SlideShare a Scribd company logo

Password War Games Webinar

nCircle - a Tripwire Company
nCircle - a Tripwire Company

nCircle Webinar Speaker John Alexander

Business
1 of 51
Download to read offline
Password War Games © 2012 nCircle. All Rights Reserved.
Password Basics – How Passwords are Stored ENCRYPTED PASSWORD: PASSWORD: One way Encryption bone33 6d19f07b3849a96156fe5b18733c07bb Algorithm md5 NT Hash Example: SHA-1 Account Algorithm used (1=md5 in this case) SHA-256 Salt (“R4mDH”) Blowfish jalex:$1$R4mDH$aOcFaA9.Dq6Ww2u3XmCfK/: SHA-512 14641:0:99999:7::: SHA-crypt bcrypt scrypt encrypted password © 2012 nCircle. All Rights Reserved.
Basic Password Math Character Complexity and Length Number of password • Numbers only = 10n combinations = cn • Lower case only = 26n • Mixed case = (26+26)n • Mixed case + numbers = (26+26+10)n • Mixed case + num + special = (26+26+10+30)n • All ASCII = (256)n c = number of characters in the character set, e.g. numbers = 10 n = the length of the password Special characters include the “space” character © 2012 nCircle. All Rights Reserved.
Basic Password Math Examples: 141 = 103 = 1000 cat = 263 = 17,576 Cat = (26+26)3 = 140,608 C2t = (26+26+10)3 = 238,828 #2t = (26+26+10+20)3 = 551,368 ….. thecatjumpedoutofthecup = 2623 = 3,500,000,000,000,000,000,000,000,000,000,000 Character complexity is important but Length is King!! © 2012 nCircle. All Rights Reserved.
Password Games Hackers Play Password cracking techniques: – Guessing • Lists of common passwords, personal information, default passwords – Dictionary • One or more dictionaries to include foreign dictionaries – Hybrid • One or more dictionaries (plus word lists, personal information, and rules) – Brute Force • Random passwords © 2012 nCircle. All Rights Reserved.
Quiz Question #1 What is the correct ordering of password cracking techniques from most powerful to least? a. Hybrid, Brute-Force, Guessing, Dictionary b. Dictionary, Brute-Force, Dictionary, Guessing c. Brute-Force, Dictionary, Hybrid, Guessing d. Brute-Force, Hybrid, Dictionary, Guessing © 2012 nCircle. All Rights Reserved.
Guessing Attacks © 2012 nCircle. All Rights Reserved.
Most Common Passwords • These are some standard common passwords. Common passwords are the weakest of all password types. Avoid them like the plague: Common Passwords password letmein sunshine 123456 trustno1 opensesame 12345678 dragon ashley qwerty baseball passw0rd abc123 111111 shadow monkey iloveyou 123123 1234567 master 654321 Source: Splashdata annual list of worst Internet passwords © 2012 nCircle. All Rights Reserved.
Default and Blank Passwords • Many networking devices come preconfigured with “default” passwords • Many users don’t change this default password • Example: 2Wire Router – Default login user name: admin – Default password: 2Wire © 2012 nCircle. All Rights Reserved.
Background Checks • Do Not Use Personal Information — Steer clear of personal information. If the attacker knows who you are, they will have an easier time figuring out your password if it includes information such as: – Names: Your name, Pet Names, Names of family members and friends (e.g. Joshua) – Numbers: Phone numbers, addresses, social security numbers, license plate numbers, zip codes – Dates: Birth dates / anniversary dates – Favorites: Hobbies, sports teams, movie stars, colors, wine, books, cars, … © 2012 nCircle. All Rights Reserved.
The Dictionary Attack © 2012 nCircle. All Rights Reserved.
Word Games • Do Not Use Dictionary or Recognizable Words — Words such as proper names, dictionary words, or even terms from television shows or novels – guest – quartet – hogwarts – ds-9 – obiwan – spiderman © 2012 nCircle. All Rights Reserved.
Foreign Language Words • Do Not Use Words in Foreign Languages — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is not a good practice. This includes Klingon ;-) – betenoir – bienvenido – gutenmorgen © 2012 nCircle. All Rights Reserved.
Word Lists • Dictionary attacks can be augmented by pre-built and custom word lists: – Slang – Jargon – Dirty words – Klingon, Romulan, Elvish word lists, … – Custom lists: SF 49-ers, Star Trek, Jane Austen, Marilyn Monroe word lists, rock climbing terms… © 2012 nCircle. All Rights Reserved.
Double Jeopardy • Don’t combine two words: – cathycathy – springale – realginger – elegantpresentation – scissorsauto – brokenmouse © 2012 nCircle. All Rights Reserved.
Hybrid Attacks (Augmenting the dictionary with rules) © 2012 nCircle. All Rights Reserved.
Prefixes and Postfixes • Do Not add numbers or special characters to a simple words – superman7 – nevada999 – 34phonebook – desayuno!@ – %%stockmarket © 2012 nCircle. All Rights Reserved.
