CSE 3482 Introduction to Computer Security. Password Cracking

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "CSE 3482 Introduction to Computer Security. Password Cracking"

Transcription

1 CSE 3482 Introduction to Computer Security Password Cracking Instructor: N. Vlajic, Winter 2016

2 Introduction Password a secret word/string of characters used to authenticate a user into a system critical (often only) defense against intruders ideal password: easy to remember, hard to crack Google (2013) released a list of common password types which are insecure as they are too easy to guess / get off social media name of a pet, child, family member, spouse names of birthplaces, favorite sports teams birthdays, anniversary dates overly complex passwords are as dangerous as very simple ones the user likely to write it down or to reuse it

3 Introduction (cont.) Passwords Cracked from a Sample of 13,797 Unix Accounts * using a customized dictionary comprising 3 million words * success rate: 25% * cracking time < 1 h Type of Password Search Size Number of Matches Percentage of Passwords Matched User/account name % Character sequences % Numbers % Chinese % Place names % Common names % Female names % Male names % Uncommon names % Myths and legends % Shakespearean % Sports terms % Science fiction % Movies and actors % Cartoons % Famous people % Phrases and patterns % Surnames % Biology % System dictionary % Machine names % Mnemonics % King James bible % Miscellaneous words % Cost/Benefit Ratioa Yiddish words % Asteroids % TOTAL % 0.053

4 Introduction (cont.) Passwords in a System in most systems, passwords are stored in a protected (hash) form snooper that gains internal access to system cannot easily retrieve/steal passwords every time a user logs in, password handling software runs the hash algorithm if (new hash = stored hash), access is granted

5 Introduction (cont.) Example: Password hashes Storing hash instead of password Testing a password against stored hash

6 Introduction (cont.) Password password hashes are stored in Management Security Account Manager (SAM) file in Windows stored in C:\Windows\System32\config or HKEY_LOCAL_MACHINE\SAM registry - cannot be accessed while computer running (file used by OS) Accessing SAM requires additional software File in Windows install and run LCP, pwdump, or FGDUMP with Administrator privileges

7 Introduction (cont.) Accessing Hash text file: /etc/passwd File in Unix readable by system administrator only

8 Password Cracking Password a method of gaining unauthorized access Cracking to a computer system by trying different (Guessing) passwords cracking difficulty size of password space

9 Password Cracking (cont.) Online vs. online cracking Offline Password Cracking try every password at the login prompt in real time very slow! 8-character password of 76 possible characters (upper & lower case, digits, common symbols) = 1.1x10 15 possibilities 2 to 3 passwords a second 5,878,324 years to guess a password extremely noisy! most systems block the victim account after several failed login attempts off-line cracking assumes the possession of passwd/hash file

10 Password Cracking (cont.) Brute-Force aka exhaustive password search Password entire password space is tried Cracking starts by using simple combinations of characters, and then gradually moves to more complex/longer ones (may be) effective for passwords of small size, but too time consuming for long passwords examples of brute-force crackers Cain and Able John the Ripper Ophcrack

11 Password Cracking (cont.) Brute-Force Password Search Space a) On 26-letter alphabet, password of length 1/2/n: S 1-Letter = 26 1 S 2-Letter = 26*26 = 26 2 S n-letter = 26*26* *26 = 26 n b) On A-character alphabet, password of length n: S n-character =A n c) On A-character alphabet, passwords up-to n characters

12 Password Cracking (cont.) Example: Brute-Force Password Search Space (1) Compare two systems in which the maximum password length is 16, and passwords may contain any printable ASCII characters. System A allows passwords to be any length (1-16) System B requires passwords to be at least 8 characters long (8-16). Calculate the search space for these two systems. A=94 System A: System B: Almost the same!!!

13 Password Cracking (cont.) Example: Brute-Force Password Search Space (2) Tina has to create a password for the security of a software program file. She wants to use a password with 3 letters. How many passwords are allowed if no letter are repeated and the password is not case sensitive? L 1 L 2 L 3 : A (B-Z) (C-Z) *25*24 = 15,600 n choose k, order does not matter:

14 Password Cracking (cont.) Example: Brute-Force Password Search Space (3) A system allows passwords consisting of 4 lower-case letters followed by 3 digit numbers. How many passwords are possible if there are no restrictions. L 1 L 2 L 3 L 4 D 1 D 2 D 4 any combination any combination 26 4 *10 3 = 456,976,000

15 Password Cracking (cont.) Biased the search space is further reduced by Attack focusing on most likely combinations of words and/or numbers Example: Biased Attack on 4-Digit Pins Assume a system requires that access passwords be comprised of 4 digits. Total unbiased search space: any number between (10,000) Many people use some important personal dates to generate 4-digit passwords. Biased search space: only 366 possible combinations!

