Category Archives: EviPass

image_pdfimage_print
2024, Articles, Cyberculture, EviPass, Password

Human Limitations in Strong Passwords Creation

Posted on by FMTAD
Digital image showing a confused user at a computer surrounded by complex password symbols
22
Jan

How to Create Strong Passwords Despite Human Limitations

Human Limitations in Strong Passwords are crucial in safeguarding our personal and professional data online. But do you know how to craft a robust password capable of thwarting hacking attempts? In this article, we delve into the impact of human factors on password security. Furthermore, you will gain insights on overcoming these limitations and creating formidable passwords.

Shadowy hacker with a laptop in front of a digital map of Russia highlighted in red, symbolizing the origin of Kapeka Malware.

2024 Digital Security

Kapeka Malware: Comprehensive Analysis of the Russian Cyber Espionage Tool
April 18, 2024
A modern cybersecurity control center with a diverse team monitoring national cyber threats during the Andorra National Cyberattack Simulation.

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense
April 15, 2024
Illustration of an Apple MacBook with a highlighted M-series chip vulnerability, surrounded by symbols of data security breach and a global impact background.

2024 Digital Security

Apple M chip vulnerability: A Breach in Data Security
March 25, 2024
Digital world map with cybersecurity icons representing the Cybersecurity Breach at IMF.

2024 Digital Security

Cybersecurity Breach at IMF: A Detailed Investigation
March 15, 2024
Digital world map showing cyberattack paths with Midnight Blizzard, Microsoft, HPE logos, email symbols, and password spray illustrations.

2024 DataShielder Digital Security PassCypher Phishing

Midnight Blizzard Cyberattack Against Microsoft and HPE: What are the consequences?
March 10, 2024
PrintListener technology concept with NFC security solutions.

2024 Digital Security

PrintListener: How to Betray Fingerprints
February 22, 2024
A visual representation of BitLocker Security featuring a central lock icon surrounded by elements representing Microsoft, TPM, and Windows security settings.

2024 Articles Digital Security News

BitLocker Security: Safeguarding Against Cyberattacks
February 10, 2024
Digital shield by Freemindtronic repelling cyberattack against Microsoft Exchange

2024 Articles Digital Security News

How the attack against Microsoft Exchange on December 13, 2023 exposed thousands of email accounts
February 8, 2024

For comprehensive threat assessments and innovative solutions, delve into “Human Limitations in Strong Passwords.” Stay informed by exploring our constantly updated topics..

Human Limitations in Strong Passwords,” authored by Jacques Gascuel, the visionary behind cutting-edge sensitive data security and safety systems, offers invaluable insights into the field of human-created password security. Are you ready to improve your understanding of password protection?

Human Limitations in Strong Passwords: Cybersecurity’s Weak Link

Passwords are essential for protecting our data on the Internet. But creating a strong password is not easy. It requires a balance between security and usability. In this article, we will explain what entropy is and how it measures the strength of a password. We will also explore the limitations and problems associated with human password creation. We will show that these factors reduce entropy and password security, exposing users to cyber attacks. We will also provide some strategies and tips to help users create stronger passwords.

What is Entropy and How Does it Measure Password Strength?

Entropy is a concept borrowed from information theory. It measures the unpredictability and randomness of a system. The higher the entropy, the more disordered the system is, and the harder it is to predict.

In the context of passwords, entropy measures how many attempts it would take to guess a password through brute force. In other words, entropy measures the difficulty of cracking a password. The higher the entropy, the stronger the password is, and the harder it is to crack.

However, entropy is not a fixed value, but a relative measure that depends on various factors, such as the length, composition, frequency, and popularity of the password. We will explain these factors in more detail later.

How Do Cognitive Biases Influence Password Creation?

Cognitive Biases in Password Creation

Cognitive biases, such as confirmation bias and anchoring bias, significantly influence how users create passwords. Understanding “Human Limitations in Strong Passwords” is essential to recognize and overcome these biases for better password security.

Cognitive biases are reasoning or judgment errors that affect how humans perceive and process information. They are often the result of heuristics, mental shortcuts used to simplify decision-making. These biases can have adaptive advantages but also lead to errors or distortions of reality.

In password creation, cognitive biases can influence user choices, leading to passwords that make sense to them, linked to their personal life, culture, environment, etc. These passwords are often predictable, following logical or mnemonic patterns, reducing entropy.

For example, humans are subject to confirmation bias, thinking their password is strong enough because it meets basic criteria like length or composition, without considering other factors like character frequency or diversity.

They are also prone to anchoring bias, choosing passwords based on personal information like names, birthdates, pets, etc., not realizing this information is easily accessible or guessable by hackers.

Availability bias leads to underestimating cyber attack risks because they haven’t been victims or witnesses of hacking, or they think their data isn’t interesting to hackers.

Human Factors in Strong Password Development: Cognitive Biases

Strategies to Overcome Cognitive Biases

To mitigate the impact of cognitive biases, consider adopting better password practices:

  • Utilize a different password for each service, especially for sensitive or critical accounts, such as email, banking, or social media.
  • Employ a password manager, which is a software or application that securely stores and generates passwords for each service. Password managers can assist users in creating and recalling strong, random passwords, all while maintaining security and convenience.
  • Implement two-factor authentication, a security feature that necessitates users to provide an additional verification method, such as a code sent to their phone or email, or a biometric scan, in order to access their accounts. Two-factor authentication can effectively thwart hackers from gaining access to accounts, even if they possess the password.
  • Regularly update passwords, but refrain from doing so excessively, in order to prevent compromise by hackers or data breaches. Users should change their passwords when they suspect or confirm a breach or when they detect suspicious activity on their accounts. It’s also advisable for users to avoid changing their passwords too frequently, as this can lead to weaker passwords or password reuse.