Inversion/Reversal • Do Not Invert or Reverse Words — Good password checkers check for reversed words, so inverting/reversing a bad password does not make it any more secure: – etamitigel – ardnassac – nauj – 9-SD © 2012 nCircle. All Rights Reserved.
Keyboard Patterns (sequences) • Don’t use simple keyboard patterns: – 123 – 123123 – 1234567890 – qwerty – qwertyuiop – asdfghj – zaqwsx – !@#$%^&*() © 2012 nCircle. All Rights Reserved.
Character Substitutions & Leetspeak (elite speak = l33tspeak = leetspeak) Common Character Substitutions: $=S, @=A, 4=A, 1=L, 1=I, !=I, 3=E, 0=O, #=H • Examples: – PASWORD = P@$$w0rd – livefish = l!v3f1S# – ELITE = ELEET = 3L33T – n00b = newbie – Iamsurprised:-o © 2012 nCircle. All Rights Reserved.
Leetspeak Table (source: Wikipedia) © 2012 nCircle. All Rights Reserved.
Don’t Make it Up • Good password cracking programs can check many made up words using something called frequency tables. • Idea is that certain letters follow others more frequently than others in a given language • There are frequency tables for each language • Examples: – markap – yunk – quirp © 2012 nCircle. All Rights Reserved.
Quiz Question #2 What is the problem with the following password: minulauck? a. Susceptible to a dictionary cracking b. Susceptible to hybrid cracking (two words) c. Susceptible to hybrid cracking (made up word) d. Susceptible to guessing (a common word) © 2012 nCircle. All Rights Reserved.
Quiz Question #3 Which of these two passwords is weaker? a. superman56 b. Y&f2*e © 2012 nCircle. All Rights Reserved.
Brute-Force Attack © 2012 nCircle. All Rights Reserved.
Brute Force Attacks • When all else fails the cracking software will try every possible combination • Brute-force is intelligent in its search it will go in a certain order (that can be configured) • Example: – Single character, 2 character passwords, 3 character passwords, 4 digit numbers, 4 character lowercase, 4 character all character, …. © 2012 nCircle. All Rights Reserved.
Letters or Numbers Only • Do NOT use only letters or numbers: – 8675309 – miwhdd – prwlkj Length is key, but character complexity is also important in defending against Brute force attacks © 2012 nCircle. All Rights Reserved.
Loose Lips Sink Ships Password Best Practices © 2012 nCircle. All Rights Reserved.
Hide & Seek • Do Not Write Down Your Password — Never store your password on paper. Come up with a good memory scheme. © 2012 nCircle. All Rights Reserved.
The Golden Password • Do Not Use the Same Password For All Machines — i.e. This is called a gold or golden password. Crackers love them. It is important that you make separate passwords for each account. This way if one system is compromised, all of your machines/accounts/data will not be immediately at risk. © 2012 nCircle. All Rights Reserved.
Password Length • Make the Password At Least Eight Characters Long • The longer the password, the better • Most firms have a minimal acceptable length that they consider strong • Use longer passwords for more sensitive data © 2012 nCircle. All Rights Reserved.
Alphanumerics • Mix Letters and Numbers — Adding numbers to passwords, especially when added to the middle (not just at the beginning or the end), can enhance password strength. Where n = length of password Lower case alphabet = 26n combinations Alphabet + numbers = (26+10)n combinations © 2012 nCircle. All Rights Reserved.
Mixed Case • Mix Upper and Lower Case Letters — By mixing cases, you will enhance the strength of the password. Where n = length of password 26n versus (26+26)n 26 combinations of lowercase , 52 combinations of mixed case © 2012 nCircle. All Rights Reserved.
Special Sauce • Including Special characters such as &, $, #, >, … can greatly improve the strength of a password Where n = length of password Lower case only = 26n Mixed case = (26+26)n Mixed case + numbers = (26+26+10)n Mixed case + numbers + special char = (26+26+10+20)n © 2012 nCircle. All Rights Reserved.
Password Pragmatism • Pick a Password You Can Remember — The best password in the world does you little good if you cannot remember it or feel you have to write it down. • Use acronyms or other mnemonic devices to aid in memorizing passwords or use a “Password Manager” program © 2012 nCircle. All Rights Reserved.
Password Checkers vs. Password Cracking • Most password strength checkers will not discover certain types of bad passwords. • Organizations should use password cracking software as part of their audit procedures • Most password are not as sophisticated as actual password cracking programs. • Example: Procr4$tin4te i.e., a password checker might accept this password, while a good cracking program will easily break this. © 2012 nCircle. All Rights Reserved.
