1. CIS 450 – Network Security Chapter 8 – Password Security

2. Future of Passwords One-time passwords – users are given a device that generates a new password at certain intervals which is keyed with the authentication server Challenge response schemes http://www.securitysa.com/Article.ASP?pklArticleI D=3014&pklIssueID=412 http://www.securitysa.com/Article.ASP?pklArticleI D=3014&pklIssueID=412 http://www.trintech.com/PRO212120150501004116 069.html http://www.trintech.com/PRO212120150501004116 069.html Biometrics

3. Password Management Why do we need passwords? Passwords provide a mechanism to uniquely identify individuals and only give access to the information they need Why do you need a password policy? Explains to the users what is expected of them and what the company’s rules are regarding them Enforcement and repercussions if not followed should be part of policy Enforcement must be consistent Legal reasons

4. Password Management What is a strong password? Changes every 45 days Minimum length of 10 characters Must contain at least one alpha, one number, and one special character Characters must be mixed and not appended to the end Can not contain dictionary words Can not reuse the previous five passwords Minimum password age of ten days After five failed logon attempts, password is locked for several hours

5. Password Management How do you pick strong passwords? Use phrases instead of words Pick a phrase that relates to family or personal interests First letter of each word becomes character in password

6. Password Management How are passwords protected? Can not be stored as plain text on the system – must be encrypted Encryption The process of converting plain text into ciphertext with the goal of making it unreadable Symmetric Encryption Uses a single key to both encrypt and decrypt Need a secure way to exchange the key prior to communicating

7. Password Management Encryption - continued Asymmetric Encryption Uses two keys: a public and a private key The private key is known only to the owner and not shared with anyone else Public key is given to anyone that wants to communicate with you Keys are set up so they are inverse of each other  Anything encrypted with public key can only be decrypted with private key Do not need a secure way to exchange keys prior to communication Very slow Most systems use asymmetric encryption to initiate session and to exchange a session key which then can be used for symmetric encryption

8. Password Management Encryption - continued Hash Functions Performs a one-way transformation of the information that is irreversible Produces a fixed length output string from the input string with no way to determine the original input string System compares takes the plain text password, computes the hash, and compares it to the stored hash. A Salt is used to randomize the password to prevent two users with the same password to have the same encrypted password

9. Password Attacks Password Attack Guessing someone’s plain text password when you only have the encrypted password Manual method If system has automatic lockout trying to access each account unsuccessfully can cause DoS attack Automated method Obtain a copy of the encrypted passwords and try to crack them offline Use a program that goes through a list of words to see if there is a match

10. Password Attack Tools Pwdump2 - Tool that can obtain password hashes from the local security accounts manager (SAM) database or the Active Directory http://www.doubleupsoftware.com/HowToGetPwdump2.asp? AfId=&affiliateid= http://www.doubleupsoftware.com/HowToGetPwdump2.asp? AfId=&affiliateid= Lsadump2 - Tool that exposes the contents of the local security authority (LSA) in clear text http://www.bindview.com/Support/RAZOR/Utilities/Windows/l sadump2_readme.cfm http://www.bindview.com/Support/RAZOR/Utilities/Windows/l sadump2_readme.cfm LC5 - Password auditing tool that evaluates Windows NT, Windows 2000, and Windows XP password hashes http://www.atstake.com/products/lc/ John the Ripper -Password cracking tool for several operating system http://www.openwall.com/john/

11. Why is Password Cracking Important Auditing the Strength of Passwords – get a clear picture of the security of passwords and what needs to be fixed Recovering Forgotten/Unknown Passwords Migrating Users To use as a checks and balance system

12. Types of Password Attacks Dictionary Attack Takes a file that contains most of the words that would be used in a dictionary and uses these words to guess a user’s password Helps if you understand your environment Urge users not to pick passwords that can easily be derived from their environment Brute Force Attack If you have a fast enough computer that can try every possible combination of letters, numbers, and special characters you will eventually crack a password If attacker knows minimum length of password they can start from there General rule is to change password in less time than the time it would take to brute force a password

13. Types of Password Attacks Distributed Attack Attacker breaks into several sites that have large computers and use those to crack your company’s passwords Hybrid Attack Takes dictionary words but concatenates a couple of letters or numbers at the end Social Engineering Shoulder Surfing Dumpster Diving

14. Windows 2000 Password Attacks http://sysadminnews.com/sysadminnews-32- 20031117DetectingPasswordAttacksonWindows.html http://sysadminnews.com/sysadminnews-32- 20031117DetectingPasswordAttacksonWindows.html http://www.microsoft.com/technet/security/news/efs. mspx#XSLTsection122121120120 http://www.microsoft.com/technet/security/news/efs. mspx#XSLTsection122121120120 How to Make Windows 2000 and NT 4 Passwords Uncrackable http://sysopt.earthweb.com/articles/win2kpass/index.ht ml http://sysopt.earthweb.com/articles/win2kpass/index.ht ml Hacking for Dummies http://searchsecurity.techtarget.com/searchSecurity/do wnloads/HackingforDummiesCh07.pdf http://searchsecurity.techtarget.com/searchSecurity/do wnloads/HackingforDummiesCh07.pdf