Addressing Human Challenges in Secure Password Creation with Freemindtronic’s Advanced Technologies

Understanding Human Constraints in Robust Password Generation

The process of creating strong passwords often clashes with human limitations. Freemindtronic’s EviPass NFC HSM and EviPass HSM PGP technologies, integral to the PassCypher range, acknowledge these human factors in strong password development. By automating the creation process and utilizing Shannon’s entropy model, these technologies effectively mitigate the cognitive biases that typically hinder the creation of secure passwords.

Password Security and the Fight Against Cyber Attacks

In the context of increasing cyber threats, the security of passwords becomes paramount. Freemindtronic’s solutions offer a robust defense against cyber attacks by generating passwords that exceed conventional security standards. This approach not only addresses the human challenges in creating strong passwords but also fortifies the digital identity protection of users.

Leveraging Entropy in Passwords for Enhanced Security

The concept of entropy in passwords is central to Freemindtronic’s technology. By harnessing advanced entropy models, these systems ensure a high level of randomness and complexity in password creation, significantly elevating password security. This technical sophistication is crucial in overcoming human limitations in generating secure passwords.

Cognitive Biases in Passwords: Simplifying User Experience

Freemindtronic’s technologies also focus on the human aspect of password usage. By reducing the cognitive load through features like auto-fill and passwordless access, these systems address common cognitive biases. This user-friendly approach not only enhances the ease of use but also contributes to the overall strategy for strong password management.

Adopting Strong Password Strategies for Digital Identity Protection

Incorporating strong password strategies is essential in safeguarding digital identities. Freemindtronic’s technologies empower users to adopt robust password practices effortlessly, thereby enhancing digital identity protection. This is achieved through the generation of complex passwords and the elimination of the need for manual password management.

Elevating Password Security in the Digital Age

Freemindtronic’s EviPass NFC HSM and EviPass HSM PGP technologies are at the forefront of addressing human limitations in strong password creation. By integrating advanced entropy in passwords, focusing on user-centric design, and combating the risks of cyber attacks, these technologies are setting new benchmarks in password security and digital identity protection. Their innovative approach not only acknowledges but also effectively overcomes the human challenges in secure password creation, marking a significant advancement in the field of digital security.

Human Constraints in Robust Password Generation

There are various methods to help users create strong, memorable passwords. These methods have pros and cons, which should be understood to choose the most suitable for one’s needs.

Mnemonic Passwords: Balancing Memory and Security

Mnemonic passwords are based on phrases or acronyms, serving as memory aids. For example, using the phrase “I was born in 1984 in Paris” to create the password “Iwbi1984iP”.

Advantages of mnemonic passwords:

  • Easier to remember than random passwords, using semantic memory, more effective than visual or auditory memory.
  • Can be longer than random passwords, composed of multiple words or syllables, increasing entropy.

Disadvantages of mnemonic passwords:

  • Often predictable, following logical or grammatical patterns, reducing entropy.
  • Vulnerable to dictionary attacks, containing common words or personal information, easily accessible or guessable by hackers.
  • Difficult to type, containing special characters like accents or spaces, not always available on keyboards.

The Trade-Off Between Mnemonics and Entropy

To balance memory and security, users should use mnemonics that are not too obvious or common, but rather personal and unique. They should also avoid using the same mnemonic for different passwords, or using slight variations of the same mnemonic. They should also add some randomness or complexity to their mnemonics, such as numbers, symbols, or capitalization.

Random Passwords: Entropy and Ease of Use

Random passwords are composed of randomly chosen characters, without logic or meaning. For example, the password “qW7x#4Rt”.

Advantages of random passwords:

  • Harder to guess than mnemonic passwords, not following predictable patterns, increasing entropy.
  • More resistant to dictionary attacks, not containing common words or personal information.

Disadvantages of random passwords:

  • Harder to remember than mnemonic passwords, not using semantic memory.
  • Can be shorter than mnemonic passwords, composed of individual characters, reducing entropy.

Phrase-Based Passwords: Entropy and Ease of Use

Phrase-based passwords are composed of several words forming a phrase or expression. For example, the password “The cat sleeps on the couch”.

Advantages of phrase-based passwords:

  • Easier to remember than random passwords, using semantic memory.
  • Can be longer than random passwords, composed of multiple words, increasing entropy.

Disadvantages of phrase-based passwords:

  • Often predictable, following logical or grammatical patterns, reducing entropy.
  • Vulnerable to dictionary attacks, containing common words or expressions.
  • Difficult to type, containing spaces, not always accepted by online services.

Evaluating Phrase-Based Password Effectiveness

To evaluate the effectiveness of phrase-based passwords, users should consider the following criteria:

  • Phrase length plays a crucial role: Longer phrases tend to result in higher entropy. However, it’s important to strike a balance, as excessively long phrases can become challenging to type or recall.
  • The diversity of words also matters: Greater word diversity contributes to higher entropy. Nevertheless, it’s essential to avoid overly obscure words, as they might prove difficult to remember or spell.
  • Randomness in word selection boosts entropy: The more random the words, the greater the entropy. Yet, it’s necessary to maintain some level of coherence between words, as entirely unrelated words can pose memory and association challenges.

