Complete guide for SSL, TLS and certificates

Latest — Jan 9, 2023

Since the time of the Roman Empire, people have been able to use encryption to keep their communications private. When the Roman emperor Gaius Julius Caesar was penning an important message, he would sometimes replace a letter in the source text with another letter that was positioned three characters to the left or right of the original letter in the alphabet. This practice dates back to well before our period. If the communication was intercepted by his adversaries, they would not be able to decipher it since they would think it was written in some other language. This method of concealment was known as the Caesar cipher, and it was categorized alongside the other substitution ciphers. The substitution ciphers' overarching strategy is to change the meaning of a character by using a different character.

However, in encrypted messages, common terms were replaced by a single letter, eliminating the possibility of substitution. In this manner, Mary Stuart, imprisoned in Sheffield Castle, communicated with Anthony Babington about the conspiracy and Elizabeth's death. This is a part of that letter.

Indeed, Elizabeth's counterintelligence department, commanded by Francis Walsingham, intercepted the letter, which was quickly decrypted by Elizabeth's greatest cryptanalyst, Thomas Fellipes. How did he manage it? Through an analysis of frequencies.

All letters appear in the language with varying frequency. As a result, you just need to define the percentage of characters in the text that will be replaced by a certain character, and it will take some time to substitute and test hypotheses. This is called frequency analysis. It only works on somewhat long texts, and the longer the text, the better.

Anthony Babington was hung, drawn and quartered, Mary Stuart was beheaded, and the process of letter replacement was no longer deemed secure. However, an antidote to frequency analysis was discovered immediately. It is sufficient to utilize several encryption methods: encrypt one string with one, and the other with another, and frequency analysis will be rendered ineffective.

Since then, there has been an ongoing race between encryption and cipher cracking.

The cracking of the Enigma cipher machine used by Nazi Germany to safeguard military and political communications is the most notable feat in breaking encryption algorithms. By the standards of the time, it was a superb encryption device, on which the brightest brains in Germany collaborated. But deciphering the encryption required no less of a force: a team of British cryptographers collaborated with the young scientist Alan Turing.

Despite the cloak of secrecy, his name is linked to the selection of the key that could unlock the Enigma. Indeed, the key was a seemingly mundane Hitler greeting, which had to be included at the conclusion of every piece of correspondence. Alan Turing accomplished the impossible by providing his country with a crucial advantage during World War II.

Modern algorithms like AES, Twofish, and Blowfish differ significantly from substitution or the displacement of letters, as well as Enigma ciphers. Furthermore, they have nothing to do with them and are immune to brute-force and frequency analysis attacks. One thing stays constant, however: there are still individuals who wish to hack them and decipher encrypted messages. Nowadays, the availability of such a dependable data protection instrument cannot help but bother those who wish to acquire access to any information of special services.

Methods of attacks on ciphers by intelligence agencies

Today, intelligence agencies use three primary methods to attack ciphers.

Direct key selection to ciphers

Data centers that use brute force to break encrypted data are being created for this purpose. You can crack practically any contemporary encryption by brute force; simply guess the key (which is generally logical: if there is any key, in theory, sooner or later it can be guessed). The only question is how much power you have and how much time you have. For example, whereas a single contemporary computer can check 10,000 keys per second on average, a data center of thousands of machines may match tens of millions of keys per second.

Fortunately, cracking a powerful cipher can take more than a dozen years in a contemporary data center, and it is impossible to envision what has to be done so that a whole data center is engaged in cracking your encrypted data. After all, a single day in a data center costs tens of thousands of dollars. Because of the expense of resources, a basic password selection using a dictionary is generally done.

This was the situation with Daniel Dantas, a Brazilian banker who was detained in Rio de Janeiro in July 2008 on accusations of financial fraud. Five hard discs with encrypted data were discovered during a search of his flat. Local specialists were unable to break them and went to the FBI for assistance. The FBI returned the CDs after a year of futile attempts. The method of picking a password using a dictionary was utilized for hacking. Daniel Dantas devised a strong password that would be immune to dictionary assaults. It is unclear whether this aided him in court, but access to his encrypted data was never acquired. He utilized TrueCrypt, an encryption application, by the way.

Aside from data centers, there is an ongoing development of a quantum computer that has the potential to drastically revolutionize modern cryptography. If cryptographers' forecasts come true, it will be easy to crack any current crypto container very fast following the advent of such a supercomputer. Some scientists believe that such a supercomputer has already been developed and is located someplace in the hidden cellars of the US National Security Agency.

The second attack method is a scientific study of modern encryption algorithms with the aim of breaking them

A lot of money is being invested in this business, and such decisions are truly invaluable for special services and intelligence. Here, researchers compete with intelligence agencies. If researchers break the protocol or discover a weakness early on, the rest of the world is likely to learn about it and switch to more secure methods. If they are discovered by intelligence agencies, they are discreetly utilized to obtain access to encrypted data.

A 768-bit RSA key was regarded as an entirely reliable solution ten years ago, and it was utilized by private users, huge corporations, and governments. However, a consortium of engineers from Japan, Switzerland, the Netherlands, and the United States successfully computed data encrypted using a 768-bit RSA cryptographic key at the end of 2009. The usage of 1024-bit RSA keys was suggested. However, 1024-bit RSA keys are no longer deemed strong enough either.

The third attack method is a collaboration with device, program, and encryption algorithm creators to weaken encryption and add backdoors

It is sufficiently difficult for special services to decrypt a correctly encrypted crypto container, so instead, they try to bargain with firms producing encryption tools so that the latter leaves decryption flaws or degrades the algorithms utilized. The US’ NSA is ahead of the rest of the world in this regard. According to Edward Snowden's allegations, the American creator of cryptographic technology RSA Security was paid $ 10 million by the NSA to build a backdoor into its software. RSA Security provided its clients with the notoriously flawed Dual EC DRBG pseudo-random number generation technique for this money. Because of this flaw, US spy services were able to readily decode communications and information.

