Complete guide for SSL, TLS and certificates

AES

Latest — Apr 8, 2025

What is the Advanced Encryption Standard (AES)?
Where is AES encryption used?
How AES encryption works
Advantages of AES encryption
Attacks on AES encryption
How to prevent attacks on AES encryption
How does AES compare to other encryption?
How Passwork can help with encryption

What is the Advanced Encryption Standard (AES)?

The Advanced Encryption Standard (AES) is a method used to convert plain text into unintelligible code. This encrypted data can only be accessed by those who possess the proper key.

The United States government formally made AES its encryption standard during 2001. National Institute of Standards and Technology (NIST) selected AES to replace the outdated DES encryption system after conducting its evaluation. It is currently among the most dependable approaches for securing digital information.

What is unique about AES? It is quick, safe, and adaptable. 128, 192, or 256-bit keys may be used with it. The protection increases with the length of the key. But even the 128-bit version is considered very secure.

AES uses a symmetric encryption method. That means the same key is used to lock and unlock the data. Both sides must have the same key to communicate safely.

Governments, banks, and tech companies use AES every day. It guards emails, passwords, files, and even voice calls.

Where is AES encryption used?

AES encryption works discreetly behind the scenes, protecting your data every day. It keeps logins, online banking, Wi-Fi, and cloud storage. Mobile applications, communication tools like WhatsApp and Zoom, and cloud systems like Google Drive depend on AES. It’s embedded into USBs, SSDs, and cellphones to lock down data. Even if your gadget goes lost, AES keeps data protected. Businesses use it to preserve client details, emails, and personnel records. Governments trust AES too, making it important for securing sensitive data across both personal and professional contexts.

How AES encryption works?

AES scrambles your data via a technique called substitution and permutation. It might sound complex, but let’s break it down.

AES separates the data into generally 128-bit long small blocks. It then sends each block through a sequence of steps called rounds. The number of rounds depends on the key size:

10 rounds for 128-bit
12 rounds for 192-bit
14 rounds for 256-bit

Each round updates the data using mathematical operations. It mixes stuff up, substitutes bits, and changes components around. The key guides this entire process — without the appropriate key, the result appears like random garbage.

This is where AES excels. The same procedure is used to encrypt and decrypt. You simply reverse the steps using the same key.

Because it employs a block scheme, AES operates rapidly. It’s also less likely to break down if a tiny element is modified or lost. That’s why it’s perfect for huge files and streaming.

To put it simply, AES transforms your communication into a puzzle. Without the key, the components won’t fit.

Advantages of AES encryption

Globally, AES encryption is trustworthy, rapid, and strong. It’s one of the most secure methods for protecting information, which is why banks, governments, and major tech companies use it every day.

One major win? Speed. AES operates quickly on both small and large files. It runs nicely even on minimal hardware. That means it won’t slow things down — even while encrypting huge amount of data.

Security is another significant advantage. AES employs complicated keys and several rounds to scramble information. Hackers can’t break it without huge computational power. And even then, it would take thousands of years.

Flexibility matters too. AES offers three basic key lengths: 128, 192, and 256 bits. You can choose the degree of security suited for your scenario — longer keys give greater protection.

It’s also extensively embraced. Since it’s a worldwide standard, most tools and platforms support it. That makes integration simpler. You don’t need to develop anything from the start.

Plus, AES is efficient. It requires less system resources than some previous approaches. That saves power on mobile devices and keeps systems working smoothly.

Attacks on AES encryption

AES is challenging to penetrate. Still, attackers continuously attempt new techniques. Instead of breaking the math behind AES itself, they usually target the systems that use it.

One such way is side-channel assaults. These don’t touch the algorithm itself. Instead, they monitor how it operates. Think power utilization, timing, or electromagnetic leakage. It's like eavesdropping on someone inputting a password, not breaching the lock.

Another option is the brute force assault. This requires testing every key until one fits. For AES-128, that’s 2¹²⁸ combinations. It’s an extremely large number—just to give you an idea, it’s much more than the number of atoms in the observable universe. Even the fastest computers would require billions of years. Simply, it’s just not practical.

Some go target weak passwords instead. AES may be strong, but a lousy password may shatter everything. It’s like putting a cheap lock on a bank vault.

Then there’s the related-key assault. It’s unusual and only works if attackers know specific details about the keys. With effective key management, this attack is virtually worthless.

Sometimes, hackers utilize key recovery attacks. They attempt to find out the encryption key by examining trends or flaws in how data is handled.

These assaults don’t indicate AES is weak; they merely illustrate that security isn’t about one single component. It's about the complete picture. The configuration, the keys, the users — each plays a crucial role.

How to prevent attacks on AES encryption

Even the toughest lock requires a clever owner. AES is strong, but wise usage makes it secure.

First, use strong, unique passwords. Don’t reuse them. Don’t make them simple. A good encryption system with a weak password is like closing your door and putting the key under the mat.

Next, safeguard your keys. Don’t store them with your data. That’s like placing your combination lock and the code in the same drawer. Use separate, trustworthy key management tools.

Keep your software updated. Old systems may contain faults or weaknesses that attackers already know. Patches heal the flaws. Skipping updates gives hackers a head start.

Watch out for side-channel leakage. If attackers can read power utilization or timing, they may put things together. Devices processing AES should have protection against these signals.

Don’t forget access control. The castle's keys are not necessary for everyone. Limit who can see or utilize sensitive data.

Also, avoid copy-paste security configurations. What works for one system may not suit yours. Understand your requirements, then pick the proper settings.

How does AES compare to other encryption?

AES stands tall in the encryption world. But how does it compare to others like RSA and DES?

First off, AES is symmetric. That means the same key is used to lock and unlock data. It's fast and works great when both parties already know the key. RSA, on the other hand, is asymmetric. It uses a pair of keys: one public, one private. It's slower but better for situations where users don’t share a key ahead of time like email encryption.

Now, DES used to be the big boss. But it's way too weak now. Hackers can crack it in hours, maybe less. AES replaced it because it’s faster, safer, and designed to last.

What makes AES shine is its balance, strong security, quick processing, and wide use. It runs smooth on most devices and doesn’t eat up system power like RSA. That’s why it’s popular in banking, Wi-Fi, and cloud apps.

RSA still has a place, especially for secure key exchanges. But once the keys are shared, AES usually takes over.

Using RSA acts like a bodyguard giving you the key to access a protected space implemented through AES encryption.

AES provides greater encryption security than original encryption systems such as Blowfish and Twofish. Users benefit from its global-wide tested, trusted, and authorized security approval.

AES-128 vs. AES-256

AES encryption includes three key variations which are explained through 128, 192 and 256-bit measurement systems. AES-128 and AES-256 represent the primary opposition group of encryption standards. AES-128 employs a 128-bit key. AES-256 uses a 256-bit key.

Simple, right? The key length directly affects the strength of the encryption, which is what distinguishes these two variations. Taking longer key lengths enables hackers to face increased difficulty when trying to predict potential combinations. AES-256 offers a key selection capacity 2¹²⁸ times greater than AES-128 does. That’s not just bigger, that's gigantic.

But here’s the twist. AES-128 is still quite secure. Experts have yet to break the code, even with the power of supercomputers attempting to crack it. The algorithm runs quickly and consumes minimal power, making it ideal for mobile devices and real-time applications.

AES-256 gives further levels of safety. The encryption shows resistance to force-based attacks while delivering maximum protection against complex threats. Government and military organizations implement AES-256 because the extra security level exceeds their requirements.

So, which one should you use? Consider AES-256 as your protection choice if you need the highest level of encryption security. AES-128 provides sufficient protection to secure most typical applications when one considers both speed and security performance. Deciding between armed tank protection and bulletproof vehicles represents the choice between AES-256 and AES-128 cryptographic protocols. Both protect you. One is simply more robust.

Bottom line? AES-128 is quick and powerful. At the same time AES-256 provides maximum strength yet operates at slightly reduced speed. The selection should rest on your specific needs regardless of any exaggerated claims.

AES vs. RSA

AES and RSA both provide strong data protection, but they operate in fundamentally different ways.

AES is symmetric encryption — fast, efficient, and perfect for large files or real-time communication.

