Technology

More cybersecurity using the password

Today is “change your password day” again. A well-intentioned
initiative for more IT security. Coming originally from the military context of the 1960s, the recommendation to change your password regularly can still be found in many corporate policies today. Modern guidelines such as the current BSI Basic Protection Compendium and the NIST Digital Identities Guidelines drop this requirement because there are more effective strategies to increase password security:

Password length over complexity

First of all, a strong password needs to be changed only if there is a suspicion that it has been revealed.

Today, attackers can try out billions of passwords within a very short time using automated systems. Especially if these systems are accessible via the network or have access to the password hashes and can therefore be effectively tried offline. The complexity of the password is therefore completely irrelevant if it is too short. Recommendations for length vary from 8 to at least 14 characters. Advances in attack tools such as Hashcat, and faster, specialized password-guessing hardware, are driving these requirements ever higher.

Compliance policies today require individualized login credentials. This eliminates the risk a password is known to many people and thus the need to change it regularly. One long password for exactly one person for exactly one service. Pretty secure.

Passwords are no repeat parts

To be honest, haven’t you ever used the same or a very similar password for multiple services? You should get rid of this habit quickly because a successful attack on one service automatically leads to a successful attack on others. The use of already privately used passwords in a corporate environment is particularly critical.

Modern password policies ensure that passwords appearing in lists of captured passwords are rejected. The website haveibeenpwand, for example, indicates whether a password has been captured. Modern systems offer interfaces to check passwords in this way. In CONTACT Elements you can easily activate them:

from cdb.sig import connect
from cdb.authentication import check_pwned_password
connect(‘password_acceptable_hook’)(check_pwned_password)

Password manager instead of one-size-fits-all

Password repeating is bad, and so are short passwords. Users face the challenge of remembering a large number of long passwords in their heads. Writing it down on a piece of paper and hiding it under the keyboard or sticking it on the bulletin board is not a solution, because a camera can capture it.

It is better to use a password manager. It can create and manage long passwords and makes them easier to enter via copy and paste. Unfortunately, some companies, driven by the concern that a Trojan will intercept the passwords on the clipboard, block the copy and paste method in their applications, preventing the use of a password manager. However, in the case of a Trojan attack, this measure is usually ineffective and companies should instruct users to use a password manager to increase their IT security.

Beware of highwaymen and tricksters

Even the strongest password does not protect against attacks if it is intercepted. It’s often surprisingly easy to do. Connections without a minimum level of security like Transport Layer Security (TLS) are an open book for any attacker. Older network protocols such as Kerberos also offer numerous gateways. Ransomware exploits these to spread across the corporate network. As soon as an administrator logs on to a compromised computer, the attacker has the credentials, and shortly thereafter gold and silver tickets are created and the Windows domain is firmly in the attacker’s hands.

Here, too, security stands or falls with the password, because it is used in the calculation of the authentication tickets and, due to the symmetrical encryption, enables the attacker to calculate the password back from the ticket.

Increase security through multiple factors

One recommendation to get around the weaknesses of passwords is to include other factors. This works very well from a security perspective. A second factor significantly increases security in almost every case. In most cases, it is of secondary importance whether these are one-time passwords such as TANs via SMS, time-based codes such as Definition Time-based One-time Password (TOTP), or even simple confirmation emails with links.

The downside of second factors is the additional effort and the impact on usability. Helpdesk processes become more complicated, users need to be trained, and login processes often happen more slowly.

Single sign-on – both a curse and a blessing

Users love single sign-on (SSO), where you only have to enter a password and a second factor once to use numerous services. This minimizes the effort enormously – but also for the attacker. Particularly if access depends on a weak password only. A central login system also solves many problems for compliance when users are blocked or reports are generated. The costs for user administration are also reduced.

Single sign-on turns the “one password per service” argument above on its head. Again, only one password stands between the attacker and your system. If the attacker knows the password, he has access. And then the single sign-on system opens all doors for the attacker.

