SlideShare una empresa de Scribd logo

8 passwordsecurity

R
richarddxd
1 de 18
Descargar para leer sin conexión
Password Security Module 8
Objectives Explain Authentication and Authorization Provide familiarity with how passwords are used Identify the importance of good password selection Examine why password policies are essential Develop guidelines for creating strong passwords Password Cracking Tools File Integrity
Authentication & Authorization Authentication The process of verifying the digital identity of the sender of a communication, such as a request to log in Establish a trust relationship between a provider of services and a consumer of services Authorization Permissions granted to an authenticated user Authorization follows Authentication http://en.wikipedia.org/wiki/Authentication
Authentication & Authorization Authentication methods Something you have (a token, a swipe card, etc.) Something you are (biometrics) Something you know (a password) Secure communication channel Authorization By policies of an organization or operational requirements Access control (Set of permissions granted ) Module 06: 4
How/Where Passwords are Used Controlling access to a resource Computers Cell Phones On-line Accounts Voicemail Medical and Benefit phone access Facility Access Automated Teller Machines (ATM) Etc.
Why Password Development is Important Passwords control access to private data and resources Attackers may capture a password file and crack it Passwords stored as hash values Cracker programs can run at their leisure Attackers may try to break into a live system If a “time-out” policy is not implemented, they could try infinite times until they succeed Many users have simple passwords or one associated with their life (profiling or social engineering can be used against them) Some systems come with default passwords
Password Cracking Techniques Brute Force – Every combination of letters, numbers, and characters possible Dictionary – Words (and combinations of words) found in a specialized dictionary Assume a password of 7 alphabet characters in length MaxCombinations = NumberAvailableCharsPasswordLength MaxCombinations = 267 = 8,031,810,176 (8 Billion) Example: A 3GHz processor, guessing 3 million passwords per second, will take approximately 45 minutes to guess the passwords http://en.wikipedia.org/wiki/Password_strength
Password Cracking Tools Free password cracking programs Linux & Windows Top 10 Tools - http://sectools.org/crackers.html John the Ripper - http://www.openwall.com/john/ ophcrack - http://ophcrack.sourceforge.net/ Windows only Cain and Abel - http://www.oxid.it/cain.html Administrators often crack password son systems they manage to identify and change weak passwords
Guidelines for Developing Passwords Strong Passwords Weak Passwords 8 or more characters long Contains your name, friends name, Have a combination of upper and favorite pet, sports team, etc. lowercase letters, numbers, and Contains publicly accessible special characters information about yourself, such Changed on a regular basis as social security number, license Easy to remember and are not numbers, phone numbers, written down address, birthdays, etc. Passphrases: Choose a line or two Words found in a dictionary of any from a song or poem and use the language first letter of each word. For Made of all numbers or all the example, “It is the East, and Juliet same letter is the Sun'' becomes “IstE,@J1tS” Never changed Not used over and over again for Written down different programs and websites Shared with others
Windows XP Set password policies to enforce strong passwords Click Start -> Control Panel -> Administrative Tools -> Local Security Policy Click the plus sign (+) to the left of Account Policies. You will see these 2 categories: Password Policy and Account Lockout Policy. Click on Password Policy
Windows XP Best Practices are stated below Enforce password history: 5 passwords This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Maximum password age: 30 to 90 days This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. Best practices state passwords should expire every 30 to 90 days, depending on the environment. This limits an attacker’s amount of time to crack a user's password and have access to network resources. Minimum password age: 5 days This security setting determines the period of time (in days) a password must be used before it can be changed. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite.
Windows XP Minimum password length: 8 characters This security setting determines the least number of characters a password may contain. The longer a password is, the harder it is for an attack to crack. Password must meet complexity requirements? Yes This security setting requires all passwords meet complexity requirements. For example, passwords must include special characters, capitalized, numeric, etc. The more complex a password, the harder for an attack to crack. Store password using reversible encryption for all users in the domain? Disable This setting allows applications using protocols that must have the user's clear text password for authentication purposes. These passwords are not really encrypted, but do use a hash to store them, essentially leaving them as vulnerable as plain text. This policy should never be enabled. Note: These are best practices for normal user accounts. Administrative level and Power Users may have more stringent settings.
Ubuntu Set password policies to enforce strong passwords Password values are controlled in the file /etc/pam.d/common- password Minimum Password Length – set to 8 By default, Ubuntu requires a minimum password length of 4 characters To adjust the minimum length to 8 characters add the ‘minlen = <x>’ parameter to the pam_unix configuration in the /etc/pam.d/common- password file Example password required pam_cracklib.so retry=3 minlen=8 difok=3
Ubuntu Password History (reuse) Create an empty /etc/security/opasswd file for storing old user passwords Set permissions to opasswd to the same as the /etc/shawdow file Enable password history by adding the “remember=<x>” to the pam_unix configuration in the /etc/pam.d/common-password file Example password required pam_unix.so md5 remember=12 use_authtok The value of the "remember" parameter is the number of old passwords to store for a user
Ubuntu Password aging parameters can be set in /etc/login.defs Password Expiration Needs a minimum and maximum password age forcing users to change their passwords when they expire PASS_MIN_DAYS – Set to 7 days Minimum number of days allowed between password changes PASS_MAX_DAYS – Set from 30 to 90 days Maximum number of days a password may be used PASS_WARN_AGE – Set to 14 days Number of days warning given before a password expires
Password Policy Best Practices Password policies are critical to the security posture of your organization Best Practices across the board Number of times a password can be reused Passwords should not be cycled more than 3 to 5 uses Password should expire/be changed Every 90 days for user account Every 30 days for an administrator account Minimum length requirement 8 characters Complexity requirements Upper and lower case, special character and numbers All passwords should be encrypted when stored Module 06: 16
Password Policy Best Practices Educate users Communicate to users that they will never be asked for their password over the phone, by the helpdesk, etc. This helps prevent social engineering attacks Make sure users do not use the same passwords for all of their login IDs Users should not write down or share passwords Module 06: 17
List of References http://en.wikipedia.org/wiki/Authentication http://www.duke.edu/~rob/kerberos/authvauth.html http://en.wikipedia.org/wiki/Password_strength http://www.computerhope.com/issues/ch000300.htm http://tigger.uic.edu/~mbird/password.html http://sectools.org/crackers.html

