140 likes | 314 Views
CIS 450 – Network Security. Chapter 8 – Password Security. Future of Passwords One-time passwords – users are given a device that generates a new password at certain intervals which is keyed with the authentication server Challenge response schemes
E N D
CIS 450 – Network Security Chapter 8 – Password Security
Future of Passwords • One-time passwords – users are given a device that generates a new password at certain intervals which is keyed with the authentication server • Challenge response schemes • http://www.securitysa.com/Article.ASP?pklArticleID=3014&pklIssueID=412 • http://www.trintech.com/PRO212120150501004116069.html • Biometrics
Password Management • Why do we need passwords? • Passwords provide a mechanism to uniquely identify individuals and only give access to the information they need • Why do you need a password policy? • Explains to the users what is expected of them and what the company’s rules are regarding them • Enforcement and repercussions if not followed should be part of policy • Enforcement must be consistent • Legal reasons
Password Management • What is a strong password? • Changes every 45 days • Minimum length of 10 characters • Must contain at least one alpha, one number, and one special character • Characters must be mixed and not appended to the end • Can not contain dictionary words • Can not reuse the previous five passwords • Minimum password age of ten days • After five failed logon attempts, password is locked for several hours
Password Management • How do you pick strong passwords? • Use phrases instead of words • Pick a phrase that relates to family or personal interests • First letter of each word becomes character in password
Password Management • How are passwords protected? • Can not be stored as plain text on the system – must be encrypted • Encryption • The process of converting plain text into ciphertext with the goal of making it unreadable • Symmetric Encryption • Uses a single key to both encrypt and decrypt • Need a secure way to exchange the key prior to communicating
Password Management • Encryption - continued • Asymmetric Encryption • Uses two keys: a public and a private key • The private key is known only to the owner and not shared with anyone else • Public key is given to anyone that wants to communicate with you • Keys are set up so they are inverse of each other • Anything encrypted with public key can only be decrypted with private key • Do not need a secure way to exchange keys prior to communication • Very slow • Most systems use asymmetric encryption to initiate session and to exchange a session key which then can be used for symmetric encryption
Password Management • Encryption - continued • Hash Functions • Performs a one-way transformation of the information that is irreversible • Produces a fixed length output string from the input string with no way to determine the original input string • System compares takes the plain text password, computes the hash, and compares it to the stored hash. • A Salt is used to randomize the password to prevent two users with the same password to have the same encrypted password
Password Attacks • Password Attack • Guessing someone’s plain text password when you only have the encrypted password • Manual method • If system has automatic lockout trying to access each account unsuccessfully can cause DoS attack • Automated method • Obtain a copy of the encrypted passwords and try to crack them offline • Use a program that goes through a list of words to see if there is a match
Password Attack Tools • Pwdump2 - Tool that can obtain password hashes from the local security accounts manager (SAM) database or the Active Directory • http://www.doubleupsoftware.com/HowToGetPwdump2.asp?AfId=&affiliateid= • Lsadump2 - Tool that exposes the contents of the local security authority (LSA) in clear text • http://www.bindview.com/Support/RAZOR/Utilities/Windows/lsadump2_readme.cfm • LC5 - Password auditing tool that evaluates Windows NT, Windows 2000, and Windows XP password hashes • http://www.atstake.com/products/lc/ • John the Ripper -Password cracking tool for several operating system • http://www.openwall.com/john/
Why is Password Cracking Important • Auditing the Strength of Passwords – get a clear picture of the security of passwords and what needs to be fixed • Recovering Forgotten/Unknown Passwords • Migrating Users • To use as a checks and balance system
Types of Password Attacks • Dictionary Attack • Takes a file that contains most of the words that would be used in a dictionary and uses these words to guess a user’s password • Helps if you understand your environment • Urge users not to pick passwords that can easily be derived from their environment • Brute Force Attack • If you have a fast enough computer that can try every possible combination of letters, numbers, and special characters you will eventually crack a password • If attacker knows minimum length of password they can start from there • General rule is to change password in less time than the time it would take to brute force a password
Types of Password Attacks • Distributed Attack • Attacker breaks into several sites that have large computers and use those to crack your company’s passwords • Hybrid Attack • Takes dictionary words but concatenates a couple of letters or numbers at the end • Social Engineering • Shoulder Surfing • Dumpster Diving
Windows 2000 Password Attacks • http://sysadminnews.com/sysadminnews-32-20031117DetectingPasswordAttacksonWindows.html • http://www.microsoft.com/technet/security/news/efs.mspx#XSLTsection122121120120 • How to Make Windows 2000 and NT 4 Passwords Uncrackable • http://sysopt.earthweb.com/articles/win2kpass/index.html • Hacking for Dummies • http://searchsecurity.techtarget.com/searchSecurity/downloads/HackingforDummiesCh07.pdf