In this video, Lisa Bock explore various ways administrators can help protect their users and systems from password attacks. She will explore three key techniques, salting passwords, user education, and hardening systems. Lisa will also discuss some common sense policies you can apply to your group policy and password storage rules.
- [Voiceover] There are a number of attacks against passwords. However, protecting against a password attack includes a few key guidelines. Salting, user education, common sense, and hardening your systems. Now salting the password with a random string will protect against a rainbow table attack. A rainbow table works because every hashed password will return the same hash. Take a look at this, in this we see an unsalted hash.
So we have two users, Rae and Matt. They both use the same password Marley. As you can see the resultant hash, the two are exactly the same. However if we add salt to the hash, we can see that both hashes are now different. The same password, but they have a different hash value. The salt is stored in the database, along with the hash or as part of the hash string. User education is always very important. We want to tell our users to protect their passwords.
One of the things, and it goes without saying, we want to include length and complexity and this is going to make your password stronger. Users should never disclose their password, not even to their network administrator. And common sense, we have to think about things that we can do that are common sense but shouldn't be overlooked. First of all, make sure that no one has physical access to a server. When I have physical access to something, I can do a lot of damage. Only the administrator should have access to the password files.
Once those passwords are stored in a hash value, use encryption on those password files. And discourage shoulder surfing. Of course, when you put in your password, it has a mask with the asterisks. You can't really see it, however, if someone is looking at you as you're entering that password on a keyboard, they can memorize the password. So if someone's standing over your shoulder, ask them to step back. And hardening systems. Now we can do a lot as far as the administrator, meaning I can utilize the password policies in the Group Policy object.
Let's take a look. I'm in server 2008, and I want to show you that in administrator level, we can enforce certain guidelines to make sure users have a strong password. We change it up every once in a while, and it meets complexity rules. If we take a look over here in the local security policy, we can see a lot of things that I can set. Enforce password history. This tells us like key passwords, maybe the last three and apply.
Maximum password age, password, well at this point, will not expire, but it will expire in possibly say 60 days. Minimum password age, and we can say that the password can be changed immediately, and that's a good thing, but you can see here this determines that a password can be used before the user can change it. I'll just keep that at zero. Minimum password length, and I would at least set it at eight characters, and we'll say okay.
And this one is really nice because this can enforce complexity. Password must meet complexity requirements. I'll go to the tab that says explain, and here it tells us a lot about what it's requiring. It can't contain the user's account name or part of the user's full name, that exceed two consecutive characters, be at least six characters in length, contain characters that are uppercase, lowercase, numeric and special characters. So we can see that within the local security policy, we can enforce that complexity to ensure that passwords are complex.
And the last thing is to store passwords using reversible encryption. If we do enable this, this is going to encrypt those hashed password values to layer another layer of protection on the passwords. So you can see that there are a lot of methods that we can use to defend against password attacks.
These tutorials, along with the other courses featured in the Ethical Hacking series, will prepare students to pass the Certified Ethical Hacker exam and start a career in this in-demand field. Find out more about the exam at https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.
- Acquiring passwords
- Generating rainbow tables
- Understanding where passwords are stored
- Defending against privilege escalation
- Understanding spyware
- Protecting against keylogging
- Detecting steganography
- How hackers cover their tracks