16 Password Cracking (cont.) Dictionary users often create passwords using Attack common dictionary words instead of trying every password, dictionary attack probes only common dictionary words faster than brute force, as it uses smaller (more likely) search space still might take considerable time, and might fail in the end

17 Password Cracking (cont.) Example: Dictionary Attacks in Real World Many studies on effectiveness of dictionary attack have been conducted. Not 100% effective, but enough passwords were cracked to make the use of this attack worthwhile. Research or Incident % Guessed Morris worm, estimated success (1988) ~50% Klein s Study (1990) 24.2% Spafford s Study (1992) 20% CERT Incident % Cambridge study by Yan, et al. (2000) 35% Lulz and Anonymous, estimated success (2011) 30% Elementary Information Security, R. E. Smith, pp. 253

18 Password Cracking (cont.) Pre-Computed achieves TIME-SPACE tradeoff by Dictionary pre-computing a list of hashes of Attacks dictionary words pre-computed hashes are compared against those in a stolen password file rainbow tables effective-to-use pregenerated sets/lists of hashes n*gbyte size!!!

19 Password Cracking (cont.) Rainbow Table: time/space tradeoff!!!

20 Password Salting Password Salting adding a unique random value to each password before hashing both the hash and salt are stored does not fully prevent against password cracking, but makes it harder / more time consuming

21 User id + Password

22 Password Salting (cont.) Password Salting Benefits in case of a compromised Password File dictionary and rainbow attacks impossible to perform prevents duplicate passwords from being visible in password file becomes impossible to find out whether a person has used the same password on multiple systems

23 Password Hashing in Windows Password Hashing in Windows Windows-based computers utilize two hashing methods LAN Manager (LM) used in earlier versions up until Windows 2000, XP, Vista, and 7 NT LAN Manager (NTLM) much stronger and harder to crack than LM hash used in Windows 2000, XP, Vista, and 7 Windows 2000 and XP are also backward compatible hash with both, to be able operate with older clients/servers* * feature that should be disabled if not necessary

24 Password Hashing in Windows (cont.) LM Password Hashing not really a hash, but a a cryptographic value 1) user password is converted to all uppercase 2) password has null characters added to it until it equals 14 characters 3) new password is split into two 7 char. halves 4) two 7-byte halves are used to create two 64-bit (8-byte) long DES encryption keys, by inserting a null bit after every seven bits 5) each key is used to DES-encrypt the constant ASCII string resulting in two 16-byte long ciphertext values 6) finally, two 16 byte hashes are concatenated to form the 32-byte long hash

25 Password Hashing in Windows (cont.) LM Password Hashes (cont.) drawbacks: 1) case insensitive significantly reduces character set that attacker must use (A - from 95 down to 69) 2) 14-character long passwords split into two 7-character long halves search space dramatically reduced (from A 14 to 2*A 7 ) total reduction in search space: from to 2*69 7 3) DES encryption not considered safe anymore

26 Password Hashing in Windows (cont.) NTLM Hashing much simpler in terms of OS operations than LM applies MD4 hash algorithm 3 times advantages: much stronger than LN allows for distinction between upper and lower case does not split password into smaller, easier to crack, chunks disadvantages: does not use salting like in UNIX and Linux salt random combination of 0 & 1 added to a password every bit of salt => 2X password-cracking demands on storage and/or computation

27 Example: Password policies which one is better?! Company A requires that its employees pick 6-character passwords made up of combinations of lowercase letters, uppercase letters, and digits. No other characters are allowed, and a given user s password must not use any character twice. Example: ab98cd Company B requires that its employees pick 12-character passwords, where each of the 12 can be any of 100 possible characters. Unlike for Company A, Company B s employees can reuse characters in their passwords. However, Company B finds that users often make mistakes with these long passwords, so if an authentication attempt fails, the login server helps the user by telling them how many of the initial letters were correct. For example, if a password entered was abcdefgij and the server replies Wrong, but the first 4 letters were correct, then abcd are correct, e is wrong, and nothing is revealed about the correctness of the letters after e.

28 Example: Password policies which one is better?! Suppose an attacker is trying to guess/crack the password of user U1 at Company A, and user U2 at Company B. Both usernames are valid at the respective companies, and the users have chosen passwords that conform with the policy. a) Write down an expression for the # of attempts the attacker needs for guessing the password of user U1 at Company A. Solution: Example: ab98cd Total # of allowed characters = = 62 Total # of possible passwords = 62*61*60*59*58*57 = = 4.4 * 10 10

29 Example: Password policies which one is better?! b) Write down an expression for the # of attempts the attacker needs for guessing the password of user U2 at Company B. Solution: The key for this part of the problem is that the attacker can use feedback provided by the login process to speed up the cracking process. To start, the attacker can try 100 passwords that each differ in their first character. One of these must succeed. In addition, when it succeeds, in the worst case the attacker is told that the second character in the attempted password is incorrect. Therefore, once the attacker learns that the first character is correct, they also can eliminate 1 of the possibilities for the second character.

