SECURE PASSWORD SHARING AND STORAGE USING ENCRYPTION AND KEY EXCHANGE


Product Category: Projects

Product Code: 00006496

No of Pages: 54

No of Chapters: 1-5

File Format: Microsoft Word


Abstract

Security best practice treats a password as a secret known only to the user it authenticates, yet in practice users often share one password for a common resource. Sharing a credential means passing sensitive private information between individuals, which leaves copies of that secret scattered across mailboxes and other communication channels. To reduce the risk created by passing passwords from one person to another, information security experts recommend password management applications. However, published studies have revealed vulnerabilities in password management applications themselves.

The main objective of the research was to develop a process model for password sharing based on asymmetric cryptography, and to build and test a prototype that applies the redefined model to share passwords securely over the internet. The research was an exploratory study in two phases. The first phase covered the design and implementation of a system prototype for managing shared credentials, in which passwords are kept in an encrypted database and a public/private key pair is used to encrypt and decrypt the data both in transit and when the owner accesses it. The second phase was a focus group discussion used to evaluate the prototype.

The result of the study was a prototype that supports secure sharing and storage of passwords over the internet using asymmetric cryptography. The prototype was also used to show how the vulnerabilities found in current password management applications can be avoided.



 
Table of Contents
 
Declaration
Dedication
Acknowledgment
Abstract

Chapter One: Introduction
1.1 Background
1.2 Problem statement
1.3 The research objectives
1.3.1 General objective
1.3.2 Specific objectives
1.4 Research questions
1.5 Scope and limitation of the study
1.6 Significance of the study

Chapter Two: Literature Review
2.1 Best security practices for passwords
2.2 The state of password usage as a daily activity
2.3 Overview of Cryptography
2.3.1 Public key cryptography
2.3.2 Hash Functions
2.3.3 Digital Signatures
2.4 Related systems - Current password storage and sharing tools
2.4.1 LastPass password manager & security architecture
2.4.2 Dashlane password manager & security architecture
2.4.3 KeePass password manager & security architecture
2.5 Other password sharing techniques and tools
2.5.1 Use of notebook or paper
2.5.2 Storing passwords unencrypted in a file on a connected device
2.5.3 Storing passwords using browsers
2.6 Conceptual model
2.6.1 Authentication process
2.6.2 Encryption and decryption process
2.6.3 Data sharing process

Chapter Three: Methodology
3.1 Research design
3.2 Phase 1: System design and development
3.2.1 System requirements definition and analysis
3.2.2 System Design or architecture
3.2.3 Implementation phase – GUI screens
3.2.4 Integration and testing
3.2.5 Deployment and system maintenance
3.3 Phase 2: Focus group discussion
3.3.1 Sources of data, population, and sample size
3.3.2 Data collection
3.4 Data analysis

Chapter Four: Results and discussions
4.1 Techniques for protecting data at rest, in motion, and use
4.2 Redefined process model for storing and sharing passwords
4.3 Developed system
4.3.1 Keys generation
4.3.2 Keys encryption and storage
4.3.3 Data protection: In local storage
4.3.4 Data protection: During transmission
4.3.5 Email notification payload
4.3.6 Account recovery mechanism
4.4 Results from the focus group
4.5 Discussion from the results

Chapter Five: Conclusion and recommendations
5.1 Conclusion
5.2 Limitations
5.3 Future work
References
Appendix
Appendix A: Project schedule
Appendix B: Survey questionnaire – System evaluation
Appendix C: List of tables and figures
List of figures
List of tables
Appendix D: System installation instructions
 




Chapter One
Introduction

1.1 Background
Despite well-defined ICT policies on sharing sensitive information, credential sharing is one of the main practices that undermines the effectiveness of security policies in organizations. It ranges from simple cases, such as a shared password for wireless network access, to credentials for sensitive resources such as data center servers. Employees routinely break simple rules, from the instruction not to write credentials down to the prohibition on sending sensitive data to colleagues by email, text message and other channels. For example, a study of how often medical practitioners use colleagues' personal accounts to access electronic medical records (Hassidim, et al., 2017) found that at least 57% of respondents had accessed sensitive health records with a colleague's account. The reasons they gave included a colleague needing to act while away, technical malfunction, and insufficient privileges on their own account.

A critical aspect of authentication is the ability of the system to uniquely identify the entity or principal making requests within it. Authentication can rest on something the principal knows (a password), has (a hardware token or certificate) or is (a biometric). Passwords remain the most widely used knowledge-based mechanism. Over the years the number of password users has grown with services such as online banking, email, credit card accounts and social media, and these users vary widely in age and in security awareness. That growth has made the authentication mechanism one of the most targeted weaknesses in information systems (Standridge, 2019). Higgins (2014) reported that, according to Verizon's Data Breach Investigations Report, two out of three breaches involved stolen or misused credentials. Most users of the internet and other information systems either do not follow or are unaware of safe password management practices (Rubenking, 2015).

