Lesson 2.3 “Passwords And Encryption” Objectives
6.3 Explain password best practices.
6.4 Identify common use cases for encryption.
Encryption Basics (2.3.1)
Encryption - Scrambling the characters used in a message so that the message can be seen but not understood or modified unless it can be deciphered. Encryption provides for a secure means of transmitting data and authenticating users. It is also used to store data securely. Encryption uses different types of cipher and one or more keys. The size of the key is one factor in determining the strength of the encryption product.
Encryption transforms clearly understood writing into ciphertext, which is unreadable.
Encryption protects the data and only lets authorized people, those who hold the key, read the message.
The key to decoding the material is an encryption algorithm, or the specific steps to uncover the hidden meaning.
The Caesar cipher is one of the best known early uses of encryption.
It was a simple system in which letters were transposed to make a message look like nonsense, but if you had the key, you could accurately rearrange the letters and recover the message.
This encryption method works by shifting each letter in the alphabet a certain number of spaces to the right or left.
To decrypt the message, the reader must know how many spaces to shift the letters.
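The shift described above, as an added example that is not part of the lesson: each letter moves a fixed number of places, wrapping around the alphabet, and decryption is the same shift in the other direction. The last function shows why the scheme is weak by listing every possible decryption: there are only 26 keys to try.

```python
import string


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` places (positive = right, negative = left).

    Case is kept and non-letters pass through unchanged, so the ciphertext
    keeps the word shape of the plaintext.
    """
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            # Modular arithmetic wraps past 'z' back to 'a' (and past 'a' back to 'z').
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    # Decryption is the same shift applied in the opposite direction.
    return caesar_shift(ciphertext, -key)


def all_decryptions(ciphertext: str) -> dict[int, str]:
    """Every candidate plaintext: the key space has only 26 values, so anyone
    holding the ciphertext can simply read through all of them."""
    return {k: decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    message = "Meet me at the library, Friday."  # constructed sample message
    ciphertext = encrypt(message, 3)
    print(ciphertext)
    print(decrypt(ciphertext, 3))
    for key, guess in all_decryptions(ciphertext).items():
        print(f"key={key:2d}: {guess}")
```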
-------------------------------------------
Modern Encryption
Today's encryption is so complex that not even the biggest and fastest supercomputers can break it.
The modern process of encrypting data involves taking the raw data, in an easily readable form, and changing it into a form that prevents unauthorized people from reading or using it. Computers use complex mathematical algorithms to create the encryption keys. Encryption keys are commonly 128 bits, or characters, long. This is another way of saying 128-bit encryption, the most common type of encryption today. The number of possible keys is 2 to the 128th power, written as 2^128.
Encrypting Data (2.3.2)
Encrypting Data at Rest
Data at Rest - Information that is primarily stored on specific media, rather than moving from one medium to another.
Data at rest is when data is sitting still, saved somewhere such as on a computer or in the cloud. In this state, data is held in some form of persistent storage.
When data is just sitting there, it is possible to encrypt it.
You can also set up special permissions, such as a list of who is allowed to look at or change the data.
Another part of storing data is keeping encrypted information for only a short time. When you log into a website, it will keep a session token or session ID. This special code shows who you are while you're logged in. But when you log out, the token disappears. The next time you visit the site, a new token is generated and held in this non-persistent storage.
-------------------------------------------
Encrypting Data in Transit
Data In Transit - Information that is being transmitted between two hosts, such as over a private network or the Internet. Also referred to as "data in motion."
This can happen when you're sending an email, visiting websites, logging into your computer remotely, or when files are being moved between online storage spaces.
One type of protocol is HyperText Transfer Protocol Secure (HTTPS) - Application protocol used to provide web content to browsers. HTTP uses port 80. HTTPS(ecure) provides for encrypted transfers, using TLS and port 443.
Many online shopping sites and mobile apps use HTTPS, making your credit card information unreadable when you make a purchase.
A virtual private network (VPN) is another way of encrypting information as it flows from point to point across networks - A secure tunnel created between two endpoints connected via an unsecure transport network (typically the Internet).
Using a VPN prevents threat actors from reading your data. The VPN protocol creates a safe tunnel, kind of like a secret passage, to keep everything you do online private. This means that even when your Internet activity goes through equipment belonging to Internet service providers, nobody can peek at what you're doing.
What Needs A Password? (2.3.3)
Strong passwords include all the following elements:
Uppercase letters, or capital letters.
Lowercase letters, or small letters.
Numbers.
Symbols, such as #@+_$%^.
Length.
-------------------------------------------
Changing Passwords
As a general rule, if a device connects to a network or if it handles sensitive information, you need to turn on the password feature.
-------------------------------------------
Beyond Passwords
Two-Factor Authentication (2FA) - Strong authentication mechanism that requires a user to submit two different types of credential, such as a fingerprint scan plus PIN. Often, the second credential is transmitted via a second trusted device or account. This is also referred to as 2-step verification.
The app will ask you to confirm that you are the one logging into a website or account.
-------------------------------------------
Passwords Best Practices
Avoid sharing passwords: Don't give your password out to anyone for any reason.
Avoid reusing passwords: If you use the same password in more than one place, such as for both your bank app and your streaming service account, your password is more vulnerable to attack.
Avoid incrementing passwords: This practice uses a base password and adds a number every time you need to change your password. For example, “password1” followed by “password2.”
Avoid using birthdates, pets' names, and other easily guessed details: Especially if you share this type of information on social media, you should stay away from using it as part of your password.
Avoid using only dictionary words: If your password is a regular or common sequence of only letters, like "balloon" or "marigold" or "photograph," it is much easier to break.
Avoid using common patterns and sequences: Don't use repetitive strings, such as “1234” or “xoxo” or "abc123.”
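A small checker, added here as an example and not part of the lesson, that applies the strong-password elements listed under "What Needs A Password?" and the best practices above: it reports which elements are missing and flags dictionary words, common sequences, repeated patterns, and the "password1" to "password2" incrementing habit. The word list, sequence list, and minimum length are constructed assumptions for the demo.

```python
import re
from typing import Optional

# Constructed word list and sequence list for this demo (not from the lesson);
# a real checker would load a full dictionary and a list of common passwords.
COMMON_WORDS = {"balloon", "marigold", "photograph", "password", "welcome"}
COMMON_SEQUENCES = ("1234", "xoxo", "abc123", "qwerty")
MIN_LENGTH = 12  # assumed policy value; the lesson only says "length"


def missing_elements(pw: str) -> list[str]:
    """Which of the lesson's strong-password elements does pw lack?"""
    checks = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
        "length": len(pw) >= MIN_LENGTH,
    }
    return [name for name, ok in checks.items() if not ok]


def strip_trailing_digits(pw: str) -> str:
    return re.sub(r"\d+$", "", pw)


def is_increment_of(new_pw: str, old_pw: str) -> bool:
    """True when new_pw is old_pw's base with only a trailing number changed,
    the "password1" -> "password2" habit the lesson warns against."""
    base = strip_trailing_digits(old_pw)
    return base != "" and new_pw != old_pw and strip_trailing_digits(new_pw) == base


def hygiene_problems(pw: str, previous: Optional[str] = None) -> list[str]:
    """Return the best-practice rules pw breaks (empty list means none found)."""
    problems = []
    if pw.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    if any(seq in pw.lower() for seq in COMMON_SEQUENCES):
        problems.append("common sequence")
    # A run of two or more characters immediately repeated ("xoxo", "abab").
    if re.search(r"(.{2,})\1", pw):
        problems.append("repeated pattern")
    if previous is not None and is_increment_of(pw, previous):
        problems.append("increment of previous")
    return problems


if __name__ == "__main__":
    for pw, prev in [("balloon", None), ("password2", "password1"), ("abc123xoxo", None)]:
        print(pw, missing_elements(pw), hygiene_problems(pw, prev))
```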
Password Management (2.3.4)
Some of the most common ways to manage multiple passwords and usernames include:
Password managers
Physical documentation
Digital records
-------------------------------------------
Password Managers
A password manager is a digital organizer for multiple passwords.
The password manager encrypts the password for that site, or generates one that's complex. These generated passwords might be readable, meaning you can recognize each character, but they won't be words or phrases you recognize. This makes them harder to crack.
Best practice is to change your personal passwords to ones randomly generated by the manager, to increase the security of your accounts.
-------------------------------------------
Physical Documentation
Write down passwords in a physical notebook and keep it in a safe place, such as a locked cabinet or a home safe. This extra layer of security can prevent losing your password collection to a home robbery. Overall, though, this physical type of password manager can provide peace of mind for those who are not comfortable leaving their passwords on the Internet.
-------------------------------------------
Digital Records
Keeping track of passwords in a document on your phone or computer is another option.
Attackers write scripts that automate the search for such files. These scripts look for keywords, including the word "password." Don't name your file "My Passwords," and be sure to set some kind of password control on the document itself.
Should I Change My Password? (2.3.5)
Is it time to change your password? This depends on several factors:
Is your password very short?
Does your password include only letters, and doesn't include any numbers or symbols?
How much of your sensitive information does the website or app have?
Are you using the same password on more than one site or app?
Have you heard about any data breaches at the organizations for which you have a password?
-------------------------------------------
Account Types
If you use the same questionable password on other sites, ones where you do share sensitive data, you should update your passwords.
-------------------------------------------
Data Breaches
If you hear about a hack, it's important to change your password right away.
Also, check if you used the same password on other websites or apps.
If you notice anything suspicious happening with your account, such as messages you didn't send, that's another sign you should change your password.