Date posted: 05-Jan-2016 | Category: Documents | Uploaded by: mitchell-harper
Password Security
Overview
• What are passwords, why are they used?
• Different types of attacks
• Bad password practices to avoid
• Good password practices
• How to create a secure password
What are passwords?
• Secret combination of characters that only a user should know.
• "Passwords are a compromise between security and convenience"
• Password security is used to protect information while still making it easy to provide that information to authorized users.
How are Passwords Compromised?
• Brute force Attack
• Dictionary Attack
• Hybrid Attack
• Social Engineering
Brute Force Attack
• Most widely used method of cracking passwords
• Every combination of every character is tried until the password is found
• The password is guaranteed to be found eventually
• The longer the password, the longer it will take to crack
• E.g. a password that is 2 chars long, case sensitive, and consists of letters and numbers:
* First char: lower case letters (26) + upper case letters (26) + numbers (10) = 62
* Second char: same as first = 62
* Total permutations: 62 * 62 = 3,844
Time to Crack Passwords using Brute Force
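The slide's 62 * 62 = 3,844 figure generalises to n ** length, and the time to exhaust that keyspace depends on how fast an attacker can guess. The following calculator is an added example, not part of the original slides: the character-class sizes follow the slide's count, while the symbol count (32) and the guess rates are constructed assumptions chosen to show the difference between a rate-limited login form and an offline attack on a fast hash.

```python
import math

# Added example, not from the original slides. 26 + 26 + 10 = 62 follows the
# slide; the symbol count (32) is an assumption.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

# Constructed guess rates (guesses per second), for illustration only.
GUESS_RATES = {
    "online, rate-limited login": 10,
    "offline, slow hash (bcrypt-like)": 10_000,
    "offline, fast hash (MD5-like)": 10_000_000_000,
}


def alphabet_size(classes):
    """Distinct characters available at each position."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(classes, length):
    """Number of passwords of exactly `length` characters: n ** length."""
    return alphabet_size(classes) ** length


def cumulative_keyspace(classes, max_length):
    """Passwords of length 1..max_length; an attacker tries the short ones first."""
    n = alphabet_size(classes)
    return sum(n ** k for k in range(1, max_length + 1))


def entropy_bits(classes, length):
    """Keyspace expressed as bits, the usual way to compare policies."""
    return length * math.log2(alphabet_size(classes))


def worst_case_seconds(classes, length, guesses_per_second):
    """Time to try every password of this length at a constant guess rate."""
    return keyspace(classes, length) / guesses_per_second


def human_duration(seconds):
    """Render seconds as the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_table(classes, lengths=(2, 6, 8, 12)):
    """Worst-case crack time per length and attacker scenario."""
    rows = []
    for length in lengths:
        for label, rate in GUESS_RATES.items():
            rows.append((length, label,
                         human_duration(worst_case_seconds(classes, length, rate))))
    return rows


if __name__ == "__main__":
    classes = ("lower", "upper", "digit")
    print(f"alphabet {alphabet_size(classes)}, 2-char keyspace {keyspace(classes, 2):,}")
    for length, label, duration in crack_time_table(classes):
        print(f"{length:>2} chars  {label:<34} {duration}")
```

The table makes the slide's point concrete: adding one character multiplies the work by the alphabet size, so length matters more than any single special character, and the same password that survives for years against a throttled login can fall in seconds once a fast hash is being attacked offline.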
Dictionary Attack
• Uses a list of common values or words
• "Dictionary" is uploaded to a cracking app
• Words run against passwords
• Intended to narrow field of possible password values
• Succeeds if the password is a single, easily predictable word
• Easy to defeat (e.g. adding a single random character in the middle of the word)
Hybrid Attack
• Combines Brute Force and Dictionary Attack
• Checks all words in the dictionary along with their variations
• Noticeably slower than a dictionary attack
* Common: Integrates dictionary words with common mutations
* Dates: Combines dictionary attack with dates in various formats
* Numbers: Mixes dictionary words with various number combinations
Social Engineering
• Use of social skills to convince people to reveal access credentials or other valuable information
• People are the easiest way to get information
• Posing as someone else to gain access to a system
• Stroking someone's ego to get them to reveal information or passwords
• Use of authority to get information from someone
Social Engineering Example
http://www.youtube.com/watch?v=ZQDyCRHptbU
Kevin Mitnick social engineering example
What is a safe password?
• Basic goal of a secure password is one that is easy for YOU to remember but hard for someone else to find out
• Long complicated passwords are not always the best solution
• E.g. : random password like !$fjDd&^fw43_f%@+
• Will you really be able to memorize that?
Problems with Complicated Passwords
If a password is too complicated and hard to remember, you are likely to:
• Write it down
• Need password resets
• Use the complicated password in many places
• A password is only as secure as the weakest system you use it on.
Easy to remember, easy to guess
• Your birthday
• City you live in / were born in
• Your boyfriend / girlfriend
• Pets' names
• Family members' names
• Any favorite thing (e.g. favorite team)
• Student ID
– Avoid any information, numbers, or words that anyone can associate with you
Easy to remember, hard to guess
• Birthday of a famous person
• City your grandpa was born in
• Any information that means something to you, but that friends or family would not know
Bad Practices
• DO NOT write down your passwords
• DO NOT share your password with anyone
• DO NOT use any personal information
• DO NOT use word or number patterns (e.g. "aaabbb", "qwerty" "123321", etc. )
Good Practices
• Minimum length of 8 characters
• Use numeric characters (0-9)
• Use upper and lower case
• Use special characters (e.g. ! ? & # * )
• Use passphrases
Pass Phrases to Create Passwords
1. Think of a phrase or sentence that's easy for you to remember.
– Example: "Making passwords is easy when you follow these 5 steps"
2. Turn your sentence or phrase into a password.
- Take the first letter of each word in your sentence to create a password
- Example: "mpiewyft5s"
Pass Phrases Continued...
3. Make your password complex by using special characters and upper and lowercase.
- For instance, substitute "i" with "!" , "e" with "3" and "s" with "$"
- "mpiewyft5s" becomes "Mp!3wYft53$"
4. Consider testing your password with a password checker, which will rate your password on strength, complexity, length, etc.
Pass Phrases Continued...
5. Change your passwords at least every 90 days and do not "recycle" passwords, i.e. do not use old passwords again or slightly modify your existing password.
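Steps 1 to 5 above describe a mechanical procedure, so here it is carried through in code. This is an added example, not code from the original slides: `phrase_to_base` implements step 2 (first character of each word), `complicate` applies the three substitutions the slide lists for step 3 plus an assumed capitalisation rule (every fifth letter, which reproduces the slide's capital M and Y), and `is_recycled` implements the step 5 rule that a new password must not be an old one or a slight modification of it. Applying the three substitutions literally to "mpiewyft5s" yields "Mp!3wYft5$", one character shorter than the slide's printed result.

```python
import re

# Substitutions from step 3 of the slides.
SUBSTITUTIONS = {"i": "!", "e": "3", "s": "$"}


def phrase_to_base(phrase):
    """Step 2: first character of each word, lower-cased; numbers stay digits."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    return "".join(w[0].lower() for w in words)


def complicate(base, capitalize_every=5):
    """Step 3: apply the substitutions, then upper-case every Nth letter
    (the capitalisation rule is an assumption, not stated on the slides)."""
    out = []
    for idx, ch in enumerate(base):
        if ch in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[ch])
        elif ch.isalpha() and idx % capitalize_every == 0:
            out.append(ch.upper())
        else:
            out.append(ch)
    return "".join(out)


def passphrase_password(phrase, capitalize_every=5):
    """Steps 1-3 end to end."""
    return complicate(phrase_to_base(phrase), capitalize_every)


def edit_distance(a, b):
    """Levenshtein distance, used to detect 'slightly modified' passwords."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def is_recycled(new_password, old_passwords, max_distance=2):
    """Step 5: reject an old password, the same one with a new number on the
    end, or anything within `max_distance` edits of a previous password."""
    def strip(s):
        return re.sub(r"\d+$", "", s.lower())
    for old in old_passwords:
        if strip(new_password) == strip(old):
            return True
        if edit_distance(new_password, old) <= max_distance:
            return True
    return False


if __name__ == "__main__":
    phrase = "Making passwords is easy when you follow these 5 steps"
    base = phrase_to_base(phrase)
    final = complicate(base)
    print(f"{phrase!r} -> {base!r} -> {final!r}")
    print("recycled?", is_recycled(final + "2", [final]))   # same password plus a digit
```

The recycling check is the part people skip: "Mp!3wYft5$2" differs from the old password by one edit, which is exactly the kind of change an attacker holding a leaked old password tries first, so the system should treat it as the same password.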
Conclusion
• Be aware of different attacks, and how they are used to crack passwords
• Do not fall for social engineering!
• The basic goal of a secure password is one that is easy for YOU to remember but hard for someone else to find out
• Use pass phrases to create secure passwords
• Check the strength of your passwords
• Change passwords often
Questions?