Quiz Question #4 How many times should you reuse a password? a. Never b. Twice c. Everywhere but your financial accounts d. Everywhere but your medical and financial accounts © 2012 nCircle. All Rights Reserved.
Password Subterfuge Snooping and Social Engineering © 2012 nCircle. All Rights Reserved.
Password Acquisition Methods (1 of 3) • Theft • Search - Passwords written down: under keyboard, on monitor, on wall, in desk drawer, under leaf of plant, under plant pot • Bribery • Coercion/Extortion/Subversion/Blackmail • Social Engineering (phishing, impersonation,…) © 2012 nCircle. All Rights Reserved.
Password Acquisition Methods (2 of 3) • Insider (admin, users, someone has access to password database) • Sniffer (to include wiretapping, rogue devices, wireless sniffing, could be insider assisted.) • Keylogger (hardware or software) • Logon spoofing (to include ATM spoofing) © 2012 nCircle. All Rights Reserved.
Password Acquisition Methods (3 of 3) • Shoulder surfing (to include hidden cameras) • Keyboard “Audio” detection • Dumpster diving • Access to password databases (safe, admin access,…) © 2012 nCircle. All Rights Reserved.
Quiz Question #5 What is the one of the most common methods that hackers use to steal passwords? a. phishing b. dumpster diving c. spamming d. breaking into your house and looking for passwords © 2012 nCircle. All Rights Reserved.
Password Counter Intelligence © 2012 nCircle. All Rights Reserved.
Policies • Password Policies – Password Use Policies • Don’t give your password to anyone • Don’t use the same password on multiple accounts • Password strength (length and character complexity) • Required use of password manager software – Logon, Aging, and Lockout Policies • Logon process should not indicate if you typed in a valid username • Delay of login response should be the same for correct and incorrect logins • Lockout policies (time and tries) • Password age • Password history © 2012 nCircle. All Rights Reserved.
Checking and Auditing • Password Checkers – Password Policy Tester – Password Defender • Password Auditing – Auditing for weak passwords using password crackers, e.g. ophcrack, John the Ripper, … – Sniffing – Physical security audits and Pen Testing © 2012 nCircle. All Rights Reserved.
Multi-Factor and Non-text Input Methods • Multiple factor authentication: – RSA tokens – Knowledge based redundancy – Smartcards – Biometrics – Location-based • Graphical passwords • Virtual keyboards © 2012 nCircle. All Rights Reserved.
Defenses • Education • Do not store or transmit passwords in the clear • Logging (login failure attempts) • Slower encryption methods (password hashing, e.g. SHA-crypt, bcrypt) • Password salts – Response to use of rainbow tables (i.e. pre-computation attacks) • Use of local parameterization • Use of password stretching (configurable iteration counts) © 2012 nCircle. All Rights Reserved.
Password Manager Example: KeePass • Easy to Use • Drag-n-drop • Hard to Get Into • Composite Master Key • Key Transformation (Stretching) • Random password Generator © 2012 nCircle. All Rights Reserved.
Personal Identifiable Information Reference • Names: (first, last, middle, maiden, hyphenated, ranks, titles), Names of relatives, friends, pets (to a lesser extent acquaintances), Nicknames • Addresses (home, addresses of relatives and friends, offices, current, old addresses, numbers, street names, city names, state names, country names) • License plate (all vehicles owned by victim to include previous vehicles) • Drivers license number (to include numbers of acquaintances) • Schools: Name of schools (elementary, middle, HS, college, fraternities, clubs) • Telephone numbers (home, cell, work, relatives, friends, office, contacts) • Social security number, account numbers, identification numbers, … • Dates: Birthday (victim, relatives, friends, pets), anniversaries (wedding, engagement, special occasion, graduation), astrological signs • Room numbers, office numbers • Clubs and military: Unit names and designations • Favorites: Colors, music groups, songs, actors/actresses, auto models, movies, books, food, wine, hobbies, sport teams,… • Web: urls of favorite sites © 2012 nCircle. All Rights Reserved.
Cloud-based network security services platform designed for small to medium enterprises nCircle PureCloud Twice the Security at Half the Cost • Enterprise-class security scanning • State-of-the-art cloud delivery • Easy to use • No hardware or software to deploy or manage © 2012 nCircle. All Rights Reserved.
Questions? Continue the conversation at http://connect.ncircle.com © 2012 nCircle. All Rights Reserved.