30 Example: Password policies which one is better?! Password: bszi1289amlk 1 st round of guesses: aa, ba, ca, da, 2 nd round of guesses bba, bca, bda, bea,, bsa, bta, At this point, they make another = 99 guesses, each of which uses the first character learned in the previous step, and tries a different second character (excluding the character that the attacker has already learned is not correct for the second position). This process continues until they try candidates for all 12 positions, requiring at worst a total of: # of possible passwords = = = 1189

Windows passwords security

Windows passwords security IT Advisory Windows passwords security ADVISORY WHOAMI 2 Agenda The typical windows environment Local passwords Secure storage mechanims: Syskey & SAM File Password hashing & Cracking: LM & NTLM Into the

More information

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Scanning and Analysis Tools

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Scanning and Analysis Tools CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Scanning and Analysis Tools Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security

More information

Password Security Module 8

Password Security Module 8 Password Security Air Force Association s CyberPatriot The National High School Cyber Defense Competition Module 8 Password Security Module 8 Unix GCCS Operating Definitions Patching Timeline System Explain

More information

L2: Hashing, Cryptographic Hashes, and Password Hashing

L2: Hashing, Cryptographic Hashes, and Password Hashing L2: Hashing, Cryptographic Hashes, and Password Hashing Sudhir Aggarwal and Shiva Houshmand Florida State University Department of Computer Science E-Crime Investigative Technologies Lab Tallahassee, Florida

More information

UNICRYPT: A CONSTRUCTIVE APPROACH TOWARDS RAINBOW TABLE VULNERABILITY

UNICRYPT: A CONSTRUCTIVE APPROACH TOWARDS RAINBOW TABLE VULNERABILITY UNICRYPT: A CONSTRUCTIVE APPROACH TOWARDS RAINBOW TABLE VULNERABILITY Mohit Dagar 1, Nandit Saini 2, Himanshu Naresh 3, Ashish Sankla 4 1 Student, Computer Science Department, G.B Pant Govt. Engineering

More information

Authentication. Readings. Chapters 9, 10 Sections

Authentication. Readings. Chapters 9, 10 Sections Authentication Readings Chapters 9, 10 Sections 11.1-11.3 1 Authentication: Who and How User (human) can be authenticated logging into a workstation using resources of a system issues: humans find it difficult

More information

Windows XP Login Vulnerabilities

Windows XP Login Vulnerabilities Windows XP Login Vulnerabilities A Case Study Using Ophcrack Yoan Hermida 12/1/2008 Hermida 2 Abstract This paper aims to demonstrate that the login process for Windows XP is inherently unsecure. It will

More information

Attacking NTLM with Precomputed Hashtables

Attacking NTLM with Precomputed Hashtables Attacking NTLM with Precomputed Hashtables warlord warlord@nologin.org Contents 1 Introduction 2 2 The design of LM and NTLM 3 2.1 The LanMan disaster......................... 3 2.2 NTLM.................................

More information

2006-331: PASSWORD AUDITING TOOLS

2006-331: PASSWORD AUDITING TOOLS 2006-331: PASSWORD AUDITING TOOLS Mario Garcia, Texas A&M University-Corpus Christi American Society for Engineering Education, 2006 Page 11.985.1 Password Auditing Tools Abstract A goal of computer system

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 10 Authentication and Account Management Objectives Describe the three types of authentication credentials Explain what single sign-on

More information

Protecting against modern password cracking

Protecting against modern password cracking Protecting against modern password cracking Are passwords still an adequate form of authentication? by Yiannis Chrysanthou, MSc (RHUL, 2012), and Allan Tomlinson (supervisor), ISG, Royal Holloway istockphoto/ronen

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define access control and list the four access control models Describe logical access control

More information

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Authentication Types. Password-based Authentication. Off-Line Password Guessing Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:

More information

GENEVA COLLEGE INFORMATION TECHNOLOGY SERVICES. Password POLICY

GENEVA COLLEGE INFORMATION TECHNOLOGY SERVICES. Password POLICY GENEVA COLLEGE INFORMATION TECHNOLOGY SERVICES Password POLICY Table of Contents OVERVIEW... 2 PURPOSE... 2 SCOPE... 2 DEFINITIONS... 2 POLICY... 3 RELATED STANDARDS, POLICIES AND PROCESSES... 4 EXCEPTIONS...

