Password Visualization – Project Analysis

Abstract

This project analysis covers the analysis and development of a new password visualization and authentication system for the “DataBank” service of Datamatix, a leading knowledge provider in the UAE. The project also intends to provide guidelines for users on strong password selection. The report describes in detail the client requirements, client constraints, the number of meetings required, stakeholder perspectives, the analysis, and a discussion of that analysis. It also discusses possible solutions and the selection of methodologies on the basis of the analysis. At the end, a short discussion section is added so that team members are aware of the project requirements.

Introduction

The rise of the internet has resulted in the increased use of computers on a large scale and in almost every aspect of life. Nearly every task is now performed by interconnected computers, making it easier to perform even those tasks that were once difficult. This widespread use of computers and the internet, while easing everyday life, has also caused some major problems. One of these problems, specifically related to the internet, is the security and privacy of the information and data spread across it. The key mechanism still widely used for restricting unauthorized access is the password. These small sets of characters are designed to secure the information and the system, and they are the key responsibility of the user. Despite this clear truth, a lot of people still consider it to be a corporate responsibility (Cole, 2002) and are right to some extent. Organizations are actually the ones responsible for ensuring that their infrastructure is secure enough to withstand security breaches or attacks (Shah and Mehtre, 2014). In order to provide that level of security, they have to take key measures and develop strong guidelines regarding unauthorized access.

Datamatix is one of the world's leading knowledge-providing groups, with more than thirty years of experience. Besides providing training and education to individual organizations to help them excel in their business, the group also provides them with IT solutions. One of the IT services provided by the Datamatix group is the “Data Bank”, a secure online place for the information and data of different client groups and firms. According to the information given by Datamatix about the “Data Bank” service, the security of the data stored on their servers is one of the primary aspects of their data privacy policy (“DataBank”, 2019). Since passwords play an important role in the security of any electronic information and data, password visualization and authentication are required. This paper therefore analyses the techniques and methodologies that can be used with the proposed systematic plan to identify the weaknesses in the “Data Bank” service of Datamatix and provide solutions for them, especially in terms of passwords.

Client Requirements and Constraints

The key purpose of any project is to accomplish its aims and objectives, which are based on the client requirements. The requirements help in better understanding the project itself and are a crucial part of any project management plan. Since the key client and stakeholder of this project is Datamatix, identifying and understanding their needs is therefore required. The best method for identifying and understanding the basic needs and requirements of the client is to ask them in a direct meeting (Sharma, 2013).

Client and Team Meetings

There will be multiple meetings among the team members and with the client. The very first meeting will be with the client, i.e. the authorities of Datamatix, especially the ones managing the “DataBank” service. This meeting will help in understanding the actual objectives of the project, the budget, and the time span available. The second meeting will be a team meeting, intended to go through the minutes of the first client meeting and to develop a strategy for project execution. This meeting will also act as the task distribution platform. The third meeting will again be with the team members; it will be held after a thorough study of the current “DataBank” system and the preparation of the report on the needs of the project. It will act as the actual project planning team meeting. A fourth meeting will also be conducted, this time with the client, to discuss the client’s perspective on the project plan proposed in the third meeting. The final meeting will be a team meeting conducted at the end of the project to wind everything up and to discuss the project's success.

Client Requirements

Some of the key client requirements that are identified so far against their objective and policies are as follows:

| Requirement | Description | Priority |
|---|---|---|
| In-depth analysis of the current security system of “DataBank” | The key aim and objective of this project is to identify any loopholes in the security of “DataBank”, especially those related to passwords; an in-depth analysis of the current password visualization system of “DataBank” is therefore needed. | Very High |
| Provide an alternative password visualization and authentication system | Not only to identify the loopholes in the security system of “DataBank” but also to provide a solution in the form of an alternative password visualization and authentication system that can help them maintain their services as per their policies. | Very High |
| Setting up guidelines for users | Since securing passwords is not only the responsibility of organizations but also a key duty of users, a guideline for setting up an unbreakable password is a key requirement. | High |
| Cost and time management | Cost and time are two must-have considerations of a successful project; timely and on-budget completion of the project is therefore required. | Moderate |

Stakeholder Perspectives

The key stakeholder of this project is Datamatix, one of the industry’s leading knowledge providers (“Datamatix – The Power of Trust”, 2019); the project objectives and requirements revolve around them. Besides them, there are other stakeholders as well, such as the users and the team members of “DataBank”. Since their perspective is of equal importance (Cekic, Surlan & Kosic, 2017), an understanding of the project from their standpoint is also required.

The users of “DataBank” will certainly find this project a great help if it gives them easy understanding and integration of the newly proposed password visualization and authentication system. They will certainly feel more secure if they find the new proposed system up to industry standards. The team members, on the other hand, will regard this project as a success if and only if they do not need to restructure all the other security measures.

Analysis

Different methods are used to secure information systems. The most common one is alphanumeric password authentication. At the same time, it is the easiest to crack, leaving the system vulnerable (Han, Wong, and Chao, 2014). In order to fulfil the client’s requirements, different methods will be used to analyse the project. The first requirement of the client is an in-depth analysis of the system for any vulnerability, so the first analysis method used in this project will be password cracking. The second requirement is to provide an alternative solution to the current password authentication system. For this requirement, one-time passwords will be used. To strengthen the security of the system further, the existing alphanumeric password system will be kept and used along with the one-time passwords. The new password visualization and authentication system will therefore be a two-step security system. The third and last requirement is to provide users with knowledge and guidelines for setting up a hard password. The last step of this analysis will therefore be about setting up an unbreakable password.

Password Cracking

Password cracking is the term used for the cyber-attacks or hacking techniques that bypass a password-protected system (EC-Council, 2011). It is the key method used for password bypassing. Multiple techniques fall under password cracking, but the two main ones that are widely used and relevant to this project are the dictionary attack and the brute-force attack. One of these two techniques will be used to identify the loopholes in the current password system of Datamatix. The selected technique will also help in identifying users' trends in setting passwords.

Dictionary Attack

In the “Dictionary Attack” model, a dictionary is passed to the system and its entries are compared with the password hash. If an entry in the dictionary matches the password, the password is cracked (Clercq, 2001). The dictionary file may contain words from an ordinary dictionary and may also contain phrases and simple password combinations such as “iloveu”, “123456”, “abc123”, etc. The dictionary attack can only detect simple passwords, but it has the benefit of quick password guessing.

Brute-Force Attack

“Brute-Force” is another method widely used for password cracking. It works like the “Dictionary Attack”, but instead of comparing the password hash with the entries from a dictionary file, the brute-force attack tries every possible combination of characters (Whitman & Mattord, 2018). It can crack almost every password but requires a lot of time and resources.

The “Dictionary Attack” will be used as the password cracking methodology. It is preferred over “Brute-Force” because of its quick guessing and its limitations. Since the project is not about cracking all passwords but only about finding the weak ones, a dictionary attack is the most suitable password cracking methodology for this project.

User Authentication

Alphanumeric passwords are the easiest to decode but are widely used. Replacing them with other authentication techniques, such as graphical ones, does not seem to be a perfect solution. Although graphical passwords are good for increasing security, they require more space on the server to store images (Radhika & Biswas, 2014), images that are known to the users in advance so that they can select or guess them. Instead of replacing the current password authentication system with a new one, another layer of security will be applied to the system. This second layer of security will strengthen the “DataBank” information system.

One-Time Password (OTP)

For the “DataBank” service, a new one-time password layer will be set up that messages the generated password to the user’s mobile phone. The user will then enter that password to authenticate the entry. A schema of the newly proposed password authentication system for “DataBank” is as follows:

| Steps | Function or Working |
|---|---|
| Step 1 | User goes to login page |
| Step 2 | He/She enters his/her credentials |
| Step 3 | The System sends back the newly generated one-time password to the user’s phone |
| Step 4 | User enters the OTP in the validation field |
| Step 5 | If the entered password matches with the system generated one, the user will be welcomed |
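The server side of Steps 3 to 5 in the schema above can be sketched as follows. This is an added example, not code from the Datamatix system or from the original report; the class name `OtpStore`, the six-digit length, the five-minute lifetime and the three-guess limit are assumptions, and delivery to the phone is left to the caller's SMS gateway.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6      # assumed code length
OTP_TTL = 300       # assumed validity window in seconds
MAX_ATTEMPTS = 3    # assumed number of guesses allowed per issued code


class OtpStore:
    """Server-side state for Steps 3 to 5 of the login schema."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [code digest, expiry time, attempts left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, username):
        """Step 3. Call only after the primary password check has succeeded.
        Returns the code so the caller can message it to the user's phone."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = [self._digest(code),
                                   self._clock() + OTP_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """Steps 4 and 5. True only for a fresh, unused, matching code."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry[1]:
            del self._pending[username]      # expired codes are discarded
            return False
        entry[2] -= 1
        matches = hmac.compare_digest(entry[0], self._digest(submitted))
        if matches or entry[2] == 0:
            del self._pending[username]      # single use, or guess limit reached
        return matches
```

The code is drawn from a cryptographic random source, compared in constant time, and removed after one successful use, after expiry, or after the guess limit, so a replayed or guessed code is rejected.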

Guide for Strong Password

In order to make the primary password stronger, some rules and guidelines will be set. The guide will tell users how to set up passwords that are more secure and can withstand the “Dictionary Attack”. Since the dictionary attack method uses dictionary words to guess, the first rule will be not to use a dictionary word. Other guidelines and rules will be set on the basis of the results of the password cracking methodology. However, some of the possible rules will be as follows:

  • More than 12 characters (min).
  • Must have numbers, letters, and symbols.
  • Should not be a dictionary word (Hoffman, 2018).
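The three rules above can be enforced at password-set time with a checker like the following. This is an added example, not part of the original report; the function names, the small wordlist (built from the report's own sample passwords plus a few constructed entries) and the substitution table are assumptions. It goes slightly beyond the rules as written by also rejecting a dictionary word that is only disguised with character substitutions or padded with digits and symbols.

```python
import string

MIN_LENGTH = 13  # the guide's "more than 12 characters"
# Constructed sample wordlist; a real deployment would load a much larger one.
WORDLIST = {"iloveu", "123456", "abc123", "password", "welcome", "databank"}
# Assumed table of common character substitutions, undone before lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
PADDING = string.digits + string.punctuation


def dictionary_core(password):
    """Return the wordlist entry the password is built on, or None."""
    lowered = password.lower()
    stripped = lowered.strip(PADDING)   # drop leading/trailing digits and symbols
    candidates = (lowered, stripped,
                  lowered.translate(LEET), stripped.translate(LEET))
    for candidate in candidates:
        if candidate in WORDLIST:
            return candidate
    return None


def check_password(password):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isalpha() for c in password):
        problems.append("letters")
    if not any(c.isdigit() for c in password):
        problems.append("numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("symbols")
    if dictionary_core(password) is not None:
        problems.append("dictionary")
    return problems
```

A password such as `P@ssw0rd2019!!` satisfies the length and character-class rules yet is still reported as dictionary-based, which is the case the length and composition rules alone miss.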

Discussion and Reflection

Although passwords are the most widely used security barrier, they are at the same time the most breached one, despite the fact that every system requires a hard-to-crack password to be set. Several alternative techniques have so far been developed in order to minimize password loss (Schweitzer et al., 2009). This project analysis briefly describes the process for defining and developing new password visualization and authentication techniques for the region’s leading knowledge-providing organization, Datamatix. These techniques are not only found to be efficient and beneficial for the project but also give the team the ability to achieve the aims and objectives of the project by fulfilling the requirements of the client.

The first solution for this project is the use of a password cracking technique, specifically the “Dictionary Attack”. This will help the team in understanding the current security level of “DataBank” and provide them with the knowledge for designing the guidelines for a stronger password. The second methodology selected during the analysis phase is the use of the one-time password. The one-time password will increase the security level of the system without bringing in any major changes, with minimum cost and within minimum time, making the project a true success. Using these methodologies will not only cut the cost and the time of the project but will also minimize the risk associated with the loss of information during the project.

Although the methodologies selected and analyzed in this phase are good enough, challenges may still arise. The challenges that the team may face while using these methodologies are both ethical and technical in nature. The ethical challenge will arise during the password cracking phase, while the technical one will relate to the selection and installation of the equipment for generating one-time passwords and messaging them to the user at the time of logging in.

In order to make this project a success, its team members are required to have specific knowledge. Proper identification of the current system and the client’s needs, as well as knowledge of recent trends in both password visualization and authentication techniques and password cracking techniques, is needed. The team members are also required to be ethically reliable in order to avoid privacy issues such as data theft and misuse. Team members are also required to have sound knowledge of project management, i.e. identification and mitigation of risks, time and cost management, and objective accomplishment, to make this project a successful one.

References

Cekic, Z., Surlan, N., & Kosic, T. (2017). Value Perspective of Project Stakeholders. IOP Conference Series: Materials Science And Engineering, 262, 012078.

Clercq, J. (2001). L0phtCrack’s Password-Cracking Methods. Retrieved from https://www.itprotoday.com/security/l0phtcracks-password-cracking-methods

Cole, E. (2002). Hackers beware. Indianapolis, Ind.: New Riders.

DataBank. (2019). Retrieved from http://datamatixgroup.com/Services/DataBank.aspx

Datamatix – The Power of Trust. (2019). Retrieved from http://datamatixgroup.com/Profile.aspx

EC-Council. (2011). Penetration testing. Clifton Park, N.Y.: Course Technology, Cengage Learning.

Han, A., Wong, D. and Chao, L. (2014). Password Cracking and Countermeasures in Computer Security: A Survey. Amsterdam: University of Amsterdam.

Hoffman, C. (2018). How to Create a Strong Password (and Remember It). Retrieved from https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/

Kushwaha, B. (2012). An Approach For User Authentication One Time Password (Numeric And Graphical) Scheme. Journal Of Global Research In Computer Science, 3(11), 54-57.

Radhika, & Biswas, S. (2014). Comparative Study of Graphical User Authentication Approaches. International Journal of Computer Science and Mobile Computing, 3(9), 361-375.

Schweitzer, D., Boleng, J., Hughes, C. and Murphy, L. (2009). Visualizing keyboard pattern passwords. 2009 6th International Workshop on Visualization for Cyber Security.

Shah, S. and Mehtre, B. (2014). An overview of vulnerability assessment and penetration testing techniques. Journal of Computer Virology and Hacking Techniques, 11(1), pp.27-49.

Sharma, G. (2013). 7 Best Practices For Building Client Relationships. Retrieved from https://www.forbes.com/sites/gaurisharma/2013/10/04/7-best-practices-for-building-client-relationships

Whitman, M., & Mattord, H. (2018). Principles of information security. Boston, Mass.: Cengage Learning.

By admin_writer