Recommended

Password Policies
Password PoliciesPassword Policies
Password Policiesallengalvan
 
Password Storage Sucks!
Password Storage Sucks!Password Storage Sucks!
Password Storage Sucks!nerdybeardo
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101Robert Rowley
 
Password Patterns- An Analysis
Password Patterns- An AnalysisPassword Patterns- An Analysis
Password Patterns- An AnalysisDr. Emin İslam Tatlı
 
Password Security
Password SecurityPassword Security
Password SecurityAlex Hyer
 
Угадываем пароль за минуту
Угадываем пароль за минутуУгадываем пароль за минуту
Угадываем пароль за минутуPositive Hack Days
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
How to Design Passwords
How to Design PasswordsHow to Design Passwords
How to Design PasswordsUniversity of Hertfordshire
 

Recommended

Password Policies
Password PoliciesPassword Policies
Password Policiesallengalvan
 
Password Storage Sucks!
Password Storage Sucks!Password Storage Sucks!
Password Storage Sucks!nerdybeardo
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101Robert Rowley
 
Password Patterns- An Analysis
Password Patterns- An AnalysisPassword Patterns- An Analysis
Password Patterns- An AnalysisDr. Emin İslam Tatlı
 
Password Security
Password SecurityPassword Security
Password SecurityAlex Hyer
 
Угадываем пароль за минуту
Угадываем пароль за минутуУгадываем пароль за минуту
Угадываем пароль за минутуPositive Hack Days
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
How to Design Passwords
How to Design PasswordsHow to Design Passwords
How to Design PasswordsUniversity of Hertfordshire
 
2012 03 The Death of Passwords
2012 03 The Death of Passwords2012 03 The Death of Passwords
2012 03 The Death of PasswordsRaleigh ISSA
 
Password policies
Password policiesPassword policies
Password policiesAri Elias-Bachrach
 
PASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESPASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESRazorpoint Security
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA AlgorithmJoon Young Park
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Password Management
Password ManagementPassword Management
Password ManagementRick Chin
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Cryptography (under)engineering
Cryptography (under)engineeringCryptography (under)engineering
Cryptography (under)engineeringslicklash
 
Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Mike Barker
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyAnton Dedov
 
Anton Dedov - Testing of password policy
Anton Dedov - Testing of password policyAnton Dedov - Testing of password policy
Anton Dedov - Testing of password policyDefconRussia
 
Let me in! 10 tips to better passwords
Let me in! 10 tips to better passwordsLet me in! 10 tips to better passwords
Let me in! 10 tips to better passwordsMarian Merritt
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsAhmed Habib
 
Introduction to cryptography part2-final
Introduction to cryptography part2-finalIntroduction to cryptography part2-final
Introduction to cryptography part2-finalTaymoor Nazmy
 
Security.ppt
Security.pptSecurity.ppt
Security.pptSherefHesham
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug huntingKirill Ermakov
 
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...Mail.ru Group
 
Lesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxLesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxAllanGuevarra1
 
Cryptography - Overview
Cryptography - OverviewCryptography - Overview
Cryptography - OverviewMohammed Adam
 
Computer Forensics Bootcamp
Computer Forensics BootcampComputer Forensics Bootcamp
Computer Forensics BootcampnCircle - a Tripwire Company
 
Google-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationGoogle-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationnCircle - a Tripwire Company
 

More Related Content

Similar to Password War Games Webinar

2012 03 The Death of Passwords
2012 03 The Death of Passwords2012 03 The Death of Passwords
2012 03 The Death of PasswordsRaleigh ISSA
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Password Management
Password ManagementPassword Management
Password ManagementRick Chin
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Cryptography (under)engineering
Cryptography (under)engineeringCryptography (under)engineering
Cryptography (under)engineeringslicklash
 
Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Mike Barker
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyAnton Dedov
 
Anton Dedov - Testing of password policy
Anton Dedov - Testing of password policyAnton Dedov - Testing of password policy
Anton Dedov - Testing of password policyDefconRussia
 