Recomendados

Computer software and operating system
Computer software and operating systemComputer software and operating system
Computer software and operating systemsonykhan3
 
Computer definition
Computer definitionComputer definition
Computer definitionMarivic Miole
 
Computer Programs & System Softwares
Computer Programs & System SoftwaresComputer Programs & System Softwares
Computer Programs & System SoftwaresAbijah Naresh Jumani
 
TUX Software Learning Center
TUX Software Learning CenterTUX Software Learning Center
TUX Software Learning CenterDr Thangaraju Balasubramanian
 
Security and protection
Security and protectionSecurity and protection
Security and protectionNital Shingala
 
software History
software Historysoftware History
software HistoryAvinash Avi
 
Computer Software & It's types.
Computer Software & It's types.Computer Software & It's types.
Computer Software & It's types.Mohit Dhankher
 
Introduction to computer software
Introduction to computer softwareIntroduction to computer software
Introduction to computer softwareElike Ikechukwu
 

Recomendados

Computer software and operating system
Computer software and operating systemComputer software and operating system
Computer software and operating systemsonykhan3
 
Computer definition
Computer definitionComputer definition
Computer definitionMarivic Miole
 
Computer Programs & System Softwares
Computer Programs & System SoftwaresComputer Programs & System Softwares
Computer Programs & System SoftwaresAbijah Naresh Jumani
 