More information

CSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

CSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity CSC 474 -- Network Security Topic 6.2 User Authentication CSC 474 Dr. Peng Ning 1 User Authentication Basics CSC 474 Dr. Peng Ning 2 Authentication and Identity What is identity? which characteristics

More information

Audit of Operating System. Module 4 Protection of Information Systems and Information Assets

Audit of Operating System. Module 4 Protection of Information Systems and Information Assets Audit of Operating System Module 4 Protection of Information Systems and Information Assets 1 Table of Contents Task Statment Introduction Why Audit Operating System? Password Policy Password Policy- How

More information

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application

More information

Password Policy 1. Purpose: 2. Scope: 3.Policy 3.1 Policy Statements

Password Policy 1. Purpose: 2. Scope: 3.Policy 3.1 Policy Statements Password Policy 1. Purpose: The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change of the passwords. 2. Scope:

More information

A Review of Advancements in Code Breaking and Password Recovery Technology

A Review of Advancements in Code Breaking and Password Recovery Technology A Review of Advancements in Code Breaking and Password Recovery Technology Code Breaking and Digital Forensics FBI Supervisory Special Agent Chris Beeson Laboratory Director Silicon Valley Regional Computer

More information

Trusted Internet Services from VeriSign and SafeScrypt.

Trusted Internet Services from VeriSign and SafeScrypt. The Security Risks of Using Passwords Trusted Internet Services from VeriSign and SafeScrypt. Using Passwords Can be Hazardous As the need for information security continues to grow at an ever-increasing

More information

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Five Steps to Improve Internal Network Security. Chattanooga ISSA Five Steps to Improve Internal Network Security Chattanooga ISSA 1 Find Me AverageSecurityGuy.info @averagesecguy stephen@averagesecurityguy.info github.com/averagesecurityguy ChattSec.org 2 Why? The methodical

More information

Authenticating Humans

Authenticating Humans 29 Oct 2015 CSCD27 Computer and Network Security Authenticating Humans CSCD27 Computer and Network Security 1 Authenticating Computers and Programs Computers and programs need to authenticate one another:

More information

Windows servers. NT networks

Windows servers. NT networks Windows servers The NT security model NT networks Networked NT machines can be: Primary Domain controller Centralizes user database/authentication Backup Domain controller Domain member Non-domain member

More information

Presentation on Black Hat Europe 2003 Conference. Security Analysis of Microsoft Encrypting File System (EFS) http://www.elcomsoft.

Presentation on Black Hat Europe 2003 Conference. Security Analysis of Microsoft Encrypting File System (EFS) http://www.elcomsoft. Presentation on Black Hat Europe 2003 Conference Security Analysis of Microsoft Encrypting File System (EFS) Microsoft Encrypting File System Encrypting File File System System (EFS) (EFS) is is a a new

More information

Vulnerability scanning

Vulnerability scanning Mag. iur. Dr. techn. Michael Sonntag Vulnerability scanning Security and Privacy VSE Prag, 7-11.6.2010 E-Mail: sonntag@fim.uni-linz.ac.at http://www.fim.uni-linz.ac.at/staff/sonntag.htm Institute for Information

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

NESCO/NESCOR Common TFE Analysis: CIP-007 R5.3 Password Complexity

NESCO/NESCOR Common TFE Analysis: CIP-007 R5.3 Password Complexity NESCO/NESCOR Common TFE Analysis: CIP-007 R5.3 Password Complexity National Electric Sector Cybersecurity Organization (NESCO)/NESCO Resource (NESCOR) DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITIES

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Vulnerability scanning

Vulnerability scanning Mag. iur. Dr. techn. Michael Sonntag Vulnerability scanning Security and Privacy VSE Prag, 9-13.6.2008 E-Mail: sonntag@fim.uni-linz.ac.at http://www.fim.uni-linz.ac.at/staff/sonntag.htm Institute for Information

More information

Password Manager with 3-Step Authentication System

Password Manager with 3-Step Authentication System Password Manager with 3-Step Authentication System Zhelyazko Petrov, Razvan Ragazan University of Westminster, London z.petrov@my.westminster.ac.uk, razvan.ragazan@my.westminster.ac.uk Abstract: A big

More information

Rainbow Cracking: Do you need to fear the Rainbow? Philippe Oechslin, Objectif Sécurité. OS Objectif Sécurité SA, Gland, www.objectif-securite.