Let me in! 10 tips to better passwords
Let me in! 10 tips to better passwordsLet me in! 10 tips to better passwords
Let me in! 10 tips to better passwordsMarian Merritt
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsAhmed Habib
 
Introduction to cryptography part2-final
Introduction to cryptography part2-finalIntroduction to cryptography part2-final
Introduction to cryptography part2-finalTaymoor Nazmy
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug huntingKirill Ermakov
 
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...Mail.ru Group
 
Lesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxLesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxAllanGuevarra1
 
Cryptography - Overview
Cryptography - OverviewCryptography - Overview
Cryptography - OverviewMohammed Adam
 

Similar to Password War Games Webinar (20)

2012 03 The Death of Passwords
2012 03 The Death of Passwords2012 03 The Death of Passwords
2012 03 The Death of Passwords
 
Password policies
Password policiesPassword policies
Password policies
 
PASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESPASSWORD BEST PRACTICES
PASSWORD BEST PRACTICES
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Password Management
Password ManagementPassword Management
Password Management
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Cryptography (under)engineering
Cryptography (under)engineeringCryptography (under)engineering
Cryptography (under)engineering
 
Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policy
 
Anton Dedov - Testing of password policy
Anton Dedov - Testing of password policyAnton Dedov - Testing of password policy
Anton Dedov - Testing of password policy
 
Let me in! 10 tips to better passwords
Let me in! 10 tips to better passwordsLet me in! 10 tips to better passwords
Let me in! 10 tips to better passwords
 
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systems
 
Introduction to cryptography part2-final
Introduction to cryptography part2-finalIntroduction to cryptography part2-final
Introduction to cryptography part2-final
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
Lets talk about bug hunting
Lets talk about bug huntingLets talk about bug hunting
Lets talk about bug hunting
 
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...
 
Lesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptxLesson Presentation Powerful Passwords.pptx
Lesson Presentation Powerful Passwords.pptx
 
Cryptography - Overview
Cryptography - OverviewCryptography - Overview
Cryptography - Overview
 

More from nCircle - a Tripwire Company

Google-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationGoogle-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationnCircle - a Tripwire Company
 
2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey 2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey nCircle - a Tripwire Company
 
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and ActionApplying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and ActionnCircle - a Tripwire Company
 

More from nCircle - a Tripwire Company (9)

Computer Forensics Bootcamp
Computer Forensics BootcampComputer Forensics Bootcamp
Computer Forensics Bootcamp
 
Google-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationGoogle-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor Authentication
 
Continuous Monitoring 2.0
Continuous Monitoring 2.0Continuous Monitoring 2.0
Continuous Monitoring 2.0
 
2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey 2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey
 
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and ActionApplying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
 
Compliance what does security have to do with it
Compliance what does security have to do with it Compliance what does security have to do with it
Compliance what does security have to do with it
 
Security on a budget
Security on a budget Security on a budget
Security on a budget
 
nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt
 
Real world security webinar (v2012-05-30)
Real world security webinar (v2012-05-30)Real world security webinar (v2012-05-30)
Real world security webinar (v2012-05-30)
 

Recently uploaded

Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadAyesha Khan
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
IoT Insurance Observatory: summary 2024
IoT Insurance Observatory: summary 2024IoT Insurance Observatory: summary 2024
IoT Insurance Observatory: summary 2024Matteo Carbone
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxMarkAnthonyAurellano
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionMintel Group
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...ictsugar
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 

Recently uploaded (20)

Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 
IoT Insurance Observatory: summary 2024
IoT Insurance Observatory: summary 2024IoT Insurance Observatory: summary 2024
IoT Insurance Observatory: summary 2024
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted Version
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 