Human-Generated Random Passwords: Entropy and Ease of Use

Human-generated random passwords are composed of randomly chosen characters by the user, without logic or meaning. For example, the password “qW7x#4Rt”.

Advantages :

  • Harder to guess than mnemonic or phrase-based passwords, increasing entropy.
  • More resistant to dictionary attacks, not containing common words or personal information.

Disadvantages:

  • Harder to remember than mnemonic or phrase-based passwords.
  • Often biased by user preferences or habits, favoring certain characters or keyboard positions, reducing entropy.

The Risks of Low Entropy in Human-Created Passwords

Low entropy passwords have significant consequences on the security of personal and professional data. Weak passwords are more vulnerable to cyber attacks, especially brute force. Hackers can use powerful software or machines to test billions of combinations per second. Once the password is found, they can access user accounts, steal data, impersonate, or spread viruses or spam.

Consequences of Predictable Passwords on Cybersecurity

The consequences of predictable passwords on cybersecurity are:

  • Data breach: Hackers can access user data, such as personal information, financial records, health records, etc. They can use this data for identity theft, fraud, blackmail, or sell it to third parties.
  • Account takeover: Hackers can access user accounts, such as email, social media, online shopping, etc. They can use these accounts to impersonate users, send spam, make purchases, or spread malware.
  • Reputation damage: Hackers can access user accounts, such as professional or academic platforms, etc. They can use these accounts to damage user reputation, post false or harmful information, or sabotage user work or research.

Understanding the Vulnerability of Low Entropy Passwords

Password Length and Entropy

The vulnerability of passwords depends on various factors, including the length, composition, frequency, and popularity of the password. Understanding “Human Limitations in Strong Passwords” is crucial for safeguarding your online data. Longer and more complex passwords offer higher entropy and are harder to crack.

Composition Complexity

Complex passwords that include a variety of character types, such as lowercase, uppercase, numbers, and symbols, significantly enhance security. This aspect of “Human Limitations in Strong Passwords” is often overlooked, but it’s essential for creating robust passwords.

Common vs. Rare Passwords

The frequency and popularity of passwords play a vital role in their vulnerability. Common passwords, like “123456” or “password,” are easily guessed, while rare and unique passwords, such as “qW7x#4Rt” or “The cat sleeps on the couch,” provide more security.

Password Composition

The composition of a password is a critical factor. Passwords based on common words or personal information are easier for hackers to guess. Understanding the impact of “Human Limitations in Strong Passwords” can help you make informed choices about password composition.

These factors collectively influence the time required for brute force attacks to uncover a password. Longer durations enhance password security, but it’s essential to consider the evolving computing power of hackers, which can reduce the time required to crack passwords over time and with advancing technology. Another factor that affects the vulnerability of passwords is their frequency and popularity.

Recurring Password Changes: A Challenge to Password Entropy

Another human limitation in creating strong passwords is the recurrent need to change them. Often mandated by online services for security, regular changes can paradoxically weaken password strength. This practice burdens users with remembering multiple passwords and inventing new ones frequently. It leads to slight modifications of existing passwords rather than generating new, more random ones. This habit reduces password entropy, making passwords more predictable and vulnerable to cyber attacks.

Impact of Frequent Password Updates on Security

Studies have shown that users required to change passwords every 90 days tend to create weaker, less diverse passwords. Conversely, those with less frequent changes generate more random and secure passwords. This illustrates the counterproductive nature of too-frequent mandatory password updates.

The Counterproductive Nature of Mandatory Password Changes

Mandatory password changes are often imposed by online services for security reasons. They aim to prevent password compromise by hackers or leaks. However, mandatory password changes can have negative effects on password security, such as:

  • Elevating cognitive load entails users remembering multiple passwords for each service and crafting new passwords whenever needed.
  • Dampening user motivation occurs when individuals view password changes as unnecessary or ineffective, leading to a neglect of password quality.
  • Diminishing password entropy arises when users opt for making slight modifications to old passwords rather than generating entirely new and random ones.

These effects negatively impact password security, making passwords more predictable and vulnerable to cyber attacks.

Research Insights on Low Entropy in Human Passwords

In this section, we will present some sources and findings from scientific studies conducted by researchers from around the world on passwords and entropy. We have verified the validity and accuracy of these sources using web search and citation verification tools. We have also respected the APA citation style.

Analyzing Global Studies on Password Security

Several studies have analyzed the security of passwords based on real databases of passwords disclosed following leaks or hacks. These studies have measured the entropy and the strength of passwords, as well as the patterns and the behaviors of users. Some of these studies are:

Key Findings from Password Entropy Research

Some of the key findings from these studies are:

  • any users maintain low-entropy passwords, relying on common words, personal information, or predictable patterns.
  • Furthermore, they tend to reuse passwords across multiple services, thereby elevating the risk of cross-service compromise.
  • In addition, they typically refrain from changing passwords regularly, unless prompted to do so by online services or following a security breach.
  • Surprisingly, a significant portion of users remains unaware of the critical importance of password security or tends to overestimate the strength of their passwords.
  • Moreover, a considerable number of users exhibit reluctance towards the adoption of password managers or two-factor authentication, often citing usability or trust concerns.

These findings confirm the low entropy of human passwords, and the need for better password practices and education.

