![Page 1: [Webinar] Longer is stronger - why passphrases are a powerful security tool](https://reader035.vdocument.in/reader035/viewer/2022070302/548f4463b4795927058b4e69/html5/thumbnails/1.jpg)
LONGER IS STRONGER
The value of passphrases
Kevin Sullivan, Director of Sales Engineering, Specops Software
Agenda
• Password Management overview
• Limitations and mitigations
• Math behind password strength
• Walk through
– DDP
– FGPP
– PowerShell
– Specops Password Policy
• Questions
PASSWORD MANAGEMENT: Overview
Security
• Password policies that are in line with the business role of the end-user
– Flexible targeting
– Deep control over complexity
• Balance end-user efficiency and security needs
LOCK IT UP
Self-Service
• What can they self-serve?
• What is the cost value of self-service password reset?
– Estimates are up to 2 calls per year per user
– Short calls – relatively easy
– Roughly $20 per call average
• Branded, intuitive, helpful, informative
OPEN IT UP
Global Identity Management
• SSO – implementation cost vs. value to business?
• Password Sync
– Typically far less $$$ than SSO
– Maybe not for all users – requires flexibility
– Sync targets may be unknowns
MOVE IT OUT
LIMITATIONS AND MITIGATIONS: Let’s talk about Passwords
What are the concerns?
• Rainbow tables
• Dictionary attacks
• Brute Force attacks
RISKS
Home Work
Some ‘techniques’ to strengthen
• Random password generation
• Character substitution
– Common character substitution is built into most brute force attacks!
• Passphrases
Random
• 3!pIcn&P
• The problem
– Super hard to remember
– Super easy to crack
• < 1 day
Character Substitution
1. “Fred and Wilma sat down for a dinner of eggs and ham”
2. F+Wsd4adoe&h
• The problem
– #1 is cracked in 170 centuries based on some common algorithms
– #2 is cracked in 10 years
Example from Sophos’s Graham Cluley https://www.youtube.com/watch?v=VYzguTdOmmU
THE MATH AND SCIENCE: Back to school
LONGER IS STRONGER
Which is stronger?
• D0g.....................
• PrXyc.N(n4k77#L!eVdAfp9
• ‘The Grateful D3@d is my Favorite Band!’
SAY NO TO PASSWORD1!
Reference – Steve Gibson, GRC.com
Concepts
• Entropy – lack of order or predictability
• How Big is Your Haystack?
– https://www.grc.com/haystack.htm
– Every password is a needle in a haystack
– A single character, only allowing alpha characters, is a very small haystack!
HEAD ACHES!
Basic Stuff – brute force
• If I ask you to guess a number between 1 and 10, you have 10 possibilities
– Single digit
– 10 = 10
• If I ask you to guess a number between 1 and 100, you have 100 possibilities
– Two digits
– 10 x 10 = 100
• If I ask you to guess a number between 1 and 1000, you have 1000 possibilities
– Three digits
– 10 x 10 x 10 = 1000
FUNDAMENTALS
Brute Force – cont.
• What if I ask you for a single character and it can be either a number or a letter (English)?
– 26 letters + 10 numbers
– 36 possibilities
• OK… now 2 characters
– 36 x 36 = 1296
• 3?
– 36 x 36 x 36 = 46,656
• Upper case, lower case, number, special character?
– 94 possibilities for each character
– 3 required characters
• 94 x 94 x 94 = 830,584 possibilities
FUNDAMENTALS
Passphrases
• Longer is stronger
• Number of possible letters – 52 in English
• Number of digits – 10 (0 – 9)
• Special characters – 32
• Add them together: 94 possibilities for each required character in length
• Entropy is 94^n where n is the number of required characters
With alpha characters alone, a 25-character passphrase has an astronomically large search space to crack.
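The brute-force arithmetic on the last few slides (10, 36 and 94 possibilities per position, raised to the length) and the "Which is stronger?" comparison can be turned into a small strength estimator. The following is an added example, not code from the deck or from Specops; it assumes the slides' class sizes (26 lower, 26 upper, 10 digits, 32 specials = 94), treats any other character, including space, as a member of the 32-symbol special class, and reports the search space both as a count (the deck's 94^n) and as bits (log2 of that count, which is how entropy is normally quoted). The candidate strings are constructed samples shaped like the ones on the slides.

```python
import math
import string

# Per-position class sizes as the slides count them: 26 + 26 + 10 + 32 = 94.
# Assumption (ours, not the deck's): anything that is not a letter or digit,
# space included, is charged to the 32-character "special" class.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must assume per position,
    given the character classes actually present in the password."""
    present = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            present.add("lower")
        elif ch in string.ascii_uppercase:
            present.add("upper")
        elif ch in string.digits:
            present.add("digit")
        else:
            present.add("special")
    return sum(CLASS_SIZES[c] for c in present)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet ^ length.
    keyspace(36, 3) == 46656 and keyspace(94, 3) == 830584, as on the slides."""
    return alphabet_size ** length


def entropy_bits(password: str) -> float:
    """The same search space expressed in bits: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def rank_by_haystack(candidates):
    """Order candidates from the largest haystack to the smallest."""
    return sorted(candidates, key=entropy_bits, reverse=True)


# Constructed sample candidates in the shapes used on the slides.
CANDIDATES = [
    "3!pIcn&P",                                # 8 random characters, full alphabet
    "D0g" + "." * 21,                          # 24 characters, padded with one symbol
    "PrXyc.N(n4k77#L!eVdAfp9",                 # 23 random characters
    "The Grateful D3@d is my Favorite Band!",  # 38-character passphrase
    "a" * 25,                                  # 25 lower-case letters, nothing else
]

if __name__ == "__main__":
    for pw in rank_by_haystack(CANDIDATES):
        print(f"{len(pw):3d} chars  alphabet {charset_size(pw):2d}  "
              f"{entropy_bits(pw):6.1f} bits  {pw}")
```

Run as a script, the 38-character passphrase ranks first, the 24-character padded "D0g" string beats the 23-character random string (Gibson's haystack point), and even 25 lower-case letters (about 117 bits) dwarf the 8-character random password (about 52 bits). The model is deliberately the pure brute-force one from the slides: it credits "D0g....................." with the whole 94-symbol alphabet even though 21 of its positions are identical, and it knows nothing about dictionaries or leet substitutions, which is exactly why the deck warns that common substitutions are built into cracking tools and why the Fred-and-Wilma figures come from "common algorithms" rather than raw search-space size.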
Additional Considerations
• Do all systems support passphrases?
• How to train your end-users?
– http://success.specopssoft.com
• Use multi-factor when you can, consumer and corporate
• Preferences vs. Facts
– I like peanut butter – preference
– I lived in Towson MD – fact
Questions
• Do you believe passphrases increase security?
• Do you believe passphrases are easier for users to remember than traditional passwords?
• Do you think you will receive fewer password reset calls if you enable passphrases?
THOUGHTS?
Wrap Up
• Use Two/Multi Factor where you can, always!
– https://twofactorauth.org
• Understand the vulnerability
– Haystack – https://www.grc.com/haystack.htm
– Passfault – https://passfault.appspot.com/password_strength.html?#menu
• Some fun reading
– http://cups.cs.cmu.edu/rshay/pubs/passwords_and_people2011.pdf
– https://howsecureismypassword.net/
TAKE AWAYS