Interview: Passwords and IT Security – Digital


School lessons take place via webcam, work is done on a private laptop. During the corona pandemic, people are using more and more devices, logging into countless web shops and online services – and increasingly losing track of their passwords. Sven Bugiel, head of the “Trustworthy Systems” research group at the Cispa Helmholtz Center for Information Security in Saarbrücken, knows how to protect yourself from cyber attacks.

SZ: In the past year, not only conferences were shifted to digital – but also school lessons, private meetings or discussions like this one. Has the corona crisis made the attack surface for hackers bigger?

Sven Bugiel: Definitely. People who previously rarely surfed the Internet now have to deal with all kinds of IT problems. Phishing campaigns have therefore become much more successful and malware spreads faster. Normally you would talk to your boss between the door and the hinge in the office. That no longer applies. It’s getting harder to tell a real boss email from a phishing email. After all, both can come from the usual address.

Should you change your password regularly or only after it has been stolen?

It used to be said that you should change your password regularly. Many assumed that it would be cracked anyway and that it would be better to change it proactively. However, this has proven counterproductive. Because it only confronts us more often with the question: How do I create a new secure password? With every change, users become less creative. For example, you only vary the number after a basic password. 2020 will become 2021. It makes sense to change the password if there has been a security incident or if it was already too weak. But changing your password once a year just out of regularity is nonsense.

Once you have changed to a better password, it still has to be stored properly. What do you think when you see scratch slips with login details?

The slip of paper is not condemned per se. It depends on who has access to such a piece of paper. If you trust the people who have access to it, such as your partner or roommate, at least nothing can be hacked. Unfortunately, it happens again and again that such pieces of paper can be seen in the background during video conferences.

Would you prefer a digital password manager?

Exactly, because it not only collects the passwords, it can also create passwords for us. These passwords are then unique, long and complex. In other words, everything that many of the invented passwords are usually not. If I have to manually enter 20 characters that I have written on a piece of paper each time, it will eventually appear on the pointer. A password manager does more than just store the data. It inserts them directly when logging in and can be synchronized across different devices. Password managers only make sense if I store secure passwords in them. Often, they’ll alert you when your password is weak.

How does the program decide which passwords are weak and which are strong?

Among other things, these programs know which passwords have already appeared in data leaks, that is, which passwords have been used and stolen before. They also point out passwords that are used multiple times, which should be avoided. Words that are also in the Duden or have only eight characters are easy to crack. A computer can create a password that is unique in the world. If a user unconsciously reveals this password in the context of phishing, catches a keylogger or sends the password over an insecure connection, a password generated by the computer will not help either. In that case two-factor authentication should be used. A strong password alone is not enough. I also advise against copying the password from the manager and pasting it on the website. The risk is too great that it will be cached and still end up somewhere else.
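The weakness checks Bugiel describes here (leaked passwords, reuse, dictionary words, short length), together with the “2020 becomes 2021” variation he warns about earlier in the interview, as an added example. This is not code from the interview or from any particular password manager; the leaked-hash corpus, the word list, the vault contents and the 12-character threshold are all constructed assumptions for the example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
)

// Finding is one reason a password manager would warn about a password.
type Finding string

const (
	TooShort   Finding = "too short (under 12 characters)"
	Breached   Finding = "appeared in a known data leak"
	Dictionary Finding = "dictionary word, possibly with a trivial suffix"
	Reused     Finding = "already used for another account"
	Variation  Finding = "trivial variation of a password stored for another account"
)

func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// breachedHashes is a constructed stand-in for a leaked-password corpus.
// Real managers compare against hundreds of millions of leaked hashes;
// here the corpus is just "password" and "letmein".
var breachedHashes = map[string]bool{
	sha1Hex("password"): true,
	sha1Hex("letmein"):  true,
}

// dictionary is a constructed stand-in for a full word list (the Duden,
// an English dictionary, common first names, and so on).
var dictionary = map[string]bool{
	"password": true, "sommer": true, "sunshine": true, "dragon": true,
}

// stem lower-cases a password and strips trailing digits and punctuation,
// so "Sommer2020!" and "Sommer2021!" both become "sommer".
func stem(pw string) string {
	return strings.ToLower(strings.TrimRightFunc(pw, func(r rune) bool {
		return unicode.IsDigit(r) || unicode.IsPunct(r) || unicode.IsSymbol(r)
	}))
}

// Assess returns every weakness found in candidate, given the passwords
// the vault already stores for other accounts (account name -> password).
// A nil result means no finding.
func Assess(candidate string, vault map[string]string) []Finding {
	var out []Finding
	if len([]rune(candidate)) < 12 { // threshold is an assumption for this example
		out = append(out, TooShort)
	}
	if breachedHashes[sha1Hex(candidate)] {
		out = append(out, Breached)
	}
	if dictionary[stem(candidate)] {
		out = append(out, Dictionary)
	}
	reused, varied := false, false
	for _, stored := range vault {
		switch {
		case stored == candidate:
			reused = true
		case stem(candidate) != "" && stem(stored) == stem(candidate):
			varied = true
		}
	}
	if reused {
		out = append(out, Reused)
	}
	if varied {
		out = append(out, Variation)
	}
	return out
}

// Has reports whether findings contains f.
func Has(findings []Finding, f Finding) bool {
	for _, x := range findings {
		if x == f {
			return true
		}
	}
	return false
}

func main() {
	// Constructed vault contents for the demonstration.
	vault := map[string]string{
		"webshop": "Sommer2020!",
		"mail":    "tq7$Vb2!mZ9pL#wE",
	}
	for _, pw := range []string{"password", "Sommer2021!", "Sommer2020!", "tq7$Vb2!mZ9pL#wE", "rV3&hq8Zp!2mNc4L"} {
		fmt.Printf("%-20s %v\n", pw, Assess(pw, vault))
	}
}
```

The breach check hashes the candidate and looks the hash up rather than storing plaintext leaked passwords, which is also why a manager can perform this check without ever sending the password itself to a lookup service.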

Which password managers are recommended?

That depends on the habits. The program and its functions should suit the lifestyle. There are some who synchronize via their own services or via Dropbox. Others have plug-ins for all browsers. Many browsers also have pre-installed password managers, such as Google Chrome. This one, like Apple’s password manager, is a free program that definitely serves its purpose. The differences between such programs are no longer that great; almost all of them are quite good now. With the paid programs, you tend to pay for additional functions such as device support.

That sounds practical. And yet only about a third of German internet users use a password manager. Why?

The cost is certainly a factor. Or the poor usability is a deterrent. In addition to the technical reasons, there are the psychological ones. After all, you give a password manager a certain leap of faith. You entrust your data to software that can never be error-free. Before, I only knew which password I set for which service in my head. Some fear this loss of control.

How long will the password chaos be with us, be it digital or on the scrapbook?

There are new initiatives that give hope for a passwordless future. For example, new web standards such as WebAuthn or FIDO2. These are procedures for multi-factor authentication that can also be used without passwords. In our surveys at the Helmholtz Center for Information Security, many participants said that they found such a procedure convenient. Especially because they often already know how to log in with a fingerprint from their smartphone. However, it also triggers discomfort because users now have to entrust themselves to biometric processes or hardware such as a security USB stick and are no longer allowed to lose or misplace this hardware. This is where the loss of control comes into play again.

Especially since, unlike a password, biometric data cannot simply be changed. What happens if, for example, the fingerprint ends up on the Internet?

That is problematic. A fingerprint is not as easy to reset as a password. But even if the fingerprint is stolen, it is relatively difficult with modern smartphones to log in to someone. Biometric factors are usually stored in order to unlock another secret, such as a secret key. Only this is then used to log on to the server. That means: even if someone had my fingerprint, they would still have to physically get to my device on which this secret is stored. This is possible, but it would be a targeted attack against the user and could not be used on a large scale against hundreds of thousands of users. This type of authentication can often put a stop to mass phishing.
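The structure Bugiel sketches in the last two answers, where a biometric check only unlocks a secret key held on the device and the server sees nothing but a signature over its own challenge, as an added example in Go. It is not code from the interview, from CISPA, or from the WebAuthn/FIDO2 specifications; it is a simplified sketch of the same shape. The string comparison standing in for biometric matching, the `https://bank.example` origin and the “fingerprint sample” are constructed assumptions, and the message actually signed in WebAuthn carries more fields than the origin-plus-challenge digest used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models a phone or security key. The private key never leaves it;
// the biometric check only decides whether the key may be used.
type Device struct {
	priv     *ecdsa.PrivateKey
	template string // constructed stand-in for an enrolled fingerprint
	unlocked bool
}

// NewDevice generates the device-bound key at enrolment time.
func NewDevice(template string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, template: template}, nil
}

// Unlock compares a presented sample with the enrolled template. A real
// device matches biometric templates inside a secure element; here a
// string comparison stands in for that.
func (d *Device) Unlock(sample string) bool {
	d.unlocked = sample == d.template
	return d.unlocked
}

// PublicKey is the only thing the server ever learns about the device.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a login challenge. The origin is supplied by the browser,
// not typed by the user, so a page at a phishing origin only ever obtains
// a signature over the wrong origin.
func (d *Device) Sign(origin string, challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: biometric check has not passed")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(origin, challenge))
}

// Server holds public keys only; a copy of its database contains nothing
// that can be used to log in.
type Server struct {
	Origin string
	keys   map[string]*ecdsa.PublicKey
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, keys: map[string]*ecdsa.PublicKey{}}
}

func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the server's own origin and the
// challenge it issued; anything signed for another origin fails here.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(s.Origin, challenge), sig)
}

// digest binds the signed message to both the origin and the challenge.
func digest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

func main() {
	dev, _ := NewDevice("thumb-sample-42") // constructed enrolment
	srv := NewServer("https://bank.example")
	srv.Register("alice", dev.PublicKey())

	ch, _ := srv.Challenge()
	_, err := dev.Sign(srv.Origin, ch)
	fmt.Println("locked device signs:", err == nil)

	dev.Unlock("thumb-sample-42")
	sig, _ := dev.Sign(srv.Origin, ch)
	fmt.Println("genuine origin accepted:", srv.Verify("alice", ch, sig))

	phished, _ := dev.Sign("https://bank.example.phish.test", ch)
	fmt.Println("phishing origin accepted:", srv.Verify("alice", ch, phished))
}
```

The point Bugiel makes about scale follows from the types: a leaked fingerprint is useless without the `Device` that holds the private key, and a stolen `Server` database is useless because it holds only public keys, so an attacker is reduced to targeting one user's physical device rather than harvesting credentials from hundreds of thousands of users.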

Where do you see the greatest point of attack among private Internet users?

With the primary email account. It gives the hacker direct access to other accounts. No matter which service I use, if I want to reset my password, I need this account. This would enable the hacker to better imitate me in communication. If a fake message comes from several of my accounts, it becomes more believable. Social engineering attacks – methods in which users are supposed to be tricked into revealing their data themselves – fell on fertile ground last year: the fear of the pandemic, the switch to the home office and new data protection regulations tempt users to click faster on links or attachments in emails.