RSA is asymmetric. This cryptographic system requires two specific keys where one remains public for encryption purposes and the second remains private for decryption functions. People can provide encrypted content like putting letters in a mailbox yet only the mailbox owner possesses the required key for decryption.

AES encryption operates at speeds much higher than those of RSA encryption. The majority of systems first use RSA to distribute the AES key before they transition to AES operations. The system works similar to RSA which opens the door before AES handles all the cleaning operations within.

RSA is ideal for secure key exchange, especially over open networks like the internet. But it's slow for large data. Very slow.

AES shines when speed matters. It’s built for bulk encryption files, hard drives, apps, you name it.

So, which is better? Neither. They do different jobs. In fact, most secure systems use both together. RSA to safely share the AES key. AES to encrypt the actual data.

AES vs. DES

AES and DES are both encryption standards, but they’re not on the same level. DES came first. It was developed in the 1970s. Back then, it was a big deal. It protected sensitive data for decades. But times changed. Hackers got smarter. Computers got faster. And DES started to fall apart.

DES uses a 56-bit key. That sounds fine until you realize how easy that is to crack today. A regular desktop computer can break DES in hours. A powerful system? Minutes. That’s not good enough anymore.

AES came in to fix that. It uses key widths of 128, 192, or 256 bits. That’s a massive upgrade. AES isn’t just harder to break, it's practically impossible with today’s tools. That’s why banks, the military, and even WhatsApp trust AES.

There’s also speed. DES works with 64-bit blocks, while AES handles 128-bit blocks. AES encrypts more data at once and does it faster. DES feels like a typewriter in a world of smartphones.

In simple terms: DES is outdated. It’s like using a flip phone when you could have a secure smartphone. AES isn’t just better. It’s safer, smarter, and future-proof. If you care about security, there’s no real debate.

What is advanced encryption standard and how does it work

AES encryption FAQ

Is AES symmetric or asymmetric?

AES is a symmetric encryption algorithm. The encryption process utilizes a single key which performs the decryption operation as well. The system functions by utilizing a solitary key both for encryption and decryption processes. The system enables rapid execution for encrypting files and networks alongside message protection since it depends on existing shared keys between users. Symmetric systems like AES are usually faster than asymmetric ones, but the trick is safely sharing that key. If someone steals the key, they get access. That’s why key management is super important with AES.

What is AES 128 vs. 192 vs. 256?

The key sizes measured in bits include numbers ranging from 128 to 192 and 256. Extended keys become harder to break. AES-128 is already extremely secure. Higher security levels come from AES-192 and AES-256 — yet they operate at a slightly reduced speed. A majority of systems choose AES-256 because of its exceptional security features. The padlock analogy applies where AES-128 represents strong security while AES-256 functions at Fort Knox level of protection. Each AES version maintains a constant block size of 128 bits alongside unchanged basic building components while adding additional rounds of complexity through larger key lengths.

Is 128-Bit AES secure?

Yes, AES-128 is very secure even by today’s standards. It would take billions of years to brute-force with current tech. While some organizations prefer AES-256 for extra strength, AES-128 has never been broken. It’s still widely used in apps, websites, and devices. Unless someone invents a quantum computer that works like magic, AES-128 isn’t going anywhere. It’s fast, reliable, and strong enough for almost any purpose.

Is AES the best encryption method?

For most uses? Yes. AES is the gold standard. It’s trusted by governments, banks, and tech companies worldwide. It’s fast, secure, and flexible. That’s hard to beat. It’s not perfect for everything, though. For secure email or digital signatures, asymmetric methods like RSA work better. But for locking down files, networks, or apps? AES takes the crown. It’s been tested, approved, and trusted for over two decades and still going strong.

How Passwork can help with encryption

Keeping passwords safe is tough. You probably have dozens, maybe even hundreds of them. And when they’re scattered across random locations, it’s a disaster waiting to happen.

That’s where Passwork comes in. A password vault is a secure storage system that protects your sensitive information in one safe location. AES-256 encryption secures everything, using the same standard trusted by banks and governments. So, yeah, it’s solid.

But Passwork doesn’t stop at security. It also makes your life easier. You don’t need to memorize every login. Just store it once, and boom it's always there when you need it. Need to share passwords with your team? You can do that safely without sending anything over chat or email. No more “What’s the Wi-Fi password again?” moments.

Passwork also puts you in control. You decide who gets access, when, and to what. You can see logs of who accessed what and when. Plus, you can view logs showing who accessed what and when. It’s peace of mind for IT admins and managers.

And let’s not forget backups. Passwork keeps your data synced and safe. If something goes wrong, you’re not stuck. Your passwords are still locked down and ready to go.

What is the Advanced Encryption Standard

Cybersecurity

Apr 1, 2025 — 8 min read

Introduction
What is a cybersecurity risk assessment?
The importance of cyber risk assessment
Who should perform a cyber risk assessment?
Common cybersecurity risks and threats
How to perform a cybersecurity risk assessment
Conclusion

Introduction

The surge of cybercrime involves attacks that continue to become more complex and expensive. Cybercrime experts predict that costs from cybercrime will reach $10.5 trillion by 2025 therefore cybersecurity risk assessments need to become more essential than before. Attacks against organizations occur through the abuse of weak networks alongside software flaws together with undetected human errors.

A cybersecurity risk assessment enables businesses to locate and solve security vulnerabilities which become devastating breaches unless addressed. When organizations omit this step they become vulnerable to ransomware intrusions as well as phishing attacks from inside their operations and non-compliance issues arise. The 2017 Equifax breach revealed 147 million records because an updated vulnerability remained unpatched. This guide explains cybersecurity risk assessments while showing their significance and offers proper execution directions.

What is a cybersecurity risk assessment?

The definition of a cybersecurity risk assessment involves identifying and reducing potential threats against IT systems data and operational environments.

The goal of a cybersecurity risk assessment is to help organizations detect and lower the risks impacting their IT systems together with their data and operational functions. Modern cybersecurity threats demand active protective security measures to prevent potential audience points of weakness.

Key components of a cybersecurity risk assessment

Risk identification
Identifying Cyber weaknesses in systems, software, networks, and employee practices a cybercriminal can exploit.

Risk analysis
Assessing the impact that these threats can have on the business continuity, finances, and regulatory compliance.

Risks mitigation
Take cybersecurity mitigations like firewalls, encryption, MFA (multi-factor authentication), and user training.

Risk monitoring
Updating and improving security strategies to adapt to changing cyber threats, including keeping up with compliance requirements such as NIST, ISO 27001, GDPR, and other cybersecurity data compliance regulations

Analogy: Cybersecurity risk assessment is like a home security audit

Imagine your home. You wouldn’t leave the doors unlocked or overlook vulnerable entry points that could be used by intruders to gain access. You wouldn’t leave your door unlocked, though: you’d put in locks, security cameras and an alarm system so that no one could break in. Just like how risk assessments in cybersecurity allow businesses to discover and fix gaps in their digital defenses before they can be exploited by hackers.

The risks of neglecting cyber risk assessments

Failing to perform routine assessments for cybersecurity related risks makes organisations vulnerable to data breaches, financial loss, damage to reputation, and fines. There are had cybercrimes, including ransomware, phishing, and insider threats, that's steal customer information and grind operations to a halt.

Assessment and strengthening of security defenses are measures which protect sensitive data and keep modern business up and running, hence minimizing risk for companies.

What is the primary purpose of a risk assessment in cybersecurity

The importance of cyber risk assessment

Organizations today must perform cyber risk assessments since they are a mandatory requirement. The absence of consistent assessment puts businesses at risk of losing data confidentiality through breaches and operational interruptions while harmful damage occurs to their public image. Security maintenance along with stability depends directly on discovering and solving vulnerabilities.

Why businesses must conduct cyber risk assessments

Preventing financial losses
Cyberattacks can have severe financial consequences, with the average data breach costing up to $4.45 million. This includes expenses for system recovery, legal fees, reputational damage, and customer loss (IBM Cost of a Data Breach Report, 2023). Regular security audits and risk assessments help businesses detect vulnerabilities early, preventing costly breaches and saving significant resources.

