This module will address password security. Although user names and passwords are a familiar technology, most people are not aware of the inherent weaknesses in many of the different password-based authentication schemes in use today. These weaknesses are important to understand, since many networks would be compromised if the passwords on just a few key machines (such as firewalls, DNS servers, or Windows domain controllers) were known to an attacker.

## Text content: Password Assessment and Management

11. Crack Requirements

Requirements:

- Unix-like operating system
- C compiler
- Moderate amount of disk space
- Lots of CPU time
- PERMISSION FROM SYSADMIN
- Root privileges, quite possibly
- "gzip" is extremely desirable

Password Assessment and Management - SANS ©2001 11

In order to run Crack, you need to be running a Unix operating system and using an encryption algorithm that Crack supports. The traditional Unix standard is DES encryption, and this is what Crack is best at handling. However, in recent years several operating systems have moved to alternate encryption algorithms such as MD5 or Blowfish. The primary reasons for the change include: avoiding problems with US export restrictions concerning encryption products, allowing passwords longer than the 8 characters permitted by DES, and foiling cracking programs by forcing them to spend more effort on each encryption performed (MD5 and Blowfish are stronger algorithms than DES).

You can discover which encryption type your system is using by examining the encrypted password values found in the password or shadow file. MD5-encrypted passwords are significantly longer than their DES-encrypted cousins and always begin with a "$1". Similarly, Blowfish-encrypted passwords always begin with a "$2". If your system uses one of these alternate algorithms, you would be better off using "John the Ripper" (discussed later). Some background information can be found at these URLs:

- http://www.linux.com/howto/User-Authentication-HOWTO/x57.html
- http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html
- http://www.usenix.org/events/usenix99/provos/provos.html/node10.html

Crack is not compiled when you download it, so you must have a C compiler running on your system. It is recommended that you use GNU C (gcc), since Crack has already been tested with it and this will make compilation much easier. Crack is "self-compiling" and builds the components it needs when executed.

Crack is fairly large and computationally intensive, simply by the nature of what the program does. So before you install and run Crack, make sure you have enough resources to compile and run it. If other people are using the Unix machine, check with them prior to running Crack, because it could cause problems if they are running critical applications. If you do not own the machine, always make sure you check with the appropriate people before running it. Also, depending on how your system is configured, you might need root access to configure Crack, run it, and obtain the encrypted passwords. Since Crack is distributed compressed, make sure you have gzip on your system so that you can uncompress the Crack source code.
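The prefix rules above ("$1" for MD5, "$2" for Blowfish, a bare 13-character value for traditional DES) can be applied mechanically when auditing which scheme a system actually uses. The following is an added example, not code from the SANS course or from Crack; the shadow-style lines it reads are constructed placeholders, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample shadow-style lines (placeholder hashes, not real credentials).
SAMPLE_SHADOW = """\
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:11000:0:99999:7:::
alice:$2a$05$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:11000:0:99999:7:::
bob:ab1234567890X:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
guest::11000:0:99999:7:::
"""

# Traditional DES crypt(3): 2-character salt followed by an 11-character digest.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Identify the crypt(3) scheme from the hash field alone, using the
    prefix rules given in the course text."""
    if field == "":
        return "empty"        # no password at all: worse than a weak one
    if field[0] in "*!":
        return "locked"       # account cannot log in with a password
    if field.startswith("$1$"):
        return "MD5"
    if field.startswith("$2"):
        return "Blowfish"
    if DES_HASH.match(field):
        return "DES"          # 8-character limit, the scheme Crack handles best
    return "unknown"

def audit_shadow(text):
    """Map each user name to the scheme protecting its password."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":", 2)[:2]
        result[user] = classify_hash(hash_field)
    return result

def recommend_tool(schemes):
    """Crack is the DES tool; any MD5 or Blowfish entries call for John the Ripper."""
    counts = Counter(schemes.values())
    if counts["MD5"] or counts["Blowfish"]:
        return "John the Ripper"
    return "Crack"

if __name__ == "__main__":
    schemes = audit_shadow(SAMPLE_SHADOW)
    for user, scheme in schemes.items():
        print(f"{user:8s} {scheme}")
    print("Recommended auditing tool:", recommend_tool(schemes))
```

Empty and locked fields are reported separately because an empty hash field is a finding in its own right, not something to feed to a cracker.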
20. Enforce a Strong Password Policy (continued)

- Password should not contain: birthdays, names, sports teams, etc.
- Tips for picking good passwords:
  - pick a phrase and use the first letter of each word
  - example: When I stub my toe I say !@#$% 5 times
  - password: WIsmtIs!@#$%5t

Choose a hard-to-guess password (the "do's"): Use a mixture of upper and lower case letters as well as digits or punctuation. When choosing a new password, make sure that it is unrelated to any previous password. Use long passwords (e.g. at least 8 characters long). Examples: a word pair with punctuation inserted, a passphrase (an understandable sequence of words), or the first letter of each word in a passphrase.

In order to prevent easily guessable passwords, a password should never contain birthdays, names, sports teams, or special interests. Anything that can be seen while sitting at your desk should also never be used as a password. Attackers can easily target an individual, and anything that stands out as a potential password should never be used, because it is too easy for someone to guess.

What I suggest is that instead of picking words as passwords, users should be trained to pick a phrase. If I told you that your new password was WIsmtIs!@#$%5t, you would probably think I was crazy. Your response might be, "How in the world am I going to remember that password?" On the other hand, if I told you to remember the phrase "When I stub my toe I say !@#$% 5 times," you would probably agree that it is fairly reasonable. The main emphasis of a password policy should not only be to tell users what is expected of them, but to help them generate strong passwords that are fairly easy to remember.