Password War Games Webinar

  • 1. Password War Games © 2012 nCircle. All Rights Reserved.
  • 2. Password Basics – How Passwords are Stored ENCRYPTED PASSWORD: PASSWORD: One way Encryption bone33 6d19f07b3849a96156fe5b18733c07bb Algorithm md5 NT Hash Example: SHA-1 Account Algorithm used (1=md5 in this case) SHA-256 Salt (“R4mDH”) Blowfish jalex:$1$R4mDH$aOcFaA9.Dq6Ww2u3XmCfK/: SHA-512 14641:0:99999:7::: SHA-crypt bcrypt scrypt encrypted password © 2012 nCircle. All Rights Reserved.
  • 3. Basic Password Math Character Complexity and Length Number of password • Numbers only = 10n combinations = cn • Lower case only = 26n • Mixed case = (26+26)n • Mixed case + numbers = (26+26+10)n • Mixed case + num + special = (26+26+10+30)n • All ASCII = (256)n c = number of characters in the character set, e.g. numbers = 10 n = the length of the password Special characters include the “space” character © 2012 nCircle. All Rights Reserved.
  • 4. Basic Password Math Examples: 141 = 103 = 1000 cat = 263 = 17,576 Cat = (26+26)3 = 140,608 C2t = (26+26+10)3 = 238,828 #2t = (26+26+10+20)3 = 551,368 ….. thecatjumpedoutofthecup = 2623 = 3,500,000,000,000,000,000,000,000,000,000,000 Character complexity is important but Length is King!! © 2012 nCircle. All Rights Reserved.
  • 5. Password Games Hackers Play Password cracking techniques: – Guessing • Lists of common passwords, personal information, default passwords – Dictionary • One or more dictionaries to include foreign dictionaries – Hybrid • One or more dictionaries (plus word lists, personal information, and rules) – Brute Force • Random passwords © 2012 nCircle. All Rights Reserved.
  • 6. Quiz Question #1 What is the correct ordering of password cracking techniques from most powerful to least? a. Hybrid, Brute-Force, Guessing, Dictionary b. Dictionary, Brute-Force, Dictionary, Guessing c. Brute-Force, Dictionary, Hybrid, Guessing d. Brute-Force, Hybrid, Dictionary, Guessing © 2012 nCircle. All Rights Reserved.
  • 7. Guessing Attacks © 2012 nCircle. All Rights Reserved.
  • 8. Most Common Passwords • These are some standard common passwords. Common passwords are the weakest of all password types. Avoid them like the plague: Common Passwords password letmein sunshine 123456 trustno1 opensesame 12345678 dragon ashley qwerty baseball passw0rd abc123 111111 shadow monkey iloveyou 123123 1234567 master 654321 Source: Splashdata annual list of worst Internet passwords © 2012 nCircle. All Rights Reserved.
  • 9. Default and Blank Passwords • Many networking devices come preconfigured with “default” passwords • Many users don’t change this default password • Example: 2Wire Router – Default login user name: admin – Default password: 2Wire © 2012 nCircle. All Rights Reserved.
  • 10. Background Checks • Do Not Use Personal Information — Steer clear of personal information. If the attacker knows who you are, they will have an easier time figuring out your password if it includes information such as: – Names: Your name, Pet Names, Names of family members and friends (e.g. Joshua) – Numbers: Phone numbers, addresses, social security numbers, license plate numbers, zip codes – Dates: Birth dates / anniversary dates – Favorites: Hobbies, sports teams, movie stars, colors, wine, books, cars, … © 2012 nCircle. All Rights Reserved.
  • 11. The Dictionary Attack © 2012 nCircle. All Rights Reserved.
  • 12. Word Games • Do Not Use Dictionary or Recognizable Words — Words such as proper names, dictionary words, or even terms from television shows or novels – guest – quartet – hogwarts – ds-9 – obiwan – spiderman © 2012 nCircle. All Rights Reserved.
  • 13. Foreign Language Words • Do Not Use Words in Foreign Languages — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is not a good practice. This includes Klingon ;-) – betenoir – bienvenido – gutenmorgen © 2012 nCircle. All Rights Reserved.
  • 14. Word Lists • Dictionary attacks can be augmented by pre-built and custom word lists: – Slang – Jargon – Dirty words – Klingon, Romulan, Elvish word lists, … – Custom lists: SF 49-ers, Star Trek, Jane Austen, Marilyn Monroe word lists, rock climbing terms… © 2012 nCircle. All Rights Reserved.
  • 15. Double Jeopardy • Don’t combine two words: – cathycathy – springale – realginger – elegantpresentation – scissorsauto – brokenmouse © 2012 nCircle. All Rights Reserved.
  • 16. Hybrid Attacks (Augmenting the dictionary with rules) © 2012 nCircle. All Rights Reserved.
  • 17. Prefixes and Postfixes • Do Not add numbers or special characters to a simple words – superman7 – nevada999 – 34phonebook – desayuno!@ – %%stockmarket © 2012 nCircle. All Rights Reserved.