Ensuring business continuity
Cyberattacks don't just compromise data; they can bring business operations to a standstill, resulting in extended downtime and revenue loss. A ransomware attack, for example, has the potential to lock businesses out of critical systems for days or even weeks. Businesses can establish safety protocols at the outset to minimize the blow when a sucker punch comes in the form of a cyberattack.

Avoiding legal penalties & compliance violations
Established security regulations require multiple sectors to take specific actions including:

● NIST Cybersecurity Framework

● CISA Cybersecurity Risk Assessment Guidelines

● ISO 27001 Information Security Standard

● GDPR & HIPAA Data Protection Laws

Non-adherence to regulations results in both significant court actions and hefty fines together with potential damage to public image. Businesses that conduct cyber risk assessments on a regular basis stay compliant with regulations thus preventing any potential legal consequences.

Who should perform a cyber risk assessment?

A business can evaluate risks through dedicated IT personnel or by contracting with external cybersecurity firms.

Internal IT teams vs. third-party assessments

Internal IT teams
Suitable for companies with a dedicated cybersecurity team. Internal IT staff members reduce costs but typically have fewer advanced assessment capabilities at their disposal. Companies conducting security evaluations through their own staff members risk introducing personal preferences that might affect the evaluation results.

Third-party cybersecurity firms
The company should present independent professional cybersecurity knowledge for conducting threat evaluations. Companies benefit from receiving both advanced security technology together with the most recent threat intelligence information. Level of precision along with objectivity rises significantly yet costs more money. Third-party cybersecurity services provide small businesses that have limited resources with thorough security risk assessments which are also conducted without bias.

Different approaches to cyber risk

An organization can execute cyber risk assessments by hand or through programmed systems which provide both pros and cons for each method.

The direct assessment method allows internal IT groups or external cybersecurity companies to perform detailed evaluations but demands experienced personnel along with prolonged examination durations. The approaches deliver specific results that could contain mistakes due to human factor involvement.

Cyber risk assessment tools perform automated scans on vulnerabilities at high speed because of their automated nature. The automated assessment method delivers time and cost effectiveness although it lacks the contextual knowledge that manual assessment provides.

Organizations team up these two risk assessment approaches to achieve full visibility into potential threats to their cybersecurity posture.

Types of risk assessment in cyber security

Common cybersecurity risks and threats

● Hackers stealthily access systems using malicious software programs to steal vital information that they hold hostage as ransom. WannaCry ransomware conducted a worldwide attack on 200,000 machines which led to massive disturbances together with substantial monetary damages.

● Cybercriminals use social engineering tactics along with phishing to obtain confidential employee information. The 2020 Twitter system breach occurred when employees fell victim to a phishing scheme that led to the system compromise.

● The organizations experience data breaches when employees together with third-party business associates and contractors either by mistake or deliberately reveal confidential information.

● Software vulnerabilities become targets for attackers at security holes that will not receive fixes before their launch.

● Numerous companies encounter cloud security issues due to their inability to protect cloud-stored sensitive customer information.

How to perform a cybersecurity risk assessment

The process of performing a cybersecurity risk assessment enables organizations to find system weaknesses while stopping possible internet threats. To evaluate successfully you should follow these provided steps.

Determine the scope
Establish which information systems along with data and external vendors require assessment consideration. Organizations should follow compliance standards that include NIST and ISO 27001 as well as HIPAA and the GDPR.

Identify and prioritize assets
Organizations should place assets within categories depending on their different risk rankings:

● Critical: Customer databases, financial records, intellectual property

● Medium: Internal emails, login credentials

● Low: Archived data, public website content

Identify cyber threats and vulnerabilities
Determine which vulnerabilities hackers can use against your assets including ransomware malware along with phishing attacks. Results of penetration testing and vulnerability scanning help organizations detect their risks.

Assess and analyze risks
Assess every menacing factor through past scenario occurrences and industry-established benchmarks. Data security breaches trigger multiple adverse effects that include monetary losses alongside operational interruptions together with damage to company reputation.

Calculate risk probability and impact
Evaluate and categorize risks using qualitative analysis in order to determine their level (low, medium, high) as well as their potential financial consequences.

Prioritize risks with cost-benefit analysis
Allocate resources efficiently. Clients should invest in multiple-step authentication security measures to handle a $5M ransomware risk.

Implement security controls
Deploy firewalls, MFA, and encryption. The protection value improves when maintaining regular software updates and performing security audit inspections.

Monitor and document results
Security assessments need to run continuously and annual checkups need to function alongside incident log maintenance for following compliance protocols.

Benefits of cybersecurity risk assessments

Security risk assessments act as defensive tools which protect a company from cyberattacks while enabling companies to follow regulations and fortify their defenses leading to data protection and protecting them from expensive breaches.

Conclusion

Security risk assessments should take place habitually because they detect vulnerabilities and stop attacks and maintain regulatory conformity. Companies need to take proactive security measures because cyber threats continue to change without any possibility for choice. Regular assessment practices allow businesses to create stronger defensive measures for their data protection and evade damaging data breaches. A long-term defensive position comes from continuous security monitoring together with employee training as well as enhanced cybersecurity tools. Security strategies deliver protection through preparedness as much as through defense initiatives. The current investment in cybersecurity defenses by businesses ensures their success in facing future risks. The regular performance of assessments will both protect your business from cyber threats and guarantee your preparedness regarding new security risks.

What is a cybersecurity risk assessment?

Password security

Mar 6, 2025 — 7 min read

Digital security demands the highest possible protection for passwords due to modern advances in digital presence. For effective password security people need to understand that cybercriminals have developed intricate ways to break passwords. The lack of password security foundation has resulted in many notable data breaches which released vital customer information and created severe financial losses together with reputation damage for companies.

The application looks into password security approaches through salting and peppering because they protect user credentials effectively. The paper explores implementation recommendations as well as a review of authentication strategies in present-day cybersecurity and emerging authentication trends.

Understanding password hashing

The core component for safe password protection rests in password hashing. System administrators use cryptographic hash functions to hide passwords by converting them into stable computational outputs known as hash codes. Hash values cannot be reversed to reveal the original password information after a transformation completes. The protection of passwords remains strong in case database systems fall victim to an attack.

Common hashing algorithms

Multiple cryptographic hash functions provide password security as part of their standard practice.

● SHA-256 functions as a safe hashing system that executes cryptographic applications with security as its primary priority. SHA-256 (Secure Hash Algorithm 256-bit) belongs to the SHA-2 standard of cryptographic hash functions. The Merkle-Damgård construction enables this system to split data into 512-bit blocks. The compression function inside this algorithm uses bitwise operations where XOR, AND, NOT, and shifts generate a 256-bit hash value. The security level of SHA-256 is solid but it fails to offer native defense against brute-force attacks so it cannot be used directly on passwords without salt insertion. The cryptographic method suffers from attacks that expand the input length.

● The adaptive function and automatically generated random components of BCrypt protect against brute-force attacks to establish superior password storage protection. BCrypt operates with Blowfish cipher technology while its cost factor controls the difficulty of the hashing procedure execution. The adjustment of cost factors allows for extending hash computation time which raises the cost of brute-force attacks both in time and resources. The security is improved through automatic BCrypt-generated salts designed for individual passwords.

● Argon2: A modern, memory-hard algorithm designed to be resistant to brute-force attacks by making hash computation resource-intensive. Argon2 has different variants like Argon2d, Argon2i, and Argon2id. Argon2d maximizes resistance against GPU-based cracking attacks by using data-dependent memory access. Argon2i is optimized to resist side-channel attacks by using data-independent memory access. Argon2id is a hybrid mode that combines the advantages of both Argon2d and Argon2i. It leverages memory-hard functions to resist side-channel attacks and GPU-based cracking, making it a robust choice for password hashing.

Hashing alone, however, is not sufficient because attackers can precompute hashes using dictionary attacks and rainbow tables. The process of salting and peppering takes over at this point.

What is salting?

The cryptographic method called salting enhances password hash security through its implementation. In the encryption process programmers introduce a unique random string called salt which they put before running the password through a hash function. Security salts stop cyber attackers from using precomputed tables called rainbow tables for password cracking.