Password Reuse and Its Impact on Entropy

Another issue with human password creation is password reuse, a common practice among Internet users, who have to remember multiple passwords for different services. Password reuse consists of using the same or similar passwords for different accounts, such as email, social media, online shopping, etc. Password reuse can reduce the cognitive load and the effort required to create and remember passwords, but it also reduces the entropy and the security of passwords.

The Risks Associated with Password Reuse

The risks associated with password reuse are:

  • Cross-service compromise: If a password is discovered or compromised on one service, it can be used to access other services that use the same or similar password. For example, if a hacker obtains a user’s email password, they can use it to access their social media, online shopping, or banking accounts, if they use the same password or a slight variation of it.
  • Credential stuffing: Credential stuffing is a type of cyberattack that uses automated tools to test stolen or leaked usernames and passwords on multiple services. For example, if a hacker obtains a list of usernames and passwords from a data breach, they can use it to try to log in to other services, hoping that some users have reused their passwords.
  • Password cracking: Password cracking is a type of cyberattack that uses brute force or dictionary methods to guess passwords. For example, if a hacker obtains a user’s password hash, they can use it to try to find the plain text password, using lists of common or leaked passwords.

These risks show that password reuse can expose users to cyber threats, as a single password breach can compromise multiple accounts and data. Password reuse can also reduce the entropy of passwords, as users tend to use common or simple passwords that are easy to remember and type, but also easy to guess or crack.

Addressing the Security Flaws of Reusing Passwords

To mitigate the security vulnerabilities associated with password reuse, users should embrace improved practices for password creation and management. Some of these recommended practices include:

  • Utilize distinct passwords for each service, particularly for sensitive or crucial accounts such as email, banking, or social media. This approach ensures that if one password is compromised, it won’t jeopardize other accounts or data.
  • Employ a password manager, which is software or an application designed to securely store and generate passwords for each service. Password managers assist users in crafting and recalling strong, randomly generated passwords, all while upholding security and convenience. Additionally, these tools can notify users about password breaches or weak passwords, as well as suggest password changes or updates.
  • Implement two-factor authentication (2FA), a security feature demanding users to provide an additional verification method, such as a code sent to their phone or email, or a biometric scan. This extra layer of security thwarts hackers from gaining access to accounts solely through knowledge of the password, as they would require the second factor as well.
  • Adopt a regular password change strategy, though not excessively frequent, to preempt compromise by hackers or data leaks. Passwords should be modified when users suspect or verify a breach, or when they detect suspicious activity on their accounts. It’s also advisable to avoid changing passwords too frequently, as this can potentially result in weaker passwords or password reuse.

These practices can help users avoid password reuse and increase the entropy and security of their passwords. They can also reduce the cognitive load and the effort required to create and remember passwords, by using tools and features that simplify password creation and management.

Behavioral Resistance in Secure Password Practices

Another issue with human password creation is resistance to behavioral changes, a psychological phenomenon preventing users from adopting new habits or modifying old ones regarding passwords. Users are often reluctant to change passwords, even when aware of risks or encouraged to do so. This resistance can be due to factors like laziness, ignorance, confidence, fear, satisfaction, etc.

Overcoming Psychological Barriers in Password Security

Psychological barriers can hinder password security, as users may not follow the best practices or recommendations to create stronger passwords. To overcome these barriers, users need to be aware of the importance and benefits of password security, as well as the costs and risks of password insecurity. Some of the ways to overcome psychological barriers are:

  • Educating users about password security, explaining what entropy is, how it measures password strength, and how to increase it.
  • Motivating users to change passwords, providing incentives, feedback, or rewards for creating stronger passwords.
  • Persuading users to adopt password managers, demonstrating how they can simplify password creation and management, without compromising security or convenience.
  • Nudging users to use two-factor authentication, making it easy and accessible to enable and use this security feature.

Conclusion: Reinforcing Password Security Amidst Human Limitations

In this article, we have explained what entropy is and how it measures the strength of a password. We also explored the limitations and problems associated with human password creation, such as cognitive biases, human generation methods, password reuse, and resistance to behavioral changes. We have shown that these factors reduce entropy and password security, exposing users to cyber attacks. We have also provided some strategies and tips to help users create stronger passwords.

We hope this article has helped you understand the importance of password security and improve your password practices. Remember, passwords protect your digital identity and data online. Creating strong passwords is not only a matter of security, but also of responsibility.

2024, Articles, Digital Security, EviKey NFC HSM, EviPass, News, SSH

Terrapin attack: How to Protect Yourself from this New Threat to SSH Security

Posted on by FMTAD
SSH handshake with Terrapin attack and EviKey NFC HSM
11
Jan

Terrapin Attack: How to Protect Your SSH Security

The Terrapin attack is a serious vulnerability in the SSH protocol that can be used to downgrade the security of your SSH connections. This can allow attackers to gain access to your sensitive data. In this article, we will explain what the Terrapin attack is, how it works, and how you can protect yourself from it.

Shadowy hacker with a laptop in front of a digital map of Russia highlighted in red, symbolizing the origin of Kapeka Malware.

2024 Digital Security

Kapeka Malware: Comprehensive Analysis of the Russian Cyber Espionage Tool
April 18, 2024
A modern cybersecurity control center with a diverse team monitoring national cyber threats during the Andorra National Cyberattack Simulation.