We don't know what additional backdoors exist in encryption algorithms today, but we do know that decrypting information is one of intelligence services' top goals. High-level professionals are continually working on it, and governments are pouring money into it. It is well known that the majority of efforts are focused on cracking SSL protocols, 4G security technologies, and VPNs.

The history of encryption. Confrontation of encryption and intelligence agencies.

Dec 16, 2022 — 4 min read

The creation of a file made out of human DNA that is capable of retaining terabytes of information is a very real future for scientists.

To this day, humanity has produced around 10 trillion gigabytes of data, and on a daily basis, people generate emails, photographs, films, and other information that add up to another 2.5 million gigabytes. A significant portion of this information is kept in exabyte data centers, which have the footprint of several football fields and have an annual operating cost of one billion dollars. However, researchers have developed an alternate strategy, which consists of a section of DNA that is able to store vast quantities of information in a compact shape.

According to Mark Bath, a professor of biology at the Massachusetts Institute of Technology, you could hypothetically put all of the data in the world into a coffee cup full of DNA.

The DNA molecule is an ideal storage device for digital data

"We need innovative methods to store the massive volumes of data that are growing throughout the world," says Mark Bath. "DNA is a thousand times denser than any flash drive, and it also has the fascinating virtue of not using energy. Anything may be written into DNA and stored indefinitely " he continues.

Text, images, and any other type of information are all encoded as a series of zeros and ones when saved to digital storage devices. The same information may be encoded in DNA using the four nucleotides that make up the genetic code, which is designated by the letters A, T, G, and C. For instance, the numbers 0 and 1 can be represented by the letters G and C, respectively.

DNA possesses various characteristics that make it a good information carrier:

•  DNA is very stable

•  DNA is relatively simple to synthesize and sequence

•  DNA is highly dense, each nucleotide corresponding to two bits is around 1 cubic nanometer. An exabyte can fit in the palm of your hand.

However, there is a drawback. The expense of producing such enormous amounts of DNA is huge. Recording one petabyte of data (1 million gigabytes) now costs $1 trillion. According to Bath, the cost of synthesis needs to be decreased by around six orders of magnitude before creating archives based on a biological polymer becomes economical. According to the expert, this is entirely feasible in 10-20 years.

Another difficulty is obtaining the needed file.

"What happens if technology advances to the point where it is economically feasible to write an exabyte or zettabyte of data into DNA? You'll have a pile of DNA containing millions of photographs, texts, videos, programs, and other data, and you'll need to locate a certain file: how will you accomplish it?" Bath inquires.

It's like looking for a needle in a haystack.

How are files encoded?

At this time, the PCR is the most common method for obtaining DNA files (polymerase chain reaction). Each file contains a sequence that is designed to bind to a particular PCR primer (a primer is a short piece of nucleic acid). Each primer is introduced to the sample individually in order to locate the necessary sequence in order to extract a particular file. However, one of the drawbacks of using this method is that it increases the likelihood of a phenomenon known as crosstalk occurring between the primer and the DNA sequences, which can lead to the loss of some files. In addition, the synthesis process of PCR calls for enzymes and results in the loss of a considerable amount of DNA. You sort of have to burn a haystack to locate a needle.

The problem was solved by Professor Bath and his colleagues when they encapsulated each file in a silica particle measuring 6 micrometers and included a brief DNA sequence that indicated what was contained within the file. The researchers were able to retrieve individual photos that were saved as DNA sequences from a batch of 20 files by using this method, which resulted in an accuracy rate of one hundred percent. It is conceivable to scale up to a sextillion files given the number of potential labels that may be utilized. By the way, a sextillion is a number that consists of one and 20 zeros following it.

Hack DNA to find the right file

The team at MIT devised a novel extraction approach by isolating each file in a silica particle as an alternate option. Each such "capsule" is labeled with a single string of "barcodes" relating to the file's contents, such as "cat", "airplane", and so on. The researchers encoded 20 distinct pictures into DNA segments around 3,000 nucleotides long, which is comparable to about 100 bytes, to show their method in a cost-effective manner. (They also demonstrated that data as large as a gigabit might fit within the capsules).

When the researchers sought to extract a specific image, they deleted the DNA sample and replaced it with primers that matched the labels they were seeking — "cat", "red", and "wild" for a tiger shot, or "cat", "orange", and "domestic" for a domestic cat photo. The primers are then tagged with fluorescent or magnetic particles, making it simple to extract and identify any files while leaving the remainder of the DNA intact for eventual storage. This strategy is comparable to looking for terms on Google.

"So far, the search speed is one kilobyte per second. The size of the data per capsule determines the search speed of our file system. It is also worth mentioning that the speed is constrained by the prohibitively high cost of writing even 100 gigabytes of data per DNA, as well as the number of sorters that may be used concurrently.

"If DNA synthesis gets cheap enough, we can optimize the quantity of data stored", said scientist James Banal.

The researchers created their barcodes using single-stranded DNA sequences from a library of 100,000 sequences, each around 25 nucleotides long, established by Stephen Elledge, a genetics and medicine professor at Harvard Medical School. If you place two of these labels on each file, you may label each one uniquely.

Final words

While DNA may not be extensively employed as a data carrier for some time, there is currently a large need for low-cost, high-volume storage solutions.

The DNA encapsulation approach can be effective for archiving data that is only sometimes accessed. As a result, Professor Bath's laboratory is already hard at work on the formation of a business called Cache DNA, which will provide a method for the long-term storage of information in DNA.

How soon will we be able to store files in our DNA?

Dec 8, 2022 — 4 min read

The most frequently-used password globally is "123456”. However, analyzing passwords by country can yield some quite fascinating results.

We frequently choose weak passwords such as "123456" since they are easy to remember and input. The differences between such passwords can sometimes be found in the language itself. For example, if the English have "password" at the top of their list, the Germans prefer "passwort", and the French use "azerty" instead of "qwerty" due to the peculiarities of the French keyboard layout, which has the letter A instead of the usual Q.

When a weak password is driven by culture, things get much more intriguing. The password "Juventus" is likely to appeal to fans of the Italian football team Juventus. This password is also the fourth most popular option among Italian Internet users. The club is from Turin, Piedmont, and is supported by about 9 million people. At first look, the unique password "Anathema" appears to be a typical occurrence in Turkey, where the British band Anathema's name is among the top ten most common passwords.