TUX Software Learning Center
TUX Software Learning CenterTUX Software Learning Center
TUX Software Learning CenterDr Thangaraju Balasubramanian
 
Security and protection
Security and protectionSecurity and protection
Security and protectionNital Shingala
 
software History
software Historysoftware History
software HistoryAvinash Avi
 
Computer Software & It's types.
Computer Software & It's types.Computer Software & It's types.
Computer Software & It's types.Mohit Dhankher
 
Introduction to computer software
Introduction to computer softwareIntroduction to computer software
Introduction to computer softwareElike Ikechukwu
 
Types of software
Types of softwareTypes of software
Types of softwarejorindaevangelista
 
Firmware, Middle-ware and Software Development Life Cycle (SDLC)
Firmware, Middle-ware and Software Development Life Cycle (SDLC) Firmware, Middle-ware and Software Development Life Cycle (SDLC)
Firmware, Middle-ware and Software Development Life Cycle (SDLC) Md. Hasan Imam
 
Operating System Security
Operating System SecurityOperating System Security
Operating System SecurityRamesh Upadhaya
 
Software and its types
Software and its typesSoftware and its types
Software and its typesAhmad Hussain
 
Computer memory, Types of programming languages
Computer memory, Types of programming languagesComputer memory, Types of programming languages
Computer memory, Types of programming languagesInfinity Tech Solutions
 
Protection and Security in Operating Systems
Protection and Security in Operating SystemsProtection and Security in Operating Systems
Protection and Security in Operating Systemsvampugani
 
Os security issues
Os security issuesOs security issues
Os security issuesJOLLUSUDARSHANREDDY
 
Software and its types
Software and its typesSoftware and its types
Software and its typesGECE BADIN
 
Application Software
Application Software Application Software
Application Software Rishikesh Poorun
 
Powerpoint on Software Concept (ClassXI)
Powerpoint on Software Concept (ClassXI)Powerpoint on Software Concept (ClassXI)
Powerpoint on Software Concept (ClassXI)Fernando Torres
 
Opeating system programs
Opeating system programsOpeating system programs
Opeating system programsJotham Gadot
 
Introduction to Computer Softwares
Introduction to Computer SoftwaresIntroduction to Computer Softwares
Introduction to Computer SoftwaresNaresh Dubey
 
Software lec1
Software lec1Software lec1
Software lec1Zaman Mughal
 
Ppt softwears
Ppt softwearsPpt softwears
Ppt softwearsDynamic Research Centre & institute
 
What is software
What is softwareWhat is software
What is softwareMohamedelhassan Ismail
 
system Security
system Security system Security
system Security Gaurav Mishra
 
Lecture 3 - Processors, Memory and I/O devices
Lecture 3 - Processors, Memory and I/O devicesLecture 3 - Processors, Memory and I/O devices
Lecture 3 - Processors, Memory and I/O devicesMd. Imran Hossain Showrov
 
Protection and security of operating system
Protection and security of operating systemProtection and security of operating system
Protection and security of operating systemAbdullah Khosa
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating systemG Prachi
 
Lecture 4- Computer Software and Languages
Lecture 4- Computer Software and LanguagesLecture 4- Computer Software and Languages
Lecture 4- Computer Software and LanguagesMd. Imran Hossain Showrov
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingHajer alriyami
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy QueryGloria Stoilova
 

Más contenido relacionado

La actualidad más candente

Firmware, Middle-ware and Software Development Life Cycle (SDLC)
Firmware, Middle-ware and Software Development Life Cycle (SDLC) Firmware, Middle-ware and Software Development Life Cycle (SDLC)
Firmware, Middle-ware and Software Development Life Cycle (SDLC) Md. Hasan Imam
 
Operating System Security
Operating System SecurityOperating System Security
Operating System SecurityRamesh Upadhaya
 
Software and its types
Software and its typesSoftware and its types
Software and its typesAhmad Hussain
 