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense
April 15, 2024
Illustration of an Apple MacBook with a highlighted M-series chip vulnerability, surrounded by symbols of data security breach and a global impact background.

2024 Digital Security

Apple M chip vulnerability: A Breach in Data Security
March 25, 2024
Digital world map with cybersecurity icons representing the Cybersecurity Breach at IMF.

2024 Digital Security

Cybersecurity Breach at IMF: A Detailed Investigation
March 15, 2024
Digital world map showing cyberattack paths with Midnight Blizzard, Microsoft, HPE logos, email symbols, and password spray illustrations.

2024 DataShielder Digital Security PassCypher Phishing

Midnight Blizzard Cyberattack Against Microsoft and HPE: What are the consequences?
March 10, 2024
PrintListener technology concept with NFC security solutions.

2024 Digital Security

PrintListener: How to Betray Fingerprints
February 22, 2024
A visual representation of BitLocker Security featuring a central lock icon surrounded by elements representing Microsoft, TPM, and Windows security settings.

2024 Articles Digital Security News

BitLocker Security: Safeguarding Against Cyberattacks
February 10, 2024
Digital shield by Freemindtronic repelling cyberattack against Microsoft Exchange

2024 Articles Digital Security News

How the attack against Microsoft Exchange on December 13, 2023 exposed thousands of email accounts
February 8, 2024

Terrapin attack: CVE-2023-48795 SSH security vulnerability articles for in-depth threat reviews and solutions. Stay informed by clicking on our scrolling topics.

Shield Your SSH Security from the Sneaky Terrapin Attack written by Jacques Gascuel, inventor of sensitive data safety and security systems. Are you safeguarding your SSH connections? Stay vigilant against the Terrapin attack, a stealthy vulnerability that can compromise your SSH security and expose your sensitive data.

Protect Yourself from the Terrapin Attack: Shield Your SSH Security with Proven Strategies

SSH is a widely used protocol for secure communication over the internet. It allows you to remotely access and control servers, transfer files, and encrypt data. However, SSH is not immune to attacks, and a recent vulnerability OpenSSH before 9.6 (CVE-2023-48795) has exposed a serious flaw in the protocol itself. This flaw, dubbed the Terrapin attack, can downgrade the security of SSH connections by truncating cryptographic information. In this article, we will explain what the Terrapin attack is, how it works, and how you can protect yourself from it.

Why you should care about the Terrapin attack

The Terrapin attack is not just a theoretical threat. It is a real and dangerous attack that can compromise the security of your SSH connections and expose your sensitive data. The consequences of a successful Terrapin attack can be severe, such as:

  • Data breaches: The attacker can access your confidential information, such as passwords, keys, files, or commands, and use them for malicious purposes.
  • Financial losses: The attacker can cause damage to your systems, services, or assets, and demand ransom or extort money from you.
  • Reputation damage: The attacker can leak your data to the public or to your competitors, and harm your credibility or trustworthiness.

Therefore, it is important to be aware of the Terrapin attack and take the necessary measures to prevent it. In the following sections, we will show you how the Terrapin attack works, how to protect yourself from it, and how to use PassCypher HSM PGP and EviKey NFC HSM to enhance the security of your SSH keys.

A prefix truncation attack on the SSH protocol

The Terrapin attack is a prefix truncation attack that targets the SSH protocol. It exploits a deficiency in the protocol specification, namely not resetting sequence numbers and not authenticating certain parts of the handshake transcript. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.

This manipulation allows the attacker to perform several malicious actions, such as:

  • Downgrade the connection’s security by forcing it to use less secure client authentication algorithms
  • Bypass the keystroke timing obfuscation feature in OpenSSH, which may allow the attacker to brute-force SSH passwords by inspecting the network packets
  • Exploit vulnerabilities in SSH implementations, such as AsyncSSH, which may allow the attacker to sign a victim’s client into another account without the victim noticing

To pull off a Terrapin attack, the attacker must already be able to intercept and modify the data sent from the client or server to the remote peer. This makes the attack more feasible to be performed on the local network.

Unveiling the SSH Handshake: Exposing the Terrapin Attack’s Weakness

The SSH Handshake Process

The SSH handshake is a crucial process that establishes a secure channel between a client and server. It consists of the following steps:

  1. TCP connection establishment: The client initiates a TCP connection to the server.
  2. Protocol version exchange: The client and server exchange their protocol versions and agree on a common one. Then, the algorithm negotiation takes place.
  3. Algorithm negotiation: The client and server exchange lists of supported algorithms for key exchange, encryption, MAC, and compression. Then, they select the first matching algorithm.
  4. Key exchange: The client and server use the agreed-upon key exchange algorithm to generate a shared secret key. They also exchange and verify each other’s public keys. Then, the service request is sent.
  5. Service request: The client requests a service from the server, such as ssh-userauth or ssh-connection. Then, the client authenticates itself to the server using a supported method, such as password, public key, or keyboard-interactive.
  6. User authentication: The client authenticates itself to the server using a supported method, such as password, public key, or keyboard-interactive. Then, the channel request is sent.
  7. Channel request: The client requests a channel from the server, such as a shell, a command, or a subsystem. Thus, encrypted communication is enabled.

The Terrapin Attack

The Terrapin attack exploits a vulnerability in the SSH handshake by manipulating the sequence numbers and removing specific messages without compromising the secure channel integrity. This stealthy attack is difficult to detect because it doesn’t alter the overall structure or cryptographic integrity of the handshake.