A weak password is widespread

ExpressVPN together with Pollfish interviewed 1,000 customers about their password preferences in order to learn more about how individuals approach password formation.

Here are some of their findings:

•  The typical internet-goer uses the same password for six different websites and/or platforms

•  Relatives are likely to be able to guess their passwords from internet accounts, according to 43% of respondents

•  When generating passwords, two out of every five people utilize different variants of their first and/or last name

These findings demonstrate a lack of cybersecurity knowledge, despite the fact that 81% of respondents feel confident in the security and privacy of their existing passwords.

According to the survey results, passwords frequently contain personal information. Below, you will find the most shared personal information with the percentage of respondents who revealed that their passwords contained personal information.

•  First Name (42.3%)

•  Surname (40%)

•  Middle Name (31.6%)

•  Date of birth (43.9%)

•  Social security number (30.3%)

•  Phone number (32.2%)

•  Pet name (43.8%)

•  Child's name (37.5%)

•  Ex-partner's name (26.1%)

The most common passwords in various countries

Based on an infographic from ExpressVPN, the picture below illustrates the most often used passwords in various nations, practically all of which are in the top ten in their respective countries. Many are exclusive to these nations and demonstrate how cultural influences impact password creation.

Much of the information presented comes from a third-party study of stolen credentials (which were made public by Github user Ata Hakç). These datasets are based on the language of the individual sites, allowing the information to be distributed by country.

Let's have a look at some interesting variations of passwords. For instance, the phrase "I love you forever" may be deciphered from the password "5201314," which is commonly used by people from Hong Kong. In contrast, users in Croatia make use of the password “Dinamo”, which is derived from the name of an illustrious football team based in Zagreb. Martin is the password that is used by people from Slovakia. In Slovakia, the name Martin has a position as the fourth most common name. The Greeks, on the other hand, chose not to put undue effort into themselves and instead went with the most straightforward password out of the list, which was 212121. On the other hand, Ukrainians use the pretty difficult password Pov1mLy727. Apart from Ukraine, there are other countries where users more often than not create strong passwords. Let’s take a look.

These 10 countries create the strongest passwords

According to the results of the National Privacy Test that was carried out by NordVPN, the greatest marks were obtained by Italians in regard to their understanding of robust passwords. The following is a list of the top ten nations in which people come up with the most complicated passwords.

1. Italy 94.3 (points out of 100)

2. Switzerland 94

3. Spain 93.5

4. Germany 93.3

5. France 92.3

6. Denmark 91.8

7. UK 90.7

8. Belgium 90.4

9. Canada 89.4

10. USA 89.3

The top 10 did not include Australia (88.9), South Africa (86.2), Saudi Arabia (85.7), Russia (81.4), Brazil (81.2), Turkey (73.9), and India (78.4).

"This study demonstrates that individuals from all around the world are aware of how to generate secure passwords. The information is there, but people aren't using it in the right ways," says Chad Hammond, a security specialist at NordPass.

Also in November 2022, NordPass published a study that found out which passwords network users use most often. According to the findings of the survey, the majority of individuals still rely on simple passwords such as their own names, the names of their favorite sports teams or foods, simple numerical combinations, and other straightforward options.

NordPass security specialist Chad Hammond also stated, "Using unique passwords is really crucial, and it's scary that so many individuals still don't." It is critical to generate distinct passwords for each account. "We put all accounts with the same password in danger when we reuse passwords: in the case of a data breach, one account at risk can compromise the others."To summarize, it is reasonable to state that it does not matter where you were born, where you live, or what you are passionate about; you must always use unique passwords. We recommend that you make your password difficult to guess by making it more complicated or by using a password generator. This will increase the level of security provided by your password. In addition to this, we strongly suggest that you take advantage of two-factor authentication wherever it is an option. If you add an additional layer of protection to your accounts, be it in the form of an app, biometrics, or a physical security key, you will notice a significant increase in their level of security.

How passwords differ around the world

Dec 6, 2022 — 4 min read

The truth is, the answer isn’t as straightforward as you might think. A ‘hacker’ is a name that can be ascribed to many different types of individuals — from North Korean crypto bridge drainers to a jealous 16-year-old trying to get into his girlfriend’s Facebook account. That’s why it’s important to understand exactly what a ‘real’ hacker is and what kinds of assaults may be carried out.

As a result of the controversy that surrounds the concept of hacking, hackers frequently get labeled as criminals. The process of obtaining and providing information or data is known as "hacking," and while there are numerous and less severe forms of hacking, "security hacking" is the most common type of hacking. Hacking is, in fact, an interesting component of computer operations that involves obtaining and presenting certain information or data.

The definition "individuals who utilize their knowledge or competence in computer operations to obtain access to systems or defeat Internet security barriers" describes the sort of hacking that falls under this category. "Gaining access" is the fundamental aspect of hacking. Some hackers do it for the thrill of it, while others do it for financial benefit. Some are even driven by political motivations.

Types of security hackers

Black Hat

The average hacker in the headlines and the greatest threat to your company is motivated by monetary gain. Their purpose is to enter your company and steal bank information, private data, and money. The stolen resources are utilized for extortion, illicit market sales, or personal benefit.

White Hat

These hackers are the antithesis of "black hat hackers," since they want to assist companies and support them in their cyber protection efforts either pro bono or in exchange for payment. A firm or an individual that assists with the protection of your organization — in other words. Cyberkite is analogous to a hacker who wears a white hat; they defend the data of your company.

Gray Hat

Personal pleasure drives these hackers. They are aware of everything that white and black hackers are aware of, and they are uninterested in attacking or safeguarding you. Usually, they merely have a good time breaking down fortifications for a test. They seldom do anything damaging, so they cut and go on. They constitute the vast majority of all hackers.

