To Password or Not To Password

Authentication: Why?

[Figure: the Northrop Grumman Fan, a layered view of the cyber-security market with representative vendors per layer]
  • Perimeter: Honeywell, Bosch Security Systems
  • Network: Palo Alto Networks, Fortinet
  • Endpoint: McAfee, Symantec, Cylance, CrowdStrike
  • Application: Veracode, Checkmarx, Qualys
  • Data/IAM: Okta, Duo, Auth0, BeyondTrust
[Figure not reproduced] Source: Experian, 3/11/2019

Authentication: How?

Password-based Authentication

[Embedded video clip not reproduced]

Password Hashing

  • Collision resistance: it should be computationally infeasible to find two distinct messages m and m' with hash(m) = hash(m'). (Collisions must exist, since inputs are unbounded and the output is fixed-size; the requirement is that nobody can find one.)
  • Preimage resistance (hard to reverse): given a hash h, it should be infeasible to find any message m with hash(m) = h
  • SHA-256: produces a 256-bit hash, written as 64 hexadecimal characters
  • SHA-512: produces a 512-bit hash, written as 128 hexadecimal characters

Hashing can also be cracked! A fast hash such as SHA-256 is deterministic and cheap: an attacker who steals the hash table can test guesses offline at billions of hashes per second on a GPU, identical passwords show up as identical hashes, and a table of precomputed hashes for common passwords works against every user of every site that stores the same unsalted hash.

Hashing with Salts
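To make the two preceding points concrete, here is an added example (it is not code from the article): it stores the same constructed set of users first as bare SHA-256 and then as salted PBKDF2-HMAC-SHA256, and runs the same dictionary attack against both. The user names, passwords and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not from the article).
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def sha256_hex(password: str) -> str:
    """Unsalted, fast hash: 64 hex characters, as in the SHA-256 bullet above."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute digest -> password once. SHA-256 is deterministic, so one table
    cracks every user of every site that stores bare SHA-256 (rainbow tables are
    just a compressed form of this table)."""
    return {sha256_hex(p): p for p in wordlist}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """One dictionary lookup per user; no hashing at attack time."""
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_salted(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). OWASP currently
    recommends >= 600,000 iterations; the demo passes a smaller count to run
    quickly. bcrypt, scrypt or Argon2id are the usual production choices."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str, iterations: int):
    """Fresh random salt per user, stored next to the digest (salts are not secret)."""
    salt = os.urandom(16)
    return salt, hash_salted(password, salt, iterations)


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Constant-time comparison avoids leaking how many leading bytes matched."""
    return hmac.compare_digest(hash_salted(password, salt, iterations), digest)


def crack_salted(stored: dict, wordlist, iterations: int):
    """No shared table is possible: the attacker pays one slow hash per
    (user, guess). Returns what was cracked and how many slow hashes it cost."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            work += 1
            if verify_salted(guess, salt, digest, iterations):
                found[user] = guess
                break
    return found, work


def demo(iterations: int = 100_000) -> dict:
    unsalted = {u: sha256_hex(p) for u, p in USERS.items()}
    table = build_lookup_table(WORDLIST)
    salted = {u: store_salted(p, iterations) for u, p in USERS.items()}
    cracked_salted, work = crack_salted(salted, WORDLIST, iterations)
    return {
        # identical passwords give identical unsalted hashes, visible to the attacker
        "same_sha256": unsalted["alice"] == unsalted["bob"],
        "same_salted": salted["alice"][1] == salted["bob"][1],
        "cracked_unsalted": crack_unsalted(unsalted, table),
        "cracked_salted": cracked_salted,
        "table_hashes": len(table),   # 5 hashes, reusable against everyone forever
        "salted_hashes": work,        # recomputed per user, per guess
    }


if __name__ == "__main__":
    print(demo(20_000))
```

Two things to notice: the weak passwords fall in both cases, so salting and slow hashing buy time rather than safety for users who choose "password"; and the salted attack cost scales with users × guesses × iterations, whereas the unsalted table was built once and reused. That is exactly why the recommendations at the end of the page pair salted hashes with a second authentication factor.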

Password-based Authentication: ZKP comes to the rescue!
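The slide above names zero-knowledge proofs but does not spell out a scheme. What follows is an added example, not code from the article or from any vendor it mentions: a Schnorr identification protocol in which the server stores only a public value y = g^x derived from the user's password, and each login proves knowledge of x without ever sending x, a hash of it, or the password. The group parameters are generated at runtime from a fixed seed purely so the demo is self-contained (real systems use published 2048-bit+ groups or an elliptic curve), and the SHA-256 password-to-exponent derivation is an assumption of this example. The last function shows the caveat a practitioner should keep in mind: y is a deterministic function of the password, so a copy of the server's store still permits offline guessing, which is why deployed password-ZKP schemes are PAKEs such as SRP or OPAQUE.

```python
import hashlib
import random
import secrets

SMALL_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin; deterministic for n < 3.3e24 with these witness bases."""
    if n < 2:
        return False
    for b in SMALL_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int, seed: int = 7):
    """Find p = 2q + 1 with p and q prime. Seeded so every run uses the same
    (public) group; this is an assumption of the demo, not a recommendation."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = safe_prime(64)
G = 4  # a quadratic residue mod a safe prime, hence of prime order Q


def password_to_secret(password: str, salt: bytes) -> int:
    """Prover's secret exponent x, derived from the password (hypothetical scheme;
    SHA-256 is used for brevity, a real scheme would use a slow KDF)."""
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big") % Q


def register(password: str, salt: bytes = None):
    """Server keeps only (salt, y = g^x mod p); it never receives x or the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, pow(G, password_to_secret(password, salt), P)


def authenticate(password: str, salt: bytes, y: int):
    """Schnorr identification: prove knowledge of x with y = g^x without revealing x.
    Returns (accepted, transcript); the transcript (t, c, s) is uniformly random
    and reveals nothing about x on its own."""
    x = password_to_secret(password, salt)             # prover side
    r = secrets.randbelow(Q - 1) + 1                    # fresh nonce per login
    t = pow(G, r, P)                                    # 1. commitment  ->
    c = secrets.randbelow(Q - 1) + 1                    # 2. <- verifier's challenge
    s = (r + c * x) % Q                                 # 3. response   ->
    accepted = pow(G, s, P) == (t * pow(y, c, P)) % P   # g^s == t * y^c
    return accepted, (t, c, s)


def offline_guess(salt: bytes, y: int, wordlist):
    """Caveat: y is a deterministic function of the password, so anyone who copies
    the server's store can test guesses offline, exactly as against a salted hash.
    PAKEs (SRP, OPAQUE) are designed so that the stored verifier cannot be used
    this way without also breaking the protocol online."""
    for guess in wordlist:
        if pow(G, password_to_secret(guess, salt), P) == y:
            return guess
    return None
```

The verification step works because g^s = g^(r + c·x) = g^r · (g^x)^c = t · y^c (mod p). A prover who does not know x can only pass if the challenge happens to be 0 mod q, which the verifier rules out by drawing c from 1..q-1.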

Passwordless Management: Distributed Authentication

Passwordless is a fictional passwordless authentication vendor 😜

Passwordless Management: Decentralized Blockchain-based Authentication

AuthChain is a fictional decentralized authentication protocol with a front-end interface 😜
StorageChain is fictional decentralized storage on blockchain 😜

Enabler A: Randomness

The Blockchain Trilemma

Enabler B: Privacy-First Protocol

Enabler C: Decentralized Storage


  • Make sure customer/employee passwords are stored as salted hashes, using a slow password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2) rather than a plain fast hash such as SHA-256
  • Implement 2-step user authentication: once hackers gain access to Active Directory, it is just a matter of time before they crack some user accounts and passwords, especially the ones using common words and phrases. 2-step verification adds another layer of security. Big Head's account could be easily hacked; if he received a text code to access his account when he wasn't the one asking for it, he'd know someone was trying to access it without his permission. He could immediately log in and change his password, hopefully not to "password" this time. 😉 (An authenticator app or hardware security key is stronger than an SMS code, which can be phished or intercepted through SIM swapping.)
  • Keep personal and professional passwords separate: Dropbox's incident, in which 60M+ user accounts were breached, happened because an employee reused a password; hackers obtained that employee's password from the earlier LinkedIn breach. As we cannot be sure every product/service implements a strong authentication protocol, we should at least separate work-related passwords from personal ones to contain the damage.
  • Stay open-minded about ZKP- and passwordless-based authentication approaches as the underlying technology continues to evolve and mature

Approach go-to-market in the Enterprise space with patience

  • The current market might be hard to crack at this point, as passwordless is quite disruptive to existing centralized password management; enterprises also have alternatives, such as shoring up their network, endpoint and cloud security to protect Active Directory from being compromised.
  • Some enterprises might be willing to do pilots for specific use cases with limited deployment; use them as your design partners to iterate on the product and to build credibility.
  • Build partnerships with existing IAM vendors. Secret Double Octopus, a password-free enterprise authentication vendor, recently announced a partnership with Okta; in the joint solution, Secret Double Octopus complements Okta by providing passwordless access to all of the enterprise's services and applications.
  • SMBs are more likely to become early adopters, as passwordless management is secure in principle and simple to manage (the actual authentication is distributed to users' devices at the edge).
  • Come up with a solution or back-up plan for edge cases such as a phone being stolen, lost or broken; account-recovery flows are a common weak point of passwordless schemes.
  • This approach requires a lot of evangelism to educate the market at the early stage. Make sure you have a talented, creative product marketer. 😄
  • Hats off to all of you who are involved in this Web 3.0 initiative that aims to bring the Internet back to what it was supposed to be (to assure the open development, evolution and use of the internet for the benefit of all people throughout the world) and to return privacy and control to users.
  • Authentication is very likely to be tackled via Decentralized Identity (DID), a much broader initiative that enables users to own their own identity, control and protect their information, and share it with entities that request it, without depending on centralized third parties such as governments and banks.
  • Enabling technologies such as privacy methodologies, consensus, decentralized networks and decentralized storage are critical to the development of Web 3.0 (aka the decentralized web); the front end of authentication or DID would sit on the application layer among many other decentralized applications.

645 Ventures
