This series of assignments looked into how devices and data are secured against online attackers. Its focus was the art of passwords: what makes them secure, what doesn't, and what can be combined with them to be extra secure. It also looked at the ways people go wrong when they create passwords, and at algorithms for generating passwords that avoid those risks. To cap it off, it covered MFA and even had us implement it on our own virtual machines.
Planning and Development
Notes
In order to develop skills with passwords and MFA, it started with a note sheet. The notes covered both passwords and their alternative, MFA. Passwords, in general, are secure based on how long they are. Again, in general, the complexity of the password doesn't matter, and a password made of 5 words, slightly modified so they are not in the dictionary, will be far more secure than a 10-character one, even if that one is composed of completely random characters. Additionally, adding another factor of authentication, whether it be something you have, something you know, or something you are, adds another giant leap in security and makes the account virtually unreachable.
Changing Users
After learning about basic password hygiene, it also taught how to add a user with a custom password on Ubuntu. Using
sudo adduser username
sudo usermod -aG sudo username
a user could be created with the same power as the default ubuntu user account. After creating the account,
passwd
was used to change the password, as long as the current (default ubuntu) password was known.
Industry Guidelines
Another part of the planning was looking through the NIST/OWASP guidelines. Put simply, their guidelines outline that:
Password length is much more important than password complexity.
A hard-to-remember, short, complicated password is worse than an easier-to-remember long one, as the user is less likely to mishandle the longer, easier one.
MFA should be used for anything but the least important accounts.
MFA authenticators should be renewed regularly and in a secure manner.
If an account is lost, the recovery mechanisms used should be as hard to access as the original password itself, and should generate severe notifications when activated.
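As an added illustration (not part of the original notes or of the NIST/OWASP text), the script below puts numbers on the length-versus-complexity point from the notes and the guideline list: it computes the guess-space in bits for several password styles and the expected time to search it. The model (uniformly random picks), the 95-character printable set, the 7776-word list size and the 1e10 guesses/second rate are all assumptions made for the example.

```python
# Added example (not part of the original assignment write-up): comparing the
# guess-space, in bits, of password styles discussed in the notes and the
# NIST/OWASP guideline list. All parameters are constructed assumptions:
# 95 printable ASCII characters, a 7776-word list (Diceware-sized), and an
# offline guess rate of 1e10 guesses per second.
import math

PRINTABLE_ASCII = 95      # assumed character set for "random stuff" passwords
LOWERCASE = 26            # assumed set for an easy-to-type password
DICEWARE_WORDS = 7776     # assumed word-list size for passphrases


def entropy_bits(choices_per_position: int, length: int) -> float:
    """Bits of entropy for `length` independent, equally likely picks from
    `choices_per_position` options (log2 of the number of combinations)."""
    return length * math.log2(choices_per_position)


def years_to_search(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find the password: on average half the keyspace
    must be tried at the assumed guess rate."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def compare_policies() -> dict:
    """Guess-space in bits for password styles mentioned in the write-up."""
    return {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "10 random printable chars": entropy_bits(PRINTABLE_ASCII, 10),
        "12 random lowercase chars": entropy_bits(LOWERCASE, 12),
        "5 random dictionary words": entropy_bits(DICEWARE_WORDS, 5),
        "6 random dictionary words": entropy_bits(DICEWARE_WORDS, 6),
    }


def bits_per_added_unit() -> dict:
    """How much each extra character or extra word is worth: this is why
    length, not symbol complexity, is the lever that matters."""
    return {
        "one more printable char": math.log2(PRINTABLE_ASCII),
        "one more dictionary word": math.log2(DICEWARE_WORDS),
    }


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        years = years_to_search(bits)
        print(f"{label:28s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    print(bits_per_added_unit())
```

Each extra word is worth about 12.9 bits and each extra printable character about 6.6, so in both styles length is what moves the number. The model assumes the picks really are random, which is exactly what people fail to do with short complex passwords; that gap between the model and real behaviour is the guideline's point about memorability.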
Password Algorithm planning
The final thing planned out was the password algorithm. The goal was a secure password that also had easy-to-remember features. Mine used simple steps, done in a random order, to form a unique password. The steps included favorite microwave brand, current minute(s) on the clock, last-name initial, the letter the pinky finger is resting on, and more.
Technical Development
Password Algorithm
Building on the simple plan of simple steps in random order, more "advanced" steps were added. The favorite was "smash your keyboard", to add a speckle of truly random information; "last 2 characters of the web address you're currently on", to make the password more resistant to bots guessing it while a human could still piece it together when trying to remember it; and "object on your left", to add further randomness.
The total document was:
Do these steps in random order
• First letter of your name
• Last letter of your last name
• Letter your ring finger is currently resting on
• First object you see when looking to your left
• Current hour
• Slam your keyboard twice
• Favorite letter
• Last 2 characters of the web address you're currently on
• Favorite microwave brand
Using these steps, the algorithm generated the password "adjkiojaddnnh10toshibagreeno".
On Ubuntu, the default user account's password was changed to this. In order to let me actually use the computer in a timely manner, a second account was also made, with a password generated from fewer steps to keep it short: that password was 12 characters long, built from the easier-to-remember (and easier-to-type) portions of the algorithm.
How this implements NIST guidelines
NIST states that for passwords, a little bit of complexity and a lot of length is the way to go. By making the password easy to remember and easy to fill in, with some steps adding a bunch of characters at once (smash, microwave), the password successfully follows those guidelines.
Using the passwd command with the generated password
Without locking (-l) the old password, the default credentials (ubuntu) would have still worked.
My new user account, which used an easier version of the algorithm (fewer steps used)
MFA (Multi Factor Authentication)
While the benefits of MFA were discussed in the planning and development section, here is where it is actually implemented.
For MFA, Google Authenticator was added on Ubuntu and used to authenticate an SSH session.
MFA Installation Guide
Step by step, from commands in the command line, for Ubuntu, assuming you already have your own custom user:
sudo apt update (retrieve package lists)
sudo apt install libpam-google-authenticator -y (install the Google Authenticator PAM module)
google-authenticator (run it; at this point you will see several questions, all of which increase security if enabled but also make it harder to use)
After setting it up, you should see a QR code and a secret key; save those securely
Download the Google Authenticator app and scan the QR code
Whenever authentication is required, look at the app to find the rolling code
Step 4, QR code and secret key
SSH with MFA
"SSHing" into a computer is opening a remote terminal session, with all the power that brings. If a bad actor gets an SSH session into your computer, you are utterly screwed. Setting up MFA earlier allowed the computer to be open to SSH but still secure from threats. By modifying SSH to require the rolling codes on top of your password, you can allow remote control by only you.
Ubuntu has an official guide on setting this up, but it boils down to changing an argument in your SSH configuration to make it require a second-factor authenticator, then setting that second factor to Google Authenticator.
Running the ssh command then prompts for both a verification code (the rolling code from the authenticator app) and the password, instead of just the password. Entering the correct values for both connected successfully.
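To show what the "rolling code" from the installation steps actually is, and what the SSH login above is checking when it asks for the verification code, here is an added example written for this page (it is not the assignment's code and not the google-authenticator module's source): a minimal RFC 4226/6238 HOTP/TOTP implementation, plus a verifier that tolerates one 30-second step of clock drift and refuses to accept the same code twice. The secret and timestamps in the demo are the RFC test vectors, chosen so the output can be checked against the standard; they are not a real account's secret.

```python
# Added example (not the assignment's own code and not the google-authenticator
# PAM module's implementation): a minimal RFC 4226/6238 HOTP/TOTP generator and
# verifier of the kind behind the authenticator app's six-digit rolling code.
# The secret and timestamps used below are the RFC test vectors, not a real one.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps show the secret in base32, often unpadded and spaced."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), at_time // step, digits)


class TotpVerifier:
    """Server-side check: accept a code for the current step or one step either
    side (clock drift), and never accept a step at or before one already used,
    so a captured code cannot be replayed within its lifetime."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.key = decode_secret(secret_b32)
        self.step, self.digits, self.window = step, digits, window
        self.last_accepted_counter = -1

    def verify(self, code: str, at_time: Optional[int] = None) -> bool:
        now = int(time.time()) if at_time is None else at_time
        base = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_accepted_counter:
                continue  # this step (or an older one) was already consumed
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_counter = counter
                return True
        return False


# RFC 6238 test key "12345678901234567890", base32-encoded (a published test
# vector, used here only so the numbers can be checked against the RFC).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET_B32, 59))                       # RFC vector: 287082
    v = TotpVerifier(RFC_SECRET_B32)
    print(v.verify("287082", 59), v.verify("287082", 59))  # True, then False (replay)
```

The replay check is the part worth noticing: without it, a code an attacker sees over your shoulder or in a phishing page stays valid for the rest of its 30-second window plus the drift allowance. Note that the code is derived only from the shared secret and the clock, which is why the secret key shown at setup must be stored securely and why the VM's clock has to be roughly right.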
Patches
After setting up MFA, the final lesson was working with patches, the small security updates that come between big releases of software.
Installing patches on Ubuntu (and thereby keeping it secure) is very simple, requiring only
sudo apt update (update the info on what is patchable)
sudo apt upgrade (patch)
Checking the system at the start of the day (with sudo apt list --upgradable), there were 23 upgrades available.
Also, for security, the lesson included how to check previous updates using the log files. Located in /var/log/apt/ are the logs for every apt (Ubuntu's package manager) command run.
Checking different months showed the frequency of patches. These screenshots were from early October (2025-10), hence fewer updates had run by then.
Testing and Evaluation
Here is where everything was confirmed to be working.
Password Change
Changing the password
Using the new password; previous command output also shown to verify
Locking the old password, only new can be used
MFA
On the far left is an example code being generated on a website, as this was done in school, so no phones could be involved. In the middle is the full screenshot of connecting via SSH, including the very large success message.
Patches
For patches, device security through previous patches was confirmed using:
grep "Install:" /var/log/apt/history.log
to search through all the installed packages and get a general overview of updates,
or looking for specific packages to ensure they are up to date by replacing "Install:" with the package name, e.g.
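The grep above answers "what was installed"; the two follow-up questions from the log section (how many changes happened per month, and when a particular package last changed) need the stanza structure of /var/log/apt/history.log. Below is an added example, not part of the assignment, that parses that format. The log text embedded in it is constructed for the example and its package versions are placeholders; run it against the real file by reading /var/log/apt/history.log into `parse_history` instead.

```python
# Added example (not from the assignment): a small parser for the stanza format
# of /var/log/apt/history.log, answering the testing section's questions (overall
# install/upgrade overview, changes per month, history of one package) without
# relying on grep alone. The log text below is constructed for this example and
# the package versions in it are placeholders, not real Ubuntu versions.
import re
from collections import Counter

SAMPLE_HISTORY_LOG = """\
Start-Date: 2025-10-02  09:14:03
Commandline: apt upgrade
Requested-By: ubuntu (1000)
Upgrade: openssl:amd64 (1.0-1, 1.0-2), libssl3t64:amd64 (1.0-1, 1.0-2)
End-Date: 2025-10-02  09:14:20

Start-Date: 2025-10-02  09:30:11
Commandline: apt install libpam-google-authenticator -y
Requested-By: ubuntu (1000)
Install: libpam-google-authenticator:amd64 (2.0-1)
End-Date: 2025-10-02  09:30:15

Start-Date: 2025-11-04  08:02:44
Commandline: apt upgrade
Requested-By: ubuntu (1000)
Upgrade: openssl:amd64 (1.0-2, 1.0-3)
Remove: example-unused:amd64 (0.1-1)
End-Date: 2025-11-04  08:03:01
"""

ACTIONS = ("Install", "Upgrade", "Remove", "Purge", "Downgrade", "Reinstall")
# "name[:arch] (versions)" entries, comma-separated on one line
PKG_RE = re.compile(r"(\S+?)(?::\S+)? \(([^)]*)\)")


def parse_history(text: str) -> list:
    """One dict per stanza: date, commandline, and {action: [(pkg, versions)]}."""
    entries = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value.strip()
        entry = {
            "date": fields.get("Start-Date", "")[:10],   # YYYY-MM-DD
            "commandline": fields.get("Commandline", ""),
            "changes": {},
        }
        for action in ACTIONS:
            if action in fields:
                entry["changes"][action] = PKG_RE.findall(fields[action])
        entries.append(entry)
    return entries


def installed_overview(entries: list) -> dict:
    """Package counts per action over the whole log: the grep "Install:" view,
    extended to upgrades and removals."""
    counts = Counter()
    for entry in entries:
        for action, pkgs in entry["changes"].items():
            counts[action] += len(pkgs)
    return dict(counts)


def changes_per_month(entries: list) -> dict:
    """Package changes per YYYY-MM, i.e. the patch frequency seen by month."""
    counts = Counter()
    for entry in entries:
        for pkgs in entry["changes"].values():
            counts[entry["date"][:7]] += len(pkgs)
    return dict(counts)


def history_for(entries: list, package: str) -> list:
    """Every (date, action, versions) row touching one package, oldest first:
    the "replace Install: with the package name" check, with versions kept."""
    rows = []
    for entry in entries:
        for action, pkgs in entry["changes"].items():
            for name, versions in pkgs:
                if name == package:
                    rows.append((entry["date"], action, versions))
    return rows


if __name__ == "__main__":
    log_entries = parse_history(SAMPLE_HISTORY_LOG)
    print(installed_overview(log_entries))
    print(changes_per_month(log_entries))
    print(history_for(log_entries, "openssl"))
```

On a real machine, history.log is rotated, so older months live in history.log.1 and the gzipped history.log.N.gz files alongside it; feeding each file's text through `parse_history` and concatenating the results gives the full monthly picture the screenshots were taken from.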
Reflection
These assignments taught password guidelines, national/international password standards, and the reasons for and usage of MFA and patching. The password guide has been implemented on personal devices, as this brought the realization that the passwords on those were all short but complex, with only minor variations between them. Now, long and (decently) easy-to-remember passwords with major variations are used on all high-risk sites. The NIST and OWASP guidelines also contributed to that, as they built the much more thorough version of the simple password guidelines learned, and also called for the use of MFA wherever possible. Segueing into MFA, it's also something that is now used on all high-risk personal accounts (Steam, Google, basically anywhere money is involved or other credentials can be found). By using MFA, even if it is a bit annoying at times, accounts become unbreakable. Patches were the final thing, but that doesn't mean they were unimportant. They are what keep any system secure, and they come at differing frequencies. Ubuntu allows patching whenever, just by running apt update and apt upgrade, while Windows has its "Patch Tuesdays" where security issues are addressed. While security can be annoying (e.g. this video of a guy cursing out his computer for security updates; large curse warning), seeing it as a choice between being secure or being hacked makes the choice much more obvious.
Patches: on the subject of the risks of unpatched computers.
If a computer for a small business or a hospital (or a laser cutter in the fab lab) was never updated, the risk of a zero-day able to affect the system (a zero-click exploit) gradually increases. Zero-days are exploits that are unknown to the "good guys" (security researchers, software developers/publishers) and are the greatest threat. There was at one point a version of that had an active zero-day against it, which instantly ransomwared the device and went undetected because it was an older version that had stopped receiving regular patches. Automatic updates prevent this (or at least shorten its window), as they keep the computer ahead of detected vulnerabilities and quickly patch out newly released ones.