Blue Hat

This hacker is spiteful and hostile. They don't exist unless you make them. As a result, it is worthwhile to follow business ethics and treat consumers and other parties fairly. Because who knows, if you're not playing fair, you enrage them, and one of them turns into a hacker with a blue hat. They frequently modify off-the-shelf attack programs to suit their needs. They then utilize this code to exact vengeance on a company or individual.

Red Hat

Crusaders in cyberspace. They are vigilante superheroes who also serve as judges, juries, and executioners. Their mission is to eradicate black hat hackers from the internet. They employ a slew of black-hat cyberweapons against them. However, you are unaware of their existence since they resemble well-known comic book superheroes. The upside to your business is that they, like white hat hackers, try to defend you.

Green Hat

Inexperienced hackers. They are yet to become full-fledged hackers. They put programming to the test in order to learn. They normally do not assault businesses and instead learn from experienced hackers in internet groups. They don’t usually pose a hazard to your business.

Script Kiddie  

These guys are not like the rest. Of course, they sound like harmless hackers, but their purpose is to cause as much devastation and destruction as possible. They have no desire to steal. They concentrate on scripting and coding but do not create their own software. DoS (denial of service) or DDoS (distributed denial of service) attacks are widespread on their side. As a result, they’ll utilize any sort of assault that might create havoc within your firm, harm your reputation, or result in client loss.

The country with the highest number of hackers

With definitions out of the way, you can be sure of the kinds of hackers we’re talking about. Indeed, China is home to the world's highest number of hackers per capita. It is possible to fall into the trap of believing that everything is predicated just on the size of China's population, which is enormous. However, not everything is as it seems at first glance. The hacker networks or organizations that China employs are among the most advanced and sophisticated in the world. The People's Liberation Army of China (PLAC) backs some of these groups financially and logistically.

Also, in order to achieve domination over other nations in cyberspace, China is encouraging cybersecurity as a culture. This will ensure that its educated youth have an excellent level of cyber literacy. This has also resulted in a rise in the amount of cybercrime. Various estimates suggest that China is responsible for 41% of all cyber assaults that occur throughout the world.

The idea of "network warfare" in Chinese information operations and information warfare is approximately equivalent to the American concept of cyber warfare. According to Foreign Policy magazine, China's "hacker army" numbers between 50,000 and 100,000 members, in addition to other groups and individuals. Chinese hackers might be described as "patient dreamers and social engineers." Asia, the Pacific, and Australia are their favorite locations.

Chinese hackers' typical attacks

A common Chinese hack employs a viral SMS message including a link to gather or install keystroke monitoring software in search of bank account access. It is worth noting that the majority of China's cybercrime infrastructure is based outside the nation, owing to strict government rules. Another factor to consider is that, over the last 20 years, China has swiftly absorbed and overtaken Western nations in the latest technology — for example, the city of Shenzhen is regarded as the world's electronics capital. Furthermore, China's objective cannot be dismissed as a desire to acquire the intellectual property for use in both the business and public sectors. The other is the urge to spy on one's own citizens and those of other nations — yeah, that's right, the surveillance program includes, for example, eavesdropping on Americans online, according to an April 2021 Human Rights Watch report. Will the government take a more active role in combating and preventing cybercrime? Only time will tell.

What country has the most hackers per capita?

Nov 30, 2022 — 4 min read

In contrast to other forms of verification, such as passwords or tokens, biometric authentication relies on an individual's distinct biological traits to confirm their identity. Indeed, it’s harder to fake and is typically more user-friendly since users do not have to memorize passwords or carry about a physical token that may easily be lost or stolen. Additionally, it is more difficult to counterfeit. An essential component of identification is the authenticator.

Analysis of a person's speech may be used for identity verification using a process known as voice recognition, which is sometimes referred to as speech recognition or voice authentication. Airways and soft tissue cavities, in addition to the shape of the mouth and the movement of the jaw, all have an effect on speech patterns and help create a person's distinctive "vocal print."

There’s a kind of speech recognition technology available known as speaker recognition. It’s not the same as voice recognition, which is a technique that is utilized in applications that convert speech to text and in virtual assistants such as Siri and Alexa. Although speech recognition can comprehend spoken words, it cannot verify a speaker's identity based on the speaker's vocal characteristics; however, voice biometrics can.

Methods for recognizing the speaker

There are primarily two methods that may be used for voice authentication:

  • Text independent
    Any spoken passphrase or other types of speech material may be used to achieve voice authentication
  • Text-dependent
    In both the registration process and the verification process, you will use identical passphrases. This implies that the speaker will be asked to repeat a sentence that has already been decided upon, rather than being allowed to say anything that they would want to affirm. When using static text voice authentication, the password that is used for one verification is utilized for all of the verifications. The user is provided with a passphrase that is completely random, such as a series of numbers, through dynamic text-based voice authentication. Additionally, registration is required for this content.

Registration and confirmation of identity

It is necessary to capture the biometric speech sample and then register it with the microphone in order to generate a reference template that can be used for comparison with samples during subsequent authentication attempts. After that, distinctive aspects of the vocal performance are observed, such as:

  • Duration
  • Intensity
  • Dynamics
  • Innings

Examples of voice authentication

The hands-free mobile authentication use case is the most common use for voice authentication. This kind of identification is perfect for use on mobile phones or in other situations where other types of biometric verification, such as face recognition, fingerprint recognition, or iris recognition, are impractical. in automobiles.

Voice authentication may also be beneficial for voice recognition devices like Amazon Alexa and Google Home. There has been a recent uptick in the usage of virtual assistants to carry out activities such as placing orders and doing other tasks that would traditionally demand some kind of verification.

During help desk conversations, speaker recognition may also serve as an authenticator for callers. When compared to supplying personal information to verify identification, such as a driver's license or credit card number, users may discover that this method is not only more secure but also more convenient.

Advantages of voice recognition

Low operational costs

Voice authentication may result in cost savings for call centers as well as financial institutions. They are able to save millions of dollars because of the fact that this technology does away with many of the stages required by conventional verification procedures. During an end-to-end conversation, it is able to validate the customer's identification just by recognizing their voice, eliminating the need for the routine questions that are often asked.