For example, the attacker can eliminate the service request message sent by the client, which contains the list of supported client authentication methods. This forces the server to resort to the default method, typically password-based authentication. The attacker can then employ keystroke timing analysis to crack the password.

Alternatively, the attacker can target the algorithm negotiation message sent by the server, which lists the supported server authentication algorithms. By removing this message, the attacker forces the client to use the default algorithm, usually ssh-rsa. This opens the door for the attacker to forge a fake public key for the server and deceive the client into accepting it.

To illustrate the process of a Terrapin attack, we have created the following diagram:

Hackers exploit OAuth2 flaw to bypass 2FA on google accounts google account security flaw
Hackers exploit OAuth2 flaw to bypass 2FA on google accounts google account security flaw

As you can see, the diagram shows the steps from the interception of the communication by the attacker to the injection of malicious packets. It also highlights the stealthiness and the difficulty of detection of the attack.

Summery

The Terrapin attack is a serious threat to SSH security. By understanding how it works, you can take steps to protect yourself from it. Here are some tips:

  1. Make sure your SSH server is up to date with the latest security patches.
  2. Use strong passwords or public key authentication.
  3. Enable SSH key fingerprint verification.

How to protect yourself from the Terrapin attack: Best practices and tools

The Terrapin attack is a serious threat to SSH security, and it affects many SSH client and server implementations, such as OpenSSH, PuTTY, FileZilla, and more. Here are some steps you can take to protect yourself from it:

  • Update your SSH client and server to the latest versions. Many vendors have released patches that fix the vulnerability or introduce a strict key exchange option that prevents the attack. You can check if your SSH software is vulnerable by using the Terrapin vulnerability scanner.
  • Use strong passwords and public key authentication. Avoid using weak or default passwords that can be easily guessed by the attacker. Use public key authentication instead of password authentication, and make sure your public keys are verified and trusted.
  • Use secure encryption modes. Avoid using vulnerable encryption modes, such as ChaCha20-Poly1305 or AES-CBC with default MACs. Use encryption modes that use authenticated encryption with associated data (AEAD), such as AES-GCM or Chacha20-Poly1305@openssh.com.
  • Use a VPN or a firewall. If possible, use a VPN or a firewall to encrypt and protect your SSH traffic from being intercepted and modified by the attacker. This will also prevent the attacker from performing other types of attacks, such as DNS spoofing or TCP hijacking.
  • Implement a strict security policy on your local networks. Limit the access to your SSH servers to authorized users and devices, and monitor the network activity for any anomalies or intrusions.

How to use PassCypher HSM PGP and EviKey NFC HSM to protect your SSH keys: A secure and convenient solution

A good way to enhance the security of your SSH keys is to use PassCypher HSM PGP and EviKey NFC HSM. These are products from PassCypher), a company specialized in data security. They offer a secure and convenient solution for generating and storing your SSH keys.

PassCypher HSM PGP is a system that embeds a SSH key generator, allowing you to choose the type of algorithm – RSA (2048, 3072, 4096) or ECDSA (256,384, 521), and ED25519. The private key is generated and stored in a secure location, making it inaccessible to attackers.

EviKey NFC HSM is a contactless USB drive that integrates with PassCypher HSM PGP. It provides an additional layer of security and convenience for users who can easily unlock their private SSH key with their smartphone.

To show how PassCypher HSM PGP and EviKey NFC HSM can protect your SSH keys from the Terrapin attack, we have created the following diagram:

SSH handshake process with Terrapin attack illustration
This image illustrates the Terrapin attack, a stealthy attack that exploits a vulnerability in the SSH handshake. The attacker can manipulate the sequence numbers and remove specific messages without compromising the secure channel integrity. This can lead to a variety of security risks, including password cracking and man-in-the-middle attacks.

As you can see, the diagram shows how this solution effectively protects your SSH keys from the Terrapin attack. It also shows the benefits of using a contactless USB drive, such as:

  • Enhanced security: The private key is physically externalized and protected with a contactless authentication mechanism.
  • Convenience: Easy unlocking with a smartphone.
  • Ease of use: No additional software required.
  • Industrial-grade security: Equivalent to SL4 according to the standard IEC 62443-3-3.

Safeguarding Your SSH Keys with a Contactless USB Drive: A Comprehensive Guide

If you’re seeking a comprehensive guide to securely store your SSH keys using a contactless USB drive, look no further than this detailed resource: [Link to the article ([https://freemindtronic.com/how-to-create-an-ssh-key-and-use-a-nfc-hsm-usb-drive-to-store-it-securely/])]

This guide meticulously walks you through the process of:

  1. Generating an SSH key pair leveraging PassCypher HSM PGP
  2. Protecting the private SSH key within the EviKey NFC HSM USB drive
  3. Unlocking the private SSH key employing your smartphone
  4. Establishing a secure connection to an SSH server using the EviKey NFC HSM USB drive

Alongside step-by-step instructions, the guide also includes illustrative screenshots. By adhering to these guidelines, you’ll effectively safeguard and conveniently manage your SSH keys using a contactless USB drive.