Computer memory, Types of programming languages
Computer memory, Types of programming languagesComputer memory, Types of programming languages
Computer memory, Types of programming languagesInfinity Tech Solutions
 
Protection and Security in Operating Systems
Protection and Security in Operating SystemsProtection and Security in Operating Systems
Protection and Security in Operating Systemsvampugani
 
Software and its types
Software and its typesSoftware and its types
Software and its typesGECE BADIN
 
Powerpoint on Software Concept (ClassXI)
Powerpoint on Software Concept (ClassXI)Powerpoint on Software Concept (ClassXI)
Powerpoint on Software Concept (ClassXI)Fernando Torres
 
Opeating system programs
Opeating system programsOpeating system programs
Opeating system programsJotham Gadot
 
Introduction to Computer Softwares
Introduction to Computer SoftwaresIntroduction to Computer Softwares
Introduction to Computer SoftwaresNaresh Dubey
 
Lecture 3 - Processors, Memory and I/O devices
Lecture 3 - Processors, Memory and I/O devicesLecture 3 - Processors, Memory and I/O devices
Lecture 3 - Processors, Memory and I/O devicesMd. Imran Hossain Showrov
 
Protection and security of operating system
Protection and security of operating systemProtection and security of operating system
Protection and security of operating systemAbdullah Khosa
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating systemG Prachi
 

La actualidad más candente (20)

Types of software
Types of softwareTypes of software
Types of software
 
Firmware, Middle-ware and Software Development Life Cycle (SDLC)
Firmware, Middle-ware and Software Development Life Cycle (SDLC) Firmware, Middle-ware and Software Development Life Cycle (SDLC)
Firmware, Middle-ware and Software Development Life Cycle (SDLC)
 
Operating System Security
Operating System SecurityOperating System Security
Operating System Security
 
Software and its types
Software and its typesSoftware and its types
Software and its types
 
Computer memory, Types of programming languages
Computer memory, Types of programming languagesComputer memory, Types of programming languages
Computer memory, Types of programming languages
 
Protection and Security in Operating Systems
Protection and Security in Operating SystemsProtection and Security in Operating Systems
Protection and Security in Operating Systems
 
Os security issues
Os security issuesOs security issues
Os security issues
 
Software and its types
Software and its typesSoftware and its types
Software and its types
 
Application Software
Application Software Application Software
Application Software
 
Powerpoint on Software Concept (ClassXI)
Powerpoint on Software Concept (ClassXI)Powerpoint on Software Concept (ClassXI)
Powerpoint on Software Concept (ClassXI)
 
Opeating system programs
Opeating system programsOpeating system programs
Opeating system programs
 
Introduction to Computer Softwares
Introduction to Computer SoftwaresIntroduction to Computer Softwares
Introduction to Computer Softwares
 
Software lec1
Software lec1Software lec1
Software lec1
 
Ppt softwears
Ppt softwearsPpt softwears
Ppt softwears
 
What is software
What is softwareWhat is software
What is software
 
system Security
system Security system Security
system Security
 
Lecture 3 - Processors, Memory and I/O devices
Lecture 3 - Processors, Memory and I/O devicesLecture 3 - Processors, Memory and I/O devices
Lecture 3 - Processors, Memory and I/O devices
 
Protection and security of operating system
Protection and security of operating systemProtection and security of operating system
Protection and security of operating system
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
 
Lecture 4- Computer Software and Languages
Lecture 4- Computer Software and LanguagesLecture 4- Computer Software and Languages
Lecture 4- Computer Software and Languages
 

Similar a 8 passwordsecurity

Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy QueryGloria Stoilova
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathanaminpathan11
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based SecurityRare Input
 
Email Retention Policy1.0 PurposeThe Email Retention Polic.docx
Email Retention Policy1.0 PurposeThe Email Retention Polic.docxEmail Retention Policy1.0 PurposeThe Email Retention Polic.docx
Email Retention Policy1.0 PurposeThe Email Retention Polic.docxchristinemaritza
 