Improved quality of life for the end customer

Voice biometric systems provide a number of benefits, one of which is that they have the potential to significantly enhance the customer experience. However, this potential is sometimes overlooked. It is no longer necessary for callers to provide passcodes, PINs, or answers to challenge questions in order to have their identities verified.

Because of this, speech biometrics are ideal for omnichannel and multichannel deployments. Once a client has been registered, their voiceprint may be utilized across all of a company's support channels, making speech biometrics suitable for omnichannel and multichannel deployments.

Increased accuracy

Voice authentication is more reliable and accurate than using passwords, which are simple to forget, change, or guess. Passwords are also easier to compromise. It's kind of like how fingerprints are the only thing that can identify you. To put it another way, in contrast to passwords, a voice is impossible to forget or imitate. In spite of the fact that the sound might be influenced by a number of factors, it is much more dependable and handy.

Technology that is simple to put into action

The ease of use and implementation that speech recognition biometrics provide is very valuable to a lot of different companies. It may be difficult to implement some forms of biometric technology inside an organization and to get started with these systems. However, due to the fact that speech biometric systems need so little, it is often possible to install them without the need for extra hardware or software.

Because this technology is so easy to use, businesses often have the ability to redeploy employees to other areas of the organization in order to improve both their efficiency and the level of pleasure they provide to their customers.

Conclusion

Voice authentication is an excellent method for verifying a user's identity since it offers extra levels of security, which manual passcodes may not be able to give. Voice authentication is a wonderful approach to verifying a user's identity. Voice authentication is advantageous for both the company and its consumers since it eliminates the annoyance that is associated with laborious login procedures.

The technologies behind voice recognition

Nov 24, 2022 — 4 min read

There is no good reason, from a technical standpoint, why passwords can't contain scripts in Chinese, Japanese, Korean, or any other language for that matter. If you are able to write in this script, then it is entirely appropriate for you to employ it in whatever endeavors you undertake.

However, if you put this theory to the test, you will discover that many websites, including well-known ones like Google, prevent you from entering a password that contains characters other than A-Z, 0-9, and common special characters.

This brings to mind the early days of the internet when certain websites forbade the use of capitalization and prohibited the use of Latin letters for no discernible reason.

Site issues with passwords including Chinese characters

Users often make use of passwords that are longer than 30 characters, include all of the various character kinds that are usually suggested, and are created at random. If you use a password manager, you should probably make the password as difficult and as lengthy as it can possibly be.

However, if you visit more than 150 websites and change your password each time, you may find that many websites have password rules that do nothing but lower their level of security rather than increase it. This is because these rules are designed to protect users from themselves.

For instance, several websites impose arbitrary restrictions on the maximum length of passwords. They will typically demand passwords with less than 20 characters, in many instances. In certain cases, you can only use a maximum of 12 characters.

Even though it makes the password less secure, certain websites require that you include a number and a special character. This is despite the fact that doing so decreases the entropy of the password. On other pages, one may be restricted to using just the Latin letters; numerals and punctuation are not allowed. On certain websites, one may use punctuation, but you have to choose it from a drop-down menu first, and characters like "&" are not permitted.

This last point ought to give you significant cause for worry. Are these websites capable of sanitizing the password before inserting it into the database? Your database should not be used to store passwords in any way. I'm curious how many times this has been the cause when we consider severe breaches of privacy. You are required to hash the password before saving it.

In any event, the end effect of all of this is that a significant number of websites still verify passwords in an erroneous manner, excluding characters that really should be fully allowed. There is no valid reason why "您未设置安保问题" can’t serve as your password.

So, how safe is such a password?

Entropy is a term used to describe both the difficulty of breaking a password and the complexity of the password itself. In the next paragraphs, we will examine how to compute the entropy of a password.

If we expand the character set to cover everything from a to Z, digits from 0 to 9, punctuation marks, and so on, then we have a pool of 90 characters. This results in an entropy per character of log2(90), which is equivalent to 6.49 bits. If, on the other hand, we expand our character pool to include all Chinese, Japanese, and Korean (CJK) characters (presuming that our character pool has 74,605 characters), then we can calculate the entropy of each character as log2 (74605) = 16.19 bits of entropy per character.

Therefore, a 7-character CJK password such as "正确的马电池钉" would give you 16.19 bits of entropy times 7, which equals 113.33 bits total. I would need a password consisting of 18 characters if I wanted to match this using Latin letters, numbers, and special characters.

The vast majority of people are Chinese-illiterate. They have decided against using any characters that include CJK in their passwords. On the other hand, the effectiveness of a complicated password is comparable to that of vaccination in that it confers herd immunity. Crackers will only conduct brute force or dictionary attacks based on the letter az if individuals only use passwords that include those letters. If people have a habit of using numbers and punctuation, it forces attackers to incorporate those elements into their vocabulary, which in turn slows down their attack. The attacker needs to try all of these additional possible combinations, regardless of whether or not your own password used any of them.

Because roughly one-third of the world's population is able to read and write CJK characters (the populations of China and Japan are enormous), if we permit people to use CJK characters in their passwords, then even if I don't use CJK characters myself, we can all benefit from the increased complexity that this provides.

To reiterate, knowledge of Chinese is not required in order to work with CJK characters. You can keep track of all of your passwords by using a password manager, as was previously suggested. It does not matter whether you are unable to read or write the password as long as the password manager is able to save it and accurately copy and paste it into the password box when it is required.

Conclusion

We’d like to remind everyone that your name, birth date, or any other identifying information should never be used as a password, regardless of the language you use.

In addition, the passwords that are established on other websites might somewhat vary from one another, which makes them easier to remember and prevents the same issue from occurring. In this scenario, it is essential to connect your mobile phone number or email address so that you may easily recover the account in the event that the mobile phone number is lost or stolen.

On the other hand, many people feel that passwords are becoming outdated and that there are now more efficient methods to handle computer security and authentication than by using passwords. Perhaps now is the moment for people to begin shifting their attention to other approaches. In the not-too-distant future, we will find out.

How secure is a password that uses Chinese characters?

