CS50: Securing Accounts || June 10, 2025

CS50: Securing Accounts

  • EQ: 

    • What are the threats to online accounts?

    • What are the defenses to keep online accounts secure?

  • Building Blocks of Security:

    • Authentication: The digital process of proving who you are

      • Not enough alone to keep a system secure

      • User may not need access to the specific item

    • Authorization: Should said person have access to said item once they’ve proven who they are

      • Works in tandem with Authentication

    • Usernames: A name to uniquely identify a user

      • Often public

    • Passwords: Allow users to authenticate themselves by proving they know both the username and the password.

      • Should be distinct and not reused

  • Types of Attacks:

    • Dictionary Attacks: Testing several plain words as a password in an attempt to gain access to a restricted account

    • Brute-Force Attacks: Using software to try all possible passwords.

      • Passwords that are too short are vulnerable to these

        • Ex. 4-digit passwords

          • Only 10,000 (10^4) possible combinations

          • Takes only a few milliseconds to crack

          • Could be improved by using 4 letters instead of numbers:

            • Lowercase + Uppercase letters = 52^4 possible combinations

            • However, can still be broken in a few seconds

          • Using special characters, numbers, and both letter forms can make it even more secure:

            • 94^4 possible combinations

            • This could take several minutes

        • 8 characters is now the standard

          • 94^8 possible combinations when including special characters, numbers, and both letter forms

            • Far too many to brute-force quickly

      • Adding complexity to a password raises the bar for attackers to brute-force systems.

        • However, the longer and more complex a password is, the harder it is to remember

          • Needing to balance usability and security is the difficult part

      • Defenses:

        • National Institute of Standards and Technology (NIST)

          • Issues recommendations for how consumers and companies can secure accounts more effectively.

            • “Memorized secrets SHALL be at least 8 characters in length…”

            • “Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.” (Websites should allow passwords as long as 64 characters)

              • Users could use a sentence that would be much easier to remember.

              • Not followed by many websites

            • “...verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised…”

            • “Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information when choosing memorized secrets.”

              • Not followed by many websites

            • “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily”

              • Violated by many companies

              • Causes passwords to be easily forgotten

              • Users put minimal effort into choosing the replacement, so if past passwords are leaked, newer passwords will be easier to guess

            • “Verifiers SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account…”

              • Used often by many companies (ex. Apple “iPhone is disabled”)

                • Usually activated after 10 failed attempts

                • Slows down attackers and increases the risk to the attacker
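The NIST rules quoted above (minimum of 8 characters, allow up to 64, reject commonly used or compromised values, and rate-limit failed attempts) as a small added Python example; this is not code from the lecture, and the blocklist, the 15-minute lockout and the account names are constructed for illustration:

```python
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 8, 64       # "at least 8 characters", "permit at least 64"
MAX_FAILURES = 10              # lockout threshold mentioned in the notes
LOCKOUT_SECONDS = 15 * 60      # constructed value for this example
# Constructed sample of "commonly-used, expected, or compromised" values.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "iloveyou1"}

def check_new_secret(secret: str) -> tuple[bool, str]:
    """Apply the quoted NIST length and blocklist rules to a candidate."""
    if len(secret) < MIN_LEN:
        return False, "too short"
    if len(secret) > MAX_LEN:
        return False, "too long"   # reject only beyond the 64-char ceiling
    if secret.lower() in BLOCKLIST:
        return False, "commonly used or compromised"
    return True, "ok"

def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2, so a leaked credential table does not expose secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Verifier:  # rate-limits failed logins per account, locks after MAX_FAILURES
    def __init__(self):
        self._accounts = {}      # user -> (salt, pbkdf2 hash)
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> time (seconds) the lockout ends

    def register(self, user: str, secret: str) -> bool:
        ok, _ = check_new_secret(secret)
        if ok:
            salt = os.urandom(16)
            self._accounts[user] = (salt, hash_secret(secret, salt))
        return ok

    def login(self, user: str, secret: str, now: float) -> str:
        if self._locked_until.get(user, 0) > now:
            return "locked"      # refuse before even testing the secret
        salt, stored = self._accounts.get(user, (b"", b""))
        if stored and hmac.compare_digest(stored, hash_secret(secret, salt)):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
        return "denied"
```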

      • Two-Factor Authentication (2FA):

        • AKA Multi-Factor Authentication (MFA)

        • Factors come in different types:

          • Knowledge Factor: Something you know and is kept secret

            • (ex. password)

          • Possession Factor: Something that you have.

            • (ex. SMS verification code sent to your iPhone)

          • Inherence Factor: Something that is unique to you specifically

            • Most commonly biometrics

              • (ex. fingerprint or Face ID)

        • One-Time Password (OTP):

          • Sent via a text, notification, app, or keychain

          • Some are more secure than others

        • Threats:

          • Text messages are less secure than an app

          • SIM Swapping

            • Attackers can figure out your unique ID and convince your phone provider that you have acquired a new SIM card, giving them access to all of your text messages and phone calls.

          • Keylogging

            • Software can record every keystroke on your keyboard and upload them to the attacker's system.

            • This allows them to access not only your username and password, but also any OTPs that get sent.

            • More sophisticated attack to deal with

    • Credential Stuffing:

      • Attackers take a list of usernames and passwords that were previously leaked and try them on a different application or website

        • In order to be immune to these attacks, use different credentials on every account.

          • Usernames can be duplicated, but passwords should differ

    • Social Engineering:

      • Creating a circumstance in which the person asking for a password appears trustworthy, then using the password maliciously

        • Immunization to these attacks requires skepticism

          • Don’t answer questions about personal matters (ex. “What was the name of your first pet?” “What’s your mother’s maiden name?”)

      • Phishing:

        • Pretending to be someone else in order to get you to click a link and give them all of your personal information

          • Can be seen on Social Media as well

            • Ex. a post saying “What was your favorite song as a child?” may be hoping that you’ve used it as a password

        • Always check the URL bar to make sure the link is correct before typing in any personal information

          • Instead of clicking the link, open a new tab and manually type in the website you need to go to.

    • Machine-in-the-Middle Attacks:

      • Using a machine in the middle of a communication maliciously to steal, store, or view data

        • Ex. Routers

      • More sophisticated attack

  • Solutions:

    • Single Sign-On (SSO):

      • The ability to log into a website using an account from another website

        • Often Google, Facebook, or maybe Twitter (X)

      • If you already have an account with another website, have 2FA enabled, and have a strong password, it is easier for the user to log in with said account.

        • This increases usability and safety, as more effort can be put into protecting just the main 1-3 accounts that you actually use.

      • The password of the original account is never given to the host website; it receives only the username and a confirmation signal (protected by encryption)

    • Password Managers:

      • If you’re not using a password manager, you should be

      • All accounts would have unique and stronger passwords, but they’re remembered by a system rather than the user.

      • They also prevent phishing scams, because they will only paste usernames and passwords into recognized urls.

      • However, if the one password used for the password manager is forgotten, the User is locked out of all accounts.

        • But if the password is too weak, attackers have access to ALL user passwords

      • Becoming increasingly standard

        • Apple iCloud Keychain

        • Google Password Manager

        • Microsoft Credential Manager
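Why a manager "will only paste usernames and passwords into recognized URLs": it keys each saved credential on the exact origin it was saved on, so a look-alike host gets no match and there is nothing to hand to a phishing page. An added Python example of that lookup, not code from any real manager; the vault entries and hostnames are constructed for illustration:

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault for this example: each credential is stored under the
# exact origin (scheme + host) it was saved on, not under how the page looks.
VAULT = {
    "https://accounts.example-bank.test": ("alice", "correct horse battery staple"),
    "https://mail.example.test": ("alice", "a different long passphrase"),
}

def origin_of(url: str) -> Optional[str]:
    """Return 'https://host' for a page, or None if it must never be filled."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None   # plain http could be rewritten by a machine in the middle
    return f"https://{parts.hostname}"   # hostname is already lower-cased

def credential_for(url: str) -> Optional[Tuple[str, str]]:
    """Exact-origin lookup: a look-alike or nested host simply gets nothing."""
    origin = origin_of(url)
    return VAULT.get(origin) if origin else None
```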

    • Passkeys:

      • A pair of values (a private key and a public key) generated by a phone or computer and used to log in

      • iOS integrates with biometrics to generate a passkey that is unlocked via Face ID
