Password Policies

  1. Page 1 of 7
     Name: Allen Galvan
     Due: 8 November 2005
     CSFI 214: Information Security Systems Analysis – Fall 2005
     Lab #2: Passwords
     Last printed 11/8/2005 0:09:00
  2. Page 2 of 7
     The Password Lab Goals (p. 3)
     Exercise 1 (Policies) (p. 3)
     Addendum on Password Policies (p. 3)
     Techniques for Strong Easy-to-Remember Passwords (p. 3)
     Machine-Generated Password Strength (p. 4)
     Diceware Creating Passphrases (p. 4)
     Conclusions on Machine-Generated Passwords versus Human-Generated Passwords (p. 5)
     Password Safe (p. 6)
  3. Page 3 of 7
     The Password Lab Goals
     The goals of this Password lab are:
     - To become familiar with password policies.
     - To develop skills creating memorable, strong passwords.
     - To understand what makes a weak password.
     - To become familiar with a variety of password cracking tools.

     Exercise 1 (Policies)
     - List at least 10 common characteristics among the different policies.
       - For example, password length tends to be 8 or more characters.
       - All system-level (root, enable, NT admin, application administration accounts, and so on) passwords must be changed at least on a quarterly basis.
       - Passwords should be unique to previous passwords.
       - Passwords should not be shared. If a password must be shared for tech support purposes, it must be changed as soon as is practical.
       - Do not base passwords on personal information.
       - Create passwords that are easy to remember.
       - Do not use passwords that are dictionary words.
       - Don't reveal any passwords in an email.
       - Passwords should never be written down or stored online.
       - Strong passwords should have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=`{}[]:";'<>?,./)
       - Do not reveal your password to your boss.
     - What are some differences between the various policies?
       - One difference is that the company name is different and for each respective company, that particular company name should be used as a password.
       - Some companies want their employees to change their passwords at least quarterly versus semi-annually.

     Addendum on Password Policies
     This chart is to be included in the Lab 3 Passwords report. After having read through a number of password policies, I'd like you to come up with a reasonable and practical set of password policies for the various types of accounts in the spreadsheet. Remember, not all accounts are alike. Some have greater security requirements than others, and you need to secure them in proportion to the risk.
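     The common policy rules listed in Exercise 1 (minimum length, no dictionary words, no reuse, not based on the company name) plus the "at least two character classes" rule the corporate checker applies later in the lab can be expressed as one validation routine. The following is an added example, not part of the original lab report; the tiny dictionary, the special-character set and the `company` parameter are constructed assumptions.

```python
import re

# Constructed mini dictionary; a real deployment would load a full word list
# and the account's stored password history instead of these literals.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}
# Punctuation set taken from the policy text quoted in Exercise 1.
SPECIALS = set("!@#$%^&*()_+|~-=`{}[]:\";'<>?,./")

def check_policy(password, company="", previous=(), min_length=8):
    """Return the list of policy rules a candidate password violates.

    An empty list means the candidate passes every rule checked here.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    # "summer1" is still a dictionary word with a digit bolted on, so strip
    # trailing digits before the lookup.
    if re.sub(r"\d+$", "", lowered) in DICTIONARY:
        problems.append("is a dictionary word")
    if company and company.lower() in lowered:
        problems.append("contains the company name")
    if password in previous:
        problems.append("reuses a previous password")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])
    if classes < 2:
        problems.append("needs at least two of: upper case, digits, special characters")
    return problems

if __name__ == "__main__":
    for candidate in ("summer1", "Acme2005!", "Tr0ub4dor&3"):
        print(candidate, "->", check_policy(candidate, company="Acme",
                                              previous=("Acme2005!",)))
```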
     Techniques for Strong Easy-to-Remember Passwords
  4. Page 4 of 7
     Machine-Generated Password Strength
     - Does the testing tool accurately gauge the strength of the passwords?
       - The testing tool seems to accurately gauge the strength of the passwords. Simple passwords are character and numeric patterns or dictionary words. The tool indicated stronger passwords when special characters and random characters are chosen.
     - What observations can you make about the strength of the different kinds of passwords?
       - Which kinds of passwords are strongest?
         - Longer passwords are stronger.
         - Pass-phrases are stronger.
         - K3wl on passwords are stronger.
       - Which kinds of passwords are weakest?
         - Shorter passwords are weaker.
         - Dictionary words are weaker.
     - How does length affect the strength?
       - Longer passwords are stronger.
     - How does complexity affect the strength?
       - Complex and random passwords are stronger.
     - How does length affect your ability to remember the password?
       - The longer the password is, the harder it is to remember it.
     - How does complexity affect your ability to remember the password?
       - Complex passwords are harder to remember.

     Diceware Creating Passphrases
     Diceware is a method for picking passphrases. These passphrases may then be used as a password. Dice are used to specify a sequence of random numbers that are in turn used to specify individual words that ultimately describe a pass phrase.

     What are your 3, 4, and 5 word passphrases using the Diceware method?

     61315 tiaga
     52462 rw
     51516 regis
     Pass phrase: taiga rw regsi
     Strength: 6
     Comments: Your password does not meet Corporate password standards for the following reason(s):
  5. Page 5 of 7
     1) The password needs at least two of the following: upper case letters, special characters, and numbers.

     32514 heave
     61263 timid
     41463 manama
     41361 mace
     Pass phrase: heave timid Manama mace
     Strength: 10
     Comments: Your password meets Corporate password standards, but can be improved in the following way(s): Could use some numeric chars

     26546 galen
     12333 any
     66162 900
     43634 norm
     22341 dante
     Pass phrase: galen any 900 norm dante
     Strength: 10
     Comments: Your password meets Corporate password standards, but can be improved in the following way(s): Could use some uppercase chars

     Are the above passphrases easy to remember?
     - The longer the passphrases are, the harder they are to remember.
     - The shorter the passphrases are, the easier they are to remember.
     - But generally, since the words of the passphrases are random, if one does not employ good memorization skills or as time increases, these passphrases may be harder to remember. Memorization works well with "catchy" phrases remembered by acronyms. Maybe this technique would be well suited for a doctor or a Russian. These people remember long complex character-stringed words.

     Do you think the password strength assessor is accurate?
     - Generally, it seems logical that the longer the passwords are, the stronger they would be, & this was consistent with the password strength assessor.
     - But I was a little surprised. I thought the passwords were strong, since they were hard to remember and sequential random words; but the password strength assessor indicated that the shorter passphrases were weaker than the longer passphrases.

     Conclusions on Machine-Generated Passwords versus Human-Generated Passwords
     How did the machine-generated passwords compare to the human-generated passwords?
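     The Diceware procedure described above (five dice rolls select one word from a 7776-entry list) and the observation that longer passphrases score higher can be made concrete by computing the guessing entropy of the 3-, 4- and 5-word passphrases. This is an added example, not part of the lab report or the Diceware project; the toy word list contains only the twelve rolls that appear in the report, and `secrets` stands in for physical dice.

```python
import math
import secrets

# Constructed toy word list keyed by five-dice rolls. A real Diceware list has
# 6**5 = 7776 entries (11111..66666); only the rolls from the report are here.
TOY_WORDLIST = {
    "61315": "taiga", "52462": "rw", "51516": "regis",
    "32514": "heave", "61263": "timid", "41463": "manama", "41361": "mace",
    "26546": "galen", "12333": "any", "66162": "900", "43634": "norm",
    "22341": "dante",
}
LIST_SIZE = 6 ** 5  # number of equally likely words per roll in a full list

def roll_word_key(rng=secrets.randbelow):
    """Roll five dice with a CSPRNG; the result is the lookup key, e.g. '32514'."""
    return "".join(str(rng(6) + 1) for _ in range(5))

def lookup(rolls, wordlist=TOY_WORDLIST):
    """Map a sequence of five-digit rolls to words; unknown rolls raise KeyError."""
    return [wordlist[r] for r in rolls]

def passphrase_entropy_bits(word_count, list_size=LIST_SIZE):
    """Each word is one of list_size equiprobable choices, so entropy adds per word."""
    return word_count * math.log2(list_size)

def generate(word_count, wordlist):
    """Roll a full passphrase; requires a complete 7776-entry word list."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("Diceware needs a word for every possible roll")
    return " ".join(lookup([roll_word_key() for _ in range(word_count)], wordlist))

if __name__ == "__main__":
    # Reproduce the report's 4-word passphrase from its recorded rolls.
    print(" ".join(lookup(["32514", "61263", "41463", "41361"])))
    for n in (3, 4, 5):
        print(f"{n} words: {passphrase_entropy_bits(n):.1f} bits")
```
     Note that the entropy figure depends only on the word count and list size, not on whether a word happens to contain digits or capitals, which is why a strength meter that rewards "numeric chars" is measuring something different from guessing resistance.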
  6. Page 6 of 7
     - Which are stronger?
       - Machine-generated words seemed to translate into stronger passwords and passphrases.
       - Human-generated words were easier to remember, but generally seemed weaker. The strongest human-generated password was a random 5-word passphrase. This would be harder to remember.
     - Which are easier to remember?
       - Machine-generated passwords and passphrases were harder to remember.
       - Some human-generated passwords and passphrases were easier to remember, but weaker passwords.
       - The random passphrase was a strong password passphrase, but harder to remember.

     How did Diceware-generated passphrases compare to machine-generated and human-generated passwords?
     - Which are stronger?
       - The shorter the passphrase, the weaker the password passphrase.
       - The longer the passphrase, the stronger the password passphrase.
     - Which are easier to remember?
       - The Diceware-generated passphrases were generally harder to remember.
       - The shorter the passphrase, the easier it was to remember.
       - The longer the passphrase, the harder it was to remember.

     Password Safe
  7. Page 7 of 7
     Appendix
