Testing Password Quality
Aco Dmitrović, Srce - University Computing Centre, Croatia
Abstract:
Vulnerabilities and exposures in most IT systems are due to poor system management: patches not installed, a weak password policy, poor access control, and so on.
A password policy, as part of the organizational Security Policy, should define the minimal standards to be followed when creating passwords. But how can we define those parameters? Is there such a thing as a safe password length? How long can we use a password before an attacker discovers it? In our project "Distributed password cracking with Condor and John the Ripper", we used a computer cluster to crack passwords using different methods. I believe that the results of the project can help us to determine the minimal length and the period after which a randomly created password should be replaced. They will be explained in a separate presentation.
In this workshop we intend to show methods that security professionals can use to check the quality of passwords. Testing user passwords is part of a network security assessment, which the organizational security team should perform regularly to find weaknesses before attackers can exploit them. However, no such operation should be carried out unless the legal, ethical and organizational prerequisites are met. Every Security Policy must authorise a chosen individual or group to perform such security checks, and management must approve each action. Ethical considerations are harder to define precisely. If warned in advance, users can temporarily change their weak passwords. Uninformed users, on the other hand, will feel hurt, and it will look as if you were doing something behind their back, as if you did not trust them. You can unintentionally create a culture of distrust and resentment.
A number of password cracking tools and methods will be demonstrated in the practical part of our workshop. These are the very tools regularly used by hackers. Security professionals can use them as part of security checks to discover weak points in their systems: they let us track down users with substandard passwords, which allow attackers easy access to computer systems.
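The policy parameters the abstract asks about (minimal length, character mix, and the keyspace an attacker has to search) and the check for users with substandard passwords can be made concrete in code. The following Python is an added example, not code from the workshop or its author. The policy thresholds, the guess rate of one billion guesses per second, the substitution table and the short word list are all assumptions chosen for illustration; in a real assessment the word list would be the cracking wordlist actually used and the input would be the passwords recovered under an authorised run.

```python
"""Check candidate passwords against a minimal password policy and estimate
how long an exhaustive search of their keyspace would take.

Added example: not code from the workshop or its author. The policy limits,
the guess rate and the word list are assumptions chosen for illustration.
"""
import math
import string
from dataclasses import dataclass, field

# Character classes and the alphabet size each contributes to a brute-force keyspace.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

# Constructed stand-in for a real cracking wordlist (lower-case base words only).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "zagreb", "admin", "monkey"}

# Assumed attacker guess rate in guesses per second; a hypothetical figure, not a measurement.
ASSUMED_GUESS_RATE = 1e9

# Common letter-for-symbol substitutions undone before the dictionary lookup.
LEET_TABLE = str.maketrans("0134$@!", "oleasai")


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)
    n_classes: int = 0
    keyspace_bits: float = 0.0
    days_to_exhaust: float = 0.0


def classes_used(pw):
    """Return the names of the character classes present in pw."""
    return [name for name, (chars, _) in CLASSES.items() if any(c in chars for c in pw)]


def keyspace_bits(pw):
    """log2 of the brute-force keyspace for a password of this length and class mix."""
    size = sum(CLASSES[name][1] for name in classes_used(pw))
    return len(pw) * math.log2(size) if size else 0.0


def days_to_exhaust(bits, rate=ASSUMED_GUESS_RATE):
    """Days needed to try every candidate at the assumed rate (an upper bound on guessing time)."""
    return 2 ** bits / rate / 86400


def base_word(pw):
    """Strip trailing digits/symbols and undo substitutions to recover the dictionary base word."""
    return pw.rstrip(string.digits + string.punctuation).lower().translate(LEET_TABLE)


def check_password(pw, min_length=10, min_classes=3, min_bits=50):
    """Evaluate pw against the (assumed) policy; returns a PolicyResult listing every failed rule."""
    reasons = []
    used = classes_used(pw)
    bits = keyspace_bits(pw)
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(used) < min_classes:
        reasons.append(f"uses {len(used)} character class(es), policy requires {min_classes}")
    if base_word(pw) in COMMON_WORDS:
        reasons.append("dictionary word with predictable decoration")
    if bits < min_bits:
        reasons.append(f"keyspace of {bits:.1f} bits is below {min_bits}")
    return PolicyResult(not reasons, reasons, len(used), bits, days_to_exhaust(bits))


def weak_accounts(cracked):
    """Map each account whose recovered password fails the policy to the reasons it failed.

    cracked: iterable of (username, recovered_password) pairs, e.g. the output of a
    cracking run performed under an authorised assessment.
    """
    results = {user: check_password(pw) for user, pw in cracked}
    return {user: r.reasons for user, r in results.items() if not r.ok}


if __name__ == "__main__":
    # Constructed sample of recovered credentials for a fictional assessment.
    sample = [("alice", "P@ssw0rd1"), ("bob", "zagreb2024"), ("carol", "Tr0ub4dor&3")]
    for user, reasons in weak_accounts(sample).items():
        print(user, "->", "; ".join(reasons))
```

The keyspace figure is deliberately an upper bound: it assumes the attacker has to try every string of the same length and class mix, whereas wordlist and rule-based attacks find decorated dictionary words far sooner. That is why the dictionary check is a separate rule and rejects a password regardless of its nominal bit count.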
When properly educated, your users will better understand the job and responsibilities of a Security Officer. You should show them how easy it is to guess or crack a simple password. They will be more willing to cooperate after you have demonstrated, using the hacking tools and methods, how the system can be compromised and explained what damage can be done once an attacker has normal user access.
This workshop is primarily designed for system administrators and security officers. However, it can also help decision makers and managers of IT systems gain a better understanding of the importance of preventive actions, which include a good Security Policy, periodic security assessment and penetration testing.
Biography
Aco Dmitrović graduated in philosophy from Zagreb University. Since then he has worked as a journalist, photographer, high school teacher and lecturer at the Open University. Since 1991 he has worked in IT as a database application programmer, network administrator and Unix system administrator. He is currently in charge of IT security at the University Computing Centre, Zagreb. He is the author of two books, on Visual Basic and on the Linux operating system, and occasionally writes articles for Croatian computer magazines. He is a promoter of Open Source software and editor of the Croatian web portal for system engineers, http://sitemac.carnet.hr.