CIS 450 – Network Security Chapter 8 – Password Security.
-
Upload
jonas-parker -
Category
Documents
-
view
216 -
download
2
Transcript of CIS 450 – Network Security Chapter 8 – Password Security.
CIS 450 – Network Security
Chapter 8 – Password Security
Future of Passwords One-time passwords – users are given a device
that generates a new password at certain intervals which is keyed with the authentication server
Challenge response schemes http://www.securitysa.com/Article.ASP?pklArticleID=3
014&pklIssueID=412 http://www.trintech.com/PRO21212015050100411606
9.html Biometrics
Password Management
Why do we need passwords? Passwords provide a mechanism to uniquely identify
individuals and only give access to the information they need
Why do you need a password policy? Explains to the users what is expected of them and what
the company’s rules are regarding them Enforcement and repercussions if not followed should be
part of policy Enforcement must be consistent Legal reasons
Password Management
What is a strong password? Changes every 45 days Minimum length of 10 characters Must contain at least one alpha, one number, and one
special character Characters must be mixed and not appended to the
end Can not contain dictionary words Can not reuse the previous five passwords Minimum password age of ten days After five failed logon attempts, password is locked for
several hours
Password Management
How do you pick strong passwords? Use phrases instead of words Pick a phrase that relates to family or
personal interests First letter of each word becomes
character in password
Password Management
How are passwords protected? Can not be stored as plain text on the
system – must be encrypted Encryption
The process of converting plain text into ciphertext with the goal of making it unreadable
Symmetric Encryption Uses a single key to both encrypt and decrypt Need a secure way to exchange the key prior
to communicating
Password Management Encryption - continued
Asymmetric Encryption Uses two keys: a public and a private key The private key is known only to the owner and not shared with
anyone else Public key is given to anyone that wants to communicate with
you Keys are set up so they are inverse of each other
Anything encrypted with public key can only be decrypted with private key
Do not need a secure way to exchange keys prior to communication
Very slow Most systems use asymmetric encryption to initiate session
and to exchange a session key which then can be used for symmetric encryption
Password Management
Encryption - continued Hash Functions
Performs a one-way transformation of the information that is irreversible
Produces a fixed length output string from the input string with no way to determine the original input string
System compares takes the plain text password, computes the hash, and compares it to the stored hash.
A Salt is used to randomize the password to prevent two users with the same password to have the same encrypted password
Password Attacks
Password Attack Guessing someone’s plain text password when you
only have the encrypted password Manual method
If system has automatic lockout trying to access each account unsuccessfully can cause DoS attack
Automated method Obtain a copy of the encrypted passwords and try to
crack them offline Use a program that goes through a list of words to see
if there is a match
Password Attack Tools Pwdump2 - Tool that can obtain password hashes from the local
security accounts manager (SAM) database or the Active Directory http://www.doubleupsoftware.com/HowToGetPwdump2.asp
?AfId=&affiliateid=
Lsadump2 - Tool that exposes the contents of the local security authority (LSA) in clear text http://www.bindview.com/Support/RAZOR/Utilities/Windows/l
sadump2_readme.cfm LC5 - Password auditing tool that evaluates Windows NT,
Windows 2000, and Windows XP password hashes http://www.atstake.com/products/lc/
John the Ripper -Password cracking tool for several operating system http://www.openwall.com/john/
Why is Password Cracking Important
Auditing the Strength of Passwords – get a clear picture of the security of passwords and what needs to be fixed
Recovering Forgotten/Unknown Passwords Migrating Users To use as a checks and balance system
Types of Password Attacks Dictionary Attack
Takes a file that contains most of the words that would be used in a dictionary and uses these words to guess a user’s password
Helps if you understand your environment Urge users not to pick passwords that can easily be derived
from their environment Brute Force Attack
If you have a fast enough computer that can try every possible combination of letters, numbers, and special characters you will eventually crack a password
If attacker knows minimum length of password they can start from there
General rule is to change password in less time than the time it would take to brute force a password
Types of Password Attacks
Distributed Attack Attacker breaks into several sites that have
large computers and use those to crack your company’s passwords
Hybrid Attack Takes dictionary words but concatenates a
couple of letters or numbers at the end Social Engineering Shoulder Surfing Dumpster Diving
Windows 2000 Password Attacks
http://sysadminnews.com/sysadminnews-32-20031117DetectingPasswordAttacksonWindows.html
http://www.microsoft.com/technet/security/news/efs.mspx#XSLTsection122121120120
How to Make Windows 2000 and NT 4 Passwords Uncrackable http://sysopt.earthweb.com/articles/win2kpass/
index.html Hacking for Dummies
http://searchsecurity.techtarget.com/searchSecurity/downloads/HackingforDummiesCh07.pdf