  • 18. Inversion/Reversal • Do Not Invert or Reverse Words — Good password checkers check for reversed words, so inverting/reversing a bad password does not make it any more secure: – etamitigel – ardnassac – nauj – 9-SD © 2012 nCircle. All Rights Reserved.
  • 19. Keyboard Patterns (sequences) • Don’t use simple keyboard patterns: – 123 – 123123 – 1234567890 – qwerty – qwertyuiop – asdfghj – zaqwsx – !@#$%^&*() © 2012 nCircle. All Rights Reserved.
  • 20. Character Substitutions & Leetspeak (elite speak = l33tspeak = leetspeak) Common Character Substitutions: $=S, @=A, 4=A, 1=L, 1=I, !=I, 3=E, 0=O, #=H • Examples: – PASWORD = P@$$w0rd – livefish = l!v3f1S# – ELITE = ELEET = 3L33T – n00b = newbie – Iamsurprised:-o © 2012 nCircle. All Rights Reserved.
  • 21. Leetspeak Table (source: Wikipedia) © 2012 nCircle. All Rights Reserved.
  • 22. Don’t Make it Up • Good password cracking programs can check many made up words using something called frequency tables. • Idea is that certain letters follow others more frequently than others in a given language • There are frequency tables for each language • Examples: – markap – yunk – quirp © 2012 nCircle. All Rights Reserved.
  • 23. Quiz Question #2 What is the problem with the following password: minulauck? a. Susceptible to a dictionary cracking b. Susceptible to hybrid cracking (two words) c. Susceptible to hybrid cracking (made up word) d. Susceptible to guessing (a common word) © 2012 nCircle. All Rights Reserved.
  • 24. Quiz Question #3 Which of these two passwords is weaker? a. superman56 b. Y&f2*e © 2012 nCircle. All Rights Reserved.
  • 25. Brute-Force Attack © 2012 nCircle. All Rights Reserved.
  • 26. Brute Force Attacks • When all else fails the cracking software will try every possible combination • Brute-force is intelligent in its search it will go in a certain order (that can be configured) • Example: – Single character, 2 character passwords, 3 character passwords, 4 digit numbers, 4 character lowercase, 4 character all character, …. © 2012 nCircle. All Rights Reserved.
  • 27. Letters or Numbers Only • Do NOT use only letters or numbers: – 8675309 – miwhdd – prwlkj Length is key, but character complexity is also important in defending against Brute force attacks © 2012 nCircle. All Rights Reserved.
  • 28. Loose Lips Sink Ships Password Best Practices © 2012 nCircle. All Rights Reserved.
  • 29. Hide & Seek • Do Not Write Down Your Password — Never store your password on paper. Come up with a good memory scheme. © 2012 nCircle. All Rights Reserved.
  • 30. The Golden Password • Do Not Use the Same Password For All Machines — i.e. This is called a gold or golden password. Crackers love them. It is important that you make separate passwords for each account. This way if one system is compromised, all of your machines/accounts/data will not be immediately at risk. © 2012 nCircle. All Rights Reserved.
  • 31. Password Length • Make the Password At Least Eight Characters Long • The longer the password, the better • Most firms have a minimal acceptable length that they consider strong • Use longer passwords for more sensitive data © 2012 nCircle. All Rights Reserved.
  • 32. Alphanumerics • Mix Letters and Numbers — Adding numbers to passwords, especially when added to the middle (not just at the beginning or the end), can enhance password strength. Where n = length of password Lower case alphabet = 26n combinations Alphabet + numbers = (26+10)n combinations © 2012 nCircle. All Rights Reserved.
  • 33. Mixed Case • Mix Upper and Lower Case Letters — By mixing cases, you will enhance the strength of the password. Where n = length of password 26n versus (26+26)n 26 combinations of lowercase , 52 combinations of mixed case © 2012 nCircle. All Rights Reserved.
  • 34. Special Sauce • Including Special characters such as &, $, #, >, … can greatly improve the strength of a password Where n = length of password Lower case only = 26n Mixed case = (26+26)n Mixed case + numbers = (26+26+10)n Mixed case + numbers + special char = (26+26+10+20)n © 2012 nCircle. All Rights Reserved.
  • 35. Password Pragmatism • Pick a Password You Can Remember — The best password in the world does you little good if you cannot remember it or feel you have to write it down. • Use acronyms or other mnemonic devices to aid in memorizing passwords or use a “Password Manager” program © 2012 nCircle. All Rights Reserved.
  • 36. Password Checkers vs. Password Cracking • Most password strength checkers will not discover certain types of bad passwords. • Organizations should use password cracking software as part of their audit procedures • Most password are not as sophisticated as actual password cracking programs. • Example: Procr4$tin4te i.e., a password checker might accept this password, while a good cracking program will easily break this. © 2012 nCircle. All Rights Reserved.