Benefits of salting

A proper salting process stops identical passwords from producing identical hash values because attackers find it simpler to identify patterns in passwords that match.
The addition of salts defeats rainbow table attacks since they make computational password cracking via precomputed hash tables virtually impossible.
Strong hashing techniques together with individual password salts improve security through their ability to make attacks on different hashes impossible by using the same methods.

Best practices for salting passwords

Security demands each password to have its own unique salt.
Salts need to be placed in separate storage locations from posted hashes in order to protect user data from database breaches.
High-Entropy Salts are effective because their randomly created lengthy format decreases susceptibility to brute-force attempts. A password salt has unpredictable characteristics when its entropy level is high.
A 128-bit salt possesses such a great amount of randomness that guessing its value becomes virtually impossible.
The generation of salts requires using crypto-secure pseudo-random number generators (CSPRNGs).
Sustainable security comes from implementing complex Hashing Algorithms which include Argon2 and bcrypt among others; these methods demand high computing power from attackers.
The maintenance of security practices requires periodic evaluation and upgrade of password storage procedures in order to anticipate and counter new security threats.

What is peppering?

Pepper differs from salt by adding a hidden key (pepper) which secures passwords during hashing operations. A pepper serves as an additional security measure because unlike salt which stores password hash values it stays independent from database access.

Benefits of peppering

A stolen database remains insecure because penetration requires access to the protected pepper.
Separating the pepper from the database provides protection against unauthorized password decryption because database exposure is insufficient to complete password cracking.
The integration of a pepper element makes brute-force attacks much more difficult because attackers lack the required information to execute system wide hash testing.
Most automated attack scripts become less effective since they do not consider unknown pepper values in their standard operations.

Challenges of peppering

The storage location for the pepper needs to be separate from other data in a protected environment variable or hardware security module.
A compromised pepper poses a risk to decrypt all passwords which use that pepper whenever it gets exposed.
Organizations must replace their keys on a regular basis to decrease this security risk.
Organizations need to periodically change their peppers as part of their management requirements while maintaining hash integrity during replacements.
Proper implementation of peppering demands strategic approach because it needs to preserve efficient and scalable authentication procedures.

How salting and peppering work together

Security of passwords improves through the simultaneous application of peppering and salting techniques. A combination of salting provides unique hash values and peppering creates an added defense against potential attacks.

Users go through this process to create a password by using the following steps:

A new specific salt emerges which gets added following the password.
The pepper is applied as a secret addition to the combination of salted password.
A strong algorithm performs the hash operation on the final combined string.
Database storage houses both the combination of salt and hashed password but the system maintains exclusive control of the pepper data.
The combined security measures elevate password defense to such high levels that attackers would struggle to obtain undisputed passwords even after breaching the database.

Best practices for implementing salting and peppering

Use unique salts: Each password should have its own unique salt to maximize security. Store salts in a separate database column from password hashes.
Strong hashing algorithms: Implement industry-recommended hashing functions such as bcrypt, Argon2, and PBKDF2.
Secure pepper storage: Peppers should be stored independently from the database, such as in environment variables or a Hardware Security Module (HSM) for added protection.
Regular pepper rotation: Schedule periodic updates for peppers and encourage users to change their passwords when necessary.
Multi-factor authentication (MFA): Enhance security by requiring additional authentication factors beyond passwords.
Regulatory compliance: Ensure compliance with security standards like GDPR, NIST, and PCI DSS to protect against breaches.
Account protection measures: Implement failed login attempt limits and automatic account locks to prevent brute-force attacks.
Ongoing security audits: Regularly evaluate authentication and storage methods to detect and mitigate vulnerabilities.
User education: Encourage strong password creation using passphrases and password managers while promoting awareness of password security risks.

User education and password management

Each password requires its own individual salt creation to achieve maximum security level.
Storage of salts should be done in their own database column which must remain apart from the password hash storage area.
You should implement strong hashing functions which include bcrypt, Argon2 and PBKDF2 and other security hashing algorithms in your system.
The pepper must exist independently from the database storage by placing it either in environmental variables or within an HSM (Hardware Security Module).
The combination of security features in HSMs includes tamper-resistant storage and cryptographic key administration.
Security measures should be enhanced through Multi-Factor Authentication (MFA) which adds extra authentication protocols.
The combination of peppers should be replaced in scheduled rotations and you should change your passwords at needed times.
Protecting passwords against security breaches requires businesses to meet requirements of GDPR, NIST and PCI DSS while implementing robust password security.
Account security improves when system implements mechanisms that limit failed login attempts followed by automatic account locks.
The evaluation of password security practices should happen regularly through security evaluations which detect weak points in methods used for authentication and storage.
Users need to receive instruction about how to develop and store strong passwords through passphrases and password manager tools.
Users must receive proper training about creating strong passwords to improve security.
Creating passwords must start with developing complex alphanumeric passcodes that are different from each other and should avoid easy-to-guess passwords and grasp password reset danger points.

Compliance and regulatory landscape

Ensuring robust password security requires adherence to industry regulations such as GDPR, NIST, and PCI DSS. Key compliance measures include:

Salting & hashing: Each password should have a unique salt stored separately from hashed passwords. Use strong hashing algorithms like bcrypt, Argon2, and PBKDF2.
Secure pepper storage: Peppers should be stored independently, such as in environment variables or an HSM (Hardware Security Module) for tamper-resistant protection.
Multi-factor authentication (MFA): Implement MFA to enhance security and prevent unauthorized access.
Access control & monitoring: Enforce failed login attempt limits and automatic account locks to mitigate brute-force attacks.
Regular security audits: Conduct periodic evaluations to identify vulnerabilities in authentication and storage methods.
User education: Promote strong password practices, use of password managers, and awareness of password reset risks to minimize human error.

The Future of Password Security

New authentication methods become essential to combat evolving security threats despite existing added protection provided by peppering and salting. New trends in password security protection will include the following elements:

Through biometric authentication people no longer need to use passwords because their fingerprints and face and behavior patterns serve as alternative access methods.
Passwordless authentication: Provide more details on passwordless authentication methods like FIDO2 and WebAuthn. Public-key cryptography allows these technologies to authenticate users through passwordless authentication procedures.
Zero-Trust Security Models conduct continuous user identity verification for protecting against security threats.
The detection system uses AI algorithms to analyze suspicious login patterns for the purpose of preventing unauthorized entry.

Password security: Understanding salting and peppering

Feb 6, 2025 — 3 min read

AI technologies are changing industries fast and most companies are already using or will use AI in the next few years. While AI brings many benefits — increased efficiency, customer satisfaction and revenue growth — its also introduces unique risks that need to be addressed proactively.

From reputation damage to compliance violations and cyber attacks, the consequences of poorly implemented AI systems are severe. The rise of cyber-physical systems, like autonomous vehicles, highlights the need to integrate robust safety measures into AI development and deployment.

So experts have created practical recommendations to help organizations navigate these challenges. These guidelines are designed to make sure AI systems are secure, reliable and aligned with regulatory and ethical standards so businesses can use AI safely and responsibly.

Key risks to consider

With AI being applied in so many areas, businesses need to consider many risks:

Risk of not adopting AI
This may sound counterintuitive, but assessing the gains and losses of AI adoption is key to understanding and managing other risks.

Regulatory compliance risks
Rapidly evolving AI regulations make this a dynamic risk requiring frequent reassessment. Beyond AI-specific regulations, organizations must also consider associated risks, like violations of personal data processing laws.

ESG risks
These include social and ethical concerns surrounding AI and risks of exposing sensitive information.

Risk of AI misuse
From silly to malicious use cases, users will use AI in unintended ways.

AI models and training datasets threats
Attackers will target the data used to train AI systems and compromise their integrity.

Company services integrating AI threats
These will impact the broader IT ecosystem.

Data security risks
The data processed within AI-enabled services may be vulnerable to attacks.

The last three categories encapsulate the challenges of traditional cybersecurity in complex cloud infrastructures: access control, network segmentation, vulnerability management, monitoring, supply chain security and more.

Aspects of safe AI deployment

Safe AI deployment requires a balanced approach that combines both organizational and technical measures. These can be categorized into the following areas:

Organizational measures

Employee training and leadership education. Educate staff and leadership on AI risks and mitigation tools so you have an informed workforce to manage AI challenges.

