Type 1 Authentication: Something you know
- Static Passwords – reusable password that may or may not expire. User generated and work best with when combined with other authentication type such as smart card or biometric
- Passphrase – Comprised of words in a phrase or sentence. Passphrase have less randomness but make up with length. It maybe stolen or reused.
- One-time passwords – maybe used for single authentication. Very secure but hard to manage. It is impossible to reuse and valid for one time
- Dynamic passwords – Change at regular interval like RSA tokens that change every 60 seconds. Often combined with a user PIN. The drawback is the expense of the tokens themselves
- Strong Authentication – multi factor – requires the user to present more than one authentication such as using a ATM card. The user must present both the card and a PIN
- Password Guessing – Online technique that involves attempting to authenticate a particular user to the system
- Clipping levels – are used to differentiate between malicious attacks and normal users accidentally mistyping their password – Ex. Set audit system only alerts if failed authentication occurs more frequently than five times in an hour.
- Account lockouts – Used to prevent password guessing attacks. Can be set to manual remediate or auto set a automatic reset time
Password hashes and Password cracking
Clear text passwords are not stored with an IT system, only the hashed outputs are stored.
- Hashing – one way encryption using an algorithm with no key.
- Password cracking – offline hashes are run against various possible passwords in hope to derive the password
Unix/Linux System is stored in the /etc/shadow (readable by root only)
Windows – SAM (Security account management) and Domain Controller. The SAM file can not accessed while the system is running but memory dumps can obtain the hashes from memory.
Law enforcements can perform a hash on a hard drive to prove it’s integrity.
Uses a predefined word list to see if the hashes match the ones used by the user. To counter, organizations require users to create passwords that have a special character, number, capital letter and length.
Brute force and Hybrid Attacks
- Brute force attack – The attacker calculates the hash output for every possible password. Takes more time but more effective. Modern CPU and GPUs have the capability to speed up this process many times
- Rainbow tables – Acts as a database with pre-computed based output for most or all possible passwords. Not always complete, and more complex relying on time/memory tradeoff to represent and recover passwords and hashes
- Hybrid attack – Appends, prepends or changes characters in words from a dictionary. Ex. changes o with 0. Targets of hybrids attacks can have complex passwords cracked if their passwords resemble any type of standard 8-15 character word with just a few changes in text with special chracters
Allows one password to hash multiple ways by adding a salt (a form of randomness) with a password. This is more secure and renders rainbow tables less effective. Linux/Unix systems uses 16bit salts requiring 65536 separate sets of rainbow tables for the same password for an attacker to crack at.
Windows password management is straight forward to implement through a DC. The US department minimum password security controls:
- Password History – 24 passwords
- Maximum password age – 90 days
- Minimum password age – 2 days (so that users don’t cycle through 24 passwords to return to their favourite)
- Minimum password length – 8
- Passwords must meet complexity requirements = true
- Store password using reversible encryption = false
The challenge is often users write down passwords and store the within wallets address books, cell phones and stick notes on their monitors.
One problem is complex passwords are harder to remember, which can lead to other security issues. Users who write passwords down and leave them in an insecure place can undermine the entire security posture of a system.
Type 2 Authentication: Something you have
Synchronous Dynamic Token
- Time based – A token that generates a dynamic code every 60 seconds Ex. RSA, can be hardware or software
- Counter based – The authentication server expects token code 1 and the users token displays the same code 1, once used the token displayed the second code and the server also expects the token code 2
Both cases users typically authenticate by typing their username, their PIN and the dynamic token code – Strong authentication.
Asynchronous Dynamic Token
Asynchronous dynamic tokens are not synchronized with a central server. The most common is a challenge-response tokens
- User enters username
- System sends challenge to user
- User enters PIN and challenge; token generates response, which is sent to the server
This is an example of strong authentication.