Nov 23, 2022 — 1 min read

In the new version of Passwork, we have completely redesigned the System settings. They are now divided into three sections:

  1. Global — organization settings that determine the operations of most of the Passwork functions
  2. Default — the values of the settings that will be used if no other custom settings are specified
  3. Custom — settings that can be set for individual users and roles

Now you can set up different interface languages, configure authorization methods, and enable mandatory two-factor authentication for individual users and roles.

To do this, click "Create a new settings group" in Сustom settings, add users or roles and select your desired settings. The newly created group will be added to the top of the list and will get the highest priority.

The following settings are now available:

  • Ability to create organization vaults and private vaults
  • Ability to create links to passwords
  • Mandatory 2FA
  • Time of automatic logout when inactive
  • Authorization method (by local password, LDAP password or SSO)
  • API usage
  • Interface language

We're already working to add new settings.

If you are already using Passwork — update your Passwork
Or request a free demo at passwork.pro

Introducing Custom settings

Nov 10, 2022 — 5 min read

Multi-factor authentication (often known as MFA for short), refers to the process of confirming the identity of a user who is attempting to log in to a website, application, or another type of resource using more than one piece of information. Indeed, multi-factor authentication is the difference between entering a password to gain access to a resource and entering a password plus a one-time password (OTP), or a password plus the answer to a security question. Another example of multi-factor authentication is entering a password plus the answer to a security question.

Multi-factor authentication provides greater assurance that individuals are who they claim to be by requiring them to confirm their identity in more than one way. This, in turn, reduces the risk of unauthorised access to sensitive data. Multi-factor authentication requires individuals to confirm their identity in more than one way. After all, entering a stolen password to get access is one thing; it is quite another to enter a stolen password and then be needed to additionally input an OTP that was sent to the smartphone of the real user.

Multi-factor authentication can be achieved through the use of any combination of two or more factors. Two-factor authentication is another name for the practice of using only two factors to verify a user's identity.

How Does MFA work?

MFA is effective because it necessitates the collection of extra verification information (factors). One-time passwords are one of the multi-factor authentication mechanisms that consumers encounter most frequently (OTP). OTPs are the four-digit to eight-digit codes that you frequently receive through email, SMS, or a mobile application of some kind. When using OTPs, a fresh code will be created at predetermined intervals or whenever an authentication request is sent in. The code is created based on a seed value that is assigned to the user when they first register and some other component, which might simply be a counter that is incremented or a time value. This seed value is used in conjunction with some other factor to generate the code.

The three categories of multi-factor authentication methods

Generally speaking, a technique of multi-factor authentication will fall into one of these three categories:

•  Something you are familiar with: a PIN, password, or the solution to a security question

•  Something you own: an OTP, a token, a trusted device, a smart card, or a badge

•  Something you are, such as your face, fingerprint, retinal scan, or other biometric information

Methods of multi-factor authentication

In order to accomplish multi-factor authentication, you will need to utilise at least one of the following methods in addition to a password.

Biometrics

A method of verification that depends on a piece of hardware or software being able to recognize biometric data, such as a person's fingerprint, facial characteristics, or the retina or iris of their eye.

Push to approve

A notice is shown on someone's smartphone that prompts the user to tap their screen in order to accept or deny a request for access to their device.

One-time password (OTP)

A collection of characters that are created automatically and are used to authenticate a user for a single login session or transaction only.

An SMS

A method for sending a One-Time Password (OTP) to the user's smartphone or other devices.

Hardware token

A compact, portable OTP-generating device that is sometimes referred to as a key fob.

Software token

A token that does not exist in the form of a physical token but rather as a software program that can be downloaded onto a smartphone or other device.

The advantages of multi-factor authentication

Enhancing the level of safety

Authentication that takes into account many factors is more secure. After all, when there is only one mechanism defending a point of access, such as a password, all a malicious actor needs to do to get admission is figure out a means to guess or steal that password. This is the only thing that needs to be done in order to acquire access. However, if admittance additionally needs a second (or perhaps a second and a third) element of authentication, then it becomes far more difficult to obtain access, particularly if the requirement is for something that is more difficult to guess or steal, such as a biometric characteristic.

Providing support for various digital initiatives

Multi-factor authentication is a key enabler in today's business world, where more companies are keen to deploy remote workforces, more customers want to purchase online rather than in shops, and more companies are migrating apps and other resources to the cloud. In this day and age, it can be difficult to ensure the safety of organisational and e-commerce resources. Multi-factor authentication can be an extremely useful tool for assisting in the protection of online interactions and financial transactions.

Are there any disadvantages to multi-factor authentication?

It is feasible to establish a less easy-to-access environment while building a more secure one — and this might be a disadvantage (this is especially true as zero trust, which sees everything as a possible threat, including the network and any apps or services running on it, gains acceptance as a safe access basis). No employee wants to spend additional time each day dealing with several impediments to getting on and accessing resources, and no consumer wants to be slowed down by multiple authentication procedures. The objective is to strike a balance between security and convenience so that access is secure but not so onerous that it causes excessive hardship for those who legitimately require it.

The role of risk-based authentication in multi-factor authentication

One technique to achieve a balance between security and convenience is to increase or decrease authentication requirements based on the risk associated with an access request. This is what risk-based authentication entails. The risk might be associated with either what is being accessed or who is requesting access.

The risk presented by what is accessed

For example, if someone seeks digital access to a bank account, is it to initiate a money transfer or simply to verify the status of an existing transfer? Or, if someone interacts with an online shopping website or app, is it to place an order or to monitor the progress of an existing purchase? For the latter, a username and password may be sufficient, but multi-factor authentication makes sense when a high-value item is at stake.

The risk is presented by the person requesting access

When a remote employee or contractor seeks access to the corporate network from the same city, on the same laptop, day after day, there's little reason to assume it's not that person. But what happens when a request from Mary in Minneapolis arrives from Moscow unexpectedly one morning? A request for extra authentication is warranted due to the possible danger – is it really her?