Supply chain security. Scrutinize the source of AI models and tools. Make sure all resources come from verified, secure providers to reduce vulnerabilities.

Technical measures

Infrastructure security. A robust security infrastructure is necessary, incorporating identity management, event logging, network segmentation, and advanced detection tools like Extended Detection and Response (XDR).

Testing and validation. Thorough testing ensures AI models comply with industry standards, remain resilient to improper inputs, and meet specific business requirements.

Bias detection and correction. Detecting and addressing biases, especially when models are trained on non-representative datasets, is key to fairness and accuracy.

Transparency mechanisms. User-friendly systems for reporting vulnerabilities or biases helps organizations to build trust and improve AI systems over time.

Adaptation and compliance

Timely updates and compatibility management. Structured processes for updates and compatibility are needed to keep up with the fast pace of AI evolution.

Regulatory compliance. Staying aligned with emerging AI laws and regulations is an ongoing effort, requiring dedicated resources to ensure compliance with latest standards.

Practical implications

Deploying AI means focusing on risk management and security. Identifying vulnerabilities early through threat modeling allows businesses to address potential issues before they become problems. This proactive approach reduces the likelihood of costly mistakes and ensures smoother integration of AI systems.

A secure infrastructure is equally important. By implementing strict access controls and continuous monitoring, businesses can safeguard both their AI models and the IT environments they run in. Security measures must go beyond the models themselves, protecting the entire ecosystem that supports AI functionality.

Employee training plays a big role in responsible use of AI. Teams need to work effectively with these systems and leadership need to understand the risks and manage them. Proper preparation ensures a company-wide culture of accountability and awareness.

Thorough testing and validation of AI models are non-negotiable. These processes ensure that the systems perform reliably under different conditions and align with ethical standards. Testing uncovers weaknesses in data handling and decision-making, which can be addressed before the systems go live.

Supply chain security is another key element. Organizations must carefully vet their providers and ensure all AI models and tools come from trusted sources. This reduces the risk of vulnerabilities introduced through third-party dependencies. Addressing biases in AI models, such as those stemming from unrepresentative datasets, is equally crucial for maintaining fairness and reliability.

To maintain long-term system integrity, companies should have clear processes for reporting vulnerabilities. Allowing users and external experts to report issues improves system reliability over time. Regular updates and prompt fixes for compatibility issues are essential, as the fast pace of AI development means libraries and tools change quickly.

By integrating these practices, businesses can achieve a balance between leveraging AI’s potential and managing its inherent risks.

The road ahead

AI offers immense potential, but its successful and safe deployment requires foresight, planning, and continuous vigilance. By managing risks proactively, companies can harness AI’s benefits while minimizing its risks. Moreover, collaborative efforts between policymakers, industry leaders and researchers are essential to creating a safer and more innovative AI ecosystem.

Recommendations for the safe integration of AI systems

Cybersecurity

Nov 15, 2024 — 5 min read

What do a 15-year-old hacker, Julian Assange, inattentive administrators, and the War Thunder forum have in common? They were all involved in data leaks from the Pentagon. This article will explore several of the most prominent examples of leaks linked to one of the world's most secure agencies, as well as discuss the experience of interaction between the U.S. Department of Defense and ethical hackers.

Jonathan James

According to the U.S. Department of Defense, the first hacking of the Pentagon occurred in 1999 by a 15-year-old named Jonathan James, known among hackers as C0mrade. Jonathan found a server with a backdoor that allowed anyone to connect. He connected to the server, installed a sniffer, and gained access to all the traffic. This server belonged to a unit of the Department of Defense. Within a month, the boy intercepted numerous credentials, which he used to access the Department of Defense computers and download a vast amount of emails from Pentagon employees' mailboxes. Jonathan did all this not for personal gain but out of simple curiosity. Naturally, the intrusion was noticed, investigated, and the juvenile perpetrator was found. Jonathan's case is unique because he became the first minor in the U.S. to go to jail specifically for hacking.

Gary McKinnon

Two years after Jonathan James's story, another young hacker managed to breach this fortress alone. In January 2001, Gary McKinnon, a systems administrator from London, first broke into the American military computer system. Instead of wondering "how to hack the Pentagon," he simply found a flaw in the security system. Gary created a Perl program that identified administrator-status computers without a password. To the U.S. military ministry's embarrassment, there were many such machines. For 13 whole months, Gary studied the contents of Pentagon and later NASA computers unpunished. He was searching for evidence of extraterrestrial life and, according to him, found it. A year after his first intrusion, Gary was exposed, but he managed to avoid responsibility because a wave of protest arose, and the UK authorities did not extradite him to the U.S.

Julian Assange

Discussing whether the Pentagon was hacked, one cannot overlook Julian Assange, the founder of WikiLeaks. Since 2006, the portal has been publishing classified materials from the Pentagon and other U.S. law enforcement agencies. It is not known for certain whether Assange hacked government servers himself or if he received documents from third parties. But as the creator and distributor of information, he faces numerous charges, with a total criminal sentence of 175 years of imprisonment.

Edward Snowden

To extract and publicize classified Pentagon documents, hacking is not always necessary. Sometimes the danger lies within the employees themselves, who disagree with the methods of the military ministry. The most striking example is Edward Snowden. In 2013, he was an employee of the military system and had access to classified documentation. He learned about the massive U.S. surveillance of citizens of various countries around the world. Deciding to disclose the data, Snowden downloaded nearly 2 million secret documents onto a flash drive and took it out of the NSA office hidden in a simple Rubik's Cube. Then came the publications in the world media, major disclosures, accusations of espionage, fleeing the country, and a safe haven in Russia. It should be noted that there was also no selfish motive in this case.

Case of Jack Teixeira

In 2023, a loud scandal erupted related to the leak of classified Pentagon documents. Their photos appeared on the Discord platform, the 4Chan forum, Twitter, and some Telegram channels. Initially, it was thought that the Russians had hacked the Pentagon, but it later turned out that the leak was again related to a person working in the system and having access to secret information. Later, the world was shocked by footage of the arrest of Jack Teixeira—an Air Force pilot in red shorts being led by heavily armed American special forces. The information published by Teixeira contained secret documents concerning the conflict in Ukraine and revealing U.S. surveillance of partner countries. Jack was accused of espionage and now faces many years in an American prison.

Curious Cases

There have been many curious cases in the history of the Pentagon and similar agencies that led to the disclosure of official information. For example, last year a story surfaced about a typo that caused letters from the U.S. Department of Defense to go to mail addresses in Mali for years. Confidential information about U.S. (and French) military technology often surfaced on the War Thunder game forums so frequently that moderators had to publicly explain why their forum became a treasure trove of secret drawings. The U.S. military department did not overlook careless administrators either. Data can be found on at least one case when an unprotected Pentagon server with sensitive information was "shining" online for a long time. There are probably more such unpublicized incidents.

Pentagon and ethical hackers

If the human factor problem is solved by tightening internal policies toward employees, the Pentagon website and the entire U.S. Department of Defense infrastructure are protected by ethical hackers. As early as 2016, a government vulnerability search program called Hack the Pentagon was launched on the HackerOne platform. More than 100 potential breaches in ministry defense were discovered, and over 1,400 pentesters participated in the project. The number of participants is easily explainable. First, hacking the Pentagon online is the dream of any hacker. Secondly, the first bug bounty program of the Ministry of Defense was conducted on a paid basis. Individual payouts ranged from $100 to $15,000, with a total budget of $75,000. The next program was conducted in 2018 and focused on publicly accessible websites of the Ministry of Defense.

By the end of 2020, the department was hacked more than 12,000 times, but within controlled tests. Hackers were no longer paid for finding vulnerabilities but were awarded points on the HackerOne platform. The start of the third bug bounty program of the Pentagon was announced in 2023. But this time, hackers were invited to try to penetrate systems that control mechanical operations, such as heating and air conditioning in the main building, the Pentagon's heating and cooling installation, a modular office complex, and a parking lot. The task of the hackers is to identify weaknesses and vulnerabilities and provide recommendations for improving and strengthening the overall security situation.

