P@$$w0rd Point3r$

Password Introduction

• Passwords are a key part of any security system, work or personal.

• Strong passwords make your personal and work data relatively secure.

• A weak password is often worse than no password at all, because it gives a false sense of security.

Tip 1: Use a Pass Phrase

• How long should your passwords be? The length depends on the value of the data being protected, how often the passwords must be changed, and the security of the authentication system.

• Passwords should be a minimum of eight to 10 characters to even begin to be considered non-trivial.

• A password of 15 characters or longer, i.e. a "pass phrase", is considered secure for most general-purpose business applications.

Good example: callingGodisafreecall

Tip 2: Disable LM Hashes

• Disable the storage of the weak LAN Manager (LM) password hashes in Windows; they are simple to break. An LM hash upper-cases the password, truncates it to 14 characters and hashes it as two independent 7-character halves, so each half can be cracked separately.

• Disable LM hashes by using Group Policy, Local Security Policy or a Registry edit. In the former two, navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options and enable "Network security: Do not store LAN Manager hash value on next password change". The Registry equivalent is the NoLMHash DWORD value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, set to 1.

• As the policy name says, an existing LM hash is only removed when the user next changes the password, so force a password change after enabling it. Windows Vista, Server 2008 and later do not store LM hashes by default. No LM hash can be stored at all for a password of 15 or more characters, which is one reason the length advice in Tip 4 works.

Tip 3: True Password Complexity

• Complexity makes passwords harder to guess and crack.

• Complexity normally means inserting one or more non-alphabetic characters into the password or pass phrase. Higher complexity involves requiring one or more non-alphabetic and non-numeric symbols (e.g. !@#$%&, and so on).

• Password cracking tools know most people make the first letter uppercase.

• They know that numbers typically go at the end and are usually "1" or "2".

• They know the common symbol substitutions: "@" for "a", "$" for "s" and so on. (The title of this presentation, P@$$w0rd, is exactly the substitution a cracker's rule set tries first.)

• True password complexity means doing something unexpected. Example: "p7asswOrK" is more complex than "Password2", because the digit and the capital sit where the rules do not expect them.

Tip 4: How Long? 15 Or More!

• Crackers say how easy it is to break dictionary-based passwords.

• When sent the password hashes for "browngrassbrowngrass" or "hash-thispassword-word" to crack, they never seem to break them.

• The secret: if your password is long enough, it does not need to be complex. Going to 15 characters or longer defeats most common password crackers, and on Windows it also guarantees that no LM hash is stored (see Tip 2).

• Caveat: length only helps if the phrase itself is not in a wordlist. A well-known quotation or song lyric is a dictionary entry, however long it is.
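As an added example that is not part of the original presentation, here is a miniature rule-based cracker that encodes exactly the habits Tip 3 lists (first letter capitalised, a short number at the end, the usual symbol substitutions), run against the examples from Tips 3 and 4, together with the brute-force keyspace arithmetic behind the length advice in Tip 1. The wordlist, the sha256 stand-in for the target's real hash format and the guess rate of 10^10 per second are constructed assumptions.

```python
import hashlib


def h(password: str) -> str:
    # Hypothetical stand-in for whatever unsalted fast hash the target used.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["password", "welcome", "secret", "brown", "grass", "hash", "word"]
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}
SUFFIXES = ["", "1", "2", "3", "12", "123", "!", "1!"]


def mangle(word: str):
    """Yield the candidates a rule-based cracker derives from one word.

    The rules are the habits Tip 3 lists: first letter capitalised, a short
    number (usually 1 or 2) at the end, and the usual symbol substitutions,
    alone or combined.
    """
    leet = "".join(LEET.get(c, c) for c in word)
    bases = {word, word.capitalize(), word.upper(), leet, leet[:1].upper() + leet[1:]}
    for c, sub in LEET.items():  # single substitutions as well
        bases.add(word.replace(c, sub))
        bases.add(word.capitalize().replace(c, sub))
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def crack(target_hashes, wordlist=WORDLIST):
    """Return ({hash: plaintext} for every target recovered, guesses made)."""
    found, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = h(candidate)
            if digest in target_hashes:
                found[digest] = candidate
    return found, guesses


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that contains the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols
    return size


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to exhaust the keyspace at an assumed GPU guess rate."""
    return charset_size(password) ** len(password) / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    samples = ["Password2", "P@$$w0rd", "p7asswOrK", "browngrassbrowngrass"]
    found, guesses = crack({h(s) for s in samples})
    for s in samples:
        status = "cracked" if h(s) in found else "survived"
        print(f"{s:24s} {status:9s} brute force: {brute_force_years(s):.2e} years")
    print(f"{guesses} rule-based guesses in total")
```

The brute-force arithmetic rates p7asswOrK and Password2 identically (same character classes, same length), yet the rule set recovers Password2 and P@$$w0rd in under a thousand guesses and never produces p7asswOrK; that gap is the difference between nominal and true complexity. browngrassbrowngrass survives the rules and its 26^20 keyspace is far beyond brute force; a combinator attack that joins pairs of common words is the remaining risk for phrases built from very common words.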

Tip 5: Password Diversity

• Many people use the same password for online gaming or other fun sites that they use at work.

• Most people have dozens of logons across a multitude of Web sites around the Internet.

• Often their logon name for each Web site is their e-mail address.

• When one password is compromised, many others are often known as well: the attacker only has to try the leaked e-mail address and password pair at other sites.

• Most passwords can be discovered by watching someone log on about seven times.

Tip 6: Rooting Around

• On work systems: avoid using the same password on different systems.

• To make it simpler, pick a common "root" password and make slight changes to it on the various systems.

• Example for e-mail, billing and accounting systems: "greenemail32", "greenebill21", "greenaccount01".

• Caveat: the variations must not be guessable from each other. If one of the passwords above leaks, the root "green" and the system-name-plus-two-digits pattern are obvious, and the other two fall to a few hundred guesses. Vary more than the suffix.
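Tip 5 warns that one compromised password often reveals others; the following added example, which is not part of the original presentation, shows how quickly that happens with the root scheme above. The leaked password, the list of system names the attacker guesses, and the sha256 stand-in for the real hash are all constructed assumptions.

```python
import hashlib
import re


def h(password: str) -> str:
    # Hypothetical stand-in for the real hash the breached system stored.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed scenario: the e-mail system's password database leaked and
# "greenemail32" was recovered from it. The attacker also knows which
# other systems the same user has accounts on.
LEAKED_PASSWORD = "greenemail32"
LEAKED_SYSTEM = "email"
# System names the attacker tries for the other accounts (hypothetical).
SYSTEM_GUESSES = ["bill", "ebill", "billing", "account", "accounting", "vpn"]


def infer_pattern(leaked: str, system: str):
    """Split a leaked password into (root, digits) around the system word, or None."""
    m = re.fullmatch(r"([A-Za-z]+?)" + re.escape(system) + r"(\d*)", leaked)
    return (m.group(1), m.group(2)) if m else None


def sibling_candidates(root: str, systems, digit_width: int):
    """Every root + system + digits combination, same digit width as the leak."""
    for system in systems:
        if digit_width == 0:
            yield root + system
            continue
        for n in range(10 ** digit_width):
            yield f"{root}{system}{n:0{digit_width}d}"


def guess_siblings(leaked, leaked_system, systems, target_hashes):
    """Return ({hash: password} recovered on the other systems, guesses made)."""
    pattern = infer_pattern(leaked, leaked_system)
    if pattern is None:
        return {}, 0
    root, digits = pattern
    found, tried = {}, 0
    for candidate in sibling_candidates(root, systems, len(digits)):
        tried += 1
        digest = h(candidate)
        if digest in target_hashes:
            found[digest] = candidate
    return found, tried


if __name__ == "__main__":
    # Hashes of the billing and accounting passwords from the slide.
    targets = {h("greenebill21"), h("greenaccount01")}
    found, tried = guess_siblings(LEAKED_PASSWORD, LEAKED_SYSTEM, SYSTEM_GUESSES, targets)
    print(f"recovered {sorted(found.values())} in {tried} guesses")
```

Six system names times one hundred two-digit endings is 600 guesses, which any online logon form will absorb in minutes, let alone an offline attack on a stolen hash.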

Tip 7: Storing Passwords - Hints

• Good passwords are a balance between complexity and your ability to remember them.

• Make a hint file on your cell phone that holds reminders, not the passwords themselves. For example, the passwords listed in the previous tip might become "gemail32", "gebill21_32" and "gaccount01_32".

• Switch things up a bit, for instance using "GEmail34" to indicate that the password includes capitalized letters and a different ending for that system (i.e. GreanEmail34). Notice that Green is misspelled; that is a good way to defeat dictionary attacks.

• Never write down the password itself.

• Caveat: a hint that contains most of the password ("gemail32" is "greenemail32" minus four letters) is nearly as useful to whoever picks up the phone as the password itself. If the phone is lost, treat those passwords as compromised and change them.

Tip 8: Do's and Don'ts

• Use a pass phrase like callingGodis1freecall.

• Don't use passwords in all CAPS.

• Do not start with a capital letter and end with a number; most cracking software knows how to crack that in seconds.

• Don't make it so hard that you must write it down.

• DO NOT write it on a sticky note and put it on the monitor, in a drawer or under the keyboard.

• Do not use family or pet names or your favorite team unless you put them in a phrase.

Tip 9: Understand Wireless

• On wireless, everything your device sends that is not itself encrypted is broadcast in clear text, including your user name on a site that only switches to SSL after the logon page.

• Several SSL sites still send the logon itself in clear text: the login form or its submission goes over plain HTTP and only the connection after that is encrypted, so your user name and password are sent in the clear.

• People can discover your user name and password without being on your wireless network: on an open (unencrypted) network, anyone in radio range can capture the traffic passively.

• Public wireless access points will often have someone running sniffing software on a regular basis.

• What to check: https:// and the padlock on the page that holds the login form and on the page it submits to, not just on the page you land on afterwards.
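To make the sniffing risk concrete, here is an added example that is not part of the original presentation: detection logic run over a few constructed captures of the kind a passive sniffer on an open wireless network would collect. It parses each segment as HTTP and reports any logon material visible in the clear (form fields, query strings, HTTP Basic headers); a TLS segment is opaque to it, which is exactly the protection an https:// logon form provides. The host names, accounts and passwords in the captures are constructed.

```python
import base64
from urllib.parse import parse_qs, urlsplit

CRED_FIELDS = {"password", "passwd", "pass", "pwd", "pin"}
USER_FIELDS = {"username", "user", "email", "login", "uid"}

# Constructed captures: (destination port, raw bytes of the TCP segment) as
# seen by someone in radio range of an open access point.
CAPTURES = [
    (80, b"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 48\r\n\r\n"
         b"username=alice%40example.test&password=Password2"),
    (80, b"GET /api?user=bob&pass=greenebill21 HTTP/1.1\r\nHost: bill.example.test\r\n\r\n"),
    (80, b"GET /private HTTP/1.1\r\nHost: intranet.example.test\r\n"
         b"Authorization: Basic Y2Fyb2w6aHVudGVyMg==\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03..."),  # start of a TLS ClientHello
    (80, b"GET /index.html HTTP/1.1\r\nHost: news.example.test\r\n\r\n"),
]


def parse_http_request(payload: bytes):
    """Return (method, target, headers, body) for a cleartext HTTP request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None  # TLS or other binary data: opaque to the sniffer
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def extract_credentials(request):
    """Return {"user": ..., "password": ...} for whatever the request exposes, or None."""
    _method, target, headers, body = request
    found = {}
    # 1. Form fields in the query string (GET) or a urlencoded body (POST).
    fields = dict(parse_qs(urlsplit(target).query))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qs(body))
    for name, values in fields.items():
        if name.lower() in CRED_FIELDS:
            found["password"] = values[0]
        elif name.lower() in USER_FIELDS:
            found["user"] = values[0]
    # 2. HTTP Basic authentication: base64 is an encoding, not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        found["user"], found["password"] = user, password
    return found or None


def audit(captures):
    """Return {host: exposed credentials} for every cleartext request that leaks any."""
    report = {}
    for _port, payload in captures:
        request = parse_http_request(payload)
        if request is None:
            continue
        creds = extract_credentials(request)
        if creds:
            report[request[2].get("host", "?")] = creds
    return report


if __name__ == "__main__":
    for host, creds in audit(CAPTURES).items():
        print(f"{host}: {creds}")
```

Three of the five segments give up a full logon; the TLS segment and the plain page fetch give up nothing, and note that the user name alice@example.test is the e-mail address Tip 5 warns is reused as the logon name everywhere.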

Tip 10: Social Engineering

• Never give out a password to anyone, even your IT staff. They should have the ability to reset your password instead.

• Do not give out your naming scheme either, or the IT staffer may be able to guess the password for your bank account or other accounts.

• Use separate naming schemes for work and personal accounts.

• Never use Personally Identifiable Information (PII) in your passwords: birth date, SSN, mother's maiden name.

• Never respond to e-mails asking you to verify your PII or to log on to a Web site.

Bad Passwords

• These kinds of passwords can be cracked in under three minutes:

• A name associated with you or your organization (SDA)

• A date associated with you or your organization (1844 or 1888)

• A dictionary word (unless it is part of a pass phrase)

• Adding a number or a capital adds no more than a few minutes to the time it takes to crack short passwords.