personal touch.

We are looking forward to 2021!

Now FIDO2 is standard in the Apple browser

Using TouchID or FaceID to unlock the smartphone is the current standard. Besides security, it is above all a question of convenience for users to unlock their smartphone quickly and easily with a biometric procedure. Until now this was not possible in the browser of the iPhone. With the new major version of the Apple browser, Safari 14, Apple supports biometric authentication using TouchID and FaceID (device biometrics) via the FIDO2 and WebAuthn standards.

Authentication with a wide variety of platforms, online shops or other digital services via device biometrics is no longer a futuristic dream. Technically, the FIDO2 standard consists of two components, the WebAuthn standard of the World Wide Web Consortium (W3C) and the Client-to-Authenticator Protocol (CTAP) of the FIDO Alliance.

For quite some time now, we have been offering authentication via the FIDO2 standard with our Cloud Identity & Access Management, cidaas, both as two-factor authentication and as password-less authentication. Even though FIDO2 has become more and more popular in recent years, the introduction of any procedure is subject to the limitations that come with it. Although providers such as Google or Microsoft have supported FIDO2 for some time and integrated it into their own platforms, Apple has been a long time in coming: it was not until iOS 13 that FIDO2 support for external authenticators, such as via NFC, BLE or USB, came to the iPhone. Android, by contrast, already received FIDO2 certification in February 2019.

With the introduction of FIDO2, especially through device biometrics, on the Apple ecosystem, the FIDO Alliance as well as many platform and service providers are now hoping for wider and mainly faster dissemination of FIDO2.

We at cidaas are also strong supporters of FIDO2 and other passwordless authentication methods, as these methods allow us to offer secure as well as convenient authentication on a wide range of channels. More than ever before, the password is the killer of user comfort and security. If you want to know more about passwordless authentication or FIDO2, have a look at www.tschuesspasswort.de, under this slogan we have started an initiative for passwordless authentication.

Experience with the Alliance for Cyber Security

We joined the Alliance for Cyber Security as a member in mid-July and then completed our onboarding as a partner at the end of August. We would like to use this short blog to describe our first experiences with the Alliance for Cyber Security and our partner contributions.

As a short digression, what does the Alliance for Cyber Security do (extract from the ACS website):

“With the Alliance for Cyber Security, founded in 2012, the Federal Office for Information Security (BSI) is pursuing the goal of strengthening Germany’s resistance to cyber-attacks.

Currently, 4548 companies and institutions are members of the initiative – and more participants are joining every day.

IT service and consulting companies, as well as IT manufacturers, are equally represented within the network as user companies of all sizes and industries. This diversity is an important guarantee for a rich exchange of IT expertise and application experience, from which all participants benefit.

148 partners and 99 facilitators are involved in the initiative and thus make a valuable contribution to more cybersecurity in Germany as a business location”.

As a Cloud Identity & Access Management (cidaas) we are predestined for the partner program: we offer an IT security solution and in this context we deal daily with the most diverse requirements in this environment. Furthermore, we see cidaas as Identity & Access Management as a central component in the digitalization of companies. Combining security with digitization, innovation and ultimately user comfort is one of our goals. To mark this occasion, we designed our first partner contributions for the Alliance for Cyber Security and launched a webinar series that shows how modern authentication can and should be both secure and convenient.

Which topics did we cover in the webinars?

  1. Brute force attacks and what can be done about them
  2. FIDO2 and password less authentication explained simply

Brute force attacks and what can be done about them

Brute force attacks, where the attacker tries to gain access by trying or guessing passwords, are one of the most common attack patterns in the digital world and have become a major threat in recent years. This type of attack is not new, but it is now more of a headache than ever, because almost all common defence approaches bring other problems with them, which can sometimes be more serious for companies than the brute force attack itself. Classic brute force defence mechanisms often not only protect against attacks but also lock out real users or massively restrict user comfort. In this webinar we showed different forms of the brute force attack and common defence mechanisms, among them classic defence mechanisms, brute force protection via device cookies as described by OWASP, and multi-factor authentication. As a transition to the next webinar, we gave a short outlook on the world after the password.

FIDO2 and password-free authentication explained simply

A world without passwords is the future! In this webinar we discussed the FIDO2 standard with its protocols WebAuthn (W3C) and Client to Authenticator Protocol (FIDO). We first looked at the current situation regarding passwords and the associated disadvantages and then focused on the technical specification of the FIDO2 standard. Finally, we reported on first experiences and use cases with the FIDO2 standard and other password-less authentication methods. We also showed the transition path by which users can be introduced to password-less authentication, and how cross-device scenarios can be handled.

Let us now look back at our experience:

The participants:

We regularly host webinars, both self-organized and in cooperation with other networks, e.g. now in October during the European Cyber Security Month. As a small side note, we were very sceptical at the beginning whether webinars of our own would be useful and could even achieve the necessary coverage, but we are very satisfied with our previous webinars and the number of participants and feedback. Since our webinars were closed to the Alliance for Cyber Security and only accessible to a limited number of participants, we also expected lower numbers of participants. After we had planned the webinars and announced them via the Alliance for Cyber Security, we were surprised how quickly the number of registrations increased; as a result, these two webinars are among our most visited events.

More importantly, the participants were among the most active we have seen in our webinars so far. We were particularly pleased about this because it is precisely this exchange that makes the Alliance for Cyber Security so valuable!

The cooperation with the colleague at the Alliance for Cyber Security:
The cooperation was very great. Our enquiry was processed very quickly and together we designed our first partner contributions.

We are already looking forward to our next partner contributions and are pleased that there is such a network organized by the BSI in Germany. Good job!

Why Happiness Team? – The cidaas support

Ever since we launched cidaas a few years ago, we have been developing not only the technology but also our organization and processes, and we are constantly working to incorporate the vast experience we gain every day and to implement new ideas.

We would like to highlight a special organizational development in this blog: the Happiness Team.

As a product provider, especially for a Software-as-a-Service cloud service like cidaas, which as Identity & Access Management plays a central role in the digitalization of almost all companies and their IT infrastructure, customer support is very important to us. This has been a matter of course from the very beginning, so we have always attached great importance to good and, above all, fast support. Every developer knows it: when a question comes up, the Internet is consulted, the documentation is checked, and it feels as if you were the only one with this question. Since an answer is essential to get ahead, support is contacted.

Waiting days for a response would be annoying and could shift the timeline. It is even worse when there are difficulties in live operation and the cause cannot be found. Undoubtedly a self-explanatory API and detailed yet simple documentation are helpful and necessary. However, reliable, strong and individual setup support is also necessary to enjoy a product. That’s the way it should be!

Happy: that is the most important word! When we sat down for a small workshop a few weeks ago, one of the main topics was how we can further expand the support for our customers. We already rely on many different processes and tools: besides documentation and API descriptions via Postman and Swagger UIs, we offer a support portal, a community platform and a chat. Our support team consists of colleagues from the development and product teams as well as from our management. They support specific customers, so our team is always well informed, has deep knowledge of cidaas and knows the customer’s setup. Through continuous, intensive training, the team is familiar with a wide range of use cases and possible applications and is available to advise our customers. This constellation distinguishes our support from that of many other product manufacturers.

So, what has changed? – We have renamed our Support Team to Happiness Team!

Although this may sound somewhat platitudinous, it expresses the fact that we are not just a pure support team, but it is our mindset and objective to make our customers happy with cidaas.

Learn more about us or meet us personally and contact us here in the chat.

Detect Compromised Credentials – Goodbye password

With Compromised Credentials Detection, users are informed about stolen or already cracked passwords to protect them even better. Let us first reveal why Compromised Credentials Detection is necessary and how digital platforms can be made even more secure.

We have been promoting our initiative “Goodbye password – The future of login” for quite some time now.

We would like to take this up again in this blog post and highlight the advantages of password-less authentication procedures.

But let us start from the beginning. We first published an article on the three most common hacker attacks at the end of July: https://www.cidaas.com/blog-en/identity-theft-hacker-attacks/ and then, at the end of August, an article explaining why 4 out of 5 privacy violations are related to weak or stolen passwords: https://www.cidaas.com/blog-en/world-wide-4-out-of-5-data-breaches-arise-from-weak-or-stolen-passwords/.

Passwords carry the inherent problem of any secret: eventually it can be guessed by simple trial and error.

This problem has so far been addressed by, firstly, trying to prevent or at least slow down brute force attacks and, secondly, setting the required password strength accordingly high. As a short example, a password of 6 lower case letters (26 letters without ä, ö, ü and ß), e.g. secret, gives 26^6 = 308,915,776 possible different passwords. If the required strength is raised to a 12-character password combining upper and lower case letters (without ä, ö, ü and ß), the 10 digits and 10 special characters (e.g. !, @, #, $, %, ^, &, ?, / and +), e.g. Geh3imn1ss!2, this gives 72^12 possible different passwords. This makes it much more difficult for an attacker to guess the password.

However, now we arrive at the real problem with secrets: the human being. As humans, we do not use randomly chosen combinations of numbers and characters; we follow certain patterns and use certain variations to create passwords that are “easier” for us to remember and that comply with the password guidelines of digital portals, as in the example above, Geh3imn1ss!2. This leads to us often using one and the same password, an extension of it, or a small variation of it. And that makes it easier for the attacker, who does not have to address the entire solution space of 72^12 but can search it in a structured way through models, patterns and, especially, already stolen passwords.

How can this problem be solved? – The answer is you cannot!

Simply asking users to choose secure and completely different passwords for each portal does not mean they do so. Studies provide a wide range of figures on the number of identities or accounts that users have on digital portals, from 30 to well over 100; the magnitude shows that users have many accounts and cannot remember a different password for each of them.

As the traditional login is common practice for many people and will continue to be so for some time to come, we are working continuously to increase the security of the existing authentication with passwords. We are also pleased to announce the new cidaas feature Compromised Credentials Detection, which has been in beta testing since this week. With our new feature, we offer the possibility to check users’ passwords against already stolen passwords. By integrating this feature into the registration process, or the password change/forgotten process, users can be notified that their chosen password has been cracked several times or has appeared in stolen password records. In this way, we help users to choose secure passwords that hackers cannot easily guess by using stolen data sets.
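How a compromised-credentials check can be wired into registration or password change, as an added example that is not cidaas's implementation: the breached-password corpus and its counts are constructed, and the lookup uses the prefix-range (k-anonymity) approach, so only the first five hex characters of the password's SHA-1 leave the client and the full hash is never sent anywhere.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a corpus of passwords seen in breaches (value = number of occurrences).
LEAKED_PASSWORDS = {
    "123456": 23_000_000,
    "password": 3_700_000,
    "qwerty": 1_200_000,
    "secret": 600_000,
    "Geh3imn1ss!2": 3,  # policy-compliant but patterned, so it still turns up in leaks
}


def sha1_hex(password: str) -> str:
    """SHA-1 is used only as a lookup key into the breach corpus, never to store the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side: breach hashes bucketed by their 5-character hex prefix."""
    PREFIX_LEN = 5
    HEX_DIGITS = set("0123456789ABCDEF")

    def __init__(self, leaked: dict):
        self.buckets = defaultdict(dict)
        for password, count in leaked.items():
            digest = sha1_hex(password)
            self.buckets[digest[: self.PREFIX_LEN]][digest[self.PREFIX_LEN :]] = count

    def range_query(self, prefix: str) -> dict:
        """Returns every suffix in the bucket, so the server cannot tell which one the client holds."""
        if len(prefix) != self.PREFIX_LEN or any(c not in self.HEX_DIGITS for c in prefix):
            raise ValueError("prefix must be 5 uppercase hex characters")
        return dict(self.buckets.get(prefix, {}))


def times_seen(index: BreachIndex, password: str) -> int:
    """Client side: sends only the prefix and finishes the comparison locally."""
    digest = sha1_hex(password)
    bucket = index.range_query(digest[: BreachIndex.PREFIX_LEN])
    return bucket.get(digest[BreachIndex.PREFIX_LEN :], 0)


def check_new_password(index: BreachIndex, password: str, min_length: int = 12) -> list:
    """Registration / password-change hook: returns the reasons a password is refused (empty = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = times_seen(index, password)
    if seen:
        problems.append(f"appeared {seen} times in stolen password records")
    return problems


if __name__ == "__main__":
    index = BreachIndex(LEAKED_PASSWORDS)
    for candidate in ("123456", "Geh3imn1ss!2", "correct-horse-battery-staple"):
        print(candidate, "->", check_new_password(index, candidate) or "accepted")
```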

Let us think one step further. Besides memory, a much more important human criterion comes into play: user comfort. Today users seek and demand the best possible user comfort and punish providers of digital services with non-use if it is not offered. Be it a shop where you cancel the purchase and switch to another provider because the registration form is too long, or the app where the user does not stay logged in or cannot simply authenticate with device biometrics, but has to deal with a traditional username and password login.

These are all indicators that the life cycle of the password for the public is coming to an end in the foreseeable future. At the same time, more and more password-free alternatives are opening for users to authenticate themselves securely and conveniently. We, at cidaas, want to further promote password-less authentication and have therefore launched the initiative www.tschuesspasswort.de.

To increase security further, multi-factor authentication methods can be integrated into the login process. To enhance convenience, a risk-based multi-factor authentication system is suitable, with which multi-factor authentication is only requested if there is a suspicion of identity theft or if there is an increased risk.

We are delighted to offer our customers a competitive advantage in terms of security and convenience with the password-less authentication procedures.

World-wide 4 out of 5 data breaches arise from weak or stolen passwords
Initiative Bye Bye Password: with advanced login we create more convenience and security for users on digital channels.

“Your password must be at least 8 characters long and must contain at least one uppercase letter, one lowercase letter, a number and a special character.” We are all too familiar with the failure of password guidelines.

Not so long ago, passwords were all we relied on to secure our digital lives. Over time they lost their value, as we users began to reuse an endless series of easy-to-guess phrases. This is not surprising: with countless accounts, each with its own password policy, it became impossible to remember them all.

Furthermore, the underlying technology itself made passwords vulnerable to a variety of attacks, phishing being one example.

Let us get some facts: Weak or stolen passwords are responsible for an average of four out of five global data breaches.

If we free ourselves from passwords, then:

Our users can use the digital services offered without friction. Our interest in registering a user has several sides. First, we want to recognise our customers, create a personal experience and create new added value. Second, as a matter of principle, we do not want someone unknown to us using the digital service. Third, the user has certain rights to perform tasks; once the user is identified, the system can grant exactly those.

Authenticating users is therefore important. The end devices used can look very different. On a smartphone, for example, complex character strings are impractical. Manufacturers recognised this early on and created mechanisms such as Android fingerprint, Touch ID or Face ID. Where gloves are worn at work, however, the fingerprint is not a practical authentication method.

Protect our users from identity theft

A password is a secret word or string of characters used in user authentication to prove identity.
For a long time the BSI issued guidelines on when a password counts as secure and how often a new one should be set. It has since distanced itself from these rules, because once the rules are public, attackers can tailor their guesses to them. The blog post Identity Theft: The 3 most frequent hacker attacks shows why password-less procedures matter.

Secure our systems against unauthorized access

In addition to protecting users, password-free procedures also prevent unauthorised access to the system. Besides internal company data, we thereby also protect ourselves against activity on the system that could damage the company.

Let us create more efficiency in the company

The sheer number of passwords and password changes makes the use of internal applications time-consuming for employees too. Password-reset processes are also complex and expensive.

The motto is “Bye password, hello modern login”: password-less authentication simply means using authentication methods we already know from mobile devices, or one-time passwords delivered by e-mail, push and many other channels. With these advanced authentication methods, users can be offered a better digital experience.

Identity theft: The 3 most common hacker attacks

Hacker attacks come in many forms and with different targets; identity theft is one of them. In this post we show which kinds of attack occur in the field of identity theft, why password rules do not help against them, and how identity theft can be prevented.

Every company now holds digital identities, across the board. In one case it is mostly employee data, in another countless customer records. We owe this to digitalisation and the new possibilities of digital services, and it has also increased the potential for attacks.

As a rule, users gain access to a digital service by entering a username or e-mail address and a password.
In some cases the password must also be changed after a certain period and chosen according to password rules, so that it is as complex as possible.

Are passwords and password rules the ideal protection?

I think the answer to this question is quite clear. But passwords are not insecure per se. Rather, we make them insecure by reusing them or by choosing them so that we can still remember them.

In early February, the BSI dropped the following recommendation on passwords from its guidance: “Passwords should contain upper- and lower-case letters, numbers and special characters and should be changed periodically.”

Which hacker attacks are there and why do password rules not help?

Phishing:

Let us unpack the dictionary definition. “Phishing means the interception of data from Internet users via fake Internet addresses, e-mails or SMS.” (Gabler Business Dictionary)

Basically, it is exactly that: criminals try to trick users into entering their access data via e-mails, SMS or other channels, some of which appear very authentic.

In this context I would like to mention social engineering. Users are manipulated through the attacker’s interaction and skill, and are therefore unfortunately a risk factor. This is why companies typically hold security awareness training in which exactly these dangers are pointed out.

Access data can quickly fall into the wrong hands this way, and a password rule offers no protection against it at all: the complexity of a password is irrelevant once the user has typed it into the attacker’s form.

Password Spray / Brute Force:

In a password spray attack, the most common passwords are tried against countless accounts: one common password across all accounts, then the next. Rotating across accounts in this way keeps every single account below its lockout threshold before the next common password is tried.

Brute force, by contrast, means a machine fires large numbers of login attempts at one account within a very short time.

Password rules can even have negative effects. Once the rules in use are known, an attacker can discard every candidate that does not satisfy them and concentrate on those that do. On balance they still provide a little protection, as they typically make users’ passwords more complex.

In principle, however, this protection is not sufficient. The emphasis should instead be on smart multi-factor authentication and bot-net detection to counter such attacks.

Credential stuffing

Data theft and the sale of stolen data on the Internet appear to be a lucrative business. Since users like to use the same login data on different platforms, credential stuffing has emerged as a new form of brute force attack.

Well, you cannot really blame users for it either. There are so many digital channels, platforms, and services and different devices on which you want to use all these services. A user simply cannot remember passwords in this number.

During credential stuffing, the stolen access data is therefore tried on the various platforms to gain access to the user accounts.

In our opinion, two measures are important against this. Again, bot-net detection is critical to detect and block a bot network. Second, for users, password-less methods such as Touch ID on smartphones, or one-time passwords, offer not only greater convenience but also much greater security and protection against identity theft.
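The three attack patterns described in the password spray / brute force section and in this credential stuffing section leave different traces in a login audit trail, and that difference is what a detection rule keys on. The following is an added example (not cidaas’s bot-net detection and not code from the original post) that runs simple heuristics over a constructed sample log: many failures on one account points to brute force, one source touching many accounts with one or two guesses each points to spraying, and failures spread over many accounts and many sources with a handful of successes among them points to credential stuffing. The log format, thresholds and IP addresses are all assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of one short analysis window of login audit events (sample
# data, not real logs). Format: <timestamp> user=<name> ip=<addr> result=<fail|success>
SAMPLE_LOG = """\
2024-03-01T10:00:01Z user=alice ip=10.0.0.5 result=fail
2024-03-01T10:00:02Z user=alice ip=10.0.0.5 result=fail
2024-03-01T10:00:02Z user=alice ip=10.0.0.5 result=fail
2024-03-01T10:00:03Z user=alice ip=10.0.0.5 result=fail
2024-03-01T10:00:03Z user=alice ip=10.0.0.5 result=fail
2024-03-01T10:00:04Z user=alice ip=10.0.0.5 result=fail
2024-03-01T10:00:10Z user=bob ip=203.0.113.9 result=fail
2024-03-01T10:00:10Z user=carol ip=203.0.113.9 result=fail
2024-03-01T10:00:11Z user=dave ip=203.0.113.9 result=fail
2024-03-01T10:00:11Z user=erin ip=203.0.113.9 result=fail
2024-03-01T10:00:12Z user=frank ip=203.0.113.9 result=fail
2024-03-01T10:00:12Z user=grace ip=203.0.113.9 result=fail
2024-03-01T10:00:20Z user=h.meyer ip=198.51.100.11 result=fail
2024-03-01T10:00:20Z user=j.koch ip=198.51.100.11 result=fail
2024-03-01T10:00:21Z user=k.lang ip=198.51.100.12 result=success
2024-03-01T10:00:21Z user=m.wolf ip=198.51.100.12 result=fail
2024-03-01T10:00:22Z user=n.roth ip=198.51.100.13 result=fail
2024-03-01T10:00:22Z user=p.otto ip=198.51.100.13 result=fail
2024-03-01T10:00:30Z user=zoe ip=192.0.2.7 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>fail|success)$")


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyse(events, threshold=5, min_sources=3):
    """Classify the failure patterns in one analysis window (thresholds are assumptions)."""
    failures = [e for e in events if e["result"] == "fail"]

    # 1. Brute force: many failed guesses against ONE account, from whatever source.
    per_user_fail = Counter(e["user"] for e in failures)
    brute_force = sorted(u for u, n in per_user_fail.items() if n >= threshold)

    # 2. Password spray: ONE source cycles through many accounts with at most a
    #    guess or two each, so no single account reaches its lockout counter.
    users_per_ip = defaultdict(Counter)
    for e in failures:
        users_per_ip[e["ip"]][e["user"]] += 1
    password_spray = sorted(
        ip for ip, users in users_per_ip.items()
        if len(users) >= threshold and max(users.values()) <= 2
    )

    # 3. Credential stuffing: leaked username/password pairs replayed once each,
    #    spread over many sources (a bot network). Events already explained by the
    #    two patterns above are set aside so they are not counted twice.
    residual = [e for e in failures if e["user"] not in brute_force and e["ip"] not in password_spray]
    stuffing_users = {e["user"] for e in residual}
    stuffing_ips = {e["ip"] for e in residual}
    credential_stuffing = None
    if len(stuffing_users) >= threshold and len(stuffing_ips) >= min_sources:
        # Successful logins from the same sources are the accounts actually taken over.
        taken_over = sorted({e["user"] for e in events
                             if e["result"] == "success" and e["ip"] in stuffing_ips})
        credential_stuffing = {
            "users_targeted": len(stuffing_users),
            "source_ips": len(stuffing_ips),
            "successful_logins": taken_over,
        }

    return {"brute_force": brute_force, "password_spray": password_spray,
            "credential_stuffing": credential_stuffing}


if __name__ == "__main__":
    for kind, finding in analyse(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {finding}")
```

On the sample window this flags alice as the brute-forced account, 203.0.113.9 as the spraying source, and a distributed stuffing run over five accounts from three sources in which k.lang’s login succeeded and therefore needs immediate attention; zoe’s normal login from an uninvolved address is left alone. The per-account lockout counter that stops brute force is exactly what spraying and stuffing are designed to stay under, which is why the second and third rules aggregate across accounts and sources rather than per account.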

If you want to know more about security, check out our article “Security for data in the digital and real-world” or see how our customers use cidaas.
