CIS 450 – Network Security Chapter 8 – Password Security.


Transcript of CIS 450 – Network Security Chapter 8 – Password Security.

Page 1: CIS 450 – Network Security Chapter 8 – Password Security.

CIS 450 – Network Security

Chapter 8 – Password Security

Page 2: CIS 450 – Network Security Chapter 8 – Password Security.

Future of Passwords

One-time passwords: the user carries a device that generates a new password at fixed intervals. The device shares a secret key with the authentication server, so the server can compute the same value and accept it once; a password captured in transit is useless after the interval ends.

Challenge-response schemes: the server sends a fresh random challenge and the user (or the user's token) answers with a value computed from the challenge and a secret, so the secret itself never crosses the network.
http://www.securitysa.com/Article.ASP?pklArticleID=3014&pklIssueID=412
http://www.trintech.com/PRO212120150501004116069.html

Biometrics

Page 3: CIS 450 – Network Security Chapter 8 – Password Security.

Password Management

Why do we need passwords? A password lets the system check that the person logging in is who they claim to be, so that each user is given access only to the information they need.

Why do you need a password policy? It explains to users what is expected of them and what the company's rules are. Enforcement, and the repercussions if the policy is not followed, should be part of the policy, and enforcement must be consistent. There are also legal reasons for having a written policy.

Page 4: CIS 450 – Network Security Chapter 8 – Password Security.

Password Management

What is a strong password? Under the policy used in this chapter, a password
  changes every 45 days
  has a minimum length of 10 characters
  contains at least one letter, one number, and one special character
  has the numbers and special characters mixed through it, not appended at the end
  does not contain dictionary words
  is not one of the previous five passwords
  has a minimum age of ten days (so a user cannot cycle through five changes in a row to get back to a favourite)
In addition, after five failed logon attempts the account is locked for several hours.
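Added example (not from the slides) that implements the policy above as code a logon or password-change service could call. The word list, the three-hour lockout (the slide says "several hours") and the storage of the password history as salted SHA-256 hashes are assumptions for the demonstration. Note that current guidance such as NIST SP 800-63B drops forced rotation and composition rules in favour of length and screening against breached-password lists; the code implements the slide's rules as stated.

```python
import hashlib
import hmac
import os
import re
import string
from datetime import date, datetime, timedelta

# Policy parameters as stated on the slide; LOCKOUT_HOURS is an assumed value.
MIN_LENGTH = 10
MAX_AGE_DAYS = 45
MIN_AGE_DAYS = 10
HISTORY_DEPTH = 5
LOCKOUT_THRESHOLD = 5
LOCKOUT_HOURS = 3

# Constructed stand-in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}
TRAILING = string.digits + string.punctuation


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 used only for the history list (assumed format)."""
    return hashlib.sha256(salt + password.encode()).digest()


def history_entry(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def composition_violations(candidate: str) -> list:
    """Length, character-class, 'mixed not appended' and dictionary rules."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    # Reject "Welcome12!"-style passwords: a letters-only core followed by a
    # trailing run of digits/specials is "appended", not "mixed".
    core = candidate.rstrip(TRAILING)
    if core != candidate and core.isalpha():
        problems.append("digits/specials only appended at the end")
    if any(word in candidate.lower() for word in DICTIONARY):
        problems.append("contains a dictionary word")
    return problems


def reuses_recent(candidate: str, history: list) -> bool:
    """history is newest-first; only the last HISTORY_DEPTH entries count."""
    return any(hmac.compare_digest(salted_hash(candidate, salt), digest)
               for salt, digest in history[:HISTORY_DEPTH])


def change_allowed(last_changed: date, today: date) -> bool:
    return today - last_changed >= timedelta(days=MIN_AGE_DAYS)


def change_required(last_changed: date, today: date) -> bool:
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


def evaluate_change(candidate: str, history: list, last_changed: date, today: date) -> list:
    """All reasons a proposed new password must be rejected (empty list = accept)."""
    problems = composition_violations(candidate)
    if reuses_recent(candidate, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if not change_allowed(last_changed, today):
        problems.append(f"password is younger than {MIN_AGE_DAYS} days")
    return problems


class LockoutCounter:
    """Five failures lock the account for LOCKOUT_HOURS; a success resets."""

    def __init__(self):
        self.failures = 0
        self.locked_until = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> bool:
        if self.is_locked(now):
            return True
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + timedelta(hours=LOCKOUT_HOURS)
        return self.is_locked(now)

    def record_success(self) -> None:
        self.failures, self.locked_until = 0, None


if __name__ == "__main__":
    history = [history_entry("OldPass!2023x")]
    for pw in ("Welcome12!", "Tr4v3l!2Rome", "OldPass!2023x"):
        print(pw, evaluate_change(pw, history, date(2024, 1, 1), date(2024, 1, 20)) or "OK")
```

The history is kept as salted hashes rather than plaintext so that a leaked history file does not hand an attacker five old passwords per user; the reuse check therefore costs one hash per stored entry.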

Page 5: CIS 450 – Network Security Chapter 8 – Password Security.

Password Management

How do you pick strong passwords? Use phrases instead of words: pick a phrase that relates to family or personal interests, and let the first letter of each word become a character in the password (then mix in numbers and special characters to satisfy the policy).

Page 6: CIS 450 – Network Security Chapter 8 – Password Security.

Password Management

How are passwords protected? They cannot be stored as plain text on the system; they must be stored in a protected form (in practice a salted one-way hash, covered below, rather than something the system can decrypt).

Encryption: the process of converting plain text into ciphertext with the goal of making it unreadable to anyone without the key.

Symmetric encryption: uses a single key to both encrypt and decrypt, so the two parties need a secure way to exchange the key before communicating.

Page 7: CIS 450 – Network Security Chapter 8 – Password Security.

Password Management: Encryption, continued

Asymmetric encryption: uses two keys, a public key and a private key. The private key is known only to the owner and is never shared; the public key is given to anyone who wants to communicate with you. The keys are set up to be inverses of each other: anything encrypted with the public key can only be decrypted with the private key. No secure channel is needed to exchange keys before communicating.

It is much slower than symmetric encryption, so most systems use asymmetric encryption only to start a session and exchange a session key, then use that key with symmetric encryption for the rest of the traffic.

Page 8: CIS 450 – Network Security Chapter 8 – Password Security.

Password Management

Encryption, continued: Hash Functions

A hash function performs a one-way transformation of the input that cannot be reversed. It produces a fixed-length output from an input of any length, and there is no practical way to recover the original input from the output.

The system never stores the password itself: at logon it takes the plain text password the user typed, computes its hash, and compares the result with the stored hash.

A salt is a random value, stored alongside the hash, that is mixed into the input before hashing. It ensures that two users with the same password do not end up with the same stored hash, and it stops an attacker from precomputing one table of hashes and using it against every account.
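Added example (not from the slides) of the storage and verification flow described above, in Python. It uses PBKDF2-HMAC-SHA256 from the standard library, a deliberately slow, iterated hash, rather than a single SHA-256 pass, because an attacker with a copy of the hashes gets to try guesses at the speed of the hash; the iteration count, the record format `pbkdf2_sha256$iterations$salt$hash` and the two sample users are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; an assumed value, tuned so one hash costs a
# noticeable fraction of a second on the server (and on the attacker).
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated one-way transform. A fresh random salt is drawn for
    every password so two users with the same password get different records;
    the salt is stored next to the hash because verification needs it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the submitted plaintext and the stored salt, then
    compare with the stored hash in constant time. The plaintext is never kept."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: without a salt, equal passwords give equal hashes and one
    precomputed table of hashes works against every account in the file."""
    return hashlib.sha256(password.encode()).hexdigest()


def register_users(credentials: dict, iterations: int = ITERATIONS) -> dict:
    """Build a password store from {user: plaintext}; only hash records are kept."""
    return {user: hash_password(pw, iterations) for user, pw in credentials.items()}


def login(store: dict, user: str, password: str, iterations: int = ITERATIONS) -> bool:
    stored = store.get(user)
    if stored is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password, iterations)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample: two users happen to choose the same password.
    store = register_users({"alice": "correct horse", "bob": "correct horse"})
    print("alice:", store["alice"])
    print("bob:  ", store["bob"])
    print("same plaintext, same stored record?", store["alice"] == store["bob"])
    print("unsalted SHA-256 collides?",
          unsalted_sha256("correct horse") == unsalted_sha256("correct horse"))
    print("alice logs in:", login(store, "alice", "correct horse"))
    print("wrong password:", login(store, "alice", "incorrect horse"))
```

Storing the iteration count inside the record lets the work factor be raised later without invalidating old hashes: a record hashed at a lower count still verifies and can be rehashed on the user's next successful logon.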

Page 9: CIS 450 – Network Security Chapter 8 – Password Security.

Password Attacks

Password attack: recovering someone's plain text password when all you have is the hashed ("encrypted") password, or no password at all.

Manual method: type guesses at the logon prompt. If the system locks accounts after a number of failed attempts, working through each account this way locks the real users out and turns into a denial-of-service attack.

Automated method: obtain a copy of the password hashes and crack them offline, out of reach of any lockout mechanism, using a program that hashes each word in a list and checks for a match.

Page 10: CIS 450 – Network Security Chapter 8 – Password Security.

Password Attack Tools

Pwdump2: obtains password hashes from the local Security Accounts Manager (SAM) database or from Active Directory
http://www.doubleupsoftware.com/HowToGetPwdump2.asp?AfId=&affiliateid=

Lsadump2: exposes the contents of the Local Security Authority (LSA) secrets in clear text
http://www.bindview.com/Support/RAZOR/Utilities/Windows/lsadump2_readme.cfm

LC5: password auditing tool that evaluates Windows NT, Windows 2000, and Windows XP password hashes
http://www.atstake.com/products/lc/

John the Ripper: password cracking tool for several operating systems
http://www.openwall.com/john/

Page 11: CIS 450 – Network Security Chapter 8 – Password Security.

Why is Password Cracking Important

Auditing the strength of passwords: get a clear picture of how secure the passwords in use are and what needs to be fixed
Recovering forgotten or unknown passwords
Migrating users to a new system
Providing a checks-and-balances system

Page 12: CIS 450 – Network Security Chapter 8 – Password Security.

Types of Password Attacks

Dictionary attack: takes a file containing most of the words found in a dictionary and tries each one as the user's password. It helps to understand the target's environment, so urge users not to pick passwords that can easily be derived from theirs (company, product or team names, for example).

Brute force attack: with a fast enough computer that can try every possible combination of letters, numbers, and special characters, you will eventually crack any password. If the attacker knows the minimum password length they can skip the shorter combinations and start from there. The general rule is to change a password in less time than it would take to brute-force it.

Page 13: CIS 450 – Network Security Chapter 8 – Password Security.

Types of Password Attacks

Distributed attack: the attacker breaks into several sites that have large computers and uses them together to crack your company's passwords.

Hybrid attack: takes dictionary words and concatenates a couple of letters or numbers at the end.

Social engineering, shoulder surfing, dumpster diving.
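Added example (not from the slides) that ties together the offline automated attack from page 9 with the dictionary, hybrid, brute-force and distributed attacks from pages 12 and 13. The leaked password file, the word list and the salts are constructed for the demonstration, and the hash is plain salted SHA-256 so the run finishes in seconds; that speed is the lesson, since a fast hash lets an attacker test tens of millions of guesses per second, and the keyspace arithmetic shows why the rotation rule is measured against the brute-force time.

```python
import hashlib
import itertools
import string


def salted_sha256(salt: bytes, password: str) -> str:
    """Assumed hash format of the leaked file: hex(SHA-256(salt || password))."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_entry(user: str, password: str, salt_hex: str) -> tuple:
    return user, salt_hex, salted_sha256(bytes.fromhex(salt_hex), password)


# Constructed sample of a copied password file: (user, salt, hash). In a real
# engagement this comes from a dump tool and the plaintexts are unknown.
LEAKED = [
    make_entry("alice", "summer", "0a1b2c3d"),
    make_entry("bob", "dragon42", "4e5f6071"),
    make_entry("carol", "q7z", "8293a4b5"),
]

# Constructed word list standing in for a dictionary file.
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein"]


def dictionary_candidates(words):
    """Dictionary attack: each word as-is plus the obvious capitalisations."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w.upper()


def hybrid_candidates(words, suffix_chars=string.digits + string.ascii_lowercase, max_suffix=2):
    """Hybrid attack: dictionary word with one or two characters appended."""
    for w in words:
        for n in range(1, max_suffix + 1):
            for suffix in itertools.product(suffix_chars, repeat=n):
                yield w + "".join(suffix)


def brute_force_candidates(alphabet: str, min_len: int, max_len: int):
    """Brute force: every string over `alphabet`, starting at the known minimum length."""
    for n in range(min_len, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def brute_force_seconds(alphabet_size: int, min_len: int, max_len: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace; the password change interval must be shorter."""
    return keyspace(alphabet_size, min_len, max_len) / guesses_per_second


def shard(candidates, worker: int, n_workers: int):
    """Distributed attack: every n-th candidate goes to one of n machines."""
    for i, cand in enumerate(candidates):
        if i % n_workers == worker:
            yield cand


def crack(entries, candidates) -> dict:
    """Offline attack: hash each candidate under every uncracked user's salt and
    compare. The per-user salt is why each guess must be hashed once per user
    instead of once for the whole file."""
    found = {}
    pending = {user: (bytes.fromhex(salt), digest) for user, salt, digest in entries}
    for cand in candidates:
        for user in list(pending):
            salt, digest = pending[user]
            if salted_sha256(salt, cand) == digest:
                found[user] = cand
                del pending[user]
        if not pending:
            break
    return found


if __name__ == "__main__":
    alphabet = string.ascii_lowercase + string.digits
    for name, cands in (("dictionary", dictionary_candidates(WORDLIST)),
                        ("hybrid", hybrid_candidates(WORDLIST)),
                        ("brute force", brute_force_candidates(alphabet, 1, 3))):
        print(f"{name}: {crack(LEAKED, cands)}")
    years = brute_force_seconds(95, 10, 10, 1e9) / (365 * 86400)
    print(f"10-char password, 95-symbol alphabet, 1e9 guesses/s: about {years:.0f} years")
```

Running the three strategies in turn is how an audit is usually staged: the cheap dictionary and hybrid passes find the weak accounts first, and the brute-force pass is reserved for the short keyspaces that remain.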

Page 14: CIS 450 – Network Security Chapter 8 – Password Security.

Windows 2000 Password Attacks

Detecting password attacks on Windows
http://sysadminnews.com/sysadminnews-32-20031117DetectingPasswordAttacksonWindows.html
http://www.microsoft.com/technet/security/news/efs.mspx#XSLTsection122121120120

How to Make Windows 2000 and NT 4 Passwords Uncrackable
http://sysopt.earthweb.com/articles/win2kpass/index.html

Hacking for Dummies, chapter 7
http://searchsecurity.techtarget.com/searchSecurity/downloads/HackingforDummiesCh07.pdf