Wednesday, April 29, 2015

Authentication Best Practices - Brief History of Security

Authentication Best Practices

We talk a lot about the digital age of warfare here at HackerAttacker.  It’s probably the most popular aspect of the digital age today.  Just take a look at history; war is always resting at or near the pinnacle of the public forum.  Why mess with a classic? When it comes to security and authentication best practices, however, there are more avenues to explore than simply the digital side of warfare.  In that spirit, we are going to take a look at some older forms of deception and how they play a role in the social relationships inherent in digital security and authentication.

The Lock Begets the Lock Pick – The Unending Cycle
Slate.com has an excellent blog article on the history of lock picking, and it got me thinking about society and security and the relationships therein.  The article focuses on two locksmiths in particular: Joseph Bramah and his Bramah Safety Lock, and Jeremiah Chubb and his Chubb Detector Lock.  Both locks served different purposes at the time of their invention: the Bramah was an (at the time) unpickable lock, and the Chubb was a lock that announced the failure of anyone attempting to pick it by making the intended key fail to open the lock until it was reset.  These locks were the height of authentication best practices at the time of their inception: they illustrated the best practices to adhere to in order to achieve what security experts call ‘perfect security.’ Both locksmiths created their locks for a specific purpose and, for a time, both locks succeeded in achieving their intended goals.

Until A. C. Hobbs came along and beat them both. 

Alfred Charles Hobbs was an American locksmith and the first one to illustrate the need for the evolution of security and authentication best practices. Hobbs was the first person to break through first the Chubb and then the Bramah locks.  Hobbs became an expert lock pick through the process of creating and then selling his own version of high-end locks.  By beating other locks, Hobbs could convince his prospective customers to reach out and buy his. 

Wouldn’t you be more likely to trust a locksmith who knew how to beat the strongest locks out there? After all, you trust authentication best practices from experts who routinely study and denounce past practices.  That’s what our friendly white hat hackers are known for, and they have helped usher in the digital age as we know it today.

But that brings up a pretty major idea that people tend to forget about: when a new, strong security protocol or device is introduced to our society, there will always be individuals out there who are capable of beating it.  That is how authentication and security evolve: protocols and practices are beaten, and we take that information and create a new, stronger protocol.

It’s a never-ending cycle.

What’s this got to do with Authentication Best Practices?
That’s a fair question.  Aside from an allegorical summary of how authentication works, what does lock picking have to do with authentication best practices?  Quite a lot, actually. 

Think about it like this: you always lock the door, and maybe even your windows, when you leave your house or your apartment, right?  You do that just in case some untrustworthy individual comes along and wants to take something that you’ve got sequestered away inside your home.  That is an example of security and authentication best practices right there!  It is a security best practice because you know to lock the entry points to your private, personal belongings just in case, and it is an authentication best practice because you know only your key can open that lock.

Locks and lock picking have so much to do with the way we secure and authenticate ourselves in the digital age today.  The same social contracts and notions of ‘perfect security’ that prompted Bramah and Chubb to design their state of the art locking mechanisms are what drive authentication security experts to contrive new ways to help protect your digital information on the web. 

Authentication Best Practices – Defending against the Hobbs of Today
Hobbs wasn’t a bad guy, by all accounts.  He was a fantastic salesman, and a phenomenal locksmith.  Today, the digital locksmith takes the form of IT gurus and authentication experts, while the lock pick is the hacker who works either for or against the locksmith to find where that security is the weakest. 

In recent days, with the PCI SSC developing new requirements for securing consumer data, and more and more experts reaching towards multi-factor authentication, it is important to review authentication best practices in light of the constant evolution of digital authentication.

The digital age has rewritten the terms of security.  Today, the password you type in for each account is the lock on the door protecting what you’ve housed within.  The darker, malicious Hobbs of the digital era work tirelessly to determine the intricacies of that lock so that they can get their hands on what lies behind those doors. Authentication best practices serve to strengthen that lock against hackers and others with malicious intent.

The New Lock
One of the most common additions to security protocols for increasing the strength of our digital locks today takes the form of SMS authentication, or mobile authenticators.  Rather than merely hoping that a hacker cannot steal a password, accounts may be secured by requiring additional input from a mobile device to allow access.  Mobile authenticators and SMS authentication are still viewed as strong forms of authentication, but it looks like 2015 has churned out a few A. C. Hobbs characters to make us reevaluate that claim.

Courtesy of thehackernews.com, we now know of at least one Hobbs who has managed to demonstrate vulnerabilities in mobile phones by way of an NFC (Near Field Communication) chip implanted directly into his body.  With this chip, an individual can gain access to another person’s cell phone, and with that access could potentially circumvent all of those mobile-centric authentication and security protocols.

With the evolution of this technology still underway, let’s review some basic, yet entirely necessary authentication best practices for the current digital age:

4 Authentication Best Practices to Consider

  • Don’t Click on Suspicious Links

    • In the same way that you wouldn’t let a stranger just waltz into your apartment, don’t open the door for malware or phishing attacks to get into your systems by clicking on strange or unrecognizable links.  If you are worried, try the old ‘hover’ trick: place your cursor over the link and wait; a tooltip will appear by your cursor (or in the browser’s status bar) showing the address the link actually points to, which may differ from the text you see.  If it looks at all suspicious, don’t click it!

  • Make sure you, or your company, have up-to-date antivirus and anti-malware software

    • Most people are sick of hearing this kind of warning, but it is absolutely important.  If you do not constantly update your protection software, you are leaving many doors unlocked for potential intruders to use to gain access.  This goes for mobile phones and tablets too! You can no longer operate under the assumption that your phone won’t become compromised.  Secure it so that you do not fall victim to attack!

  • Make use of a strong password management program or solution for yourself or your company

    • For individual users, try something like 1Password to secure your many passwords against prying eyes.  For companies, try something like PortalGuard to secure your passwords, and also gain access to a single sign-on solution to save your end users the hassle of managing their passwords on their own. 

  • Don’t install apps or programs from sources that you don’t recognize

    • This is a big one.  Even if you think that a program can be trusted because a friend has used it, or because it has never given you problems before, make sure it comes from a source you know and trust.  For your mobile devices, make certain that you are only installing applications directly from the official app store, and from developers with a good reputation.  Any malicious software could put you and your company at risk of infiltration.
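The ‘hover’ trick in the first practice works because the text a link displays and the address it actually opens are two different things. The following JavaScript is an added example, not code from the original post or from any product it mentions: it automates that comparison for a list of links, flagging a displayed domain that differs from the real destination host, along with a few other traits a deceptive link commonly carries (a non-web scheme, credentials embedded before the host, a bare IP address as the host). The sample links and the `.invalid` / `.example` domains are constructed placeholders, and the function names are my own.

```javascript
// Added example (not from the original post): an automated version of the
// "hover trick". Given the text a link shows and the href it really points to,
// report why a careful user should hesitate before clicking.

// Pull a domain-looking string out of displayed link text, if there is one.
// Returns null for plain text such as "Click here".
function hostFromText(text) {
  const m = text.match(/(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/i);
  return m ? m[1].toLowerCase() : null;
}

// "www.example.com" and "example.com" are the same site; anything else is not.
function sameSite(a, b) {
  const strip = (h) => h.toLowerCase().replace(/^www\./, "");
  return strip(a) === strip(b);
}

// Returns { suspicious: boolean, reasons: string[] } for one link.
function analyzeLink(displayText, href) {
  const reasons = [];
  let url;
  try {
    url = new URL(href);
  } catch {
    return { suspicious: true, reasons: ["href is not a parseable absolute URL"] };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    reasons.push(`non-web scheme: ${url.protocol}`);
  }
  if (url.username || url.password) {
    // "https://bank.example@other.invalid/" opens other.invalid, not bank.example
    reasons.push("credentials embedded before the host");
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname)) {
    reasons.push("bare IP address used as host");
  }
  const shown = hostFromText(displayText);
  if (shown && !sameSite(shown, url.hostname)) {
    reasons.push(`displayed domain "${shown}" differs from actual host "${url.hostname}"`);
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample links (placeholders, not real sites) in the shape a
// page scraper or mail filter would hand over: [display text, href].
const SAMPLE_LINKS = [
  ["https://bank.example/login", "https://bank.example/login"],        // honest
  ["www.bank.example", "https://bank.example/"],                       // honest, www stripped
  ["Click here", "https://bank.example/"],                             // no domain shown
  ["https://bank.example/login", "https://bank.example.login.invalid/"], // look-alike host
  ["bank.example", "https://bank.example@other.invalid/"],             // user@host trick
  ["bank.example", "https://192.0.2.1/login"],                         // raw IP
];

// Run every sample and return only the ones worth warning about.
function flaggedSamples(links = SAMPLE_LINKS) {
  return links
    .map(([text, href]) => ({ text, href, ...analyzeLink(text, href) }))
    .filter((r) => r.suspicious);
}

for (const r of flaggedSamples()) {
  console.log(`${r.text} -> ${r.href}\n  ${r.reasons.join("\n  ")}`);
}
```

The check is deliberately conservative: plain anchor text such as “Click here” never trips the domain comparison, because there is nothing displayed to compare against, and only `http`/`https` destinations are considered normal for a link in an e-mail or web page.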

Good Luck Out There

There you have it.  There is nothing wrong with a good A. C. Hobbs showing us where we have been found wanting, so long as we can evolve and grow in a beneficial way.  Part of authentication best practices is knowing that for every vulnerability we find, others will find another five to exploit.  It is the nature of security to protect against the unknown and unexpected.  By following certain practices online in your everyday interactions, you can combat the hackers attempting to use your information for their own nefarious ends.  Just learn from our security history and follow some of these authentication best practices to be as secure as possible in the ever-evolving digital age.


Don’t forget to let me know what you think in the comments!