ICT security best practice stipulates that passwords must be complex: they should mix upper- and lower-case letters with digits and symbols, should not be a word in any language, slang, dialect or jargon, and should not be derived from the user's personal information, so that the credential cannot be associated with its owner. Finally, a password should never be written down. At the same time, a password scheme has to be efficient and practical. Because these requirements are so demanding, research by Brown, Bracken, Zoccoli and Douglas (2004) shows that users circumvent the difficulty of learning and remembering secure passwords by adopting their own insecure ways of generating and storing them. A survey by Google found that at least fifty percent of people rely on memory alone to keep track of their many passwords. That users can remember all of their passwords is evidence that they are not following best practice, that they are reusing passwords across accounts, or both (Ion, Reeder, & Consolvo, 2015).

Sharing information is fundamental to how organizations work, so security systems and policies should be designed with that in mind. To curb insecure password sharing, most information security experts recommend password management applications (Standridge, 2019). Beyond generating complex passwords that are hard to crack, existing password managers such as LastPass are used by security experts to store, track and share passwords securely where accounts are jointly used. Even so, a study by Ion, Reeder and Consolvo (2015) shows that most non-experts do not use them: seventy-three percent of security experts reported using a password manager compared to twenty-four percent of non-experts, although both groups agree on the recommended password best practices.

1.2 Problem statement
The popular modes of password sharing today, such as email, SMS and instant messaging, are not secure. In addition, the report by Standridge (2019) has revealed several vulnerabilities related to the communication and information-sharing model of current password management applications such as LastPass, KeePass and Dashlane.

Password best practices are critical to any information system. A fundamental principle of password use is that each user of a system should own their credentials and keep them private (Schumacher, 2019). In a study of the security considerations that arise when credentials are team-based, Schumacher (2019) found that the principle of non-sharing can become impractical in the following situations:

The first is an account on a simple system that does not support multiple accounts. Typical examples are phones, simple network devices with no centralized authentication, and thermostats.

The second, as illustrated by Schumacher (2019), is a local administrative account used to bypass the centralized authentication database. There are also cases where individual users lose connectivity to the central authentication system and need a local account that does not depend on it. Such credentials are usually shared among the members of the team managing the system or device in question.

As noted earlier, a separate study by Hassidim et al. (2017) found that at least 57% of employees in the health sector admitted to using colleagues' credentials to access information in the system. The reasons they cited included a colleague wanting to work remotely, the lack of a personal account, and insufficient authorization on their own account to carry out their duties.

Complete adherence to password best practices typically produces cryptic passwords that are hard to remember, so users are often driven to write them down. Unfortunately, written-down passwords usually end up in unencrypted text files or on pieces of paper, which creates a vulnerability: anyone who can read the file or the note can steal the passwords and use them to compromise more sensitive systems.

In this light, I proposed to study and implement a system specifically meant to improve the security of passwords shared between individuals over a network or the internet. The proposed prototype protects transmitted data by redefining the process model for sharing sensitive credentials, thereby avoiding the vulnerabilities of current password management applications. Furthermore, the system uses asymmetric cryptography to ensure the confidentiality and integrity of data both in storage and in transit over a communication network.

1.3 The research objectives
The objectives are divided into a general objective and specific objectives, with the specific objectives derived from the general one.
 
1.3.1 General objective
The primary objective of the research was to create a process model and prototype of a system that facilitates secure password sharing over the internet.

1.3.2 Specific objectives
i. To identify and study the vulnerabilities presented by current password management applications such as LastPass, Dashlane and KeePass.

ii. To assess the various data-centric approaches for protecting data at rest, in-use, and in transit using public-private-key encryption.

iii. To research and develop a process model that mitigates the vulnerabilities presented by the current password management applications.

iv. To design, develop, and test a prototype that validates the proposed process model.

1.4 Research questions
The following research questions were developed from the research objectives.
i. Which data-centric techniques are used to protect data at rest, in-use, and in transit?

ii. Which vulnerabilities are presented in current password management applications?

iii. How can asymmetric encryption be used to redefine the process model of password sharing over the internet?

iv. How can one apply an asymmetric encryption algorithm for generating public and private keys for encrypting and decrypting data?

1.5 Scope and limitation of the study
The study considered implementing a web-based portal, which served as a prototype for a system that facilitated secure password storage and sharing over a communication network. In addition, a study into secure asymmetric encryption assisted in implementing the prototype.

Several password management tools exist to help users meet the full suite of password security best practices. This study was limited to redefining the process model for sharing sensitive data across the network as implemented in current password management applications.

1.6 Significance of the study
The existence of best security practices for passwords does not mean that users will follow them. Bellovin and Merritt (1992) observed that people will always choose simple passwords, forget them, or write them down. For these reasons, password misuse is one of the most common avenues of system breach (Keith, Steinbart, & P.J., 2007).

Studies have shown that cryptographic protocols can protect even a weak password from offline guessing (Bellovin & Merritt, 1992). The study therefore contributes to information security by ensuring that passwords are stored only in encrypted form in the user's chosen storage location, and that they are transmitted only over an encrypted channel, whatever form the sender holds them in. The research is significant because it gives organizational employees and individuals who operate joint accounts a secure means of transmitting sensitive information over the internet.
