CIS 450 – Network Security
Chapter 8 – Password Security

Future of Passwords
• One-time passwords – users are given a device that generates a new password at set intervals, keyed to the authentication server
• Challenge-response schemes
  • http://www.securitysa.com/Article.ASP?pklArticleID=3014&pklIssueID=412
  • http://www.trintech.com/PRO212120150501004116069.html
• Biometrics

Password Management
• Why do we need passwords?
  • Passwords provide a mechanism to uniquely identify individuals and give them access only to the information they need
• Why do you need a password policy?
  • It explains to users what is expected of them and what the company’s rules regarding passwords are
  • Enforcement and the repercussions for not following the policy should be part of the policy
  • Enforcement must be consistent
  • Legal reasons

Password Management
• What is a strong password?
  • Changes every 45 days
  • Minimum length of 10 characters
  • Must contain at least one alpha, one number, and one special character
  • Characters must be mixed throughout, not appended to the end
  • Cannot contain dictionary words
  • Cannot reuse the previous five passwords
  • Minimum password age of ten days
  • After five failed logon attempts, the account is locked for several hours

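The strength rules on this slide, turned into a checker as an added example (not code from the course). The dictionary is a constructed mini wordlist standing in for a real dictionary file; the "not appended to the end" rule is interpreted as rejecting a letters-only prefix followed by a trailing run of digits/specials.

```python
import re

# Constructed stand-in for a real dictionary file (assumption for the example).
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "admin", "letmein"}

def policy_violations(password, dictionary=DICTIONARY_WORDS, min_length=10, min_word_len=4):
    """Return the list of slide rules that `password` breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_alpha = re.search(r"[A-Za-z]", password)
    has_digit = re.search(r"\d", password)
    has_special = re.search(r"[^A-Za-z0-9]", password)
    if not (has_alpha and has_digit and has_special):
        problems.append("needs at least one letter, one digit and one special character")
    # "Mixed, not appended": a word followed only by a tail of digits/specials, e.g. Summertime1!
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", password):
        problems.append("digits/specials are only appended to the end")
    lowered = password.lower()
    for word in sorted(dictionary):
        if len(word) >= min_word_len and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems

if __name__ == "__main__":
    for candidate in ["Summertime1!", "g4!Tr#b9Qz", "abc"]:
        print(candidate, "->", policy_violations(candidate) or "OK")
```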
Password Management
• How do you pick strong passwords?
  • Use phrases instead of words
  • Pick a phrase that relates to family or personal interests
  • The first letter of each word becomes a character in the password

Password Management
• How are passwords protected?
  • Cannot be stored as plain text on the system – must be encrypted
• Encryption
  • The process of converting plain text into ciphertext with the goal of making it unreadable
• Symmetric Encryption
  • Uses a single key to both encrypt and decrypt
  • Needs a secure way to exchange the key prior to communicating

Password Management
• Encryption – continued
• Asymmetric Encryption
  • Uses two keys: a public key and a private key
  • The private key is known only to the owner and is not shared with anyone else
  • The public key is given to anyone who wants to communicate with you
  • The keys are set up so they are inverses of each other
  • Anything encrypted with the public key can only be decrypted with the private key
  • No secure channel is needed to exchange keys prior to communication
  • Very slow
  • Most systems use asymmetric encryption to initiate the session and exchange a session key, which is then used for symmetric encryption

Password Management
• Encryption – continued
• Hash Functions
  • Perform a one-way transformation of the information that is irreversible
  • Produce a fixed-length output string from the input string, with no way to determine the original input string
  • The system takes the plain-text password entered by the user, computes its hash, and compares it to the stored hash
  • A salt is used to randomize the password so that two users with the same password do not end up with the same stored hash

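An added example (not code from the course) of the salted-hash storage and verification the slide describes, which also covers the "cannot reuse the previous five passwords" rule from the policy slide by checking a candidate against the stored records of earlier passwords. PBKDF2-HMAC-SHA256 from the standard library is assumed as the slow hash, with an assumed iteration count.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune per deployment

def make_record(password, salt=None):
    """Store salt + hash, never the plain-text password. A fresh random salt per
    user means two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(password, record):
    """Recompute the hash with the stored salt and compare; the hash is never reversed."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate.hex(), record["hash"])

def reuses_previous(password, history, keep=5):
    """Policy rule: the candidate may not match any of the last `keep` stored
    records (history is ordered oldest to newest); each record has its own salt."""
    return any(verify(password, rec) for rec in history[-keep:])

if __name__ == "__main__":
    a = make_record("Tr0ub4dor&3")
    b = make_record("Tr0ub4dor&3")
    print("same password, different hashes:", a["hash"] != b["hash"])
    print("correct:", verify("Tr0ub4dor&3", a), " wrong:", verify("Tr0ub4dor&4", a))
    history = [make_record(p) for p in ["p1!Aaaaaaa", "p2!Aaaaaaa", "p3!Aaaaaaa",
                                        "p4!Aaaaaaa", "p5!Aaaaaaa", "p6!Aaaaaaa"]]
    print("p6 reused:", reuses_previous("p6!Aaaaaaa", history))   # within last five
    print("p1 reused:", reuses_previous("p1!Aaaaaaa", history))   # sixth back, allowed
```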
Password Attacks
• Password Attack
  • Guessing someone’s plain-text password when you only have the encrypted password
• Manual method
  • If the system has automatic lockout, unsuccessfully trying to access each account can cause a DoS attack
• Automated method
  • Obtain a copy of the encrypted passwords and try to crack them offline
  • Use a program that goes through a list of words to see if there is a match

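From the defender's side, an added example (not code from the course) of detection logic for the two patterns on this slide: an account hitting the policy's five-failure lockout threshold, and one source failing against many different accounts, which is what the lockout DoS looks like in the logs. The log format and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (not real log data): time, account, source.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAILED_LOGON user=alice src=10.0.0.5
2024-03-01T09:00:03 FAILED_LOGON user=alice src=10.0.0.5
2024-03-01T09:00:05 FAILED_LOGON user=alice src=10.0.0.5
2024-03-01T09:00:07 FAILED_LOGON user=alice src=10.0.0.5
2024-03-01T09:00:09 FAILED_LOGON user=alice src=10.0.0.5
2024-03-01T09:10:00 FAILED_LOGON user=bob src=10.0.0.9
2024-03-01T09:10:01 FAILED_LOGON user=carol src=10.0.0.9
2024-03-01T09:10:02 FAILED_LOGON user=dave src=10.0.0.9
2024-03-01T09:10:03 FAILED_LOGON user=erin src=10.0.0.9
2024-03-01T09:10:04 FAILED_LOGON user=frank src=10.0.0.9
2024-03-01T11:30:00 FAILED_LOGON user=alice src=10.0.0.5
"""

def parse(log_text):
    """Turn each FAILED_LOGON line into (timestamp, account, source)."""
    events = []
    for line in log_text.splitlines():
        ts, kind, user, src = line.split()
        if kind == "FAILED_LOGON":
            events.append((datetime.fromisoformat(ts), user[5:], src[4:]))
    return events

def find_password_attacks(events, window=timedelta(minutes=5), threshold=5):
    """Flag an account with `threshold` failures inside `window` (the lockout
    threshold) and a source failing against `threshold` or more distinct accounts
    inside `window` (lockout DoS against many accounts)."""
    by_user, by_src = defaultdict(list), defaultdict(list)
    for ts, user, src in events:
        by_user[user].append(ts)
        by_src[src].append((ts, user))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.append(("lockout_threshold", user))
    for src, hits in by_src.items():
        hits.sort()
        for start, _ in hits:
            users = {u for t, u in hits if start <= t <= start + window}
            if len(users) >= threshold:
                alerts.append(("many_accounts_from_source", src))
                break
    return alerts
```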
Password Attack Tools
• Pwdump2 – tool that can obtain password hashes from the local Security Accounts Manager (SAM) database or Active Directory
  • http://www.doubleupsoftware.com/HowToGetPwdump2.asp?AfId=&affiliateid=
• Lsadump2 – tool that exposes the contents of the Local Security Authority (LSA) in clear text
  • http://www.bindview.com/Support/RAZOR/Utilities/Windows/lsadump2_readme.cfm
• LC5 – password auditing tool that evaluates Windows NT, Windows 2000, and Windows XP password hashes
  • http://www.atstake.com/products/lc/
• John the Ripper – password cracking tool for several operating systems
  • http://www.openwall.com/john/

Why is Password Cracking Important?
• Auditing the strength of passwords – get a clear picture of the security of passwords and what needs to be fixed
• Recovering forgotten/unknown passwords
• Migrating users
• To use as a checks-and-balances system

Types of Password Attacks
• Dictionary Attack
  • Takes a file containing most of the words that would be found in a dictionary and uses these words to guess a user’s password
  • It helps to understand your environment
  • Urge users not to pick passwords that can easily be derived from their environment
• Brute Force Attack
  • With a fast enough computer that can try every possible combination of letters, numbers, and special characters, you will eventually crack a password
  • If the attacker knows the minimum length of the password, they can start from there
  • General rule: change the password in less time than it would take to brute-force it

Types of Password Attacks
• Distributed Attack
  • The attacker breaks into several sites that have large computers and uses those to crack your company’s passwords
• Hybrid Attack
  • Takes dictionary words but concatenates a couple of letters or numbers at the end
• Social Engineering
• Shoulder Surfing
• Dumpster Diving

Windows 2000 Password Attacks
• http://sysadminnews.com/sysadminnews-32-20031117DetectingPasswordAttacksonWindows.html
• http://www.microsoft.com/technet/security/news/efs.mspx#XSLTsection122121120120
• How to Make Windows 2000 and NT 4 Passwords Uncrackable
  • http://sysopt.earthweb.com/articles/win2kpass/index.html
• Hacking for Dummies
  • http://searchsecurity.techtarget.com/searchSecurity/downloads/HackingforDummiesCh07.pdf