
1. Password Assessment and Management
Security Essentials - The SANS Institute Information Assurance Foundations - SANS ©2001

This module will address password security. Although user names and passwords are a familiar technology, most people are not aware of the inherent weaknesses in many of the different password-based authentication schemes in use today. These weaknesses are important to understand, since many networks would be compromised if the passwords on just a few key machines (such as firewalls, DNS servers, or Windows domain controllers) were known to an attacker.

Many of us remember how, in the movie Wargames, a teenager breaks into the government's super-secret WOPR computer by guessing the username and password of the scientist who created WOPR's software. The teen researched publicly available information about the scientist and guessed that the man's password was the name of his young son -- Joshua. That familiar example illustrates exactly why it is important not to use words or names that might be associated with a person as passwords: these values can be guessed by an attacker. Further, most of us are aware that we shouldn't use passwords that are too short (because all character combinations can be easily tried) or write passwords on a sticky note and put the note under the keyboard. But beyond this basic understanding, can we quantify what makes a password difficult to guess when a computer is used as the guessing engine? It turns out that the (sometimes non-intuitive) answer depends on the particular method used to protect the sensitive information.

In this module we will explore how and why we strive to protect passwords on the following two levels:
• The password files should be protected from reading or theft.
• It should be computationally infeasible (ideally) for an attacker to guess the password values even given the password files.

If an attacker does manage to obtain a copy of a password file, we do not want him to be able to use the information contained therein to recover the password values. We will see that the methods used to achieve password protection differ between operating systems, vary in effectiveness, and in some cases have undergone recent evolution. This module will explore common password strategies in use today, how these schemes are attacked, and how administrators can maximize the strength of the password scheme they employ.
2. Agenda
• What password cracking is
• Why it is important
• Methods of password cracking
• Password cracking in Unix - Crack
• Password cracking in Windows - LC3 (L0phtCrack)
• Password cracking with John the Ripper

Typically, OS file permission schemes are employed to ensure that only privileged users (if any) can access password file information. However, attacks exist to circumvent file access restrictions, and an attacker may be able to read or obtain a copy of the file. Further, an attacker may have already gained sufficient privileges to read the file and want to harvest other username/password combinations to try on neighboring systems. Because it is possible for an attacker to get a copy of the password file, our discussion today will focus most strongly on the process of "cracking" passwords. "Cracking" is the process of attempting to "guess" passwords given password file information.

We will start with a discussion of what password cracking is, why it is important, and methods of password cracking. We will then move on to Unix password cracking and concentrate on Crack. Then we will jump to the Microsoft side of the house and cover L0phtCrack (the newest version is called LC3). For both packages we will cover how to install and run the program, how to view the results, how to protect against password cracking, and the features of a strong password. At the end of the module we will explore a more recent addition to the cracking toolbox called "John the Ripper". "John" is important due to the tool's speed advantages and its ability to crack passwords encoded with a wide range of encryption algorithms. We will see how Crack, LC3, and John evolved to meet the increased cracking challenges posed by recent upgrades to the Unix and Windows password protection mechanisms.
3. Why Are Passwords So Important?
• First line of defense
• Control access
• Get additional access
• Create back door for future access

Let's back up for a moment and think about why passwords are so important. Passwords are often the first line of defense against interactive attacks on a system. Since it is fairly easy for someone to figure out a user ID, the only thing protecting the system is a user's password. If an attacker can gather no helpful information to aid in the attack (such as password file contents or sniffed network traffic), he must resort to either creative or "brute force" password guessing. If an attacker can at least read the password file or obtain a copy, his chances of successfully obtaining an actual password increase significantly. Even if the attacker only obtains a lowly user-level password, it is fair to assume that he will log on to the target system as the user and then break into "root" via an operating system hole.

Consider this brief example. Most companies have dial-up access for remote access to their network. Unfortunately, in most companies the dial-up modems reside behind the firewall, which means that once you are authenticated by the remote access server, you have access to the network. In this case, if someone has a weak password, an attacker can use a war dialer to find the remote access number, dial the number, guess the weak password, and within a matter of minutes gain full access to the network.
4. How Are Passwords Stored?
• User passwords must be protected against:
  – unauthorized disclosure
  – unauthorized modification
  – unauthorized removal
• Solution: Store only the encrypted password

In many companies, passwords are more than the first line of defense -- they are the only line of defense protecting internal information and servers. Since most user IDs consist of the first initial/last name of an employee (or some combination), it is fairly easy to discover valid user IDs for individuals at a company. Then, the only other piece of information needed to gain access is a user password. Therefore passwords need to be protected and very hard to guess.

The key things passwords need to be protected against are unauthorized disclosure, unauthorized modification, and unauthorized removal. If users write down their passwords or share them with other people, then it is likely that a malicious party could obtain the password. An attacker able to modify a password is just as problematic, because he could set the password to a particular value without needing to know what the original password was. Note, however, that changing the password is potentially risky for the attacker, because if the user tries to log in and cannot, foul play may be suspected.

In order to protect passwords, operating systems use encryption, which basically hides the original content so that if someone gets the encrypted password they will not be able to determine what the original password was.
5. Encryption 101
• Encryption is the process of converting plaintext into ciphertext.
• The goal is to make the original text unreadable.
• Three basic methods:
  – symmetric - single key
  – asymmetric - two keys (public and private)
  – hash - one-way algorithm, no key

This section will cover a brief overview of encryption so that you can understand why and how password cracking works. For additional details, there are two additional modules in this training course that cover encryption in depth.

In its most basic form, cryptography is the process of converting plaintext into ciphertext, with the goal of making the original text unreadable. Basically, plaintext is the original, human-readable message and ciphertext is the unreadable message in its encrypted form. Therefore, since the goal for passwords is to make them unreadable, they are stored in encrypted form.

There are three basic types of encryption. Symmetric encryption uses a single key to encrypt and decrypt the message. Symmetric encryption is also known as secret key encryption because a single, secret key is used for encryption and decryption. If two people wanted to communicate, they would both have to have the same key. One person would use the key to encrypt the message, and the other person would use the same key to decrypt it. The security of the scheme relies on the fact that an attacker does not know the secret key.

Asymmetric encryption uses two keys, a public and a private key. Asymmetric encryption is also known as public key cryptography because it uses both a private key and a public key to encrypt and decrypt information. The public key is given to everyone while the private key is only known by the owner. These keys form an "encryption-decryption pair" -- anything encrypted with the public key can be decrypted with the private key, and anything encrypted with the private key can be decrypted with the public key.

Note that symmetric and asymmetric encryption mechanisms provide both for translating text into ciphertext and for recovering the original text from the ciphertext. Hash functions are a little bit different. Hash algorithms are considered "one-way" functions because they perform a one-way transformation of information that is irreversible. Basically, given an input string, the hash function produces a fixed-length encrypted output string, and from the output string there is no way to recover the original input string.
6. What Is Password Cracking?
Discovering a plain text password given an encrypted password.

[Diagram: clear-text guesses for the password and the (unknown) clear-text password each pass through the same encryption algorithm; the encrypted guesses are compared against the (known) encrypted password until a MATCH is found.]

Computers use hashing algorithms to encrypt passwords for storage. This means that someone who recovers a password file cannot use the hashed values to reverse the one-way encryption function and recover the original passwords. But how does the computer then use the encrypted information to authenticate users? The technique is simple. Even though hashing functions cannot be reversed, they always produce the same output given the same input. Thus, the computer stores only the hashed passwords (rather than the original passwords) on disk. When a user attempts to authenticate, the computer applies the hash algorithm to the password the user has supplied for authentication. If the hash of the user-supplied password matches the hash stored on disk, the user is successfully authenticated.

Password cracking is the process of trying to guess or determine someone's plaintext password, given only their encrypted password. The process does not actually "crack" the encryption, but rather mimics the actions that would be taken if a user tried several passwords until they guessed the right one. Each "guess" is hashed and compared to the stored value. When a match is found, the user is authenticated. "Cracking" is the process of using a computer to generate many "guesses" and quickly try them all against the hashed password value until a match is found. The cracking operation is performed "offline", against a recovered password file.

The general method for cracking is the following:
• Find a valid user ID
• Find the encryption algorithm used
• Obtain the encrypted password
• Create a list of possible passwords
• Encrypt each password
• See if there is a match

One tip for speeding up the process is to pre-compute the encrypted versions of all possible clear-text passwords. At that point the entire process reduces to comparing the encrypted password of interest with all values on the pre-computed list. When a matching encrypted value is found, we extract the clear-text password corresponding to the encrypted match to find the answer.
7. Methods of Password Cracking
• Dictionary attack
• Hybrid attack
• Brute force attack

There are three general methods for cracking passwords. The main difference between the alternatives is the speed of performing the crack vs. the complexity of passwords that can be cracked. For example, one method that is extremely quick will only crack passwords with a low complexity, such as passwords that contain only alpha characters. More complex passwords might contain alpha characters, numbers, and special characters, but will take longer to crack.

The fastest method for cracking passwords is a dictionary attack. This is done by testing all the words in a dictionary or word file against the password hashes. When it finds the correct password, it displays the result. There are lots of sites that have downloadable dictionaries you can use. These attacks are quite effective because people tend to choose dictionary words for passwords.

The second method to crack passwords is called a hybrid attack. This attack builds upon the dictionary method by adding numeric and symbol characters to dictionary words. Many users choose passwords such as "bogus11" or "he11o!!" (where the letter L's are replaced by numeric ones). These passwords are just dictionary words slightly modified with additional numbers and symbols. The hybrid attack rapidly computes these passwords. These are the types of passwords that will pass through many password filters and policies, yet still are easily crackable. Several tools have configurable rulesets that allow the attacker to specify the combinations and permutations of dictionary words that should be tried.

The final and most powerful cracking method is the brute force method. This method will always recover the password no matter how complex. It is just a matter of time. Really complex passwords that use characters that are not directly available on the keyboard may take so much time that it is not feasible to crack them on a single machine using today's hardware. But most complex passwords can be cracked in a matter of days. This is usually much shorter than the time most administrators set their password policy expiration time to. Using a real-world cracking tool is the only good way to know what time one should set for password expirations.
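The three methods above, together with the pre-computed lookup from the previous slide, as an added Python example that is not part of the course material. It assumes a plain SHA-256 hash as a stand-in for the system's crypt() (so guesses are unsalted), and the wordlist, rules and "stored" hashes are constructed for the demonstration.

```python
"""Offline password audit in the three styles from the slide (dictionary,
hybrid, brute force) plus a pre-computed lookup table.

Assumption: stored hashes are SHA-256 of the password.  Real Unix crypt()
adds a salt and a slower algorithm, but the audit loop (hash every guess,
compare with the stored value) is the same.
"""
import hashlib
import itertools


def hash_password(password: str) -> str:
    """Stand-in for the system's one-way password hash (assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample: the "stored" file holds only the hashes.
STORED = {
    "tim":   hash_password("password"),   # dictionary word
    "john":  hash_password("bogus11"),    # word + digits (hybrid)
    "lucy":  hash_password("he11o!!"),    # l -> 1 and symbols appended (hybrid)
    "cathy": hash_password("5555"),       # short digit string (brute force)
    "mary":  hash_password("#57adm7#"),   # survives every method below
}

# A tiny constructed dictionary; a real audit would use a large wordlist.
WORDLIST = ["password", "bogus", "hello", "eric", "sue", "secret"]


def dictionary_attack(stored, wordlist):
    """Method 1: try every dictionary word as-is, via a pre-computed table
    so each stored hash costs one lookup instead of one hash per word."""
    table = {hash_password(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def hybrid_candidates(word):
    """Method 2: rule-based variations of a dictionary word.  The rules mirror
    the slide's examples: capitalise, swap a letter for a look-alike digit,
    append one or two digits, append common symbols."""
    variants = {word, word.capitalize(), word.replace("l", "1"),
                word.replace("o", "0"), word.replace("e", "3")}
    for base in variants:
        yield base
        for n in range(100):
            yield f"{base}{n}"          # bogus11
            yield f"{base}{n:02d}"      # bogus01
        for sym in ("!", "!!", "#", "$", "@"):
            yield base + sym            # he11o!!


def hybrid_attack(stored, wordlist):
    wanted = {h: user for user, h in stored.items()}
    found = {}
    for word in wordlist:
        for guess in hybrid_candidates(word):
            h = hash_password(guess)
            if h in wanted:
                found[wanted[h]] = guess
    return found


def brute_force(stored, charset, max_len):
    """Method 3: every string over charset up to max_len.  Always succeeds
    eventually; the only question is how long it takes."""
    wanted = {h: user for user, h in stored.items()}
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            guess = "".join(chars)
            if hash_password(guess) in wanted:
                found[wanted[hash_password(guess)]] = guess
    return found


def keyspace(charset_size, max_len):
    """Number of guesses a full brute force must hash: why complex passwords
    outlast the expiration period that most policies set."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(STORED, WORDLIST))
    print("hybrid:    ", hybrid_attack(STORED, WORDLIST))
    print("brute:     ", brute_force(STORED, "0123456789", 4))
    print("8-char keyspace over 95 printable chars:", keyspace(95, 8))
```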
8. Why Is Password Cracking Useful?
• Auditing strength of passwords
• Recovering a forgotten password
• Recovering an unknown password
• Migrating users
• Checks and balances

There are many reasons for computing users' passwords. First and foremost is for a system administrator to audit the strength of the passwords that their users are using. There are password filters for Unix, but how do you know how well you have chosen a filter? Without testing the passwords generated by users against a real-world password cracker, you are guessing at the time it will take an external attacker or malicious insider to uncover the passwords.

Other uses include recovering a forgotten password, retrieving the password of a user in order to impersonate them, or migrating Windows NT users to another platform such as Unix. Migrating users from one platform to another is included for completeness, but is not recommended. In every case where I saw companies attempt to do this, it never worked and always resulted in a security violation. An example of this would be a company that currently has 2 NT domains and wants to migrate to a single domain. Instead of moving half of the accounts to one domain, giving those users a new temporary password that is the same for all users, and having all users log on and change their password, a company might want to make this process transparent to them. One way to do this is to crack all of the passwords on one domain and then manually enter the new account with the old password for each user on the new system. This way, when the users come in, they can log on with their old password and not even know that their account has been migrated. The negative side is that several people besides the end user now know the user's password. As you can imagine, this could lead to a lot of potential problems.

Some could also argue that cracking users' passwords results in a potential security violation, because once the password is cracked others will know that user's password. As we all know, this is not an issue because everyone trusts security. ☺ (Sorry, there I go with geek humor again.) Since this is a concern, password cracking can be used for checks and balances, where strong passwords are never cracked. For example, if the password policy for a particular company says all passwords must contain alpha characters, numbers, and special characters, then a customized cracking scheme can be developed. We can use our password cracker to crack passwords that contain only alpha characters, or only numbers, or only special characters, or alpha characters and numbers, or alpha characters and special characters, or numbers and special characters. In this case, if the password adheres to the policy, which means it contains alpha characters, numbers, and special characters, then it will not be cracked. Only passwords that do not follow the policy will be cracked and seen by the administrator. Users with cracked passwords would be instructed to change their passwords immediately, and the administrator never sees the new values.
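The checks-and-balances scheme above, as an added example that is not from the course: the audit only generates guesses drawn from character sets that omit at least one required class, so a policy-compliant password can never be produced, let alone seen. SHA-256 stands in for crypt(), and the special-character set and sample accounts are constructed (lowercase letters only, to keep the run short).

```python
"""Policy-aware audit: crack only what violates the policy.

Assumption: stored hashes are SHA-256 of the password (stand-in for the
system's crypt()).  The character classes are deliberately small so the
demonstration finishes in seconds; a real audit would include uppercase,
the full punctuation set and longer candidates.
"""
import hashlib
import itertools
import string

CLASSES = {
    "alpha": string.ascii_lowercase,   # lowercase only for speed (see above)
    "digit": string.digits,
    "special": "!#$%@",                # constructed subset of punctuation
}


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def is_compliant(password: str) -> bool:
    """Policy from the slide: at least one character from every class."""
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def noncompliant_charsets():
    """Every proper, non-empty subset of the classes.  A string built only
    from such a subset lacks at least one class, so it cannot be compliant."""
    names = list(CLASSES)
    for r in range(1, len(names)):
        for subset in itertools.combinations(names, r):
            yield subset, "".join(CLASSES[n] for n in subset)


def policy_audit(stored, max_len=3):
    """Return {user: (password, missing_classes)} for policy violators only.
    Compliant passwords are never generated, so they are never revealed."""
    wanted = {h: user for user, h in stored.items()}
    violators = {}
    for subset, charset in noncompliant_charsets():
        missing = sorted(set(CLASSES) - set(subset))
        for length in range(1, max_len + 1):
            for chars in itertools.product(charset, repeat=length):
                guess = "".join(chars)
                user = wanted.get(hash_password(guess))
                if user is not None and user not in violators:
                    assert not is_compliant(guess)   # holds by construction
                    violators[user] = (guess, missing)
    return violators


# Constructed sample password file (hashes only, as on disk).
STORED = {
    "sue":  hash_password("sue"),    # alpha only
    "lucy": hash_password("123"),    # digits only
    "eric": hash_password("a1b"),    # alpha + digit, no special
    "mary": hash_password("#5a"),    # compliant: never generated, never seen
}

if __name__ == "__main__":
    for user, (pw, missing) in policy_audit(STORED).items():
        print(f"{user}: weak password {pw!r}, missing {missing}")
```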
9. Unix Password Cracking - Crack
• Name: Crack
• Operating System: Unix
• Brief Description: Crack is a "password guessing" program that is designed to quickly identify accounts having weak passwords given a Unix password file.

Crack is a freely available program designed to break Unix encrypted passwords by standard guessing techniques. Crack was originally developed for passwords encrypted using the DES-based crypt() function that is typically included in the Unix standard C libraries. Over time, Crack evolved to support crypt() versions that use non-DES hash algorithms (such as MD5), and to use alternate DES implementations on OS installations where the crypt() function is not available. The Crack program is written to be flexible, configurable and fast, and can make use of several networked hosts via the Berkeley rsh program (or similar), where possible.

Note: According to Crack's author Alec Muffett, of all the possible encryption implementations that Crack can use, the program usually runs fastest with Eric Young's "libdes". This fact will become more interesting when we discuss John the Ripper.

Note: Each of the password cracking programs we will discuss operates by checking the users' passwords against "guessable" values. The method is illustrated in the previous slide. The program works by encrypting a list of likely passwords and seeing if the result matches any of the encrypted passwords contained in the password file. The tools are surprisingly effective and easy to use.
10. Crack
• Available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack
• Features
  – Configurable password cracking
  – Modular approach with various scripts
  – Combining and extracting password files
  – Works with any crypt() implementation

Crack's main function is to crack passwords on a Unix machine. There are some versions that have been ported to other operating systems, but the original program works only on Unix. Crack also has a modular approach, where Crack itself is used only to crack user passwords. But what makes Crack so useful is that it comes with various other scripts. For example, one script is used to view the results of running Crack. Another script is used to combine password files. This is very useful because it makes Crack very flexible and adaptable for use in various environments.

One of the distinguishing strengths of Crack is the huge number of rules (over 2000) it uses to create permutations of password guesses. Each time Crack is run it uses supplementary information from the password file's comment fields to create a new wordlist (in addition to using the standard dictionaries and permutations thereof). Often users will put information about themselves, such as their full name, in the comment field and then use some permutation of this information as their password. Crack takes advantage of the comment information to create a list of password guesses specifically tailored for each user.
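Guessing from the comment (gecos) field as described above, as an added example that is not Crack's own code. The rule set is a small illustrative subset of what Crack does, the passwd entries and names are constructed, and SHA-256 stands in for crypt().

```python
"""Per-user guesses derived from the passwd comment field.

Assumption: stored hashes are SHA-256 of the password (stand-in for the
system's crypt()).  The gecos field conventionally holds the full name,
optionally followed by comma-separated room and phone entries.
"""
import hashlib


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def gecos_guesses(login: str, gecos: str):
    """Yield candidate passwords built from the login name and the full name:
    each name part, the joined name, the initials, and for each of those
    the lowercase, capitalised and reversed forms plus a digit suffix."""
    full_name = gecos.split(",")[0]              # drop room/phone sub-fields
    parts = [p for p in full_name.split() if p]
    words = {login, *parts}
    if parts:
        words.add("".join(parts))                # e.g. PatSmith
        words.add("".join(p[0] for p in parts))  # e.g. PS
    seen = set()
    for w in sorted(words):
        for v in (w, w.lower(), w.capitalize(), w[::-1], w + "1", w + "123"):
            if v and v not in seen:
                seen.add(v)
                yield v


def audit_passwd(passwd_lines, stored_hashes):
    """Check each user's stored hash against guesses from their own entry."""
    cracked = {}
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) < 7:                      # not a passwd-format line
            continue
        login, gecos = fields[0], fields[4]
        target = stored_hashes.get(login)
        for guess in gecos_guesses(login, gecos):
            if hash_password(guess) == target:
                cracked[login] = guess
                break
    return cracked


# Constructed sample passwd entries; the hashes live in a separate shadow file.
PASSWD = [
    "eric:x:1001:100:Eric Example,Room 12,555-0100:/home/eric:/bin/sh",
    "mary:x:1002:100:Mary Jones:/home/mary:/bin/sh",
    "pat:x:1003:100:Pat Smith:/home/pat:/bin/sh",
    "tom:x:1004:100:Tom Brown:/home/tom:/bin/sh",
]
STORED = {
    "eric": hash_password("eric"),       # password equals login
    "mary": hash_password("senoJ"),      # surname reversed
    "pat":  hash_password("Smith1"),     # surname plus a digit
    "tom":  hash_password("#57adm7#"),   # unrelated to the gecos field
}

if __name__ == "__main__":
    print(audit_passwd(PASSWD, STORED))
```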
11. Crack Requirements
• Requirements
  – Unix-like operating system
  – C compiler
  – Moderate amount of disk space
  – Lots of CPU time
  – PERMISSION FROM SYSADMIN
  – Root privileges, quite possibly
  – "gzip" is extremely desirable

In order to run Crack, you need to be running a Unix operating system and using an encryption algorithm that Crack supports. The traditional Unix standard is DES encryption, and this is what Crack is best at handling. However, in recent years several operating systems have moved to alternate encryption algorithms such as MD5 or Blowfish. Primary reasons for the change include avoiding problems with US export restrictions concerning encryption products, allowing for passwords longer than the 8 characters permitted by DES, and foiling cracking programs by forcing them to spend more effort on each encryption performed (MD5 and Blowfish are stronger algorithms than DES).

You can discover what encryption type your system is using by examining the encrypted password values found in the password or shadow file. MD5 encrypted passwords are significantly longer than their DES-encrypted cousins and always begin with a "$1". Similarly, Blowfish encrypted passwords always begin with a "$2". If your system uses one of these alternate algorithms you would be better off using "John the Ripper" (discussed later). Some background information can be found at these URLs:
http://www.linux.com/howto/User-Authentication-HOWTO/x57.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/crypt.html
http://www.usenix.org/events/usenix99/provos/provos.html/node10.html

Crack is not compiled when you download it, so you must have a C compiler running on your system. It is recommended that you use GNU C or gcc, since this has been tested with Crack already and it will make it much easier to compile. Crack is "self-compiling" and builds the components it needs when executed.

Crack is fairly large and computationally intensive, just by nature of what the program does. So before you install and run Crack, make sure you have enough resources to compile and run it. If other people are using the Unix machine, please check with them prior to running Crack because it could cause some issues if they are running critical applications. If you do not own the machine, always make sure you check with the appropriate people prior to running it. Also, depending on how your system is configured, you might need root access to configure Crack, run it, and obtain the encrypted passwords. Since Crack is compressed, make sure you have gzip on your system so that you can uncompress the Crack source code.
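Identifying the hash algorithm from the encrypted field, as the notes above describe, in an added Python example that is not part of the course. The shadow lines are constructed and their hash strings are placeholders, not real hashes; the DES rule (13 characters from the crypt() alphabet, no "$" prefix) and the "$1"/"$2" prefixes are the ones the notes give.

```python
"""Inventory the password hash algorithm in use for every account in a
shadow-format file, so the administrator knows which accounts Crack can
audit directly and which need John the Ripper.
"""
import re

# Traditional DES crypt(): 2-char salt + 11-char hash, all from this alphabet.
DES_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


def classify_hash(field: str) -> str:
    """Map one encrypted-password field to an algorithm label."""
    if field == "":
        return "empty (no password)"
    if field.startswith(("!", "*")):          # locked or disabled account
        return "locked/disabled"
    if field.startswith("$1$"):
        return "md5-crypt"
    if field.startswith("$2"):
        return "blowfish-crypt"
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"


def audit_shadow(lines):
    """Return {login: label} for every entry in a shadow-format file."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        report[fields[0]] = classify_hash(fields[1])
    return report


def needs_attention(report):
    """Accounts an administrator should look at first: DES hashes (8-char
    limit, fast to crack) and accounts with no password at all."""
    return sorted(u for u, label in report.items()
                  if label in ("des-crypt", "empty (no password)"))


# Constructed sample; every hash value below is a made-up placeholder.
SAMPLE_SHADOW = """\
# login:encrypted-password:lastchange:min:max:warn:inactive:expire:
eric:abJnggxhB/yWI:11180:0:99999:7:::
pat::11180:0:99999:7:::
mary:$1$saltsalt$PLACEHOLDERmd5hashvalue00:11180:0:99999:7:::
tom:$2a$06$PLACEHOLDERbcryptsaltPLACEHOLDERbcrypthashvalue00000:11180:0:99999:7:::
daemon:*:11180:0:99999:7:::
sue:!abJnggxhB/yWI:11180:0:99999:7:::
"""

if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW.splitlines())
    for user, label in report.items():
        print(f"{user:8} {label}")
    print("look at first:", needs_attention(report))
```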
12. Configuring Crack
• Download Crack file
• Unzip the file using gzip
  – gunzip -r crack5.0.tar.Z
• Untar the file
  – tar -xvf crack5.0.tar
• Read manual.txt
• Edit the script file
• Compile program
  – crack -makeonly
  – crack -makedict

Once you download Crack, there are several steps that must be performed prior to running it. This is because you do not download an executable like you do with Windows; you download the source files, which need to be compiled and configured in order to run the program.

After you successfully download Crack, unzip and untar the file crack5.0.tar.gz with the command tar -xzvf crack5.0.tar.gz. A directory called c50a is generated with subdirectories holding configuration files, documents, scripts, source code, etc. Text files like Makefile, Reporter, and Crack are also generated. A manual.txt file is there too (which is the same as the README file).

Next, READ the manual.txt file. This is just to give you an overview and more detailed information on how to use the program. These slides will give you enough information to get Crack up and running on supported systems.

Then, edit the Crack script file and reconfigure the values of CRACK_PATH, C5FLAGS, CC, CFLAGS, and LIBS to suit the operating system. If you are running a supported operating system like Solaris, you do not need to make any changes to the script files. You would only need to do that if you are running it on a version of Unix that has not been tested or are using a different encryption algorithm. It is recommended that you look at these files, but you could also just try compiling with the standard scripts to see what happens.

Finally, issue the commands Crack -makeonly and then Crack -makedict. After these two steps, a binary executable Crack file is generated. You should view the output of these commands to make sure no errors were generated. If errors were generated, you will have to go back and configure the Crack script files for your specific environment. If no errors are generated, you are ready to start using Crack.
13. Running Crack
• Run Crack with a password file
  – Crack [options] [-fmt format] [file ...]
  – Crack myfile
• Pipe output to a file
  – Crack myfile > output
• Run Reporter script to see results
  – ./Reporter [-quiet] [-html]

To run Crack, run the Crack file using any password file that you have. The simplest syntax of Crack is Crack followed by the path and name of the passwd file. If you want to run it against the password file on your current machine and the system is not using shadow password files, just type Crack /etc/passwd. (If you know your system uses shadow password files, or are not sure if it does, consult slides 22 and 23 for help.)

While the Crack program is running, it keeps displaying messages on the screen indicating the status of the program. This information can be captured by redirecting the output of Crack to a file, say > output. In order to make sure Crack is running properly, create an account "eric" with a password of "eric" to make sure Crack catches it.

There is a switch in Crack, -mail, which will email a warning message to anyone whose password is cracked. Sending mail to a cracked user actually may not be a good idea, because if the user keeps their mailbox readable by everyone (accidentally), everyone will know he/she has a weak password and his/her account may be hacked in!

It is also interesting to note that under the c50a directory, there is a directory called dict. This is a dictionary directory that stores common passwords in files ending with .dwg extensions. These passwords are arranged in categories like sports, cis, etc. You can view and even modify these files with an editor. If you are going to edit these files, be extremely careful, because you could cause Crack to stop working since these are the files it uses to crack passwords.

To check the results of the Crack program, run the Reporter script. This script outputs the results of which passwords were cracked. This can also be piped to a file. Unlike earlier versions, Crack no longer generates human-readable output directly; instead, to see the results of a Crack run, the user should do:

./Reporter [-quiet] [-html]

Guesses are listed chronologically, so users who wish to see incremental changes in the output as Crack continues to run over a course of days or weeks are encouraged to wrap invocations of "Reporter" in a script with "diff". The -quiet option suppresses the reporting of errors in the password file (corrupt entries, etc.), while -html produces output in a fairly basic HTML-readable format.
14. Crack Options
• -debug
• -network
• -recover
• -nice N
• -fgnd
• -makeonly
• -fmt format
• -makedict
• -from N
• -kill filename
• -keep
• -remote
• -mail

The following are the options available with Crack and a brief explanation of each. Crack automatically decides what encryption algorithm to use by searching the host file system for shared libraries and using whatever can be found.

-debug: Lets you see what the Crack script is doing.
-recover: Used when restarting an abnormally-terminated run; suppresses the rebuild of the gecos-derived dictionaries. (Editor's note: The password field that contains the user's full name is sometimes called the 'gecos' field because the early Unix machines at Bell Labs used this field to store information needed to submit batch jobs to a mainframe running the GECOS operating system. 'Gecos-derived dictionaries' are dictionaries of possible passwords generated based on the user's full name, or variations on the user's full name. - JK)
-fgnd: Runs the password cracker in the foreground, with stdin, stdout, and stderr attached to the usual places.
-fmt format: Specifies the input file format.
-from N: Starts password cracking from rule number "N."
-keep: Prevents deletion of the temporary file used to store the password cracker's input.
-mail: Emails a warning message to anyone whose password is cracked. See "scripts/nastygram."
-network: Runs the password cracker in "network" mode.
-nice N: Runs the password cracker at a reduced priority, so that other jobs can take priority over the CPU.
-makeonly and -makedict: Used for building Crack binaries and dictionaries.
-kill filename and -remote: Internal options used to support networking.
15. Original Passwords
• User Eric password eric
• User John password john1234
• User Mike password 5369421
• User Mary password #57adm7#
• User Sue password sue
• User Lucy password 12345
• User Pat no password
• User Tim password password
• User Cathy password 55555
• User Frank password abcde
• User Tom password mnopqr
• User Karen password bbbbbbbb

To show you how effective Crack is at cracking passwords, this is a sample password file that was used and the corresponding passwords.
16. Results From Crack
Output From Reporter:

    ---- passwords cracked as of Tue Aug 17 10:41:00 EDT 1999 ---
    0:Guessed pat [] [npasswd /bin/sh]
    934899050:Guessed eric [eric] [npasswd /bin/sh]
    934899050:Guessed lucy [12345] [npasswd /bin/sh]
    934899050:Guessed sue [sue] [npasswd /bin/sh]
    934899259:Guessed tim [password] [npasswd /bin/sh]
    934899274:Guessed frank [abcde] [npasswd /bin/sh]
    934899304:Guessed karen [bbbbbbbb] [npasswd /bin/sh]
    934899342:Guessed cathy [55555] [npasswd /bin/sh]
    -----done--------

Basically, by typing ./Reporter, the above results are displayed to the user to show which passwords were cracked.
17. Effectiveness of Crack
• User Eric password eric - CRACKED
• User John password john1234
• User Mike password 5369421
• User Mary password #57adm7#
• User Sue password sue - CRACKED
• User Lucy password 12345 - CRACKED
• User Pat no password - CRACKED
• User Tim password password - CRACKED
• User Cathy password 55555 - CRACKED
• User Frank password abcde - CRACKED
• User Tom password mnopqr
• User Karen password bbbbbbbb - CRACKED

As you can see, Crack guessed eight of the passwords. All of the passwords that were guessed were either simple words, repetitive characters, or a string of consecutive characters or numbers. What is interesting is that abcde was cracked but mnopqr was not. Both are strings, but one started at the beginning of the alphabet and the other started in the middle. Also, john1234 was not cracked, which is a simple combination of two strings. This is not a negative aspect of Crack, but it is just important to understand the limitations of a program whenever you use it. So, just because Crack didn't guess a password does not mean that an attacker might not.

Also, it is important to note that these results are based on the standard configuration of Crack. Crack can be configured to guess additional passwords. One key aspect of password crackers that use dictionary attacks is how good a dictionary they use. There are several sites on the internet that contain dictionaries, and you can also create your own. Depending on where your company is located, there are also dictionaries that contain foreign words.
18. How To Protect Against It
• Enforce a strong password policy
• Use shadow passwords
• Use one-time passwords
• Use passwd to enforce strong passwords

There is no single way to protect your site from someone guessing your passwords, but there are steps you can take to minimize the chances. The key to protecting passwords is choosing strong ones: a strong password is very difficult to crack. By using shadow password files, you can also restrict access to the encrypted passwords themselves. One-time passwords are effective because the value changes each time the user logs in, so a captured or guessed value is of no further use. Finally, the Unix passwd program performs basic checks when a user changes a password to make sure the new value is not easy to guess.
19. Enforce a Strong Password Policy
• Mandatory for all accounts
– Passwords change every 60 days
– Accounts locked after 3 failed attempts
– All passwords must contain one alpha, one number, and one special character
– Can’t re-use previous 5 passwords

A password policy is critical for a secure system. A few general guidelines are given in the slide above. Additional suggestions for users, taken from the "passwd" man page, are below and on the next notes page.

Protect your password:
Don't write your password down anywhere or place it in an unencrypted file. Memorize it.
Use unrelated passwords for systems controlled by different organizations.
Don't give or share your password, in particular to someone claiming to be from computer support or a vendor.
Don't let anyone watch you enter your password.
Don't enter your password on a computer you don't trust.
Use the password for a limited time and change it periodically.

Choose a hard to guess password (the "don'ts"):
Don't use something you'd find in a dictionary (in any language or jargon).
Don't use a name (including that of a spouse, parent, child, pet, fantasy character, famous person, or location).
Don't use any variation of your personal or account name.
Don't use accessible information about you (such as phone number, license plate, or Social Security number) or your environment.
Don't use a birthday.
Don't use a simple pattern (such as a word backwards, followed by a digit, or preceded by a digit).
20. Enforce a Strong Password Policy (continued)
• Password should not contain:
– birthdays, names, sports teams, etc.
• Tips for picking good passwords
– pick a phrase and use the first letter of each word
– example - When I stub my toe I say !@#$% 5 times
– password - WIsmtIs!@#$%5t

Choose a hard to guess password (the "do's"):
Use a mixture of upper and lower case letters as well as digits or punctuation.
When choosing a new password, make sure that it is unrelated to any previous password.
Use long passwords (e.g. at least 8 characters long).
Examples: a word pair with punctuation inserted, a passphrase (an understandable sequence of words), or the first letter of each word in a passphrase.

To prevent easily guessable passwords, a password should never contain birthdays, names, sports teams, or special interests. Anything that can be seen while sitting at your desk should also never be used as a password, because attackers can easily target an individual. Anything that stands out as a potential password should never be used, because it is too easy for someone to guess. What I suggest is that instead of picking words as passwords, users should be trained to pick a phrase. If I told you that your new password was WIsmtIs!@#$%5t, you would probably think I was crazy. Your response might be, “How in the world am I going to remember that password?” On the other hand, if I told you to remember the phrase, “When I stub my toe I say !@#$% 5 times,” you would probably agree that it is fairly reasonable. The main emphasis of a password policy should not only be to tell users what is expected of them, but to help them generate strong passwords that are fairly easy to remember.
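As an added example (not course material or Crack's own code), the policy rules from slides 19 and 20 and the passphrase technique, run against the sample passwords from slide 17. The word list is a constructed stand-in for Crack's dictionary, and the function names are my own; the check shows how a policy can reject passwords such as mnopqr and john1234 that Crack's default configuration did not guess.

```python
import re
import string

# Constructed stand-in for Crack's dictionary (assumption: a real deployment
# would load a full word list such as the one Crack ships with).
WORDLIST = {"eric", "john", "sue", "lucy", "password", "tim", "pat", "cathy", "frank", "karen"}

def is_sequence(pw):
    """True for runs like 'abcde', 'mnopqr' or '12345' (each char = previous + 1)."""
    return len(pw) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))

def dictionary_root(pw):
    """Strip the trivial variations the passwd man page warns about (case,
    leading/trailing digits, reversal); test what remains against WORDLIST."""
    core = re.sub(r"^\d+|\d+$", "", pw.lower())
    return core in WORDLIST or core[::-1] in WORDLIST

def check_password(pw, history=()):
    """Return the slide 19/20 policy rules the password breaks ([] = passes).
    History is compared in cleartext for illustration; a real system would
    compare against the stored hashes of the previous passwords."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if len(set(pw)) <= 1:
        problems.append("empty or a single repeated character")
    elif is_sequence(pw):
        problems.append("sequential run of characters")
    if dictionary_root(pw):
        problems.append("dictionary word with trivial variation")
    if pw in list(history)[-5:]:
        problems.append("reuses one of the previous 5 passwords")
    return problems

def passphrase_password(phrase):
    """Slide 20 technique: first character of each word, keeping an all-punctuation
    token such as !@#$% whole so the result matches the slide's WIsmtIs!@#$%5t."""
    return "".join(w[0] if any(c.isalnum() for c in w) else w for w in phrase.split())

if __name__ == "__main__":  # slide 17's sample passwords plus the slide 20 one
    for pw in ["eric", "john1234", "5369421", "#57adm7#", "sue", "12345", "",
               "password", "55555", "abcde", "mnopqr", "bbbbbbbb",
               passphrase_password("When I stub my toe I say !@#$% 5 times")]:
        print(repr(pw), "->", check_password(pw) or "OK")
```

Only #57adm7# and the passphrase-derived password pass every rule; the checker flags mnopqr and john1234, which Crack left alone, because it tests structure rather than relying on a dictionary hit.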