Rainbow Cracking: Do you need to fear the Rainbow? Philippe Oechslin, Objectif Sécurité. OS Objectif Sécurité SA, Gland, www.objectif-securite. ainbow Cracking: Do you need to fear the ainbow? Philippe Oechslin, Objectif Sécurité 1 On the menu 1. ainbow tables explained 2. Who is vulnerable 3. Tools and history 4. What you should do about it 2

More information

Activities for Password Posters For Middle and High School Students

Activities for Password Posters For Middle and High School Students Activities for Password Posters For Middle and High School Students Overview There are three password posters for this grade span. We recommend that these be hung together, either vertically or horizontally,

More information

Authentication. Steven M. Bellovin September 27,

Authentication. Steven M. Bellovin September 27, Authentication Steven M. Bellovin September 27, 2010 1 Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to

More information

CAPITAL UNIVERSITY PASSWORD POLICY

CAPITAL UNIVERSITY PASSWORD POLICY 1.0 Overview Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Capital University's

More information

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques Computer Security process of reliably verifying identity verification techniques what you know (eg., passwords, crypto key) what you have (eg., keycards, embedded crypto) what you are (eg., biometric information)

More information

The Security Behind Sticky Password

The Security Behind Sticky Password The Security Behind Sticky Password Technical White Paper version 3, September 16th, 2015 Executive Summary When it comes to password management tools, concerns over secure data storage of passwords and

More information

Threat Events: Software Attacks (cont.)

Threat Events: Software Attacks (cont.) ROOTKIT stealthy software with root/administrator privileges aims to modify the operation of the OS in order to facilitate a nonstandard or unauthorized functions unlike virus, rootkit s goal is not to

More information

NAVAL POSTGRADUATE SCHOOL Monterey, California THESIS A DISTRIBUTED PASSWORD SCHEME FOR NETWORK OPERATING SYSTEMS.

NAVAL POSTGRADUATE SCHOOL Monterey, California THESIS A DISTRIBUTED PASSWORD SCHEME FOR NETWORK OPERATING SYSTEMS. NAVAL POSTGRADUATE SCHOOL Monterey, California THESIS A DISTRIBUTED PASSWORD SCHEME FOR NETWORK OPERATING SYSTEMS by Christopher Roth June 2002 Thesis Advisor: Co-Advisor: Bret Michael Craig Rasmussen

More information

It may look like this all has to do with your password, but that s not the only factor to worry about.

It may look like this all has to do with your password, but that s not the only factor to worry about. Account Security One of the easiest ways to lose control of private information is to use poor safeguards on internet accounts like web-based email, online banking and social media (Facebook, Twitter).

More information

CS 361S - Network Security and Privacy Spring 2014. Homework #1

CS 361S - Network Security and Privacy Spring 2014. Homework #1 CS 361S - Network Security and Privacy Spring 2014 Homework #1 Due: 11am CST (in class), February 11, 2014 YOUR NAME: Collaboration policy No collaboration is permitted on this assignment. Any cheating

More information

Your Password Complexity Requirements are Worthless. Rick Redman KoreLogic www.korelogic.com

Your Password Complexity Requirements are Worthless. Rick Redman KoreLogic www.korelogic.com Your Password Complexity Requirements are Worthless Rick Redman KoreLogic www.korelogic.com Introduction Rick Redman < rredman@korelogic.com > 88FB D23C 5AC1 8756 5690 6661 A933 6E99 4E2C EF75 Penetration

More information

Computer and Network Security

Computer and Network Security Computer and Network Security c Copyright 2000 R. E. Newman Computer & Information Sciences & Engineering University Of Florida Gainesville, Florida 32611-6120 nemo@cise.ufl.edu Hashes (Pfleeger Ch. 3,

More information

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July 2006. The OWASP Foundation http://www.owasp.org/

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July 2006. The OWASP Foundation http://www.owasp.org/ Common Pitfalls in Cryptography for Software Developers OWASP AppSec Israel July 2006 Shay Zalalichin, CISSP AppSec Division Manager, Comsec Consulting shayz@comsecglobal.com Copyright 2006 - The OWASP

More information

HOW ENCRYPTION WORKS. Introduction to BackupEDGE Data Encryption. Technology Overview. Strong Encryption BackupEDGE

HOW ENCRYPTION WORKS. Introduction to BackupEDGE Data Encryption. Technology Overview. Strong Encryption BackupEDGE HOW ENCRYPTION WORKS Technology Overview Strong Encryption BackupEDGE Introduction to BackupEDGE Data Encryption A major feature of BackupEDGE is the ability to protect archives containing critical client

More information

Remote Access Password Tips

Remote Access Password Tips Introduction: The following document was created to assist Remote Access users with password change and synchronization issues. IT&S has identified the following five (5) scenarios for remote access password

More information

CS 393/682 Network Security. Nasir Memon Polytechnic University Module 7 Virtual Private Networks

CS 393/682 Network Security. Nasir Memon Polytechnic University Module 7 Virtual Private Networks CS 393/682 Network Security Nasir Memon Polytechnic University Module 7 Virtual Private Networks Course Logistics Midterm next week. Old exams posted Brief review at end of this module HW 4 assigned, due

More information

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes Compass Security AG, Daniel Stirnimann Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel +41 55-214 41 60 Fax +41

More information

Secure Remote Password (SRP) Authentication

Secure Remote Password (SRP) Authentication Secure Remote Password (SRP) Authentication Tom Wu Stanford University tjw@cs.stanford.edu Authentication in General What you are Fingerprints, retinal scans, voiceprints What you have Token cards, smart

More information

Cyber Security Workshop Encryption Reference Manual

Cyber Security Workshop Encryption Reference Manual Cyber Security Workshop Encryption Reference Manual May 2015 Basic Concepts in Encoding and Encryption Binary Encoding Examples Encryption Cipher Examples 1 P a g e Encoding Concepts Binary Encoding Basics

More information

THE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY

THE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY THE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY 1.0 Purpose The purpose of this policy is to establish Office of Human Resources (OHR) standards for creation of strong

More information

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure) Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.

