~/blog$ render faiz.blog.demystifying-the-most-popular-factor-of-mfa:-otp

Demystifying the most popular factor of MFA: OTP

Sunday, 01 September 2024 03:45:54 WIB | tags: security, python

Imagine you’re trying to log in to your mobile app. You enter your password, but instead of being let in right away, you get a message saying, “Please enter the code we just sent to your phone number.” That code is an example of a One-Time Password, or OTP. It’s like a secret handshake that only you and your mobile app know at that moment, making sure it’s really you trying to access your account. In a world where security is more important than ever, OTPs have become the go-to method for keeping our digital lives safe, one code at a time.

In my bachelor’s thesis, I researched virtual passwords: a scheme that generates a random password by taking the user’s initial password as its seed, converting each character into 1-2 random alphanumeric characters, and using the converted password to validate the user’s login password. The converted password is re-randomised on every login attempt, so the password used during login is dynamic. While the concepts of my past research are similar, in this post I want to demystify the world’s most popular factor in MFA: OTP. Along the way, I also fixed a minor bug in a Python library, PyOTP, which allowed users to pass an unsuitable hash function that triggers an IndexError during OTP generation.

~/blog$ render faiz.blog.tl;dr-for-google-professional-cloud-security-engineer-exam

TL;DR for Google Professional Cloud Security Engineer Exam

Friday, 26 July 2024 00:00:58 WIB | tags: tips, gcp, security

Early last year, I spent my Chinese New Year long holiday on something productive: pursuing the learning path for Google Professional Cloud Security Engineer (PCSE). While doing so, I compiled notes on my learning process along with some useful resources related to the exam, and stored them deep in a multi-layered folder somewhere in my Google Drive. One and a half years later (last Sunday), I stumbled upon these notes and thought they might help someone conquer the PCSE exam. Although the modules may be different today, the big-picture concepts should remain relevant.

The PCSE certification validates your expertise in designing, implementing, and managing secure workloads on Google Cloud Platform (GCP). It demonstrates your ability to safeguard sensitive data and ensure regulatory compliance within the GCP ecosystem.

~/blog$ render faiz.blog.tips-bikin-password-random-tapi-simpel

Tips for Making a Random but Simple Password

Wednesday, 04 September 2019 20:32:46 WIB | tags: tips, security

Super simple tips for making a random password that is still easy to remember, given that hacking cases are becoming more and more common:

1. Make up a sentence, for example "Balonku Ada Lima Rupa Rupa Warnanya". Take the first letter of each word and alternate upper and lower case. From that example sentence you get: "BaLrRw"

2. Add one (or more) symbols. Say we use #, giving: "BaLrRw#"

3. Take the initial (or a few characters) of the application's name. For example, when making a password for "Twitter", take its t, giving: "BaLrRw#t"

4. Take the month number and the last digit of the year the password was created. For example, a password made this month: September => 9, 2019 => 9. Append them to the password, giving: "BaLrRw#t99"

Ta-da! A super simple random password that is easy to remember is done! Don't forget to change your password at least once every six months; changing only the month or year digit is enough, since in the site's password database the password counts as completely changed because its hash comes out entirely different.

Another tip: always enable two-factor authentication. It can be SMS OTP, Google Authenticator, or something else. This is needed so that if our password gets stolen, we still have a backup safeguard.

Want to be even safer? Suggest to the website's operator that they use the virtual password method from my research, lol: ieeexplore.ieee.org/abstract/docum

That's all the tips from someone who has only been diving into the security world for about a year. Feel free to correct me or give other suggestions so our friends can be safer on the internet.
