Ultimately, a password serves only one purpose: proving that access comes from a person who knows this "secret". In principle, then, it is simply about protecting the data being accessed from unauthorized access.
By the way, there is a great project from the Hasso Plattner Institute, the Identity Leak Checker. There you can enter your private e-mail address, and you are then told which providers have been hacked where your password was affected! You can find the service here.
"IT security experts" always recommend using at least 9 characters, capital letters, small letters, special characters of any kind, numbers, and as many characters as possible. I've seen password policies of at least 14 characters - just insanely stupid.
The consequence is, and if you smile right away you know that I'm right, compound words: Hund123+, NamevomKind27! and so forth.
A treat for hackers: with tools like CeWL and Crunch we build word lists in our pentests that are individual, i.e. we build them from employees' social network profiles (Facebook and the like), the company website, etc., and yes, we also put words together and add numbers to patterns in these compositions. In this way, the supposedly secure passwords mentioned above are cracked in seconds.
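As an added illustration (not code from the original post), here is a small Python audit that applies the complexity policy described above and then flags the word+digits+symbol shape that such policies push users towards; the policy constants and the regular expression are my own assumptions, and the samples are the two passwords from the post plus one constructed random string:

```python
import re

# Rules of the "expert" policy described in the post (assumed here):
# at least 9 characters, upper case, lower case, a digit and a special character.
MIN_LENGTH = 9
CLASSES = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]

def passes_complexity_policy(pw: str) -> bool:
    """True if pw satisfies the complexity policy above."""
    if len(pw) < MIN_LENGTH:
        return False
    return all(re.search(cls, pw) for cls in CLASSES)

# The shape compliant users fall back to: one or more capitalised dictionary
# words (Hund, NamevomKind), a short run of digits, then a trailing symbol.
COMPOUND = re.compile(r"^(?:[A-Z][a-z]+)+[0-9]{1,4}[^A-Za-z0-9]{1,2}$")

def is_predictable_compound(pw: str) -> bool:
    """True if pw follows the word+digits+symbol shape; such a password is
    reproduced by simple rule-based wordlist generation however long it is."""
    return COMPOUND.match(pw) is not None

def audit(pw: str) -> str:
    """Combine both checks into one verdict a password-change hook could act on."""
    if not passes_complexity_policy(pw):
        return "rejected: fails complexity policy"
    if is_predictable_compound(pw):
        return "rejected: policy-compliant but predictable pattern"
    return "accepted"

if __name__ == "__main__":
    # Constructed samples: the two from the post plus one generated at random.
    for sample in ["Hund123+", "NamevomKind27!", "qR7#vLm2$pZx"]:
        print(f"{sample!r:20} -> {audit(sample)}")
```

The point of the second check is that NamevomKind27! satisfies every rule of the policy and is still rejected, while a generated string of the same kind of characters is accepted.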
Passwords are outdated. By the way, my "password" is only 4 characters long! How secure is that?
There are alternatives and useful additions that make life much easier. You have probably heard of two-factor authentication: adding a second device for security.
With PayPal, for example, you can use your mobile phone in addition to your password: PayPal sends an SMS code for every login, which is the second factor.
First of all, the following scenario is just one possibility among many others; however, the right method and the right concept must be determined and designed for each of our customers individually according to their needs. There is no one-size-fits-all solution.
Windows systems offer the option of authentication using a SmartCard: the user receives a chip card and, similar to a bank card, a PIN code for it.
The card is then, for example, swiped through a reader built into the keyboard or plugged into a separate reader. You then log into the system with your PIN and the "key" stored on the card.
Put simply, MS AD and Kerberos then issue you a ticket, which you use to authenticate yourself to other services. Without boring you with technical details: you log in once in the morning and then have secure access to all company services (intranet portals, file shares, etc.) without having to enter a password again.