Cyber Security

The document outlines key concepts and best practices for cybersecurity, focusing on passwords, Wi-Fi attacks, web application vulnerabilities, firewalls, and public key infrastructure (PKI). It emphasizes the importance of strong passwords, common threats, and protective measures against various cyber attacks. Additionally, it explains the role of firewalls and PKI in securing digital communications and networks.

Uploaded by

rabbiakhanzadii

Cyber Security: Passwords – Key Concepts & Best Practices

Passwords are a fundamental component of cybersecurity. They act as the first line of
defense against unauthorized access to systems, accounts, and data.

🔐 What is a Password?

A password is a secret string of characters used to authenticate a user's identity. When
paired with a username or ID, it allows access to digital resources.

🧠 Key Concepts in Password Security

Concept: Description

• Authentication: Verifying a user's identity with credentials (username + password).
• Password hashing: Storing a one-way digest of the password instead of the password itself,
computed with a slow, salted password-hashing function (e.g., bcrypt, Argon2, PBKDF2). A
fast general-purpose hash such as SHA-256 on its own is not suitable for passwords: an
attacker can test billions of guesses per second against it.
• Salting: Adding random data to each password before hashing, so that identical passwords
produce different hashes and precomputed (rainbow) tables become useless.
• Two-factor authentication (2FA): Adding a second layer of verification, such as a code
from an authenticator app or a hardware security key (a code sent by SMS is weaker, but
still better than a password alone).
• Password manager: A tool that stores and generates strong, unique passwords for different
accounts.

🔓 Common Password Threats


Threat Type: Description

• Brute force attack: Trying all possible combinations to guess a password.
• Dictionary attack: Trying common words, phrases and previously leaked passwords.
• Phishing: Tricking users into revealing passwords via fake emails or websites.
• Keylogging: Malware records what you type, including passwords.
• Credential stuffing: Using leaked passwords from one breach to log in to other accounts
where the same password was reused.

✅ Strong Password Best Practices

Do:
• Use at least 12 characters
• Include uppercase, lowercase, numbers, and symbols
• Use a password manager
• Change a password promptly when it may have been exposed (a breach, a phishing attempt, a
shared device); forced rotation on a fixed schedule mostly produces predictable variants
and is no longer recommended by NIST
• Enable 2FA when possible

Don't:
• Use names, birthdays, or simple words
• Reuse passwords across accounts
• Share passwords via text or email
• Leave devices unlocked
• Save passwords in a browser without protection (no device lock or master password)

🔍 Examples of Strong & Weak Passwords


Weak password: Why it's weak
• 123456: Common and predictable
• password: Easily guessed

Strong password: Why it's strong
• T#9mP!2x$8kW: Long, random, and complex
• Gr3eN_H0rse*42!: Combines words, numbers, and symbols

🛡️ Extra Tips

• Avoid patterns like abcd1234 or qwerty.


• Don’t use personal information (e.g., pet names, phone numbers).
• Audit your accounts regularly for unusual activity.
• Use a unique password for each site or application.

Cyber Security: Wi-Fi Attacks Overview

Wi-Fi (IEEE 802.11 wireless networking) is commonly used for internet access in homes,
offices, and public places. Because the signal is broadcast over the air, anyone in range
can receive it and transmit on it, which exposes these networks to attacks that a wired link
would not face. Here's a simple breakdown of common Wi-Fi attacks in cyber security:

🔐 Common Wi-Fi Attacks

1. Evil Twin Attack


• What it is: An attacker sets up a fake Wi-Fi access point that looks like a
legitimate one.
• Goal: Trick users into connecting to it, allowing the attacker to monitor and steal
data.
• Example: You connect to “CoffeeShop_WiFi” thinking it’s the café’s network, but
it’s a hacker's hotspot.

2. Man-in-the-Middle (MITM) Attack

• What it is: An attacker intercepts data between the user and the Wi-Fi router.
• Goal: Read, modify, or inject malicious data.
• Example: While using public Wi-Fi, someone captures your login credentials.

3. Wi-Fi Eavesdropping

• What it is: Intercepting data traveling over an unsecured Wi-Fi network.


• Goal: Collect sensitive data like passwords or emails.
• Tool used: Packet sniffers (e.g., Wireshark).

4. Wi-Fi Phishing

• What it is: When users are directed to fake login pages after connecting to a
rogue Wi-Fi.
• Goal: Steal credentials (like email, banking, or social logins).

5. WEP/WPA Cracking
• What it is: Breaking the Wi-Fi encryption (WEP or WPA/WPA2). WEP is broken outright:
its RC4 keystream reuse lets an attacker recover the key from enough captured traffic.
WPA/WPA2-Personal is attacked offline: capture the 4-way handshake (often after forcing a
reconnect with a deauth), then guess the passphrase, so it only falls to weak or
dictionary passphrases.
• Goal: Gain unauthorized access to a Wi-Fi network.
• Tools used: Aircrack-ng (WEP key recovery and WPA handshake cracking), Reaver
(brute-forces the WPS PIN of routers with WPS enabled to recover the WPA passphrase,
however strong that passphrase is).

6. Deauthentication Attack

• What it is: Forcing a device to disconnect from Wi-Fi using forged deauth
packets.
• Goal: Interruption or to perform further attacks (like forcing reconnection to an
evil twin).
• Tool used: Aireplay-ng.

7. KRACK Attack (Key Reinstallation Attack)

• What it is: Exploits a flaw in the WPA2 4-way handshake: by replaying a handshake
message, an attacker in range makes the victim reinstall a key it is already using, which
resets the nonce and causes keystream reuse.
• Goal: Decrypt (and, depending on the client, inject into) Wi-Fi traffic without knowing
the passphrase.
• Impact: The flaw is in the protocol rather than one product, so any unpatched client is
exposed; vendors fixed it with client- and router-side updates, so keeping devices and
router firmware patched is the mitigation.

🛡️ Protection Against Wi-Fi Attacks

1. Avoid Public Wi-Fi for sensitive tasks.


2. Use VPN to encrypt your data.
3. Always verify Wi-Fi names (SSIDs) before connecting.
4. Use WPA3 (or at least WPA2) encryption at home.
5. Disable auto-connect to Wi-Fi networks.
6. Use HTTPS websites and browser security extensions.
7. Regularly update your router's firmware.
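Two of the attacks above (the evil twin and the deauthentication flood) leave a signature that a wireless monitor can detect. The following is an added example written for this page, not from the original notes: it takes scan results and management frames that are constructed inline (a real deployment would feed it from a monitor-mode capture), and the inventory of trusted BSSIDs is an assumed data structure.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Relative strength of the security modes that show up in scan results.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # AP MAC address
    channel: int
    security: str   # key of SECURITY_RANK


@dataclass(frozen=True)
class MgmtFrame:
    t: float        # capture time in seconds
    src: str        # transmitter address as written in the frame (spoofable)
    dst: str        # "ff:ff:ff:ff:ff:ff" = broadcast
    subtype: int    # 802.11 management subtype: 10 = Disassociation, 12 = Deauthentication


# Constructed inventory of the networks we own: SSID -> (trusted BSSIDs, expected security).
# One SSID legitimately has several BSSIDs when there are several APs, so this is a set.
TRUSTED: Dict[str, Tuple[Set[str], str]] = {
    "CoffeeShop_WiFi": ({"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}, "WPA2"),
}


def find_evil_twins(scan: List[AccessPoint], trusted=TRUSTED):
    """Flag any AP that advertises one of our SSIDs from a BSSID we do not own.
    A downgrade to OPEN/WEP is the classic evil-twin tell, so it is reported too."""
    findings = []
    for ap in scan:
        if ap.ssid not in trusted:
            continue                    # not our SSID; nothing to compare against
        known_bssids, expected = trusted[ap.ssid]
        if ap.bssid.lower() in known_bssids:
            continue
        reasons = ["BSSID not in inventory"]
        if SECURITY_RANK.get(ap.security, 0) < SECURITY_RANK[expected]:
            reasons.append("weaker security (%s < %s)" % (ap.security, expected))
        findings.append((ap, "; ".join(reasons)))
    return findings


def detect_deauth_flood(frames: List[MgmtFrame], window: float = 1.0, threshold: int = 10):
    """Return {src: peak count} for sources that sent >= threshold deauth/disassoc
    frames inside any `window`-second span. The src is whatever the attacker put in
    the frame, normally the victim AP's own BSSID, so the alert names the AP being
    impersonated rather than the attacker's hardware."""
    times_by_src = defaultdict(list)
    for f in frames:
        if f.subtype in (10, 12):
            times_by_src[f.src].append(f.t)
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


# Constructed scan and capture for the demo.
SCAN = [
    AccessPoint("CoffeeShop_WiFi", "aa:bb:cc:dd:ee:01", 6, "WPA2"),   # legitimate
    AccessPoint("CoffeeShop_WiFi", "de:ad:be:ef:00:01", 6, "OPEN"),   # evil twin
    AccessPoint("Neighbour_5G", "11:22:33:44:55:66", 36, "WPA3"),     # someone else's
]
FRAMES = (
    # 25 forged deauths in half a second, spoofing the legitimate AP's BSSID
    [MgmtFrame(0.02 * i, "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", 12) for i in range(25)]
    # two ordinary disconnects from another AP, minutes apart
    + [MgmtFrame(5.0, "11:22:33:44:55:66", "aa:aa:aa:aa:aa:aa", 12),
       MgmtFrame(125.0, "11:22:33:44:55:66", "bb:bb:bb:bb:bb:bb", 12)]
)
```

Both detectors are coarse on purpose: an unknown BSSID is only suspicious for SSIDs you own, and a burst threshold has to be tuned against the normal churn of a busy network before it is wired to an alert.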
🔐 Cyber Security: Web Application Attacks

Web application attacks target the interfaces of web apps—usually through browsers—
to exploit vulnerabilities. These attacks can lead to data breaches, unauthorized access,
or even complete system compromise.

🚨 Common Web Application Attacks

1. SQL Injection (SQLi)

Definition: Injecting malicious SQL queries via input fields to manipulate the database.

Example (SQL):

Input: ' OR '1'='1
Query becomes: SELECT * FROM users WHERE username = '' OR '1'='1';

Impact: Unauthorized access, data theft, or deletion.

Prevention:

• Use prepared statements


• Input validation

2. Cross-Site Scripting (XSS)

Definition: Injecting malicious scripts into web pages viewed by other users.

Example (HTML):

<script>alert('Hacked!');</script>

Impact: Stealing cookies, session hijacking, defacing sites.

Prevention:

• Escape user input


• Use Content Security Policy (CSP)

3. Cross-Site Request Forgery (CSRF)

Definition: Forces users to perform actions unknowingly while logged in.

Example:
User clicks a malicious link that submits a form to delete their account.

Impact: Unauthorized actions on behalf of users.

Prevention:

• Use CSRF tokens


• SameSite cookie attributes

4. Command Injection

Definition: Attacker injects system commands into a vulnerable application.

Example (Python):

os.system("ping " + user_input)  # user_input is pasted into a shell command unchanged
Impact: System compromise, data loss, or malware deployment.

Prevention:

• Validate and sanitize input


• Avoid direct system command execution
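The hardened counterpart of the os.system example: validate the value against an allowlist of what a host can look like, then hand it to the program as a single argv element with no shell in between. This is an added example written for this page, not code from the original notes; the hostname pattern follows RFC 1123 and the ping flags are the portable subset (-c count).

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 253 characters in total.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_host(value: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal or a well-formed hostname, nothing else.
    Shell metacharacters (; | & ` $ ( ) newline, space) fail the pattern, and so
    does a leading '-', which would otherwise be read by ping as an option."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME.match(value))


def build_ping_argv(user_input: str) -> List[str]:
    """Validate first, then place the value in its own argv slot."""
    if not is_valid_host(user_input):
        raise ValueError("rejected host: %r" % user_input)
    return ["ping", "-c", "1", user_input]


def run_ping(user_input: str) -> str:
    """shell=False (the default) means argv goes straight to execve: there is no
    shell to interpret ';' or '$(...)' even if the validation were bypassed."""
    result = subprocess.run(build_ping_argv(user_input), capture_output=True,
                            text=True, timeout=10)
    return result.stdout
```

The two controls are independent: the argv form removes the shell, and the allowlist removes argument injection (a value such as "-f" that the target program itself would interpret).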

5. File Inclusion Attacks

Types:

• Local File Inclusion (LFI)


• Remote File Inclusion (RFI)

Example (LFI, PHP):

include($_GET['page']); // page=../../etc/passwd

Impact: Accessing sensitive files, code execution.

Prevention:

• Validate file paths


• Use allowlists for file access

6. Session Hijacking

Definition: Stealing or guessing session tokens to impersonate users.

Impact: Full access to a user’s session.


Prevention:

• Use HTTPS
• Rotate tokens after login
• Secure and HttpOnly cookie flags

7. Directory Traversal

Definition: Gaining unauthorized access to files/folders by manipulating file paths.

Example (URL):

/app?file=../../etc/passwd

Impact: Data leakage, configuration file access.

Prevention:

• Restrict path inputs


• Sanitize and validate file access requests
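File inclusion (item 5) and directory traversal (item 7) are the same bug seen from two sides, so one check covers both: resolve the requested path under the web root and refuse anything that ends up outside it, or better, never let user text reach the filesystem at all. This is an added example written for this page, not code from the original notes; the web root is a temporary directory constructed for the demo and the page allowlist is an assumed mapping.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversal(ValueError):
    pass


# Allowlist for the include-by-name pattern: the client sends a key, never a path.
ALLOWED_PAGES = {"home": "pages/home.html", "about": "pages/about.html"}


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Resolve `requested` relative to base_dir and refuse anything that escapes it.
    Decoding happens before the check so %2e%2e/ is caught; a double-encoded
    %252e%252e decodes once to the literal directory name '%2e%2e', which stays
    inside the base (it only becomes dangerous if something decodes it again)."""
    if "\x00" in requested:
        raise PathTraversal("NUL byte in path")
    decoded = unquote(requested)
    if decoded.startswith(("/", "\\")) or "\x00" in decoded:
        raise PathTraversal(requested)
    base = Path(base_dir).resolve()
    candidate = (base / decoded).resolve()   # collapses ../ and follows symlinks
    if base not in candidate.parents:        # must be strictly below the web root
        raise PathTraversal(requested)
    return candidate


def include_page(base_dir: str, page_key: str) -> str:
    """Preferred fix: map an opaque key to a file; no user text touches the path."""
    try:
        rel = ALLOWED_PAGES[page_key]
    except KeyError:
        raise PathTraversal("unknown page %r" % page_key)
    return (Path(base_dir) / rel).read_text()


def demo_tree() -> str:
    """Constructed web root for the demo."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "pages"))
    Path(root, "pages", "home.html").write_text("<h1>home</h1>")
    Path(root, "pages", "about.html").write_text("<h1>about</h1>")
    return root
```

Resolving both sides with the same resolve() call matters: comparing against an unresolved base fails on systems where the temp or web directory is itself a symlink, and resolving the candidate is what defeats a symlink planted inside the root that points outside it.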

8. Broken Authentication

Definition: Poorly implemented login/logout or session management functions.

Impact: Account takeover.

Prevention:

• Enforce strong password policies


• Implement multi-factor authentication
• Secure session management

🛡️ General Best Practices

• Input validation & output encoding


• Use HTTPS
• Keep software updated
• Regular penetration testing
• Use Web Application Firewalls (WAFs)
• Secure coding practices

Web App Security Basics


Web apps are programs you use online for almost everything, like browsing or controlling smart
devices. Let's learn about keeping them secure.

1. HTTP: The Web's Messenger


HTTP is how your browser gets website content like text (HTML), styles (CSS), images, and videos
from servers.

2. URLs: Web Addresses


A URL is a web address (e.g., https://www.google.com/search?q=hello ).

• https : The Scheme (like http or https ) tells your browser how to connect. https means
the connection is encrypted with TLS.

• www.google.com : The Domain (the website).

• /search : The specific script or page on the site.


• ?q=hello : Query Parameters – extra info sent to the script. ? starts them, & separates
them (e.g., ?name=John&age=30 ).

3. HTTP Headers: Extra Info


When your browser asks for a webpage (a "request") or the server sends one back (a "response"),
they include "headers" – extra details:

• Request (from your browser):

o GET /search... HTTP/1.1 : The request line (strictly not a header): the verb, the
path and query you want, and the protocol version.

o Host : Which website you're asking for (one server may host many).

o User-Agent : Your browser type (e.g., Chrome, Firefox).

o Cookie : Small bits of data the site saved in your browser on previous visits, sent
back on every request to that site.
• Response (from the server):

o HTTP/1.1 200 OK : The status line (again not a header): protocol version, a status
code and a reason phrase (e.g., "everything is okay").

o Content-Type : What kind of content it's sending (e.g., HTML text).

o Set-Cookie : Tells your browser to save a new cookie, with attributes such as Secure,
HttpOnly and SameSite that limit where it is sent and who can read it.

4. HTTP Verbs: Actions


These tell the server what to do:

• GET : Get data (like viewing a page).

• POST : Send data (like submitting a form).

• PUT : Update or replace something.

• DELETE : Remove something.

5. HTTP Response Codes: Server's Reply Status


The server replies with a code:

• 200 OK : Success!

• 301/302 Redirect : Page moved.

• 403 Forbidden : You're not allowed here.

• 404 Not Found : The page doesn't exist.


• 500 Server Error : Something went wrong on the server.

6. REST: A Way to Use URLs and Verbs


REST is a common way to design web services (APIs). It uses simple URLs and standard HTTP
verbs to perform actions. For example, a GET to http://example.com/users/search/bob could
mean "search for user Bob."

7. Sessions & State: Remembering You


HTTP itself doesn't remember users between requests.

• Cookies: To keep track of you (like keeping you logged in), websites use cookies. These
are small pieces of data stored in your browser (e.g., PHPSESSID ). Your browser sends
the cookie back with each request.
• Security: Session cookies must be long and random (unguessable) and sent only over
HTTPS; otherwise an attacker who guesses or captures one can pretend to be you.
• Sometimes, all info about your "state" (like login details) is packed into a token that
the server signs (and optionally encrypts), such as a JWT; the browser stores it and
sends it back, and the server trusts it only if the signature checks out.

8. Virtual Hosts: Many Sites, One Server


A single web server can run many different websites. The Host header in your request tells the
server which website you want.

9. URL Encoding: Making URLs Safe


Some characters (like spaces or % ) have special meanings in URLs. To send them safely, they are

"encoded" (e.g., a space becomes %20 ).

• (The encoded message %48 %65 ... decodes to: "Hello dear w3schools student. Hope you
are learning something today!")

10. JavaScript: Making Websites Interactive


JavaScript is code that runs in your browser. It makes websites dynamic and interactive (e.g.,
animations, forms that check input). It can also be used in web attacks.
11. Encryption with TLS (HTTPS): Secure Connections

• HTTP is not secure; data is sent as plain text.

• HTTPS (HTTP Secure) uses TLS (Transport Layer Security) to encrypt the data between
your browser and the server. This keeps your information private and safe. (TLS is the
modern version of SSL).
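The pieces described in sections 2 to 9, assembled in code: a URL turned into the raw request line and headers a browser sends, a raw response parsed back into status, headers and Set-Cookie attributes, and a check of the cookie flags that the session-hijacking discussion above relies on. This is an added example written for this page, not code from the original notes; the response bytes are constructed for the demo and the client's User-Agent string is made up.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


def build_request(url: str, cookies: Optional[Dict[str, str]] = None) -> bytes:
    """The raw HTTP/1.1 request for a GET of `url`: request line (verb + path +
    query + version), then headers, then the blank line that ends the head."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme %r" % parts.scheme)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    lines = [
        "GET %s HTTP/1.1" % target,
        "Host: %s" % parts.netloc,            # selects the virtual host on a shared server
        "User-Agent: example-client/1.0",     # hypothetical client name
        "Connection: close",
    ]
    if cookies:
        lines.append("Cookie: " + "; ".join("%s=%s" % kv for kv in cookies.items()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def decode_query(query: str) -> Dict[str, List[str]]:
    """Split on & and =, percent-decoding each part: q=hello%20world -> 'hello world'."""
    return parse_qs(query, keep_blank_values=True)


def parse_set_cookie(value: str) -> dict:
    """'name=value; Path=/; Secure; HttpOnly; SameSite=Lax' -> flags we care about."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name, "value": val, "secure": "secure" in attrs,
            "httponly": "httponly" in attrs, "samesite": attrs.get("samesite")}


def parse_response(raw: bytes) -> dict:
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, reason = status_line.split(" ", 2)
    headers: Dict[str, str] = {}
    cookies = []
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()           # header names are case-insensitive
        if name == "set-cookie":              # may repeat; never fold it into one value
            cookies.append(parse_set_cookie(value.strip()))
        else:
            headers[name] = value.strip()
    return {"status": int(code), "reason": reason, "headers": headers,
            "cookies": cookies, "body": body}


def session_cookie_warnings(cookie: dict) -> List[str]:
    """The attributes a session cookie needs so a hijacker cannot read it over
    plain HTTP, from injected script, or ride it on a cross-site request."""
    warnings = []
    if not cookie["secure"]:
        warnings.append("missing Secure: also sent over plain HTTP")
    if not cookie["httponly"]:
        warnings.append("missing HttpOnly: readable by injected JavaScript")
    if cookie["samesite"] is None:
        warnings.append("missing SameSite: sent on cross-site requests (CSRF)")
    return warnings


# Constructed response for the demo.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: PHPSESSID=a1b2c3d4e5f6; Path=/; HttpOnly\r\n"
    b"Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax\r\n"
    b"\r\n"
    b"<html>ok</html>"
)
```

Note the asymmetry in the sample: the harmless theme cookie has every flag, while the session cookie (the one worth stealing) is missing Secure and SameSite; that is the pattern the check is meant to catch.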

Cyber Security
Firewalls
Firewalls are security systems designed to prevent unauthorized access to or from a
private network. They act as a barrier between a trusted internal network and untrusted
external networks (like the internet), monitoring and controlling incoming and outgoing
network traffic based on predetermined security rules.

🔒 What Is a Firewall?

A firewall is either a hardware device, software application, or a combination of both


that filters traffic entering or leaving a network. It enforces security policies by blocking
or allowing data packets based on a set of rules.
🔧 Types of Firewalls

1. Packet-Filtering Firewalls
o Analyzes packets individually.
o Checks source/destination IP, port, protocol.
o Simple and fast, but limited context.
2. Stateful Inspection Firewalls
o Tracks the state of active connections.
o Makes more informed decisions.
o More secure than packet-filtering.
3. Proxy Firewalls (Application-Level Gateways)
o Acts as an intermediary between users and the services they access.
o Filters traffic at the application layer (e.g., HTTP, FTP).
o Slower but offers deeper inspection.
4. Next-Generation Firewalls (NGFWs)
o Combines traditional firewall with advanced features like:
▪ Intrusion Prevention System (IPS)
▪ Deep packet inspection
▪ Application awareness
▪ Malware protection
o Highly effective for modern threats.
5. Network Address Translation (NAT) Firewalls
o Rewrites internal (private) IP addresses to a shared public address, so internal
hosts are not directly addressable from the internet.
o Unsolicited inbound connections have no translation entry and are dropped; this is a
side effect of NAT, not a substitute for explicit filtering rules.
6. Cloud-Based Firewalls
o Also known as Firewall-as-a-Service (FWaaS).
o Scalable and ideal for distributed networks and cloud environments.

⚙️ How Firewalls Work


1. Monitoring traffic: Inspect all inbound and outbound data.
2. Enforcing rules: Allow/block data based on predefined rules.
3. Logging and alerts: Record events and notify admins of suspicious activity.
4. Blocking attacks: Drop unauthorized connection attempts, port scans and known-bad
traffic (a firewall can limit, but cannot on its own absorb, a volumetric DDoS).
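The difference between the packet-filtering and stateful types listed above is easiest to see by running the same policy through both. The following is an added example written for this page, not code from the original notes: a small simulation in which a policy of "LAN hosts may browse HTTPS" is enforced by a stateless filter and by a stateful one, using constructed packets and addresses from the documentation ranges (192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" (from the internet) or "out" (from the LAN)
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}; empty for plain data


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport: Optional[int]             # None = any port
    action: str                      # "allow" or "deny"
    sport: Optional[int] = None


def _matches(rule: Rule, p: Packet) -> bool:
    return (rule.direction == p.direction and rule.proto == p.proto
            and (rule.dport is None or rule.dport == p.dport)
            and (rule.sport is None or rule.sport == p.sport))


class PacketFilter:
    """Stateless: every packet is judged on its own header fields against the
    rule list (first match wins, default deny). It has no memory of earlier packets."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if _matches(r, p):
                return r.action
        return "deny"


class StatefulFirewall(PacketFilter):
    """Same rules for new connections, plus a connection table: once an outbound
    connection is allowed, only packets belonging to it are accepted back in."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        key_out = (p.proto, p.src, p.sport, p.dst, p.dport)
        key_reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key_out in self.table or key_reply in self.table:
            return "allow"                           # belongs to a tracked connection
        if p.direction == "in" and p.proto == "tcp" and "SYN" not in p.flags:
            return "deny"                            # unsolicited non-SYN: no connection to join
        verdict = super().decide(p)
        if verdict == "allow":
            self.table.add(key_out)                  # remember the 5-tuple for its replies
        return verdict


# Policy: LAN hosts may open HTTPS connections; nothing else.
POLICY = [Rule("out", "tcp", 443, "allow")]
# A stateless filter cannot express "replies to connections we started", so the
# usual workaround is a mirror rule for return traffic. That rule also admits
# anything an attacker chooses to send from source port 443.
STATELESS_POLICY = POLICY + [Rule("in", "tcp", None, "allow", sport=443)]


def run_scenario(fw: PacketFilter) -> Dict[str, str]:
    client, server, attacker = "192.0.2.10", "203.0.113.5", "198.51.100.9"
    return {
        "client_syn":     fw.decide(Packet("out", "tcp", client, 51000, server, 443, frozenset({"SYN"}))),
        "server_reply":   fw.decide(Packet("in", "tcp", server, 443, client, 51000, frozenset({"SYN", "ACK"}))),
        "attacker_probe": fw.decide(Packet("in", "tcp", attacker, 443, client, 22, frozenset({"SYN"}))),
        "unsolicited":    fw.decide(Packet("in", "tcp", attacker, 12345, client, 3389, frozenset({"SYN"}))),
    }
```

The attacker_probe case is the one to look at: with the stateless mirror rule, a SYN to the client's SSH port is admitted simply because its source port is 443, whereas the stateful firewall denies it because no tracked connection matches and no inbound rule allows it.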

✅ Benefits of Firewalls

• Prevent unauthorized access.


• Protect sensitive data.
• Monitor network traffic.
• Enforce security policies.
• Help meet compliance requirements.

🔐 Best Practices

• Keep firewall firmware/software updated.


• Define strict access control policies.
• Use firewalls alongside other security tools (antivirus, IDS/IPS).
• Monitor logs and configure alerts.
• Segment networks using internal firewalls (e.g., between departments).

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a framework used to secure digital


communication using cryptographic key pairs—a public key and a private key. It
provides mechanisms to create, manage, distribute, use, store, and revoke digital
certificates and public keys.
🔐 Core Components of PKI:

1. Public and Private Keys


o Public key: Shared openly, used for encryption or verifying signatures.
o Private key: Kept secret, used for decryption or creating digital
signatures.
2. Certificate Authority (CA)
o A trusted entity that issues digital certificates that validate the ownership of
public keys.
3. Registration Authority (RA)
o Assists the CA by authenticating users or entities before certificates are
issued.
4. Digital Certificate
o An electronic document that binds a public key with an identity, signed by
the CA.
5. Certificate Revocation List (CRL)
o A list of certificates that have been revoked before their expiration dates.
6. Public Key Cryptography Standards (PKCS)
o A set of standards developed to support PKI and secure communication.

🛡️ How PKI Works (Simplified):

1. A user generates a key pair.


2. The public key is sent to the CA.
3. The CA verifies the user (with help from an RA) and issues a digital certificate.
4. The user can now use the certificate to authenticate, sign, or encrypt.
5. Others can use the public certificate to verify signatures or encrypt messages
to the user.
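The five steps above, carried out end to end, including the revocation check against a CRL that step 5 implicitly requires. This is an added example written for this page, not code from the original notes. It assumes the third-party `cryptography` package is installed (the Python standard library has no X.509 or ECDSA support); the CA name, the DNS name and the validity periods are made up for the demo, and the RA step is folded into issue_leaf because the example has no separate registration process.

```python
import datetime
from typing import Iterable, Optional, Tuple

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn: str = "Example Root CA"):
    """The CA's own key pair and self-signed certificate (the trust anchor)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, dns_name: str, days: int = 90):
    """Steps 1-3: the subject generates a key pair; the CA binds its public key to
    an identity (here a DNS name) by signing a certificate. The private key never
    leaves the subject."""
    subject_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(dns_name)).issuer_name(ca_cert.subject)
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return subject_key, cert


def make_crl(ca_key, ca_cert, revoked_serials: Iterable[int]):
    """A CA-signed list of serial numbers revoked before their expiry."""
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(now - datetime.timedelta(minutes=5))
               .next_update(now + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())


def _validity(cert) -> Tuple[datetime.datetime, datetime.datetime]:
    nb = getattr(cert, "not_valid_before_utc", None)      # cryptography >= 42
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=UTC),     # older releases: naive UTC
            cert.not_valid_after.replace(tzinfo=UTC))


def verify_leaf(leaf, ca_cert, crl=None, expected_dns: Optional[str] = None,
                now: Optional[datetime.datetime] = None) -> Tuple[bool, str]:
    """Step 5, from the relying party's side: chain, signature, validity window,
    identity, and revocation. Each check is independent; a certificate must pass all."""
    now = now or datetime.datetime.now(UTC)
    if leaf.issuer != ca_cert.subject:
        return False, "issuer mismatch"
    try:
        ca_cert.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                    ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False, "bad signature"
    not_before, not_after = _validity(leaf)
    if not (not_before <= now <= not_after):
        return False, "outside validity period"
    if expected_dns is not None:
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        if expected_dns not in san.get_values_for_type(x509.DNSName):
            return False, "name mismatch"
    if crl is not None:
        if not crl.is_signature_valid(ca_cert.public_key()):
            return False, "untrusted CRL"
        if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
            return False, "revoked"
    return True, "ok"
```

The "bad signature" branch is what makes the CA the root of trust: a certificate with the right issuer name but signed by a different key is rejected, so the CA's private key (and the integrity of the trust anchor) is what everything else rests on, which is the challenge noted below.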
📦 Applications of PKI:

• SSL/TLS for HTTPS websites.


• Email security (e.g., S/MIME).
• Digital signatures for documents.
• Authentication (e.g., smart cards, two-factor login).
• Code signing (verifying software integrity).
• VPNs and secure access systems.

✅ Advantages:

• Strong data confidentiality and integrity.


• Authentication of users and systems.
• Supports non-repudiation (cannot deny actions).

⚠️ Challenges:

• Complexity in setup and management.


• Trust must be maintained in the CA.
• Key and certificate management can be resource-intensive.