The future of Multi-Factor Authentication: AI, Machine Learning and more

Multi-factor authentication is always improving to provide enterprises with access that is both more secure and less unpleasant for individuals. Biometrics is an excellent example of this concept. It's more secure, since stealing a fingerprint or a face is difficult, and it's more convenient because the user doesn't have to remember anything (such as a password) or make any other substantial effort. The following are some of the current advancements in multi-factor authentication.

Machine learning (ML) and artificial intelligence (AI)

AI and ML may be used to identify characteristics that indicate if a particular access request is "normal" and as such, does not require extra authentication (or, conversely, to recognize anomalous behaviour that does warrant it).

Online Quick Identity (FIDO)

The FIDO Alliance's free and open standards serve as the foundation for FIDO authentication. It facilitates the replacement of password logins with safe and quick login experiences across websites and applications.

Authentication without a password

Rather than utilising a password as the primary means of identity verification and complementing it with alternative non-password methods, passwordless authentication does away with passwords entirely.

Be certain that multi-factor authentication will continue to evolve and develop in the pursuit of methods for individuals to show they are who they say they are — reliably and without having to jump through an endless number of hoops.

What exactly is multi-factor authentication (MFA) and how does it work?

Nov 10, 2022 — 4 min read

It's possible that you've become familiar with the term "time-based one-time passwords" (TOTP) in relation to "two-factor authentication" (FA) or "multi-factor authentication" (MFA).

However, do you really understand TOTP and how they work?

The Meaning of TOTP

"Time-Based One-Time Passwords” refer to passwords that are only valid for 30-90 seconds after they have been formed with a shared secret value and the current time on the system.

Passwords are almost always composed of six-digit sequences that are changed every thirty seconds. On the other hand, some implementations of TOTP make use of four-digit codes that become invalid after a period of 90 seconds.

An open standard is used in the TOTP algorithm, and this standard is detailed in RFC 6238.

What is a shared secret?

TOTP authentication uses a shared secret in the form of a secret key that is shared between the client and the server.

To the naked eye, the Shared Secret seems to be a string with a representation in Base32 that is similar to the following:

KRUGS4ZANFZSAYJAONUGC4TFMQQHGZLDOJSXIIDFPBQW24DMMU======

Computers are able to comprehend and make sense of information even if it is not legible by humans in the manner in which it is presented.

The client and the server both have a copy of the shared secret safely stored on their respective systems after a single transmission of the secret.

If an adversary is able to discover the value of the shared secret, then they will be able to construct their own unique one-time passcodes that are legitimate. Because of this, every implementation of TOTP needs to pay particular attention to securely storing the shared secret in a safe manner.

What is system time?

There is a clock that is integrated into every computer and mobile phone that measures what is referred to as Unix time.

Unix time is measured in terms of the number of seconds that have passed since January 1, 1970, at 00:00:00 UTC.

Unix time appears to be nothing more than a string of numbers:

1643788666

This small number, however, is excellent for the generation of an OTP since the majority of electrical devices using Unix time clocks are sufficiently synced with one another.

Implementations of the TOTP Authentication Protocol

The use of passwords is not recommended. However, you may increase security by combining a traditional password with a time-sensitive one-time password (TOTP). This combination is known as two-factor authentication or 2FA, and it may be used to authenticate your accounts, virtual private networks (VPNs), and apps securely.

TOTP can be implemented in hardware and software tokens:

•  The TOTP hardware token is a physical keychain that displays the current code on a small screen

•  The TOTP soft token is a mobile application that displays a code on a phone’s screen

It makes no difference whether you use software tokens or hardware tokens. The purpose of using two different forms of authentication is to increase the level of protection afforded to your online accounts. You have access to a one-time password generator that you may use during two-factor authentication to obtain access to your account. This generator is available to you regardless of whether you have a key fob or a smartphone with an authentication app.

How does a time-based one-time password work?

The value of the shared secret is included in the generation of each time-based one-time password (TOTP), which is dependent on the current time.

To produce a one-time password, the TOTP method takes into account both the current Unix time and the shared secret value.

The counter in the HMAC-based one-time password (HOTP) method is swapped out for the value of the current time in the time-based one-time password algorithm, which is a version of the HOTP algorithm.

The one-time password (TOTP) technique is based on a hash function that, given an input of indeterminate length, generates a short character string of fixed length. This explanation avoids getting too bogged down in technical language. If you simply have the result of a hash function, you will not be able to recreate the original parameters that were used to generate it. This is one of the hash function's strengths.

It is essential to keep in mind that TOTP offers a higher level of security than HOTP. Every 30 seconds, a brand new password is produced while using TOTP. When using HOTP, a new password is not created until after the previous one has been entered and used. The fact that the one-time password for HOTP continues to work even after it has been used for authentication leaves hackers with a significant window of opportunity to mount a successful assault.

Authentication using Multiple Factors (MFA)

A user must first register their TOTP token in any multi-factor authentication (MFA) system that supports a time-based one-time password before they can use the device to connect to their account.

Some TOTP soft tokens need the registration of a different OTP generator for each account. This effectively implies that if you add two accounts to your authenticator app, the program will produce two temporary passwords, one for each account, every 30 seconds. A single TOTP soft token (authenticator program) may support an infinite number of one-time password generators. Individual one-time password generators safeguard the security of all other accounts in the case where the security of an account is compromised.

To use 2FA, a secret must be created and shared between the TOTP token and the security system. The security system's secret must then be passed to the token.

How is the shared secret sent to the token?

Typically, the security system creates a QR code and requests that the user scan it using an authenticator app.

A QR code of this type is a visual depiction of a lengthy string of letters. The shared secret is, roughly speaking, part of this lengthy sequence.

The software will string the image and extract the secret when the user scans the QR code using the authenticator app. The authenticator program may now utilize the shared secret to generate one-time passwords.

When registering a TOTP token, the secret is only sent once. Many of the concerns about stealing the private key are alleviated. An adversary can still steal the secret, but they must first physically steal the token.

It works even when you're not connected to the internet!

To use the TOTP technique, you do not need an active internet connection on your smartphone or a physical key.