More information

DataTraveler Vault and DataTraveler Vault Privacy Edition

DataTraveler Vault and DataTraveler Vault Privacy Edition DataTraveler Vault and DataTraveler Vault Privacy Edition Advanced Security and High Performance White Paper A leading-edge solution for business and corporate IT users that combines advanced data security

More information

TLP WHITE. Cloud storage and data security

TLP WHITE. Cloud storage and data security Cloud storage and data security 1 Contents Contents... 2 Introduction... 3 What is cloud storage... 3 Benefits and risks... 4 Maintaining data security in the cloud... 5 Secure passwords and sensitive

More information

RFG Secure FTP. Web Interface

RFG Secure FTP. Web Interface RFG Secure FTP Web Interface Step 1: Getting to the Secure FTP Web Interface: Open your preferred web browser and type the following address: http://ftp.raddon.com After you hit enter, you will be taken

More information

Intro to Password Management. January 5, 2015

Intro to Password Management. January 5, 2015 Intro to Password Management January 5, 2015 Listen up! A USERNAME and password combination has long been the standard security mechanism for online accounts. But that method just isn t cutting it anymore.

More information

Procedures and Tools to Reset or Recover the Administrator Password on Popular Operating Systems

Procedures and Tools to Reset or Recover the Administrator Password on Popular Operating Systems Procedures and Tools to Reset or Recover the Administrator Password on Popular Operating Systems Jørgen Wahl Blakstad Rune Walsø Nergård Master of Science in Communication Technology Submission date: June

More information

Configuring Authentication for Microsoft Windows

Configuring Authentication for Microsoft Windows Chapter 4 Configuring Authentication for Microsoft Windows In this chapter: Storing and Transmitting Credentials..............................69 Storing Secrets in Windows......................................83

More information

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4 Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Aliases 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical Access

More information

Chapter 5 - Basic Authentication Methods

Chapter 5 - Basic Authentication Methods Chapter 5 - Basic Authentication Methods The following topics are discussed in this chapter: Password Authentication Protocol (PAP) Password formats Alternate authentication methods Forcing Authentication

More information

More Than You Ever Wanted to Know about NT Login Authentication

More Than You Ever Wanted to Know about NT Login Authentication A Perspective On Practical Security 2000 More Than You Ever Wanted to Know about NT Login Authentication SystemExperts Corporation Philip C. Cox & Paul B. Hill Abstract The login process is the user's

More information

Security and Operating Systems It s the Application

Security and Operating Systems It s the Application What is Security? Internal Roles Protecting Whom? Operating Systems 1 / 38 What is Security? Internal Roles Protecting Whom? What is operating system security? How do operating systems contribute to system

More information

Hooks could have been left around for the imposter to regain control. A.Arpaci-Dusseau. Remove all files from disk and reinstall all software

Hooks could have been left around for the imposter to regain control. A.Arpaci-Dusseau. Remove all files from disk and reinstall all software UNIVERSITY of WISCONSIN-MADISON Computer Sciences Department CS 537 A. Arpaci-Dusseau Intro to Operating Systems Spring 2000 Security Solutions and Encryption Questions answered in these notes: How does

More information

WHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

WHITE PAPER AUGUST 2014. Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords WHITE PAPER AUGUST 2014 Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords 2 WHITE PAPER: PREVENTING SECURITY BREACHES Table of Contents on t Become the Next Headline

More information

Hack Your SQL Server Database Before the Hackers Do

Hack Your SQL Server Database Before the Hackers Do Note: This article was edited in Oct. 2013, from numerous Web Sources. TJS At the Install: The default install for SQL server makes it is as secure as it will ever be. DBAs and developers will eventually

More information

Dashlane Security Whitepaper

Dashlane Security Whitepaper Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.