  • 37. Quiz Question #4 How many times should you reuse a password? a. Never b. Twice c. Everywhere but your financial accounts d. Everywhere but your medical and financial accounts © 2012 nCircle. All Rights Reserved.
  • 38. Password Subterfuge Snooping and Social Engineering © 2012 nCircle. All Rights Reserved.
  • 39. Password Acquisition Methods (1 of 3) • Theft • Search - Passwords written down: under keyboard, on monitor, on wall, in desk drawer, under leaf of plant, under plant pot • Bribery • Coercion/Extortion/Subversion/Blackmail • Social Engineering (phishing, impersonation,…) © 2012 nCircle. All Rights Reserved.
  • 40. Password Acquisition Methods (2 of 3) • Insider (admin, users, someone has access to password database) • Sniffer (to include wiretapping, rogue devices, wireless sniffing, could be insider assisted.) • Keylogger (hardware or software) • Logon spoofing (to include ATM spoofing) © 2012 nCircle. All Rights Reserved.
  • 41. Password Acquisition Methods (3 of 3) • Shoulder surfing (to include hidden cameras) • Keyboard “Audio” detection • Dumpster diving • Access to password databases (safe, admin access,…) © 2012 nCircle. All Rights Reserved.
  • 42. Quiz Question #5 What is the one of the most common methods that hackers use to steal passwords? a. phishing b. dumpster diving c. spamming d. breaking into your house and looking for passwords © 2012 nCircle. All Rights Reserved.
  • 43. Password Counter Intelligence © 2012 nCircle. All Rights Reserved.
  • 44. Policies • Password Policies – Password Use Policies • Don’t give your password to anyone • Don’t use the same password on multiple accounts • Password strength (length and character complexity) • Required use of password manager software – Logon, Aging, and Lockout Policies • Logon process should not indicate if you typed in a valid username • Delay of login response should be the same for correct and incorrect logins • Lockout policies (time and tries) • Password age • Password history © 2012 nCircle. All Rights Reserved.
  • 45. Checking and Auditing • Password Checkers – Password Policy Tester – Password Defender • Password Auditing – Auditing for weak passwords using password crackers, e.g. ophcrack, John the Ripper, … – Sniffing – Physical security audits and Pen Testing © 2012 nCircle. All Rights Reserved.
  • 46. Multi-Factor and Non-text Input Methods • Multiple factor authentication: – RSA tokens – Knowledge based redundancy – Smartcards – Biometrics – Location-based • Graphical passwords • Virtual keyboards © 2012 nCircle. All Rights Reserved.
  • 47. Defenses • Education • Do not store or transmit passwords in the clear • Logging (login failure attempts) • Slower encryption methods (password hashing, e.g. SHA-crypt, bcrypt) • Password salts – Response to use of rainbow tables (i.e. pre-computation attacks) • Use of local parameterization • Use of password stretching (configurable iteration counts) © 2012 nCircle. All Rights Reserved.
  • 48. Password Manager Example: KeePass • Easy to Use • Drag-n-drop • Hard to Get Into • Composite Master Key • Key Transformation (Stretching) • Random password Generator © 2012 nCircle. All Rights Reserved.
  • 49. Personal Identifiable Information Reference • Names: (first, last, middle, maiden, hyphenated, ranks, titles), Names of relatives, friends, pets (to a lesser extent acquaintances), Nicknames • Addresses (home, addresses of relatives and friends, offices, current, old addresses, numbers, street names, city names, state names, country names) • License plate (all vehicles owned by victim to include previous vehicles) • Drivers license number (to include numbers of acquaintances) • Schools: Name of schools (elementary, middle, HS, college, fraternities, clubs) • Telephone numbers (home, cell, work, relatives, friends, office, contacts) • Social security number, account numbers, identification numbers, … • Dates: Birthday (victim, relatives, friends, pets), anniversaries (wedding, engagement, special occasion, graduation), astrological signs • Room numbers, office numbers • Clubs and military: Unit names and designations • Favorites: Colors, music groups, songs, actors/actresses, auto models, movies, books, food, wine, hobbies, sport teams,… • Web: urls of favorite sites © 2012 nCircle. All Rights Reserved.
  • 50. Cloud-based network security services platform designed for small to medium enterprises nCircle PureCloud Twice the Security at Half the Cost • Enterprise-class security scanning • State-of-the-art cloud delivery • Easy to use • No hardware or software to deploy or manage © 2012 nCircle. All Rights Reserved.
  • 51. Questions? Continue the conversation at http://connect.ncircle.com © 2012 nCircle. All Rights Reserved.