Password Policies
Name: Allen Galvan
Due: 8 November 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #2: Passwords
Last printed 11/8/2005 12:09:00 AM

Post on 12-May-2015

1.399 views

Category:

Technology


0 download

DESCRIPTION

Password Policies

TRANSCRIPT


The Password Lab Goals (page 3)
Exercise 1 (Policies) (page 3)
Addendum on Password Policies (page 3)
Techniques for Strong Easy-to-Remember Passwords (page 4)
Machine-Generated Password Strength (page 4)
Diceware Creating Passphrases (page 4)
Conclusions on Machine-Generated Passwords versus Human-Generated Passwords (page 6)
Password Safe (page 6)


The Password Lab Goals

The goals of this Password lab are:
o To become familiar with password policies.
o To develop skills creating memorable, strong passwords.
o To understand what makes a weak password.
o To become familiar with a variety of password cracking tools.

Exercise 1 (Policies)

List at least 10 common characteristics among the different policies.
o For example, password length tends to be 8 or more characters.
o All system-level (root, enable, NT admin, application administration accounts, and so on) passwords must be changed at least on a quarterly basis.
o Passwords should differ from previous passwords.
o Passwords should not be shared. If a password must be shared for tech support purposes, it must be changed as soon as is practical.
o Do not base passwords on personal information.
o Create passwords that are easy to remember.
o Do not use passwords that are dictionary words.
o Don’t reveal any passwords in an email.
o Passwords should never be written down or stored online.
o Strong passwords should have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
o Do not reveal your password to your boss.

What are some differences between the various policies?
o One difference is that the company name is different, and for each respective company, that particular company name should be used as a password.
o Some companies want their employees to change their passwords at least quarterly versus semi-annually.

Addendum on Password Policies

This chart is to be included in the Lab 3 Passwords report.

After having read through a number of password policies, I'd like you to come up with a reasonable and practical set of password policies for the various types of accounts in the spreadsheet.

Remember, not all accounts are alike. Some have greater security requirements than others, and you need to secure them in proportion to the risk.


Techniques for Strong Easy-to-Remember Passwords

Machine-Generated Password Strength

Does the testing tool accurately gauge the strength of the passwords?
o The testing tool seems to accurately gauge the strength of the passwords. Simple passwords are character and numeric patterns or dictionary words. The tool indicated stronger passwords when special characters and random characters are chosen.

What observations can you make about the strength of the different kinds of passwords?
o Which kinds of passwords are strongest? Longer passwords are stronger. Passphrases are stronger. K3wl passwords are stronger.
o Which kinds of passwords are weakest? Shorter passwords are weaker. Dictionary words are weaker.

How does length affect the strength?
o Longer passwords are stronger.

How does complexity affect the strength?
o Complex and random passwords are stronger.

How does length affect our ability to remember the password?
o The longer the password is, the harder it is to remember.

How does complexity affect your ability to remember the password?
o Complex passwords are harder to remember.

Diceware Creating Passphrases

Diceware is a method for picking passphrases. These passphrases may then be used as a password. Dice are used to produce a sequence of random numbers that are in turn used to select individual words, which together form the passphrase.
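As an added example (my code, not part of the lab report), this shows the roll-to-word step of Diceware and the entropy behind the later observation that longer passphrases are stronger: each five-dice roll selects one of 6^5 = 7776 words, so every word adds about 12.9 bits. The word list here is a constructed sample containing only the rolls recorded in the report; a real list covers all 7776 rolls.

```python
import math
import secrets
from typing import Dict, Iterable

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # a full Diceware list has 7776 entries keyed 11111..66666

# Constructed sample: only the twelve rolls written down in this lab report.
SAMPLE_WORDLIST: Dict[str, str] = {
    "61315": "tiaga", "52462": "rw", "51516": "regis",
    "32514": "heave", "61263": "timid", "41463": "manama", "41361": "mace",
    "26546": "galen", "12333": "any", "66162": "900", "43634": "norm", "22341": "dante",
}


def roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as '61315' to its 0-based list position (base 6, digits 1..6)."""
    if len(roll) != DICE_PER_WORD or any(d not in "123456" for d in roll):
        raise ValueError(f"not a {DICE_PER_WORD}-dice roll: {roll!r}")
    index = 0
    for d in roll:
        index = index * 6 + (int(d) - 1)
    return index


def roll_dice(n: int = DICE_PER_WORD) -> str:
    """Roll n dice with a CSPRNG; physical dice are the classic Diceware source."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def passphrase_from_rolls(rolls: Iterable[str], wordlist: Dict[str, str] = SAMPLE_WORDLIST) -> str:
    """Look each roll up in the list and join the words with spaces."""
    return " ".join(wordlist[r] for r in rolls)


def generate_passphrase(n_words: int, wordlist: Dict[str, str]) -> str:
    """Draw n_words fresh rolls; a complete list is required so every roll has a word."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("a complete Diceware list (7776 entries) is required")
    return passphrase_from_rolls((roll_dice() for _ in range(n_words)), wordlist)


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of an n-word passphrase drawn uniformly from the list: n * log2(list_size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(f"{n} words: {entropy_bits(n):.1f} bits")
```

For the 3-, 4- and 5-word passphrases in this lab the figures are about 38.8, 51.7 and 64.6 bits, which is why the strength assessor ranks the longer ones higher regardless of how memorable they are.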

What are your 3, 4, and 5 word passphrases using the Diceware method?

Dice rolls     Word
6 1 3 1 5      tiaga
5 2 4 6 2      rw
5 1 5 1 6      regis

Pass phrase: taiga rw regsi


Strength: 6
Comments: Your password does not meet Corporate password standards for the following reason(s):

1) The password needs at least two of the following: upper case letters, special characters, and numbers.

Dice rolls     Word
3 2 5 1 4      heave
6 1 2 6 3      timid
4 1 4 6 3      manama
4 1 3 6 1      mace

Pass phrase: heave timid Manama mace
Strength: 10
Comments: Your password meets Corporate password standards, but can be improved in the following way(s):

Could use some numeric chars

Dice rolls     Word
2 6 5 4 6      galen
1 2 3 3 3      any
6 6 1 6 2      900
4 3 6 3 4      norm
2 2 3 4 1      dante

Pass phrase: galen any 900 norm dante
Strength: 10
Comments: Your password meets Corporate password standards, but can be improved in the following way(s):

Could use some uppercase chars
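As an added example (my code, not the assessor the lab used), this implements the Corporate password standard exactly as the tool's comments state it: a password passes when it contains at least two of upper-case letters, special characters and digits, and the tool then suggests whichever class is missing. It assumes that the spaces between passphrase words count as special characters, which is the only reading that matches all three results above (3 words fail, both longer phrases pass).

```python
from typing import Dict, List, Tuple


def char_classes(password: str) -> Dict[str, bool]:
    """Report which of the three counted character classes the password contains."""
    return {
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        # Assumption: punctuation and whitespace (the space between words) are "special".
        "special": any(not c.isalnum() for c in password),
    }


def check_corporate_standard(password: str) -> Tuple[bool, List[str]]:
    """Return (meets_standard, comments) using the wording from the lab's assessor output."""
    classes = char_classes(password)
    if sum(classes.values()) < 2:
        return False, ["The password needs at least two of the following: "
                       "upper case letters, special characters, and numbers."]
    comments: List[str] = []
    if not classes["digit"]:
        comments.append("Could use some numeric chars")
    if not classes["upper"]:
        comments.append("Could use some uppercase chars")
    if not classes["special"]:
        # Wording assumed; this case does not occur in the lab's recorded output.
        comments.append("Could use some special chars")
    return True, comments


if __name__ == "__main__":
    # The three Diceware passphrases recorded in the lab.
    for phrase in ("taiga rw regsi", "heave timid Manama mace", "galen any 900 norm dante"):
        meets, comments = check_corporate_standard(phrase)
        print(f"{phrase!r}: meets={meets} {comments}")
```

Note that the rule is purely about character classes: the 3-word phrase fails even though it is random, while adding a capital letter or a numeric word to a phrase makes it pass, which says nothing about the entropy that actually makes the longer phrases stronger.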

Are the above passphrases easy to remember?
The longer the passphrases are, the harder they are to remember; the shorter they are, the easier they are to remember. But since the words of the passphrases are random, if one does not employ good memorization skills, or as time passes, these passphrases may become harder to remember. Memorization works well with “catchy” phrases remembered by acronyms. Maybe this technique would be well suited to a doctor or a Russian; these people remember long, complex strings of characters.

Do you think the password strength assessor is accurate?

Generally, it seems logical that the longer the passwords are, the stronger they would be, and this was consistent with the password strength assessor.


But I was a little surprised. I thought the passwords were strong, since they were hard to remember and were sequences of random words; but the password strength assessor indicated that the shorter passphrases were weaker than the longer passphrases.

Conclusions on Machine-Generated Passwords versus Human-Generated Passwords

How did the machine-generated passwords compare to the human-generated passwords?

Which are stronger?
o Machine-generated words seemed to translate into stronger passwords and passphrases.
o Human-generated words were easier to remember, but generally seemed weaker. The strongest human-generated password was a random 5-word passphrase. This would be harder to remember.

Which are easier to remember?
o Machine-generated passwords and passphrases were harder to remember.
o Some human-generated passwords and passphrases were easier to remember, but were weaker passwords.
o The random passphrase was a strong passphrase, but harder to remember.

How did Diceware-generated passphrases compare to machine-generated and human-generated passwords?

Which are stronger?
o The shorter the passphrase, the weaker the passphrase.
o The longer the passphrase, the stronger the passphrase.

Which are easier to remember?
o The Diceware-generated passphrases were generally harder to remember.
o The shorter the passphrase, the easier it was to remember.
o The longer the passphrase, the harder it was to remember.

Password Safe


Appendix
