Tuesday, July 23, 2013

Security+ Topic - AAA

AAA, no not alcoholics anonymous after-party! We are talking about Authentication, Authorization, and Accounting. These three things are the key components to how users and other services are able to work in conjunction with each other.


Authentication is the process where the server tries to correctly identify the user or system service in order to process further requests. This could be for secured information or services that require elevation to run. As of this writing there isn't anything as drastic as a blood sample to determine who you are but there are some cool technologies such as retina scanning that can provide for highly accurate detection of the correct authentication. Even still, the most basic way to provide the authentication is a simple username and password.


Authorization is the level of access that a user is given. The resources available at that level could be files or system processes.


Accounting is the process for which log files are created after events occur. Depending on the set detail level, the logs could contain simple timestamps or other more detailed actions that happened.


When it comes to the security of your credentials there are some basic rules to cover. They may seem redundant but in my history as a Network Administrator it astounds me that some people still don't see the importance of a complex password.
  • Never write it down!
  • Use a different password for different systems/websites
  • Minimum 8 characters long
  • Use at least one of each: Uppercase, Lowercase, Number, Special Characters
  • Change passwords ideally every 60 days, minimum twice a year
  • Never use the same password


The main issue that I run into when dealing with people setting passwords is that they cannot remember it very easily. The complexity requirements are so high that even after they type it in, they forget it almost right away. To help with this situation, try to remember a phrase or song that you like and base the password off of the that. “Mary had a little lamb, her fleece was white as snow” = mh@L1h5WW@$ It sure looks complicated when you look at it but try singing the song as you look at the characters. It becomes quite simple after that. Also notice that it has all the requirements listed above. It is the passwords like this that will keep people from guessing it, and brute force attempts at bay.


One thing to mention here is the use of substitution. In the password above I used some common substitutions such as @ for a and $ for s. While this is ok to certain extent, you wouldn't want to make something obvious into a substitution. Take my last name of McShinsky. M3$h1n$kY would be a poor choice as it would be easy for an attack to make substitutions of the letters in my name when attempting to guess my password.


Lastly I would like to comment on password managers. Are they right for you? In some cases they can be. It is possible for you to never know the password to your websites you visit. A password manager could generate a very complex password and then remember it for the next time you visit the site. The passwords would never be the same between sites and even if one site got compromised, there would be no way to use that password to log into any other sites you visit.

-- Joe McShinsky