Conclusion

It is naive to think that in the modern world there are objects that simply cannot be hacked. And the Pentagon is no exception. Today we have told only a few stories related to hacking and data leakage from the U.S. military department. But there are many more incidents that have not been publicly disclosed. Meanwhile, the Pentagon does not close itself off and actively uses external specialists to find vulnerabilities and weak spots in the system. This is the right tactic that helps the ministry improve its cybersecurity and respond more intelligently to attempts at penetration.

The unshakable fortress: Hacks, leaks, and pentagon bug bounty programs

Case study Passwork

Nov 8, 2024 — 3 min read

Kindernothilfe (KNH) is a German non-profit organization dedicated to supporting vulnerable children in impoverished and underprivileged regions worldwide. Founded in 1959, it has made significant contributions as one of Europe’s largest charities dedicated to child aid. Operating in over 30 countries, Kindernothilfe emphasizes the importance of ensuring children’s rights and providing access to education, healthcare, child protection, and community development initiatives, all aimed at enhancing children’s living conditions and eradicating poverty.

Company
Kindernothilfe
Location
Duisburg, Germany
Industry
Nonprofit organization
Company size
Over 300 employees in more than 30 countries
Passwork license type
500 users

The challenge: Finding a secure and user-friendly solution for global teams

Before choosing Passwork, Kindernothilfe relied on KeePass, a solution that limited scalability and lacked user-friendly features essential for a globally operating organization. With over 300 employees across more than 30 countries, the organization required a secure, scalable, and intuitive password management solution.

Doing so was crucial to meet the growing demands of its international team, especially for enhancing password sharing and access management capabilities for remote employees.

The solution: Switching to Passwork for improved security and simplified user access

Kindernothilfe opted for Passwork for its robust self-hosting capabilities, ensuring optimal data control and security. The seamless integration with SAML2 for Single Sign-On (SSO) streamlined access management across multiple platforms.

Furthermore, Passwork’s intuitive interface, along with its mobile app and browser extension, made it possible to manage passwords effortlessly from any device. The secure password-sharing features enhanced team collaboration, significantly reducing human error and improving overall security protocols.

The implementation: Gradual rollout and building a secure infrastructure

The implementation process took approximately two months. It was primarily focused on establishing and thoroughly testing the infrastructure to ensure Passwork met Kindernothilfe’s security requirements. The integration of SAML2 for Single Sign-On (SSO) was smooth and completed within a short timeframe.

To facilitate the successful implementation of Passwork, Kindernothilfe opted for a phased rollout rather than deploying the password management solution organization-wide all at once. They began with a smaller group of employees to showcase the benefits of the system and gradually promoted its use.

While organizing various promotional and educational activities, such as “Lunch and Learn” events, the organization encouraged employees to engage with Passwork. The goal was to achieve the point where at least 50% of the staff actively used Passwork before expanding the system to the entire organization.

The results: Increasing operational efficiency for cross-border teams

Currently, approximately 50% of the staff are actively using Passwork—a centralized, secure, and user-friendly solution for password sharing. This incremental approach not only ensured higher user engagement but also significantly strengthened security protocols across the organization.

By improving password management processes, Kindernothilfe increased its overall operational efficiency, especially for cross-border teams. Educational initiatives, such as “Lunch and Learn” sessions, were instrumental in raising awareness about Passwork and facilitating its successful adoption throughout the organization.

"Passwork met our needs with its affordable pricing and ease of use, making it an essential tool for our global workforce" — Bernd Schlürmann, network and security manager

Kindernothilfe: Simplifying global employee collaboration with Passwork

Cybersecurity

Nov 6, 2024 — 4 min read

The introduction of children to technology is happening at an increasingly younger age. This early exposure to the digital world, while beneficial in many ways, also carries significant risks due to the evolving tactics of cybercriminals. Parents must stay updated on the latest cybersecurity threats targeting young internet users to ensure their safety.

Today, we aim to shed light on various cybersecurity trends and provide practical advice for parents to safeguard their children's online presence.

AI and its impact on young users

Artificial Intelligence (AI) is rapidly transforming numerous industries, and its applications are becoming a part of daily life, from chatbots to personalized online shopping experiences. This technological advancement naturally attracts the curiosity of children, who often use AI tools for educational purposes or entertainment. A UN study indicated that approximately 80% of young participants interact with AI multiple times daily. However, these interactions are not without risks, including data privacy breaches, exposure to cyber threats, and inappropriate content.

Children often use AI applications for seemingly innocuous activities like photo editing. These apps might prompt users to upload personal photos, which could then be stored in unknown databases or used in ways the user did not intend. Parents must guide their children in using these applications cautiously, ensuring no personal information is visible in the background of photos or shared through the app.

AI chatbots, while useful, can sometimes provide content that is not age-appropriate. Imagine a scenario where a parent has installed an AI chatbot on their child's smartphone to assist with homework and answer educational questions. One day, the child decides to ask the chatbot a seemingly innocent question about birds. However, instead of receiving a child-friendly response, the chatbot generates inappropriate content related to adult topics or includes explicit language, causing the child to stumble upon content that is not age-appropriate.

In this example, the AI chatbot, though designed to be helpful, has failed to filter or moderate its responses properly, leading to a potentially harmful and inappropriate experience for the child.

The world of gaming and its hidden dangers

Gaming is a popular activity among children, with statistics showing that 91% of children in the UK aged 3-15 play digital games. This vast digital playground, however, also exposes them to potential attacks from cybercriminals. In 2022 alone, security solutions identified over seven million attacks related to popular children's games, marking a significant increase from the previous year. Games designed for younger children, such as Poppy Playtime and Toca Life World, were targeted.

The gaming environment often includes unmoderated voice and text chats, which can be a breeding ground for cybercriminals. These criminals can build virtual trust with young players, similar to how they would in person, by offering gifts or promises of friendship. Once trust is established, they can extract personal information, encourage clicking on phishing links, or even groom the children for more sinister purposes.

Moreover, when children can't find an app or game in their region, they might look for alternatives, which often turn out to be harmful copies. This danger exists even on trusted platforms like Google Play. Between 2020 and 2022, the research identified over 190 apps infected with the Harly Trojan on Google Play, secretly signing up users for paid services. The downloads of these apps are estimated at 4.8 million, but the real number of victims could be higher.

Both children and adults are vulnerable to this trend. Understanding cybersecurity basics is crucial. For instance, it's vital to examine the permissions an app seeks when you install it. Consider a basic flashlight app – it has no reason to request access to your text messages or camera. Being alert to these details is crucial for maintaining online security.

Fintech for kids: Opportunities and risks

One emerging trend is the development of financial products and services tailored for children as young as 12. These specialized offerings, such as bank cards and digital wallets designed for kids, present both promising opportunities and notable risks for young consumers and their parents.

Opportunities:

Financial Education: Fintech products for kids can be powerful tools for teaching financial literacy from an early age.
Parental Control: Fintech solutions designed for children often come with built-in parental control features. These features allow parents to monitor their child's spending, set spending limits, and receive real-time notifications of transactions.
Digital Payments: In an increasingly cashless society, introducing children to digital payments and financial technology at a young age can help them adapt to the changing financial landscape.

Risks:

Cybersecurity Threats: As fintech products for children gain popularity, they become attractive targets for cybercriminals. Cybersecurity risks include phishing scams, identity theft, and data breaches.
Social Engineering: Cybercriminals may use social engineering tactics to manipulate children into revealing sensitive information or making unauthorized transactions.
Financial Implications: While fintech products offer financial education opportunities, they also expose children to the risk of overspending or making unwise financial decisions.

Navigating online privacy with growing children

As children mature, they develop a greater understanding of personal space and privacy, which extends to their online activities. With the internet becoming more accessible, children are increasingly conscious of these aspects. Therefore, when parents decide to install digital parenting apps on their children's devices, the reaction from the kids might not always be positive.

This situation necessitates that parents develop the ability to effectively communicate with their children about their online experiences and the significance of using digital parenting tools for their safety, while also respecting their personal space. It's important to set clear boundaries and explain the purpose of these apps to the children. Regularly checking in with them and modifying the app's restrictions as the child grows and becomes more responsible is also crucial for maintaining a healthy balance.