Statistics on the Terrapin attack: Facts and figures

Statistics on the Terrapin attack: Facts and figures

The Terrapin attack is a serious cybersecurity threat that affects SSH connections. We have collected some statistics from various sources to show you the scale and impact of this attack. Here are some key facts and figures:

  • The Shadowserver Foundation reports that nearly 11 million SSH servers exposed on the internet are vulnerable to the Terrapin attack. This is about 52% of all IPv4 and IPv6 addresses scanned by their monitoring system.
  • The most affected countries are the United States (3.3 million), China (1.3 million), Germany (1 million), Russia (704,000), Singapore (392,000), Japan (383,000), and France (379,000).
  • The Terrapin attack affects many SSH client and server implementations, such as OpenSSH, PuTTY, FileZilla, Dropbear, libssh, and more. You can see the complete list of known affected implementations here).
  • You can prevent the Terrapin attack by updating your SSH software to the latest version, using secure encryption modes, and enabling strict key exchange. You can also use the Terrapin vulnerability scanner, available on GitHub, to check your SSH client or server for vulnerability.
  • A team of researchers from the Horst Görtz Institute for IT Security at Ruhr University Bochum in Germany discovered and disclosed the Terrapin attack. They published a detailed paper and a website with the technical details and the implications of the attack. Conclusion: How to stay safe from the Terrapin attack

The Terrapin attack is a serious threat to SSH security. It lets hackers break into SSH servers by exploiting a vulnerability in the protocol. To protect yourself effectively, you need to do the following:

  • Update your SSH software to the latest version
  • Use two-factor authentication
  • Store your SSH keys securely
  • Use PassCypher HSM PGP and EviKey NFC HSM

Conclusion: How to stay safe from the Terrapin attack

The Terrapin attack is a serious threat to SSH security. It allows hackers to break into SSH servers by exploiting a vulnerability in the protocol. To protect yourself effectively, you need to update your SSH software, use two-factor authentication, store your SSH keys securely, and use PassCypher HSM PGP and EviKey NFC HSM. If you found this article useful, please feel free to share it with your contacts or leave us a comment.

2021, Articles, Cyberculture, Digital Security, EviPass, EviPass NFC HSM technology, EviPass Technology, Technical News

766 trillion years to find 20-character code like a randomly generated password

Posted on by FMTAD
A server rack filled with multiple GPUs connected by yellow and black cables, illustrating the complexity and power needed to crack a 20-character code in 766 trillion years.
16
May

766 trillion years to find randomly generated 20-character code like randomly generated password

766 trillion years to find randomly generated 20-character code is the result of a simulator to find a 20-character generated by technology EviPass.

The age of the universe is estimated at only 14 billion years, this gives you an idea of comparison.

How did I find this result that you can control on your own?

We used the Password Strength Calculator developed by Bob Beeman [1] which was last updated on January 4, 2013.

This simulator is freely available on the www.bee-man.us website as well as the source code used.

Why We Chose Bob Beeman’s Simulator

In our quest to estimate the time it would take to crack a random 20-character code, we had several simulation tools at our disposal, including lastbit.com [2], password-checker.online-domain-tools.com [3], and ANSSI’s [4] simulator from ssi.gouv.fr. However, we ultimately opted for Mr. Bob BEEMAN’s simulator due to its transparent calculation method and its technical approach to brute force attacks.

Acknowledging Mr. Bob BEEMAN

Before delving into the details of our simulation, we must extend our gratitude to Mr. Bob BEEMAN for making his code freely accessible and copyable while upholding his copyrights, as explained on his website. We hope our research can contribute to his already impressive achievements, including a record-breaking 15-millisecond feat.

Reference to Ultra-Powerful Computers

To provide you with a comprehensive understanding of the state-of-the-art technology for brute force attacks in 2013, we examined Bob Beeman’s simulator’s reference to an ultra-powerful computer designed in 2012 specifically for password cracking.

Considering Computational Capacity

Bob Beeman’s simulator takes into account the computational capabilities of computers, including the 2012 design, for executing brute force attacks on passwords. It allows for adjustments in the “Values of Hacker: Axes/Second,” providing a valuable point of reference and comparison.

Staying with Default Parameters

For the sake of consistency, we maintained the default example provided by Bob Beeman, which assumed a rate of 60-109 (billion) attempts per second.

Radeon City: Revolutionizing Password Security

In this section, we’ll delve into the incredible story of Radeon City, a game-changing password-cracking cluster boasting 25 AMD Radeon graphics cards. Discover how it was built, what it can achieve, and why it’s reshaping the world of password security.

Building Radeon City

Jeremi Gosney, the visionary behind Radeon City and the CEO of Stricture Consulting Group, sought to create a powerhouse capable of cracking passwords with unprecedented speed and efficiency. His solution? Virtual OpenCL (VCL), a groundbreaking virtualization software.

Gosney assembled five servers, each armed with five AMD Radeon HD7970 graphics cards, interconnected through VCL. The cluster, aptly named Radeon City, was born at a cost of approximately $30,000 in 2012.

Unleashing Radeon City’s Power

Radeon City is a juggernaut, capable of generating an astounding 350 billion guesses per second when cracking NTLM cryptographic algorithm hashes. In just 5.5 hours, it can test every combination of eight-character passwords, including uppercase and lowercase letters, digits, and symbols.

But it doesn’t stop there. Radeon City can crack a range of cryptographic algorithms, from MD5 and SHA1 to SHA2 and even SHA3, at unprecedented speeds. It employs various attack types, including brute force, dictionary, rule-based, combinator, and hybrid attacks, using extensive wordlists and intricate rules.

Radeon City isn’t confined to offline attacks. It can also perform online attacks through distributed cracking, where passwords are guessed on live systems.