Best Practices for Password Creation
Best Practices for Password CreationBest Practices for Password Creation
Best Practices for Password CreationnFront Security
 
Configurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and ComplianceConfigurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and CompliancePortalGuard
 
Epas - Enterprise Password Assessment Solution
Epas - Enterprise Password Assessment SolutionEpas - Enterprise Password Assessment Solution
Epas - Enterprise Password Assessment SolutionSeamus Hoole
 
Racf psw enhancement
Racf psw enhancementRacf psw enhancement
Racf psw enhancementLuigi Perrone
 
Problems with Password Change Lockout Periods in Password Policies
Problems with Password Change Lockout Periods in Password PoliciesProblems with Password Change Lockout Periods in Password Policies
Problems with Password Change Lockout Periods in Password PoliciesMichael J Geiser
 

Similar a 8 passwordsecurity (20)

Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
 
Ch10 system administration
Ch10 system administration Ch10 system administration
Ch10 system administration
 
Ch10
Ch10Ch10
Ch10
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
 
Lecture 4
Lecture 4Lecture 4
Lecture 4
 
Email Retention Policy1.0 PurposeThe Email Retention Polic.docx
Email Retention Policy1.0 PurposeThe Email Retention Polic.docxEmail Retention Policy1.0 PurposeThe Email Retention Polic.docx
Email Retention Policy1.0 PurposeThe Email Retention Polic.docx
 
Best Practices for Password Creation
Best Practices for Password CreationBest Practices for Password Creation
Best Practices for Password Creation
 
PASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESPASSWORD BEST PRACTICES
PASSWORD BEST PRACTICES
 
Configurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and ComplianceConfigurable Password Management: Balancing Usability and Compliance
Configurable Password Management: Balancing Usability and Compliance
 
Epas - Enterprise Password Assessment Solution
Epas - Enterprise Password Assessment SolutionEpas - Enterprise Password Assessment Solution
Epas - Enterprise Password Assessment Solution
 
Racf psw enhancement
Racf psw enhancementRacf psw enhancement
Racf psw enhancement
 
Problems with Password Change Lockout Periods in Password Policies
Problems with Password Change Lockout Periods in Password PoliciesProblems with Password Change Lockout Periods in Password Policies
Problems with Password Change Lockout Periods in Password Policies
 
IAM Password
IAM PasswordIAM Password
IAM Password
 
Securing password
Securing passwordSecuring password
Securing password
 
Opass
OpassOpass
Opass
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
 
Ch18
Ch18Ch18
Ch18
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 

Más de richarddxd

Step6 troubleshooting
Step6 troubleshootingStep6 troubleshooting
Step6 troubleshootingricharddxd
 
Step5 unzipping and installing a competition image
Step5 unzipping and installing a competition imageStep5 unzipping and installing a competition image
Step5 unzipping and installing a competition imagericharddxd
 
Step4 downloading and installing vm ware target image
Step4 downloading and installing vm ware target imageStep4 downloading and installing vm ware target image
Step4 downloading and installing vm ware target imagericharddxd
 
Step3 downloading and installing v mware player software
Step3 downloading and installing v mware player softwareStep3 downloading and installing v mware player software
Step3 downloading and installing v mware player softwarericharddxd
 
Step2 download and load 7-zip and win mds applications
Step2 download and load 7-zip and win mds applicationsStep2 download and load 7-zip and win mds applications
Step2 download and load 7-zip and win mds applicationsricharddxd
 
Step1 validation system configuration
Step1 validation system configurationStep1 validation system configuration
Step1 validation system configurationricharddxd
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurityricharddxd
 
5 howtomitigate
5 howtomitigate5 howtomitigate
5 howtomitigatericharddxd
 
4 threatsandvulnerabilities
4 threatsandvulnerabilities4 threatsandvulnerabilities
4 threatsandvulnerabilitiesricharddxd
 
3 windowssecurity
3 windowssecurity3 windowssecurity
3 windowssecurityricharddxd
 
1 introit security
1 introit security1 introit security
1 introit securityricharddxd
 

Más de richarddxd (13)

Step6 troubleshooting
Step6 troubleshootingStep6 troubleshooting
Step6 troubleshooting
 
Step5 unzipping and installing a competition image
Step5 unzipping and installing a competition imageStep5 unzipping and installing a competition image
Step5 unzipping and installing a competition image
 
Step4 downloading and installing vm ware target image
Step4 downloading and installing vm ware target imageStep4 downloading and installing vm ware target image
Step4 downloading and installing vm ware target image
 
Step3 downloading and installing v mware player software
Step3 downloading and installing v mware player softwareStep3 downloading and installing v mware player software
Step3 downloading and installing v mware player software
 
Step2 download and load 7-zip and win mds applications
Step2 download and load 7-zip and win mds applicationsStep2 download and load 7-zip and win mds applications
Step2 download and load 7-zip and win mds applications
 
Step1 validation system configuration
Step1 validation system configurationStep1 validation system configuration
Step1 validation system configuration
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurity
 
6 networking
6 networking6 networking
6 networking
 
5 howtomitigate
5 howtomitigate5 howtomitigate
5 howtomitigate
 
4 threatsandvulnerabilities
4 threatsandvulnerabilities4 threatsandvulnerabilities
4 threatsandvulnerabilities
 
3 windowssecurity
3 windowssecurity3 windowssecurity
3 windowssecurity
 
2 v mware
2 v mware2 v mware
2 v mware
 
1 introit security
1 introit security1 introit security
1 introit security
 

8 passwordsecurity

  • 2. Objectives Explain Authentication and Authorization Provide familiarity with how passwords are used Identify the importance of good password selection Examine why password policies are essential Develop guidelines for creating strong passwords Password Cracking Tools File Integrity
  • 3. Authentication & Authorization Authentication The process of verifying the digital identity of the sender of a communication, such as a request to log in Establish a trust relationship between a provider of services and a consumer of services Authorization Permissions granted to an authenticated user Authorization follows Authentication http://en.wikipedia.org/wiki/Authentication
  • 4. Authentication & Authorization Authentication methods Something you have (a token, a swipe card, etc.) Something you are (biometrics) Something you know (a password) Secure communication channel Authorization By policies of an organization or operational requirements Access control (Set of permissions granted ) Module 06: 4
  • 5. How/Where Passwords are Used Controlling access to a resource Computers Cell Phones On-line Accounts Voicemail Medical and Benefit phone access Facility Access Automated Teller Machines (ATM) Etc.
  • 6. Why Password Development is Important Passwords control access to private data and resources Attackers may capture a password file and crack it Passwords stored as hash values Cracker programs can run at their leisure Attackers may try to break into a live system If a “time-out” policy is not implemented, they could try infinite times until they succeed Many users have simple passwords or one associated with their life (profiling or social engineering can be used against them) Some systems come with default passwords
  • 7. Password Cracking Techniques Brute Force – Every combination of letters, numbers, and characters possible Dictionary – Words (and combinations of words) found in a specialized dictionary Assume a password of 7 alphabet characters in length MaxCombinations = NumberAvailableCharsPasswordLength MaxCombinations = 267 = 8,031,810,176 (8 Billion) Example: A 3GHz processor, guessing 3 million passwords per second, will take approximately 45 minutes to guess the passwords http://en.wikipedia.org/wiki/Password_strength
  • 8. Password Cracking Tools Free password cracking programs Linux & Windows Top 10 Tools - http://sectools.org/crackers.html John the Ripper - http://www.openwall.com/john/ ophcrack - http://ophcrack.sourceforge.net/ Windows only Cain and Abel - http://www.oxid.it/cain.html Administrators often crack password son systems they manage to identify and change weak passwords
  • 9. Guidelines for Developing Passwords Strong Passwords Weak Passwords 8 or more characters long Contains your name, friends name, Have a combination of upper and favorite pet, sports team, etc. lowercase letters, numbers, and Contains publicly accessible special characters information about yourself, such Changed on a regular basis as social security number, license Easy to remember and are not numbers, phone numbers, written down address, birthdays, etc. Passphrases: Choose a line or two Words found in a dictionary of any from a song or poem and use the language first letter of each word. For Made of all numbers or all the example, “It is the East, and Juliet same letter is the Sun'' becomes “IstE,@J1tS” Never changed Not used over and over again for Written down different programs and websites Shared with others
  • 10. Windows XP Set password policies to enforce strong passwords Click Start -> Control Panel -> Administrative Tools -> Local Security Policy Click the plus sign (+) to the left of Account Policies. You will see these 2 categories: Password Policy and Account Lockout Policy. Click on Password Policy
  • 11. Windows XP Best Practices are stated below Enforce password history: 5 passwords This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Maximum password age: 30 to 90 days This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. Best practices state passwords should expire every 30 to 90 days, depending on the environment. This limits an attacker’s amount of time to crack a user's password and have access to network resources. Minimum password age: 5 days This security setting determines the period of time (in days) a password must be used before it can be changed. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite.
  • 12. Windows XP Minimum password length: 8 characters This security setting determines the least number of characters a password may contain. The longer a password is, the harder it is for an attack to crack. Password must meet complexity requirements? Yes This security setting requires all passwords meet complexity requirements. For example, passwords must include special characters, capitalized, numeric, etc. The more complex a password, the harder for an attack to crack. Store password using reversible encryption for all users in the domain? Disable This setting allows applications using protocols that must have the user's clear text password for authentication purposes. These passwords are not really encrypted, but do use a hash to store them, essentially leaving them as vulnerable as plain text. This policy should never be enabled. Note: These are best practices for normal user accounts. Administrative level and Power Users may have more stringent settings.
  • 13. Ubuntu Set password policies to enforce strong passwords Password values are controlled in the file /etc/pam.d/common- password Minimum Password Length – set to 8 By default, Ubuntu requires a minimum password length of 4 characters To adjust the minimum length to 8 characters add the ‘minlen = <x>’ parameter to the pam_unix configuration in the /etc/pam.d/common- password file Example password required pam_cracklib.so retry=3 minlen=8 difok=3
  • 14. Ubuntu Password History (reuse) Create an empty /etc/security/opasswd file for storing old user passwords Set permissions to opasswd to the same as the /etc/shawdow file Enable password history by adding the “remember=<x>” to the pam_unix configuration in the /etc/pam.d/common-password file Example password required pam_unix.so md5 remember=12 use_authtok The value of the "remember" parameter is the number of old passwords to store for a user
  • 15. Ubuntu Password aging parameters can be set in /etc/login.defs Password Expiration Needs a minimum and maximum password age forcing users to change their passwords when they expire PASS_MIN_DAYS – Set to 7 days Minimum number of days allowed between password changes PASS_MAX_DAYS – Set from 30 to 90 days Maximum number of days a password may be used PASS_WARN_AGE – Set to 14 days Number of days warning given before a password expires
  • 16. Password Policy Best Practices Password policies are critical to the security posture of your organization Best Practices across the board Number of times a password can be reused Passwords should not be cycled more than 3 to 5 uses Password should expire/be changed Every 90 days for user account Every 30 days for an administrator account Minimum length requirement 8 characters Complexity requirements Upper and lower case, special character and numbers All passwords should be encrypted when stored Module 06: 16
  • 17. Password Policy Best Practices Educate users Communicate to users that they will never be asked for their password over the phone, by the helpdesk, etc. This helps prevent social engineering attacks Make sure users do not use the same passwords for all of their login IDs Users should not write down or share passwords Module 06: 17