A quick note on smart home devices

As a final thought, to ensure that this article is comprehensive, it’s important to note that the rise of smart home devices has made life more convenient but also more vulnerable to cyberattacks. Children, who are often users of these devices, can unknowingly become targets for cybercriminals. For example, some security studies on a popular smart pet feeder uncovered serious vulnerabilities that could allow unauthorized access and data theft. Parents must ensure the security of these devices and educate their children on safe usage practices.

Final thoughts

In conclusion, as technology continues to advance, so do the challenges and risks associated with its use, particularly for young users. Parents play a critical role in educating and protecting their children from these evolving cyber threats. By staying informed and engaging in regular discussions about online safety, parents can help ensure a safer digital environment for their children.

Guarding the digital playground: Parent's guide to cybersecurity

Oct 31, 2024 — 3 min read

The technology of virtual reality, which has spread relatively recently, is rapidly evolving and gaining popularity. Manufacturing companies are actively developing and experimenting with this new technology. Virtual reality is used not only in the entertainment industry but also in science, education, medicine, architecture, and others. For cybercriminals, access to such data can become an attractive target.

At present, cases of hacking VR headsets and glasses are not widespread, but as virtual reality technologies develop and their popularity increases, it can be expected that such attacks will become more relevant for cybercriminals. Examples of cases may include vulnerabilities in the software of VR devices, which can be used for remote control or for collecting confidential information. In the future, with an increase in the number of VR technology users, the likelihood of such device hacks may increase.

VR technology

Virtual reality is a technology that allows users to immerse in a three-dimensional virtual world using technical means. A person can either simply observe another reality through glasses—watching 360-degree videos—or interact with it by playing games using controllers.

A full VR set includes a headset, controllers, and cameras. The headset creates the sensation that the player is in another reality—he or she can see and hear it. Motion sensors and accelerometers provide additional opportunities to fully immerse in the game. With controllers, one can perform actions and control their movements in the game, while cameras additionally collect information—reading the player's movements and warning if the player approaches set boundaries in real life, for example, a wall or furniture.

It's also important to highlight the capabilities of devices operating in augmented reality mode, where a person simultaneously sees both the good old "analog" world and virtual interfaces with which they can also interact.

Risks and information security threats when using VR

Cybercriminals may be interested in users' confidential data. By finding vulnerabilities in a VR application and hacking it, they can gain access to cameras and microphones.

Hacking VR headsets is a serious violation of users' privacy and security. Hackers can exploit vulnerabilities in the software or hardware of devices to access users' personal data, including location information, physiological parameters, and even video and audio recordings of virtual reality sessions. This can lead to various negative consequences, including theft of personal information, blackmail, privacy breaches, and even physical danger.

Cybercriminals can also deploy VR exploits to gain control over players' devices. In this case, they have access to the PC, can activate the microphone to eavesdrop, monitor user actions, and collect various information, including bank transactions, logins, and passwords.

If malicious software replicates itself, it can infect all visitors in a virtual room. This allows for collecting data about many people at once, monitoring their actions, encrypting files on their PCs, and then blackmailing them for ransom to restore access. When using a VR headset or set in business, hacking will have more serious consequences. A computer connected to a VR device becomes an entry point for cybercriminals into the corporate network.

Data protection and ensuring virtual reality security

To protect devices from hacking, it's necessary to understand the threat level and take security seriously. Here are some recommendations for protection.

Regularly update the VR headset software to eliminate identified vulnerabilities and provide protection against new types of cyber threats. Connect only to secure Wi-Fi networks with data encryption (such as WPA2). Also, avoid open and unreliable networks to prevent interception of personal information.

It's important to protect access to the VR headset with a password or other authentication methods to prevent unauthorized access to the device. VR headset applications should be downloaded only from official stores to avoid installing malicious software. Finally, if possible, configure access rights to the device's data and functions to limit third-party applications' access to personal information. Following these measures will reduce the risk of cyber threats and ensure the safe use of VR headsets online.

Also important not to neglect updating your devices' software, as cybercriminals are constantly looking for new ways to access others' devices. Companies, in turn, promptly fix vulnerabilities in their products. For example, Apple released the first security patch fixing a zero-day vulnerability for Apple Vision Pro the day after journalists published reviews.

Conclusion

The use of virtual and augmented reality is rapidly evolving. New ways of applying it are found in various fields. There are not many cases related to the hacking of VR headsets and VR sets. However, experts predict an increase in attacks by cybercriminals in the future, proportional to the spread of VR technologies.

Using vulnerabilities in VR devices, cybercriminals can collect confidential data, record audio from microphones, and video from cameras, and even gain control over PCs and access corporate systems. To avoid this, it's necessary to take precautions: update software in time, not share access data with anyone, connect only through reliable Wi-Fi networks, and install VR applications only from official stores.

New reality, same threats: How to safely use VR headsets and glasses

Oct 25, 2024 — 4 min read

Neural networks are creeping into every area of our lives: from big data analysis, speech synthesis, and image creation to controlling autonomous vehicles and aircraft. In 2024, Tesla added neural network support for autopilot, AI has long been used in drone shows to form various shapes and QR codes in the sky, marketers and designers use AI to generate illustrations and text.

After the release of ChatGPT at the end of 2022 and its popularity, many companies have been actively developing their services based on GPT models. With various services and AI-based bots, neural networks have become accessible to a wide range of users. But if you don't follow information security rules, using these services and neural networks involves certain risks. Let’s talk about those.

Risks of using neural networks

The euphoria caused by the discovery of GPT chat for many people has been replaced by caution. With so many services based on language models, free and paid, users have noticed that chatbots can provide unreliable or harmful information. Especially dangerous is incorrect information about health, nutrition and finances, weapon manufacturing, drug distribution and more.

Moreover, neural networks are getting better and better and the latest versions can create incredibly realistic fakes, synthesizing voice or video. Scammers use these features to deceive their victims by forging messages and calls from acquaintances and videos with famous personalities.

The main threat is that many users trust neural networks and chatbots in general. Surrounded by an aura of accuracy and objectivity, people forget that neural networks can work with fictional facts, provide false info and generally make wrong conclusions. It has been proven many times that mistakes happen. If you ask silly questions, the damage will be minimal. But, if you use chatbots to solve finance or medicine issues, the consequences can be devastating. Plus, often to get an answer from a neural network, you need to provide some data.

A big question is what will happen to that data afterwards. No one guarantees that the information about you that you included in the queries will not subsequently appear somewhere on the darknet or become the basis for a sophisticated phishing attack.

In March 2024 bug hunters at Offensive AI Lab found a way to decrypt and read intercepted responses thanks to data encryption feature in ChatGPT and Microsoft Copilot. Regardless of how fast OpenAI patched this vulnerability, it’s a great example of how malicious actors can use API vulnerabilities to steal your data, including passwords or corporate info. And vulnerabilities can be used to DDoS the system and bypass protection.

There are several types of attacks on AI and it is important to know the difference. For example, evasion attacks (modifying of input data) are potentially the most common. If the model requires input data to work, it can be modified appropriately to disrupt the AI. On the other hand, data poisoning attacks are long-term. A trojan in the AI model will remain even after retraining. All this can be combined into adversarial attacks — a way to fool a neural network to produce an incorrect result.

Neural networks are not yet protected from attacks, data falsification and interference in their work for malicious purposes, so users should be aware and follow certain rules when working with chatbots.

Precautions and recommendations

The technology of large language models is rapidly developing, penetrating deeper into our lives, and gaining more users. To protect yourself and your data from potential threats, follow some rules when working with neural networks:

Don’t share confidential info with chatbots;
Download neural network apps and services from reliable sources;
Verify the info provided by the chatbot.

Moreover, the main recommendation when working with public neural networks is not to assume that your dialogue with it is private. It's better to avoid a situation where the questions asked contain any private information about you or your company. The exception is if you are working with an isolated instance of a neural network, located in your environment and for which your company is responsible.

Also, check the services through which you interact with the neural network. An unknown channel im your messenger promising free work with all known LLM models definitely should't be trusted.