Detect phishing

Even stronger mechanisms such as TOTP or hardware key generators do not protect if the password and access code are entered on a fake website. This practice is known as phishing. The solution, on the other hand, is channel or token binding and links (binds) the desired access to the channel through which the access is requested. This means that a token is only accepted for access to device A but not to device B of the attacker. This form of multi-factor authentication is very secure and easy to use with modern hardware or cell phones. For enterprise IT, integration with common platforms is relevant here. Windows Hello, Apple and Android support the FIDO2 / WebAuthn standard specified by the FIDO Alliance to detect phishing and make single sign-on secure.

Passwords are obsolete!?

Starting from the WebAuthn standard, there is a new initiative since 2022 with passkeys – driven by Apple, Microsoft and Google – to banish passwords from applications and single sign-on. You can change your password to a passkey today if your device supports it and use 2024’s “Change your Password Day” to delete your password and never have to use it again.

More Information on Cybersecurity

Learn everything you need to know about building a reliable IT security architecture for protection against cyberattacks in our free white paper “IT Security for Enterprises”.

Big, bigger, giant. The rise of giant AI models

The evolution of language models in the field of NLP (Natural Language Processing) has led to huge leaps in the accuracy of these models for specific tasks, especially since 2019, but also in the number and scope of the capabilities themselves. As an example, the GPT-2 and GPT-3 language models released with much media hype by OpenAI are now available for commercial use and have amazing capabilities both in type, scope, and accuracy, which I will discuss in another blog post. This was achieved in the case of GPT-3 by training using a model with 750 billion parameters on a data set of 570 GB. These are jaw-dropping values.

The larger the models, the higher the cost

However, the costs of training these models are also gigantic: Taking only the stated compute costs ¹ for a complete training run, the total amount for training GPT-3 is 10 million USD ^{2, 3}. In addition, there are further costs for pre-testing, storage, commodity costs for deployment, etc., which are likely to be in a similar amount. Over the past few years, the trend of building larger and larger models has been consistent, adding about an order of magnitude each year, i.e., the models are 10x larger than the year before.

Size of NLP models from 2018-2022. Parameter sizes are plotted logarithmically in units of billions. The red line represents the average growth: approx. 10-20 times larger models per year ².

The next model of OpenAI GPT-4 is supposed to have about 100 trillion parameters (100 x 1012 ). For comparison, the human brain has about 100 billion neurons (100 x 109) which is 1000 times less. The theoretical basis for this gigantism is based on studies which show a clear scaling behavior between model size and performance ⁴. According to these studies, the so-called loss – a measure for the error of the predictions of the models – decreases by 1, if the model becomes 10 times larger. However, this only works if the computing power and the amount of training are also scaled upwards.

In addition to the enormous amounts of energy required to calculate these models and the associated CO2 footprint, which is assuming worrying proportions, there are direct economic consequences: Apparently, not only smaller companies cannot afford the cost of training such models, but also larger corporations are likely to balk at costs of $10 million, or $100 million or more in the future. Not to mention the necessary infrastructure and staffing for such an endeavor.

Monopoly position of the big players

This has a direct impact on availability: while the smaller models are now open source until the end of 2019 and can be freely accessed via specialized providers, this no longer applies to the larger models from around the end of 2020 (the appearance of GPT-2). OpenAI, for example, offers a commercialized API and only grants access through an approval process. On the one hand, this is convenient for developing applications with these NLP models, as the work of hosting and administration is eliminated; on the other hand, the barrier to entry for competitors in this market is so steep that essentially the super-big AI companies participate there: Google with OpenAI, Microsoft with Deepmind, and Alibaba.

The consequences of these monopoly positions of the leading AI companies are, as with every monopoly, pricing models without alternatives and rigid business practices. However, the capabilities of the current large language models such as GPT-3 and Megatron Turing NLG are already so impressive that it is foreseeable that in 10 years every company will probably need access to the current models for the most varied applications. Another problem is that the origin of the models from the American or Chinese area brings a large bias into the models, which on the one hand is clearly expressed in the fact that English or Chinese is the language with which the models work best. On the other hand, the training datasets that come from these cultural areas bring with them the very cultural tendencies from these spaces, so it is to be expected that other regions of the world will be underrepresented and continue to fall behind..

