Improving Password Based Security

Improving Password Based Security


This presentation shows how you can improve password-based security. For more visit: http://www.rareinput.com/

Transcript of Improving Password Based Security

Page 1: Improving Password Based Security

Improving Password Based Security

Page 2: Improving Password Based Security

Brought To You by www.rareinput.com

What is a Password?

• A password is a secret word or string of characters that is used for user authentication to prove identity, or for access approval to gain access to a resource (example: an access code is a type of password).

• The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword, and would only allow a person or group to pass if they knew the password.

• In modern times, user names and passwords are commonly used by people during a login process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc.

Page 3: Improving Password Based Security


What is the need for a password?

There are many reasons to use passwords. Here are some common ones:

• to prevent unauthorized access to important information
• to guarantee the security of personal information
• to prevent unauthorized access to user accounts, such as computer and email accounts
• to be able to use various Internet services securely

Page 4: Improving Password Based Security


How does a password work?

Whenever we create a login on any website or any stand-alone system/application, we are generally asked for two things: a username and a password.

The combination of username and password is then saved in the database of the system/application.

When the user later tries to log in to that system or application, he or she is asked for these two things. If the username and password entered match the username and password previously stored in the database, access is granted; otherwise access is denied.

Page 5: Improving Password Based Security


Challenges in password based security

• Password creation
• Password strength
• Password storing
• Password protection
• Password cracking

Page 6: Improving Password Based Security


How to improve password based security?

A very simple answer to this question is “to improve the strength of the password”. But what actually is a good strength to ensure proper security?

Well, there are some techniques and do’s and don'ts which may ensure better security when using passwords.

Some of them are discussed in the next slides.

Page 7: Improving Password Based Security


1. Creating a strong password:

We all must create strong passwords which are tough to guess and break. In order to create strong passwords we should follow these points:

a) A minimum password length of 12 to 14 characters.
b) Generating passwords randomly where feasible.
c) Avoiding passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names or dates).
d) Including numbers and symbols in passwords if allowed by the system.
e) If the system recognizes case as significant, using capital and lower-case letters.
f) Avoiding using the same password for multiple sites or purposes.
g) Avoiding something that the public or workmates know you strongly like or dislike.

Page 8: Improving Password Based Security


2. Storing encrypted passwords:

• When we are planning to authenticate users via passwords, we must ensure the security of the passwords in our database.

• If we store user passwords as plaintext against which to compare user log-on attempts, an attacker who gains access to such an internal password store compromises all passwords, and so all user accounts. If some users employ the same password for accounts on different systems, those will be compromised as well.

• More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible.

• A common approach stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, the password handling software runs it through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access.
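The hashed store described on this slide, as an added example that is not part of the original presentation: the plaintext "before" beside a salted, iterated hash "after". The use of PBKDF2-HMAC-SHA256, the iteration count and the sample user are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed example (not from the slides): a credential store that keeps
# only a salted, iterated hash of each password, never the plaintext.
# PBKDF2-HMAC-SHA256 from the standard library is assumed; a memory-hard
# KDF such as scrypt or Argon2 would be an equally valid choice.
ITERATIONS = 200_000  # work factor: slows offline guessing against a stolen store


def hash_password(password, salt=None):
    """Return the record stored in place of the plaintext."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute the hash from the login attempt and compare it with the stored one."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"])
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


# The insecure 'before' the slide warns about, kept only for contrast:
PLAINTEXT_STORE = {"alice": "correct horse battery staple"}  # constructed sample

def login_plaintext(user, password):
    # Anyone who reads this dict learns every password outright.
    return PLAINTEXT_STORE.get(user) == password


HASHED_STORE = {"alice": hash_password("correct horse battery staple")}

def login_hashed(user, password):
    record = HASHED_STORE.get(user)
    if record is None:
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    print(login_hashed("alice", "correct horse battery staple"))  # True
    print(login_hashed("alice", "wrong"))  # False
```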

Page 9: Improving Password Based Security


3. Random Passwords:

• Random passwords consist of a string of symbols of specified length taken from some set of symbols using a random selection process in which each symbol is equally likely to be selected. The symbols can be individual characters from a character set (e.g., the ASCII character set), pronounceable passwords, or even words from a word list (thus forming a passphrase).

• However, these are often not truly random, but pseudo-random.

• Random password programs often have the ability to ensure that the resulting password complies with a local Password Policy.
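An added example, not from the original presentation, covering both the strong-password rules of slide 7 and the policy-checked random generation of slide 9: a checker for length, character classes, username, dictionary words and repeated or sequential runs, and a generator that draws each character uniformly from the OS random source and retries until the result passes that policy. The minimum length, the tiny word list and the sample username are assumptions.

```python
import secrets
import string

# Constructed example (not from the slides): the creation rules as a policy
# checker, plus a random generator that only returns policy-compliant output.
MIN_LENGTH = 12
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein"}  # sample only
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_sequence(pw, run=4):
    """True if `run` consecutive characters ascend (abcd, 1234), descend, or repeat (aaaa)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {0} or steps == {1} or steps == {-1}:
            return True
    return False


def check_policy(pw, username=""):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in pw) or not any(c in string.punctuation for c in pw):
        problems.append("needs digits and symbols")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs upper- and lower-case letters")
    if username and username.lower() in low:
        problems.append("contains the username")
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if has_sequence(pw):
        problems.append("contains a repeated or sequential run")
    return problems


def generate_password(length=14, username=""):
    """Draw each symbol uniformly with the OS CSPRNG; reject draws that fail the policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(pw, username):
            return pw
```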

Page 10: Improving Password Based Security


4. Password longevity (ageing):

• "Password aging" is a feature of some operating systems which forces users to change passwords frequently (e.g., quarterly, monthly or even more often).

• There is often an increase in the number of people who note down the password and leave it where it can easily be found, or users may use simpler passwords or develop variation patterns on a consistent theme to keep their passwords memorable. Because of these issues, password aging is effective.

• Password aging is also required because of the nature of the data on IT systems.

Page 11: Improving Password Based Security


5. Limits on the number of password guesses:

• An alternative to limiting the rate at which an attacker can make guesses on a password is to limit the total number of guesses that can be made.

• The password can be disabled, requiring a reset, after a small number of consecutive bad guesses (say 5); and the user may be required to change the password after a larger cumulative number of bad guesses (say 30), to prevent an attacker from making an arbitrarily large number of bad guesses by interspersing them between good guesses made by the legitimate password owner.
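The two limits described above, as an added example that is not part of the original presentation: a per-account counter that locks the account after 5 consecutive bad guesses and forces a password change after 30 cumulative bad guesses, so that bad guesses interspersed with the owner's good logins still add up. The in-memory store, the method names and the return codes are assumptions.

```python
from dataclasses import dataclass

# Constructed example (not from the slides): thresholds taken from the slide,
# everything else is an assumption for illustration.
LOCK_AFTER_CONSECUTIVE = 5
CHANGE_AFTER_CUMULATIVE = 30


@dataclass
class AccountState:
    consecutive_failures: int = 0   # reset by every successful login
    cumulative_failures: int = 0    # survives successful logins
    locked: bool = False            # cleared only by an explicit reset
    must_change_password: bool = False


class GuessLimiter:
    def __init__(self):
        self._accounts = {}

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def attempt(self, user, password_ok):
        """Record one login attempt and return the resulting decision."""
        st = self._state(user)
        if st.locked:
            return "locked"              # ignore further guesses, even correct ones
        if not password_ok:
            st.consecutive_failures += 1
            st.cumulative_failures += 1
            if st.consecutive_failures >= LOCK_AFTER_CONSECUTIVE:
                st.locked = True
                return "locked"
            if st.cumulative_failures >= CHANGE_AFTER_CUMULATIVE:
                st.must_change_password = True
            return "denied"
        st.consecutive_failures = 0      # a good login resets only the short counter
        return "change_password" if st.must_change_password else "allowed"

    def reset(self, user):
        """Reset after lockout: clears the lock but keeps the cumulative history."""
        st = self._state(user)
        st.locked = False
        st.consecutive_failures = 0

    def password_changed(self, user):
        self._accounts[user] = AccountState()   # a new password starts both counters again
```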

Page 12: Improving Password Based Security


6. Transmission through encrypted channels:

• The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using cryptographic protection.

• The most widely used is the Transport Layer Security (TLS, previously called SSL) feature built into most current Internet browsers.

• Most browsers alert the user of a TLS/SSL protected exchange with a server by displaying a closed lock icon, or some other sign, when TLS is in use.

Page 13: Improving Password Based Security


Do’s and don’ts of a password

Do’s of a password

• DO pick a password you will remember.
• DO change your password regularly.
• DO use a mix of uppercase and lowercase characters and special characters such as #, $, %.
• DO use random passwords.
• DO use a password that you can type quickly without having to look at your keyboard. This makes it harder for someone to notice your password if they happen to be watching over your shoulder.
• DO use a password with 8 or more characters. More is better.
• DO create different passwords for different accounts and applications.

Don’ts of a password

• DON'T write your password down.
• DON'T make obvious choices like your last name, first name, nickname, birthdate, spouse name, pet name, make/model of car, or favorite expression.
• DON'T choose your username as your password.
• DON'T share your password with anyone. Once it is out of your control, so is your security.
• DON'T use a word contained in English or foreign language dictionaries, spelling lists or commonly digitized
• DON'T use an alphabet sequence (lmnopqrst), a number sequence (12345678) or a keyboard sequence (qwertyuop).

Page 14: Improving Password Based Security


By using the techniques mentioned above we can significantly improve our password based security and protect ourselves from the numerous threats of the cyber world.


Page 16: Improving Password Based Security

Thank You

Saurabh Kumar Jha
CTO and Co-Founder
www.rareinput.com