Why Radeon City is a Game-Changer

Radeon City marks a seismic shift in password security. It reveals the vulnerability of passwords protected by fast algorithms like NTLM and challenges the belief that longer, complex passwords equate to greater security. The key takeaway? Truly secure passwords are random strings absent from dictionaries.

Moreover, Radeon City advocates for slow and salted algorithms like Bcrypt, PBKDF2, or SHA512crypt, and underscores the importance of password management tools like EviPass.

Radeon City Specifications

Jeremi Gosney, a data security researcher, engineered a groundbreaking desktop rig that can swiftly dismantle older protocols. Leveraging the Open Computing Language (OpenCL) framework and Virtual OpenCL Open Cluster (VCL), Gosney deployed HashCat—a dedicated password-cracking program. The system comprises five quad-core servers, each housing 25 AMD Radeon GPUs, providing the immense computational power required for the task. These servers are interconnected with a 10 to 20 Gbps transfer rate facilitated by an Infiniband switch.

server filled with 25 AMD Radeon HD 7970 GPUs

Here’s a snapshot of Radeon City’s technical specifications:

  • Servers: 5
  • Graphics Cards: 25 AMD Radeon GPUs
  • Model: AMD Radeon HD7970
  • Memory: 3 GB GDDR5
  • Clock Speed: 925 MHz
  • Compute Units: 32
  • Stream Processors: 2048
  • Peak Performance: 3.79 TFLOPS
  • Virtualization Software: Virtual OpenCL (VCL)
  • Password-Cracking Software: ocl-Hashcat Plus
  • Cost: $30,000 (2012)

This powerhouse enables Radeon City to achieve unprecedented speeds in password cracking, making it a game-changer in the realm of data security.

Advantages and Disadvantages of Radeon City

Advantages:

  1. Power: Radeon City cracks passwords using both fast and slow algorithms.
  2. Flexibility: It executes a variety of attacks with extensive wordlists and complex rules.
  3. Innovation: Using virtualization technology, it overcomes hardware limitations.

Disadvantages:

  1. Cost: Building and operating Radeon City can be expensive, including high electricity costs.
  2. Noise: It generates significant noise, requiring specialized cooling and soundproofing.
  3. Ethical Considerations: While powerful, its capabilities raise ethical and legal questions about its potential misuse.

Simulation Parameters and Results

To calculate the estimated time required to find a 20-character code with 94 symbols, we used the formula:

a^b / (c * 2)

Where:

  • “a” represents the number of possible characters,
  • “b” denotes the number of characters in the password,
  • “c” indicates the number of hash calculations achievable per second.

By selecting 94 symbols, a password length of 20 characters, and a 50% probability of success compared to the theoretical result, our simulation yielded an astonishing result: 766.076,000,000,000,000 years or 766 trillion [5] years.

Understanding the Financial Implications

This simulation approach not only provides insights into the time required but also sheds light on the financial investments necessary to establish a computer system capable of cracking such a password.

Consider this: The reference computer, as configured by Gosney, relies on a pool of 25 virtual AMD GPUs to crack even robust passwords. Yet, a single unit of this type, priced at approximately $30,000 in 2012, can generate just 348 billion hashes of NTLM passwords per second. To achieve results within the realm of 766 trillion years, one would need to acquire multiple such machines.

Hence, to decipher only a 20-character password generated with EviPass technology, residing within an EviTag NFC HSM or EviCard NFC HSM device, an investment of nearly $25 billion would be required. A remarkable comparison, given that global military expenses were estimated at 1.7 billion dollars [6].

Beyond Brute Force

It’s important to note that this test focused solely on brute force attacks without taking into account the activation and utilization of additional countermeasures, such as physical blockchain and jamming, which will be explored in future articles.

A Point of Reference: ANSSI’s Simulator

To provide further context, we examined the ANSSI website [7], whose simulator is limited to 20 characters and 90 symbols. This simulator yielded a score of 130, the maximum attainable. This score places passwords of this nature on par with the smallest key size of the standard AES (128-bit) encryption algorithm. Notably, our password generators exceed this maximum, boasting 20 characters with 94 symbols [8].

Forming Your Own Opinion

The aim of this article is to empower you to form your own assessment of the resilience of our password generators against brute force attacks. While we are not the sole providers of powerful password generators, our test stands as a benchmark against other comparable implementations.

Ensuring Ongoing Security

Our embedded password generator undergoes regular updates to maintain its complexity and withstand the evolving landscape of brute force attacks. Our commitment is to enhance security without compromising user convenience—a complex yet vital undertaking.

Diverse Password Generation Options

Our password creation options offer versatility. Users can either select passwords from the pool of 95 available characters, opt for a semi-automatic generation followed by modification, or automate the process entirely according to default criteria, allowing passwords of up to 20 characters.

Adaptability to Website Constraints

For websites that impose restrictions on symbols or character limits, users can customize their password generation preferences, choosing between identifiers, letters, and/or numbers, with or without symbols.

Hexadecimal Generator for Added Utility

We’ve also introduced a hexadecimal generator to facilitate programming of digital codes. This feature proves invaluable in various domains, including electronics, electromechanics, and maintenance services, enabling the creation and modification of digital access codes with ease. Furthermore, codes can be securely shared with building residents through functions like “scrambling” or encryption via a QR Code, all made possible by EviCore technologies from Freemindtronic.

To learn more about our solutions, please visit: