CIS 450 – Network Security Chapter 8 – Password Security.

Future of Passwords
- One-time passwords: users are given a device that generates a new password at certain intervals, keyed to the authentication server
- Challenge-response schemes
- Biometrics

Password Management – Why do we need passwords?
- Passwords provide a mechanism to uniquely identify individuals and to give each of them access only to the information they need
Why do you need a password policy?
- It explains to users what is expected of them and what the company's rules regarding passwords are
- Enforcement, and the repercussions for not following the policy, should be part of the policy
- Enforcement must be consistent
- Legal reasons

Password Management – What is a strong password?
- Changes every 45 days
- Minimum length of 10 characters
- Must contain at least one letter, one number, and one special character
- Characters must be mixed throughout the password, not appended to the end
- Cannot contain dictionary words
- Cannot reuse any of the previous five passwords
- Minimum password age of ten days
- After five failed logon attempts, the account is locked out for several hours

Password Management – How do you pick strong passwords?
- Use phrases instead of words
- Pick a phrase that relates to family or personal interests
- The first letter of each word becomes a character of the password
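The phrase-to-password derivation on this slide, checked against the policy rules from the previous slide (minimum length, character classes, mixing, dictionary words, reuse of the last five). This is an added example, not code from the course; the wordlist and password history are constructed here, and the time-based rules (45-day rotation, 10-day minimum age, lockout) are out of scope for a static check.

```python
import string

# Constructed sample wordlist and password history for the demo (not from the slides).
DICTIONARY = ["password", "welcome", "summer", "network", "security"]
PREVIOUS_PASSWORDS = ["Winter2023!x", "Su#mmer2023a", "N3twork$Sec1",
                      "Qwerty!23456", "Ch4nge!Me.now"]


def passphrase_to_password(phrase):
    """Slide-style derivation: first character of each word, keeping any
    digits or punctuation attached to a word so they land mid-password."""
    parts = []
    for word in phrase.split():
        parts.append(word[0] + "".join(c for c in word[1:] if not c.isalnum()))
    return "".join(parts)


def check_password(candidate, history=PREVIOUS_PASSWORDS, dictionary=DICTIONARY):
    """Return the policy rules the candidate violates (empty list = acceptable)."""
    problems = []
    if len(candidate) < 10:
        problems.append("shorter than 10 characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in string.punctuation for c in candidate)
    if not (has_alpha and has_digit and has_special):
        problems.append("needs a letter, a digit and a special character")
    # "Mixed, not appended": if stripping trailing digits/punctuation leaves
    # nothing but letters, every non-letter was tacked onto the end.
    core = candidate.rstrip(string.digits + string.punctuation)
    if core != candidate and core.isalpha():
        problems.append("digits and special characters only appended to the end")
    lowered = candidate.lower()
    for word in dictionary:
        if word in lowered:
            problems.append("contains dictionary word: " + word)
    if candidate in history[-5:]:
        problems.append("reuses one of the previous five passwords")
    return problems


if __name__ == "__main__":
    derived = passphrase_to_password("My dog Rex was born in 2015, in Ohio!")
    print(derived, check_password(derived))          # passes: []
    print(check_password("Summer2024!"))              # appended + dictionary word
```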

Password Management – How are passwords protected?
- Cannot be stored as plain text on the system; they must be encrypted
Encryption
- The process of converting plain text into ciphertext with the goal of making it unreadable
Symmetric Encryption
- Uses a single key to both encrypt and decrypt
- Needs a secure way to exchange the key before communicating

Password Management – Encryption (continued)
Asymmetric Encryption
- Uses two keys: a public key and a private key
- The private key is known only to the owner and is not shared with anyone else
- The public key is given to anyone who wants to communicate with you
- The keys are set up to be inverses of each other: anything encrypted with the public key can only be decrypted with the private key
- No secure channel is needed to exchange keys before communicating
- Very slow
- Most systems use asymmetric encryption to initiate the session and exchange a session key, which is then used for symmetric encryption

Password Management – Encryption (continued)
Hash Functions
- Perform a one-way, irreversible transformation of the information
- Produce a fixed-length output string from the input string, with no way to determine the original input string
- To check a logon, the system takes the plain-text password, computes its hash, and compares the result to the stored hash
- A salt is used to randomize the password so that two users with the same password do not end up with the same stored hash
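The verification flow and the salt argument above, as an added example (not code from the course): two constructed accounts that chose the same password get identical unsalted hashes but different salted records, and a logon is checked by recomputing the hash from the stored salt. PBKDF2-HMAC-SHA256 from the standard library stands in for whatever hash the slide has in mind.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor: slows offline guessing against a stolen hash


def unsalted_hash(password):
    """What the slide warns against: same password -> same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, salt=None):
    """Store salt + one-way hash instead of the password. A fresh random salt
    per user means equal passwords produce unequal records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password, record):
    """Logon check: hash the typed password with the stored salt and compare
    it to the stored hash using a constant-time comparison."""
    salt_hex, stored_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), stored_hex)


# Constructed demo accounts: alice and bob happen to choose the same password.
DEMO_PASSWORD = "Tr0ub4dor&3"
DEMO_RECORDS = {
    "alice": make_record(DEMO_PASSWORD),
    "bob": make_record(DEMO_PASSWORD),
}


def same_stored_value(user_a, user_b, records=DEMO_RECORDS):
    """True only if the two users' stored records are identical."""
    return records[user_a] == records[user_b]


if __name__ == "__main__":
    print("unsalted equal:", unsalted_hash(DEMO_PASSWORD) == unsalted_hash(DEMO_PASSWORD))
    print("salted equal:  ", same_stored_value("alice", "bob"))
    print("alice logon:   ", verify(DEMO_PASSWORD, DEMO_RECORDS["alice"]))
```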

Password Attacks
Password attack
- Guessing someone's plain-text password when you only have the encrypted password
Manual method
- If the system has automatic lockout, repeated unsuccessful attempts against each account can cause a denial-of-service (DoS) condition
Automated method
- Obtain a copy of the encrypted passwords and try to crack them offline
- Use a program that goes through a list of words to see if any of them matches

Password Attack Tools
- Pwdump2: tool that obtains password hashes from the local Security Accounts Manager (SAM) database or from Active Directory
- Lsadump2: tool that exposes the contents of the Local Security Authority (LSA) in clear text
- LC5: password auditing tool that evaluates Windows NT, Windows 2000, and Windows XP password hashes
- John the Ripper: password-cracking tool for several operating systems

Why is Password Cracking Important?
- Auditing the strength of passwords: get a clear picture of how secure the passwords are and what needs to be fixed
- Recovering forgotten or unknown passwords
- Migrating users
- Serving as a checks-and-balances system

Types of Password Attacks
Dictionary Attack
- Takes a file containing most of the words found in a dictionary and uses these words to guess a user's password
- Helps if you understand your environment
- Urge users not to pick passwords that can easily be derived from their environment
Brute Force Attack
- With a computer fast enough to try every possible combination of letters, numbers, and special characters, you will eventually crack a password
- If the attacker knows the minimum password length, they can start from there
- General rule: change passwords in less time than it would take to brute-force one

Types of Password Attacks (continued)
Distributed Attack
- The attacker breaks into several sites that have large computers and uses them to crack your company's passwords
Hybrid Attack
- Takes dictionary words but concatenates a couple of letters or numbers at the end
Social Engineering
- Shoulder surfing
- Dumpster diving

Windows 2000 Password Attacks (references)
- Detecting Password Attacks on Windows
- How to Make Windows 2000 and NT 4 Passwords Uncrackable
- Hacking for Dummies, Chapter 7