Companies, whose employees use neural networks at work, should be extra cautious. The interest of malicious actors in corporate data is higher, and they look for sensitive organizational information first and foremost.

The best way to protect against cyber threats is to have ongoing cybersecurity and AI training for employees. This is a must have in any workflow. Through training, it is possible to improve specialists' skills and, consequently, reduce the number of attacks by more than 70%.

Additional measures should also be taken to enhance the overall IT security of the company. First of all, you need to develop improved AI training algorithms considering its vulnerabilities, which will make the model more reliable by 87%. It is also necessary to "train" the neural network: to let it handle artificially created cyber attacks to improve the algorithm. This will help reduce the number of hacks by 84%. Moreover, it is necessary to constantly update software to reduce vulnerabilities by more than 90%.

Conclusion

Both companies and ordinary users already tasted the benefits of neural networks. In many areas, they help solve everyday tasks and save time and money. For example, generative neural networks affected the cost of making movies, TV series and other videos where graphics and processing are needed. At the same time, roughly the same neural networks have caused a wave of deep fakes, such as new variant of the Fake Boss attack.

Every user must understand that the neural network is vulnerable. Just like a messenger, mailbox, or work task planner — it can be hacked or fail, so it is important to work with it consciously.

Can neural networks keep secrets? Data protection when working with AI

Incognito mode Cybersecurity

Oct 24, 2024 — 3 min read

Web browsers stand as gatekeepers of information, offering a semblance of privacy through a feature widely known as "Incognito mode." This mode, known variably as "Private" in Opera, "InPrivate" in Internet Explorer and Microsoft Edge, and simply "Incognito" in Google Chrome, suggests a veil of confidentiality. These names suggest a level of confidentiality, which can mislead some users about the actual capabilities of this mode. In this article, we have shed light on what Incognito mode really does, how it protects data, and how to maintain privacy online.

Understanding incognito mode

Incognito mode is a browser feature designed to hide certain online activities from other users of the same device. When activated, the browser stops saving:

The history of search queries and visited pages;
Cookies and site data;
Information entered in forms;
Passwords for autofill purposes.

Moreover, files downloaded while in Incognito mode won't appear in the device's download history. However, it's important to note that the websites you visit, your system administrator, and your internet service provider can still track your actions.

Myths surrounding incognito mode

One of the most pervasive myths about Incognito mode is its supposed ability to render users invisible to internet service providers (ISPs), governments, and malicious software. Contrary to popular belief, Incognito mode does not make one's online activities invisible to ISPs or shield against government surveillance. Nor does it offer any protection against viruses or malware. The mode merely ensures that the local browsing history, cookies, and site data are not stored on the user's device once the session is ended.

Another dangerous misconception is the belief that Incognito mode can protect users from all forms of online tracking. While it does prevent the storage of cookies and browsing history on the device, it does not hide the user's IP address or encrypt their internet traffic. Websites visited, as well as network administrators and ISPs, can still track online activities. This misunderstanding can lead users to overestimate the protection Incognito mode offers, potentially engaging in risky online behaviors under the false assumption of complete anonymity.

Appropriate uses for incognito mode

Despite its name, Incognito mode cannot guarantee complete privacy or data protection on the internet. Users should keep this in mind when using it. However, Incognito mode does offer several convenient features:

It can keep your browsing interests hidden from family members or colleagues;
It allows you to log into multiple accounts simultaneously by opening additional sessions in Incognito mode;
It makes it harder for websites to collect information about your preferences for targeted advertising;
It enables you to access your accounts on shared devices without leaving your account open to others.

We recommend considering more reliable protection measures than just Incognito mode. If you're the sole user of your device, Incognito mode might not be particularly useful. Focusing on more effective measures such as antivirus protection, using a VPN, and controlling app permissions is advisable. If you're concerned about your data, consider regular backups and encryption.

Built-in VPNs and incognito mode

Some browsers offer built-in VPNs when using Incognito mode. Unfortunately, these are only partial measures that provide relative security for user information online. While Incognito mode can hide your browsing history within the browser, a built-in VPN might not be as reliable as a standalone application. For instance, a VPN provider can be hacked, or it might share user data with third parties.

Free VPN services might collect user data for analytics or severely limit the performance of such solutions. It's also important to be wary of "dangerous" VPN servers that steal personal data, as they sit between the user and the web resource. Additionally, some VPNs may come bundled with malicious modules (e.g., miners) that financially benefit the VPN or browser owner at the expense of unsuspecting users.

Wrapping up – maintaining privacy online

For robust data protection and complete confidentiality, Incognito mode is insufficient. Additional tools are necessary. One solution for ensuring anonymity online is using a VPN from trusted vendors. A Virtual Private Network encrypts your data and hides your IP address. Other protective measures include:

Using secure, up-to-date browsers;
Installing and regularly updating antivirus software on your devices, as well as antivirus plugins for browsers to prevent visiting malicious sites and downloading suspicious files;
Using complex and unique passwords for each account, along with two-factor authentication where possible;
Exercising caution when opening and downloading files from unreliable sources to avoid malware;
Only using VPN services from trusted vendors;
Carefully reviewing the privacy policies of websites and services to understand how they handle user data.

Remember the importance of common sense and digital hygiene. Avoid downloading files indiscriminately, clicking on unknown links, or entering sensitive information on suspicious websites. While Incognito mode is a convenient feature, it's most effective when used correctly and with an understanding of its limitations.

The hidden truths and myths of incognito mode: Privacy in the digital age

Company

Roadmap Feature requests Changelog Blog

Browser extension

Google Chrome Mozilla Firefox Microsoft Edge Apple Safari

Mobile application

iOS Android

Links

Password generator Passwork cloud SLA

Help

Passwork user manual Help center

Complete guide for SSL, TLS and certificates

Table of contents

What is the Advanced Encryption Standard (AES)?

Where is AES encryption used?

How AES encryption works?

Advantages of AES encryption

Attacks on AES encryption

How to prevent attacks on AES encryption

How does AES compare to other encryption?

AES-128 vs. AES-256

AES vs. RSA

AES vs. DES

AES encryption FAQ

Is AES symmetric or asymmetric?

What is AES 128 vs. 192 vs. 256?

Is 128-Bit AES secure?

Is AES the best encryption method?

How Passwork can help with encryption

Further reading:

What is the Advanced Encryption Standard

Table of contents

Introduction

What is a cybersecurity risk assessment?

Key components of a cybersecurity risk assessment

Analogy: Cybersecurity risk assessment is like a home security audit

The risks of neglecting cyber risk assessments

The importance of cyber risk assessment

Why businesses must conduct cyber risk assessments

Who should perform a cyber risk assessment?

Internal IT teams vs. third-party assessments

Different approaches to cyber risk

Common cybersecurity risks and threats

How to perform a cybersecurity risk assessment

Benefits of cybersecurity risk assessments

Conclusion

Further reading:

What is a cybersecurity risk assessment?

Understanding password hashing

Common hashing algorithms

What is salting?

Benefits of salting

Best practices for salting passwords

What is peppering?

Benefits of peppering

Challenges of peppering

How salting and peppering work together

Best practices for implementing salting and peppering

User education and password management

Compliance and regulatory landscape

The Future of Password Security

Password security: Understanding salting and peppering

Key risks to consider

Aspects of safe AI deployment

Organizational measures

Technical measures

Adaptation and compliance

Practical implications

The road ahead

Recommendations for the safe integration of AI systems

Jonathan James

Gary McKinnon

Julian Assange

Edward Snowden

Case of Jack Teixeira

Curious Cases

Pentagon and ethical hackers

Conclusion

The unshakable fortress: Hacks, leaks, and pentagon bug bounty programs

The challenge: Finding a secure and user-friendly solution for global teams

The solution: Switching to Passwork for improved security and simplified user access

The implementation: Gradual rollout and building a secure infrastructure

The results: Increasing operational efficiency for cross-border teams

Kindernothilfe: Simplifying global employee collaboration with Passwork

AI and its impact on young users

The world of gaming and its hidden dangers

Fintech for kids: Opportunities and risks

Navigating online privacy with growing children

A quick note on smart home devices

Final thoughts

Guarding the digital playground: Parent's guide to cybersecurity