Authentication

An introduction to modern user account protection

Who is the material made for?

This course is aimed at all employees in a company.

Everyone, from office employees to developers to managers, will be able to draw from this course.

All employees will learn what attacks on passwords and user accounts exist, how they are performed, and how to defend against them.

Additionally, they will learn what alternatives to passwords exist and how to use them. Security professionals will learn how to create policies to mitigate risks of social engineering attacks and guide employees to secure behaviour. Developers will learn how to securely implement password storage, which hashes should be used, and when alternatives can be helpful.

Introduction

Passwords are the most prevalent means of user authentication today. They are used to protect people’s bank accounts and companies’ assets. Yet, for many people, it is unclear what a strong password looks like and what modern password policies should look like. For example, regular password expiry (e.g., after 30 days) has been shown to actually be a hindrance to security rather than a benefit.

The course will cover the latest strategies attackers use to guess passwords, what makes passwords easy to guess, and how to make them stronger. Specifically, the course will look at different ways to create passwords and their effect on guessing resistance. Additionally, the course will cover what benefits good password policies can hold and what harms bad password policies can bring.

The course will also look at technologies that can enhance account security, such as multifactor authentication, and alternatives, such as Passkeys/WebAuthn. These technologies allow users to protect their accounts from guessing and observation attacks but come with trade-offs in the assumptions about account security that most people might not be aware of.

From a developer’s perspective, the course will cover how to implement password storage securely, such that guessing attacks are made more difficult. Additionally, the course will cover the best practices as outlined by institutions such as the Danish CFCS and US NIST.