The TOTP token only needs to obtain the shared secret value once. The security system and the OTP generator may thus produce successive password values without needing to communicate. As a consequence, time-based one-time passwords (TOTP) operate even when the computer is turned off.

All about Time-Based One-Time Passwords (TOTP)

Oct 27, 2022 — 5 min read

Facial recognition is a technology-based method of identifying a human face. Such a recognition system maps facial characteristics from an image or video using biometrics. To identify a match, it compares the information gained to a database of known faces. Facial recognition may aid in the verification of a person's identification, but it also presents privacy concerns.

The facial recognition industry is predicted to expand from $4 billion in 2017 to $7.7 billion in 2022. This is due to the fact that such technology holds several business uses including monitoring and marketing.

But here's where things become difficult. If you value your privacy, you undoubtedly want some say over how your personal information (your data) is utilised. The truth is, your "faceprint" is your personal information.

How does facial recognition work?

You might be adept at identifying people's faces. You probably have no trouble recognizing the face of a family member, friend, or acquaintance. You recognize their facial characteristics — their eyes, nose, and mouth and their facial movements.

That is exactly how a face recognition system operates but on a much larger, computational scale. Recognition technology sees data where you see a face. That information may be saved and retrieved. According to Georgetown University research, half of all American adults have their photos recorded in one or more facial-recognition databases that law enforcement authorities may consult should they wish to.

So, how does facial recognition really work? Although certain technologies differ, most follow a standard procedure:

•  A photograph or video of your face is obtained. Your face might be scanned alone or in a crowd. Your photo might show you gazing straight ahead or almost in a profile view.

•  The geometry of your face is scanned by facial recognition software. The distance between your eyes and the distance from your forehead to your chin are important considerations. The program recognizes facial landmarks — one system even recognizes 68 of them – which are all important in differentiating your face. As a consequence, your facial signature is created.

•  A database of known faces is matched to your facial signature, which is a mathematical formula. Consider the following: At least 117 million people in the United States have photos of their faces in one or more police databases. The FBI has access to 412 million of such pictures for searches, according to a May 2018 report.

•  A decision is made. Your faceprint could match one in a database bringing back a positive result.

How effective is facial recognition?

Experts are concerned that face recognition might result in incorrect identifications. What if a police agency wrongly identifies someone smashing a shop window during a riot as someone who was nowhere near the incident using facial recognition technology? How probable is it that such an incident will occur?

It depends. According to the National Institute of Standards and Technology tests, the top face recognition algorithm has an error rate of under 0.08% as of April 2020. This is a significant improvement from 2014 when the best algorithm on the market had an error rate of 4.1%.

According to a 2020 report by the Centre for Strategic & International Studies (CSI), accuracy is greater when identification algorithms are used to match persons to clear, static photos, such as passport photos and mugshots. When applied in this manner, face recognition algorithms achieved up to 99.97% accuracy on the National Institute of Standards and Technology's Facial Recognition Vendor Test.

In practice, however, accuracy rates are often lower. According to the CSI report, the Facial Recognition Vendor Test discovered that the mistake rate for one algorithm increased from 0.1% when faces were matched to high-quality mugshots to 9.3% when faces were matched against images of people caught in public. When individuals were not looking straight at the camera or were partly concealed by shadows or objects, error rates increased.

Another issue is ageing. According to the Facial Recognition Vendor Test, middle-tier facial recognition algorithms exhibited mistake rates that increased by roughly a factor of ten when attempting to match photographs of participants shot 18 years earlier.

Who employs facial recognition?

Many individuals and organisations utilise face recognition in a variety of settings. Here are a few examples:

Airport administration

In airports, facial recognition technologies can monitor persons entering and exiting. The technology has been utilised by the Department of Homeland Security to identify persons who have overstayed their visas or are under criminal investigation.

Product manufacturers of mobile phones

Apple originally employed facial recognition to unlock the iPhone X, and since, the technology has been carried over to all subsequent models. Face ID authenticates — it ensures that you are who you say you are when you access your phone. According to Apple, the likelihood of a random face unlocking your phone is one in one million.

Websites for social networking businesses

When you post a picture to Facebook, an algorithm is used to detect faces. If you wish to tag others in your images, the social media firm will ask you. If you answer yes, a connection to their profiles is created. Facial recognition on Facebook is 98 percent accurate.

Entrance businesses and restricted zones

Some businesses have abandoned security badges in favour of facial recognition technologies.

Religious congregations at places of worship

Face recognition has been used by churches to scan their congregations to see who is there. It's a fantastic method to keep track of regulars and irregulars, as well as to adapt contribution requests.

Campaign marketers and advertisers

When targeting groups for a product or concept, marketers often consider factors such as gender, age, and ethnicity. Even during a performance, facial recognition may be used to determine such audiences.

The use of facial recognition in police enforcement

Today, facial recognition databases play an important role in law enforcement. According to an Electronic Frontier Foundation investigation, law enforcement agencies frequently collect mugshots from jailed people and compare them to local, state, and federal face recognition databases.

Law enforcement organisations may use these mugshot databases to identify persons in images collected from a number of sources, including closed-circuit television cameras, traffic cameras, social media, and photos taken by police officers themselves.

According to the Electronic Frontier Foundation, police officers may also use their mobile phones, tablets, or other devices to take images of cars or pedestrians and instantaneously match their photos to the faces in one or more facial recognition databases.

In addition, police enforcement has utilised face recognition to identify persons who may be sought in connection with crimes at huge events such as concerts, sports events, or the Olympics.

Several face recognition technologies are available to the federal authorities. Its primary database, however, is the FBI's Next Generation Identification system. This collection comprises over 30 million images.

Conclusion

Opponents of face recognition systems argue that although they give some protection, it is not enough to outweigh a feeling of independence and freedom. Many people believe that the usage of these technologies violates their privacy, but their worries don't stop there. They also emphasise the dangers of identity theft. Even face recognition companies recognize that as the technology becomes more widely used, the probability of identity theft or fraud increases.

As with many emerging technologies, the enormous promise of facial recognition has its downsides, but manufacturers are working to improve the usability and accuracy of their systems every day.

All about facial recognition