passwords and password cracking n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Passwords and Password Cracking PowerPoint Presentation
Download Presentation
Passwords and Password Cracking

Loading in 2 Seconds...

play fullscreen
1 / 13

Passwords and Password Cracking - PowerPoint PPT Presentation


  • 101 Views
  • Uploaded on

Passwords and Password Cracking. Borrowed from the CLICS group. Authentication vs. Authorization. Authentication Proving you are who you say you are Tools: passwords, biometrics Authorization

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Passwords and Password Cracking' - amos


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
passwords and password cracking

Passwords and Password Cracking

Borrowed from the CLICS group.

authentication vs authorization
Authentication vs. Authorization
  • Authentication
    • Proving you are who you say you are
    • Tools: passwords, biometrics
  • Authorization
    • Given who you say you are, do you have privilege to do a particular action / affect a particular object?
    • Tools: access control lists, privileges
password security policy issues
Password Security/Policy Issues
  • Length
  • Required Characters (Letters, Letters plus Digits, Letters plus Digits plus Special Chars, etc.
  • Prohibited Constructs (e.g. Dictionary Words)
  • User Changeability (Require/Prevent User From Changing)
    • How often?
  • How password remembered (memory, written, on system, etc.)
classic techniques
Classic Techniques
  • Try all possible passwords
    • Difficult, as most systems disconnect after small number of attempts, lock out after more
  • Break the encryption scheme
    • Difficult with current one-way encryption methods
  • Find password file and compare encrypted passwords
    • Linux - /etc/passwd, world-readable, but passwords encrypted
    • Line from unshadowed /etc/passwd:
      • wagnerpj:3#aVu5O1:2510:10::/home/pjw:/bin/tcsh
    • Linux (better) – use shadow password file /etc/shadow, with only system access (content as on line above)
    • Line from shadowed /etc/passwd:
      • wagnerpj:x:2510:10::/home/pjw:/bin/tcsh
    • Run password cracker program, compare encrypted versions of possible passwords from sample file with actual encrypted passwords in file
    • Another technique: search for certain patterns (e.g. !! => no password set)
      • E.g. grep ‘!!’ /etc/passwd
possible password sources
Possible Password Sources
  • Regular dictionary
  • Special cracker dictionary
    • Common phrases, names, bands, slang, expletives, etc.
  • Combinations of relevant numbers and constructs from above sources
  • Knowledge about user
comparison re length content
Comparison re: Length/Content
  • 6 chars, Letters (52 upper and lower)
    • 52^6 = 19.7 billion possibilities
    • Easier to crack
  • 8 chars, Letters plus Digits plus Special (approximately 82 characters)
    • 82^8 = 2 quadrillion possibilities
    • 100,000 times harder (longer) to crack
enforcing password policies linux
Enforcing Password Policies - Linux
  • System utilities
    • passwd
    • npasswd (replacement for passwd)
    • File: /etc/login.defs
  • 3rd party tools
enforcing password policies windows
Enforcing Password Policies - Windows
  • Windows System – Group Policy Editor
    • Start/Run: gpedit.msc
      • Computer Configuration
      • Windows Settings
      • Security Settings
      • Account Policies
      • Password Policy
    • Items to control: keep password history, min and max age, min and max length, complexity requirement, encryption
defensive issues
Defensive Issues
  • Weakest Link Theory
    • One weak password on system jeopardizes other users, system
    • Security officer should check all passwords periodically to make sure there aren’t potential problems
      • What to do if find problems?
        • Notify users
        • Lock out accounts
password encryption techniques and tools linux
Password Encryption Techniques and Tools - Linux
  • Crypt – tool for encrypting many passwords under Unix/Linux
    • Based on Data Encryption Standard (DES)
  • PAM – Pluggable Authentication Modules
    • Supports dynamic configuration of authentication for multiple applications
password encryption techniques and tools windows
Password Encryption Techniques and Tools - Windows
  • Passwords stored in protected part of registry (SAM file)
  • rdisk command – can back up SAM
  • Password crackers can analyze this backup file
  • Other tools can extract the password information directly
    • E.g. SAMInside
password cracking tools
Password Cracking Tools
  • Linux
    • John the Ripper ( http://www.openwall.com/john/ )
    • crack ( http://www.crypticide.org/users/alecm/ )
    • L0phtCrack (http://www.evadenet.com/downloads/lophtcrack.shtml )
  • Windows
    • John the Ripper (see above)
    • SamInside (http://www.insidepro.com )
  • Functionality
    • Check word lists against password files
    • Increasing support for cracking other types of passwords; e.g. mySQL (database management system), LDAP (network directory)
account management
Account Management
  • Related issue
  • Need to monitor accounts
    • If no longer needed, remove them
    • Periodically check for unused accounts, remove them
  • Need policy for abuse of accounts (e.g. not maintaining password secrecy)