More information

AC 2009-1697: EXPERIMENTS WITH COMPUTER PASSWORD CRACKING AND SHIELDING TECHNIQUES

AC 2009-1697: EXPERIMENTS WITH COMPUTER PASSWORD CRACKING AND SHIELDING TECHNIQUES AC 2009-1697: EXPERIMENTS WITH COMPUTER PASSWORD CRACKING AND SHIELDING TECHNIQUES Veeramuthu Rajaravivarma, State University of New York, Farmingdale V. Rajaravivarma is currently with the Electrical

More information

Cryptographic Key Infrastructure

Cryptographic Key Infrastructure Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (see earlier) Public key: bind identity to public key Crucial

More information

Beyond files forensic OWADE cloud based forensic

Beyond files forensic OWADE cloud based forensic Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan Fontarensky Cassidian Matthieu Martin Stanford University Jean Michel Picod Cassidian 1 The world is moving to the

More information

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals Five Steps to Improve Internal Network Security Chattanooga Information security Professionals Who Am I? Security Analyst: Sword & Shield Blogger: averagesecurityguy.info Developer: github.com/averagesecurityguy

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Hashes and Message Digests What hashes can do

More information

DataTrust Backup Software. Whitepaper Data Security. Version 6.8

DataTrust Backup Software. Whitepaper Data Security. Version 6.8 Version 6.8 Table of Contents 1 Introduction... 3 2 DataTrust Offsite Backup Server Secure, Robust and Reliable... 4 2.1 Secure 128-bit SSL communication... 4 2.2 Backup data are securely encrypted...

More information

Firmware security features in HP Compaq business notebooks

Firmware security features in HP Compaq business notebooks HP ProtectTools Firmware security features in HP Compaq business notebooks Embedded security overview... 2 Basics of protection... 2 Protecting against unauthorized access user authentication... 3 Pre-boot

More information

DataTraveler Secure and DataTraveler Secure Privacy Edition

DataTraveler Secure and DataTraveler Secure Privacy Edition DataTraveler Secure and DataTraveler Secure Privacy Edition Advanced Security and High Performance White Paper A leading-edge solution for business and corporate IT users that combines advanced data security

More information

DFW Backup Software. Whitepaper Data Security

DFW Backup Software. Whitepaper Data Security Version 6 Jan 2012 Table of Content 1 Introduction... 3 2 DFW Backup Offsite Backup Server Secure, Robust and Reliable... 4 2.1 Secure 128-bit SSL communication... 4 2.2 Backup data are securely encrypted...

More information

Visualizing Keyboard Pattern Passwords

Visualizing Keyboard Pattern Passwords Visualizing Keyboard Pattern Passwords Dino Schweitzer, Jeff Boleng, Colin Hughes, Louis Murphy United States Air Force Academy ABSTRACT Passwords are a fundamental security vulnerability in many systems.

More information

Virtual Code Authentication User s Guide. June 25, 2015

Virtual Code Authentication User s Guide. June 25, 2015 Virtual Code Authentication User s Guide June 25, 2015 Virtual Code Authentication User s Guide Overview of New Security Modern technologies call for higher security standards as practiced among many other

More information

OTP using a Cellular Phone

OTP using a Cellular Phone OTP using a Cellular Phone Project book Instructor: Ittay Eyal Student: Vitaly Timofeev 9.8.2009 Table of contents: 1. Introduction a. The problem and current solutions b. Our idea c. Brief project overview

More information

PORTLANDDIOCESE.ORG Email - How to Connect Table of Contents

PORTLANDDIOCESE.ORG Email - How to Connect Table of Contents 1 PORTLANDDIOCESE.ORG Email - How to Connect Table of Contents Email Access via a Web Browser... 2 Email Client Setup... 3 Outlook 2013 for Windows... 3 Outlook for Mac 2011... 4 Mac OS X 10.6+... 4 iphone

More information

Password Cracking Beyond Brute-Force

Password Cracking Beyond Brute-Force Password Cracking Beyond Brute-Force by Immanuel Willi Most password mechanisms work by comparing a password against a stored reference value. It is insecure to store the whole password, so one-way functions

More information

Topics in Network Security

Topics in Network Security Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure

More information

On NT Password Security

On NT Password Security On NT Password Security By: Jos Visser This article is (c) Copyright 1997 Open Solution Providers. It may be referred to or reproduced in full only with full retention of this copyright message. For more

More information

Rainbow Table Optimization for Password Recovery

Rainbow Table Optimization for Password Recovery Optimization for Recovery 479 Vrizlynn L. L. Thing, Hwei-Ming Ying Cryptography & Security Department Institute for Infocomm Research, Singapore {vriz,hmying}@i2r.a-star.edu.sg Abstract As users become

More information

2.3: Hash Functions Message Digest (MD) MD2, MD4, MD5. Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks

2.3: Hash Functions Message Digest (MD) MD2, MD4, MD5. Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer 2.3: Hash Functions Message Digest

More information

Internet Banking Two-Factor Authentication using Smartphones

Internet Banking Two-Factor Authentication using Smartphones Internet Banking Two-Factor Authentication using Smartphones Costin Andrei SOARE IT&C Security Master Department of Economic Informatics and Cybernetics Bucharest University of Economic Studies, Romania