What can be done?

In my opinion, it is important to keep a careful eye on the development and to be more active in shaping the development of AI in the European area. In any case, a greater effort is needed to avoid dependence on monopolized AI providers in the long term. It is perhaps conceivable to involve national computing centers or research alliances that, united with companies, train and commercialize their own models and form a counterweight to American or Chinese companies. The next 10 years will be decisive here.

¹ See here in section D as well as compute costs per GPU e.g. on Google Cloud approx. 1USD/hour for an NVIDIA V100
² Calculation approach: V100 = 7 TFLOPs = 7 10^12 / s, 3.14 10^23 flops => 3.14 10^23/7×10^12 / 3600 = 10^7 hours = 10 million USD, details of the calculation and research of the parameters here.
³ see also here for comparison graph with older data.
⁴ see arxiv and Deepmind

What is Quantum Computing good for?

When it comes to quantum computing (QC), after the quite real breakthroughs in hardware and some spectacular announcements under titles like “Quantum Supremacy“, the usual hype cycle has developed with a phase of vague and exaggerated expectations. I would like to briefly outline here why the enormous effort is being made in this area and what realistic expectations lie behind it.

To understand the fundamental differences between QC and Classical Computing (CC), we first need to take a step back and ask on what basis both computing paradigms operate. For the CC, the basis is the universal Turing machine expressed in the ubiquitous von Neumann architecture. This may sound a bit outlandish, but in principle it is easy to understand: An universal Turing machine abstracts the fact of programming any algorithm into a classical computer (universal) that is somehow (classically) algorithmically expressible (Turing machine).

The vast majority of “algorithms” that are implemented in practice are simple sequences of actions that react to external events such as mouse clicks on a web page, transactions in a web store or messages from other computers in the network. A very very small, but important, number of programs do what is generally associated with the word algorithm, which is to perform arithmetic operations to solve a mathematical problem. The Turing machine is the adapted thought model for programming these problems and leads to programming languages having the constructs we are used to: loops, branches, elementary arithmetic operations etc.

What is the computing paradigm for a quantum computer?

A quantum computer is built up of quantum states that can be entangled with each other and evolved via quantum gates. This is also a bit off the wall, but simply means that a quantum computer is set to have an initial (quantum) state that evolves in time and is measured at the end. The paradigm for a quantum computer is therefore the Schrödinger equation, the fundamental equation of quantum mechanics. Even without understanding the details, it should be clear that everyday problems are difficult to squeeze into the formalism of quantum mechanics and this effort probably does not bring any profit: Quantum mechanics is just not the adjusted model of thought for the most (“everyday”) problems and it is also not more efficient in solving them.

So what can you do with it?

The answer is very simple: QC is essentially a method for quantum computing. Now this sounds redundant, but it means that a quantum computer is a universal machine to calculate quantum systems. This vision, formulated by Richard Feynman way back in 1981, is still followed by the logic of research today. Thus, it is not surprising that publications on the subject dealing with applications are located either in quantum chemistry or in the basic research of physics [5][6].

Why does this matter?

Because the classical computer is very inefficient in calculating or simulating quantum systems. This inefficiency is basically due to the mathematical structure of quantum mechanics and will not be solved by classical algorithms, no matter how good they are. In addition to basic research issues, QC is likely to become important in the hardware of classical computers, where miniaturization is pushing the limits of designing transistors on chips using classical theories of electricity.

Besides, there are a lot of interesting connections to number theory and other various problems, which so far can be classified as interesting curiosities. Based on current knowledge, the connection to number theory alone could have a significant impact, because for historical reasons almost all practical asymmetric encryption schemes rely on algorithms that essentially assume (there is no proof) that prime number factorization cannot be solved efficiently with classical algorithms. Quantum computers can do this in principle but are far away from being able to do so in terms of hardware.