Chapter 3


Presentation Transcript


  1. Chapter 3: Passwords
     • Principals authenticate to systems

  2. Basics
     • Authenticate user to machine
     • What you have: electronic device
     • What you know: password
     • Who you are: biometrics

  3. Password issues
     • Social engineering
     • Secure passwords are difficult to remember
     • Design errors
        • Mother's maiden name
     • Many passwords, many sites
        • Re-use between sites can be an issue
     • PINs: 1/3 use a birthdate
     • Many default passwords remain in systems

  4. Specific threats
     • Targeted attack on a specific account
     • Any account on a system
     • Any account on any system (in the domain)
     • Service denial attack
     • Intrusion detection systems
        • Lock account after 3 failed attempts to log in
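The lockout rule on this slide ("lock after 3 failed attempts") and the "service denial attack" bullet above it pull in opposite directions: a permanent lock lets anyone who knows a username deny that user service. The following is an added example, not part of the lecture, of a small failed-login tracker that locks at the slide's threshold but expires the lock after a fixed window; the 15-minute window, the `LoginGuard` class, and the sample event stream are assumptions for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LOCK_THRESHOLD = 3       # the slide's "3 failed attempts"
LOCK_SECONDS = 15 * 60   # assumed lockout window; the slide gives no duration


class LoginGuard:
    """Tracks consecutive failed logins per user and applies a timed lockout."""

    def __init__(self, threshold: int = LOCK_THRESHOLD, lock_seconds: int = LOCK_SECONDS):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        """True while the user's lock window is still open; expired locks are cleared."""
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = now + self.lock_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the consecutive-failure counter."""
        self.failures[user] = 0


# Constructed sample event stream: (timestamp_seconds, user, password_was_correct)
SAMPLE_EVENTS: List[Tuple[float, str, bool]] = [
    (0, "alice", False),
    (5, "alice", False),
    (9, "alice", False),     # third failure -> locked until 9 + 900 = 909
    (12, "alice", True),     # correct password, but still inside the lock window
    (30, "bob", False),      # other users are tracked independently
    (1000, "alice", True),   # lock has expired, login accepted
]


def replay(events: List[Tuple[float, str, bool]], guard: Optional[LoginGuard] = None) -> List[Tuple[float, str, str]]:
    """Run the events through the guard and return the decision for each one."""
    guard = guard or LoginGuard()
    decisions = []
    for t, user, ok in events:
        if guard.is_locked(user, t):
            decisions.append((t, user, "rejected: locked"))
            continue
        if ok:
            guard.record_success(user)
            decisions.append((t, user, "accepted"))
        else:
            locked = guard.record_failure(user, t)
            decisions.append((t, user, "locked" if locked else "failed"))
    return decisions


if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(decision)
```

Note that the fourth event is rejected even though the password is correct: that is exactly the denial-of-service cost the slide's "service denial attack" bullet refers to, bounded here by the lock window rather than requiring an administrator to unfreeze the account.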

  5. User training
     • Strong/secure password training
     • Give them food
     • The passphrase method works well
     • You must stay one step ahead of password cracking tools
        • Dictionary cracks
        • With end characters
        • With special characters
        • Brute force and time
     • Password policy

  6. Password attacks
     • Eavesdropping
     • Shoulder surfing
        • In person
        • Via camera (web cams are very small and cheap)
     • Electronically
        • Sniffing
        • Rogue programs during entry
        • Rogue hardware: keyboards, ATMs

  7. Attacks on password storage
     • Attacks via logs
     • Unencrypted password files
     • Password cracking
        • Crack for UNIX
        • L0phtcrack for Windows
     • Weak passwords
        • Spouses' names
        • Changing the password enough times to cycle back to the original

  8. Attacks on hashes
     • Distributed
     • Rainbow tables
        • Software: http://www.antsight.com/zsl/rainbowcrack/
        • Tables: http://www.plain-text.info/index/
        • Video: http://www.irongeek.com/i.php?page=videos/backtrackplaintext
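Slides 7 and 8 describe the storage-side problem (unencrypted password files, cracking tools, precomputed rainbow tables) without showing the defence. The following is an added example, not part of the lecture or any of the linked tools, contrasting an unsalted single hash with a per-user salted, iterated hash (PBKDF2 from the standard library). A rainbow table is built once for one hash function with no salt; the toy `PRECOMPUTED` dictionary below stands in for such a table and is constructed for this example. The three sample passwords, the iteration count and the record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed (rainbow) table: unsalted SHA-1 digest -> password.
WEAK_PASSWORDS = ["password", "letmein", "123456"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}


def store_unsalted(password: str) -> str:
    """The weak scheme: one plain hash, identical for every user with this password."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_precomputed(digest: str) -> Optional[str]:
    """Reverse a digest with the precomputed table; None if the table does not cover it."""
    return PRECOMPUTED.get(digest)


ITERATIONS = 200_000  # assumed work factor; raise as hardware gets faster


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus an iterated KDF; returns a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def digest_of(record: str) -> str:
    """Extract just the derived key from a salted record (what an attacker would look up)."""
    return record.split("$")[3]


if __name__ == "__main__":
    weak = store_unsalted("letmein")
    print("unsalted record reversed by table:", lookup_precomputed(weak))
    rec_a = store_salted("letmein")
    rec_b = store_salted("letmein")
    print("same password, different records:", rec_a != rec_b)
    print("table lookup on salted digest:", lookup_precomputed(digest_of(rec_a)))
    print("verify correct password:", verify_salted("letmein", rec_a))
```

Two things the output makes visible: the same password stored twice produces two different records, so a table keyed only on the password cannot be precomputed for all users at once, and the iteration count is stored alongside the hash so it can be raised later without invalidating existing records.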

  9. Consider
     • Password reuse
     • Training
     • Freeze accounts
     • How will attackers target: any account, a specific account
     • Snooped by: shoulder, network, false devices (software or hardware)
     • Current state of cracker programs

  10. Discussion articles
     • Current state of biometrics
     • Current password attacks
     • Current password crackers
     • Identity theft statistics and techniques

  11. Previous articles
     • 2002 identity theft statistics: http://www.creditinfocenter.com/identity/IDTheftStats.shtml
     • Types of identity theft, methods, and statistics: http://www.irmi.com/Expert/Articles/2005/Olson07.aspx
     • A FAQ from the Navy on Kerberos: http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
     • An article from Microsoft on how they implement Kerberos: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/pagexplained0001.asp
     • Developing strong passwords in detail, relating to the password safety discussion: http://insight.zdnet.co.uk/0,39020415,39249138,00.htm
     • Password cracking/hacking options for Windows XP and NT systems, in detail: http://www.petri.co.il/forgot_administrator_password.htm
     • Weak encryption of RFID: http://www.networkworld.com/news/2005/0317rfidcrack.html?fsrc=rss-wirelesssec
     • RFID analysis and hacks: http://rfidanalysis.org/

  12. List of resources
     • Authentication: http://en.wikipedia.org/wiki/Authentication
     • Password issues:
        • http://www.mais.umich.edu/projects/2factor_passwords.html
        • http://www.informationweek.com/story/showArticle.jhtml?articleID=171201187

  13. List of resources
     • Training:
        • http://www.microsoft.com/midsizebusiness/securityrisk.mspx
        • http://www.comptechdoc.org/independent/security/policies/password-policy.html
        • http://www.comptechdoc.org/docs/ctdp/howtopass/

  14. List of resources
     • Password attacks: http://www.windowsecurity.com/articles/Passwords-Attacks-Solutions.html
     • Kerberos: http://web.mit.edu/kerberos/
     • Threat modeling: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwawalkthrough.asp