More information

Cracking Salted Hashes

Cracking Salted Hashes Overview: Cracking Salted Hashes Web Application Security: - The Do s and Don ts of Salt Cryptography Data Base security has become more critical as Databases have become more open. And Encryption which

More information

Two-Factor Authentication and Swivel

Two-Factor Authentication and Swivel Two-Factor Authentication and Swivel Abstract This document looks at why the username and password are no longer sufficient for authentication and how the Swivel Secure authentication platform can provide

More information

Instructions For Opening UHA Encrypted Email

Instructions For Opening UHA Encrypted Email Receiving Encrypted Email You have received a secure, encrypted message from UHA. The message will contain the following notice and an attachment named SecureMessageAtt.hml. The attachment is shown circled

More information

Grandstream Networks, Inc. UCM6100 Security Manual

Grandstream Networks, Inc. UCM6100 Security Manual Grandstream Networks, Inc. UCM6100 Security Manual Index Table of Contents OVERVIEW... 3 WEB UI ACCESS... 4 UCM6100 HTTP SERVER ACCESS... 4 PROTOCOL TYPE... 4 USER LOGIN... 4 LOGIN TIMEOUT... 5 TWO-LEVEL

More information

Secure Graphical Passwords

Secure Graphical Passwords SESSION ID: IDY-F02 Secure Graphical Passwords Peter Robinson Senior Engineering Manager RSA, The Security Division of EMC Is this Secure? Google TM Android TM Pattern Unlock 2 What about this? Microsoft

More information

Authentication. Steven M. Bellovin September 25, 2015 1

Authentication. Steven M. Bellovin September 25, 2015 1 Authentication Steven M. Bellovin September 25, 2015 1 Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to

More information

The Elements of Cryptography

The Elements of Cryptography The Elements of Cryptography (March 30, 2016) Abdou Illia Spring 2016 Learning Objectives Discuss Cryptography Terminology Discuss Symmetric Key Encryption Discuss Asymmetric Key Encryption Distinguish

More information

Application Layer (1)

Application Layer (1) Application Layer (1) Functionality: providing applications (e-mail, www, USENET etc) providing support protocols to allow the real applications to function properly security comprising a large number

More information

Complete the details and click the Next button.

Complete the details and click the Next button. How To Setup a New Google Account When starting your Chromebook and selecting the option to Create a New Account you will be presented with the screen below. Your choice of email address may already be

More information

TALES FROM THE CRYPT0

TALES FROM THE CRYPT0 TALES FROM THE CRYPT0 INTRODUCTION Kirk Jackson Xero http://www.xero.com http://www.codecamp.co.nz http://www.ignitewellington.co.nz http://pageofwords.com Graeme Neilson Aura Software Security Security

More information

SERVER TYPES AND SECURITY MODES

SERVER TYPES AND SECURITY MODES Chapter 3 SERVER TYPES AND SECURITY MODES This chapter provides information regarding the types of server that Samba may be configured to be. A Microsoft network administrator who wishes to migrate to

More information

Oracle Entereprise Single Sign-on Password Reset. User Guide Release E

Oracle Entereprise Single Sign-on Password Reset. User Guide Release E Oracle Entereprise Single Sign-on Password Reset User Guide Release 10.1.4.1.0 E12627-01 November 2008 Oracle Enterprise Single Sign-on Password Reset User Guide, Release 10.1.4.1.0 E12627-01 Copyright

More information

CSE331: Introduction to Networks and Security. Lecture 20 Fall 2006

CSE331: Introduction to Networks and Security. Lecture 20 Fall 2006 CSE331: Introduction to Networks and Security Lecture 20 Fall 2006 Announcements Homework 2 has been assigned: **NEW DUE DATE** It's now due on Friday, November 3rd. Midterm 2 is Friday, November 10th

More information

THE FUTURE OF MOBILE SECURITY http://www.cs-networks.net

THE FUTURE OF MOBILE SECURITY http://www.cs-networks.net http://www.cs-networks.net 1 The Future Of Mobile Security Stefan Certic CS Network Solutions Limited http://www.cs-networks.net 2 Introduction Mobile devices are more than just phones, they are a lifeline

More information

Digital Signatures on iqmis User Access Request Form

Digital Signatures on iqmis User Access Request Form Digital Signatures on iqmis User Access Request Form When a user clicks in the User Signature block on the iqmis Access Form, the following window appears: Click Save a Copy and rename it with your name,

More information

The Password Problem Will Only Get Worse

The Password Problem Will Only Get Worse The Password Problem Will Only Get Worse New technology for proving who we are Isaac Potoczny-Jones Galois & SEQRD ijones@seqrd.com @SyntaxPolice Goals & Talk outline Update the group on authentication

More information