Wednesday, April 3, 2019

Password Management System Advantages and Disadvantages

Project Aim

Password management is an important aspect of computer security: it is the first line of protection for user terminals and it is by far the most common user authentication method within the largest multinational organizations. A poorly chosen password will increase the probability for an information system to be compromised. As such, all organization employees are responsible for taking the appropriate steps to select good password protection policies. Does that happen in reality? No; that is why software password generators are used to handle password management problems and enforce the password management policies requested by the organization in order to comply with national standards, and to avoid the problems of selecting strong passwords. So the aim of this project is to analyze and test a standard password generator system and propose a technique for helping people to remember strong passwords easily.

Project Objectives

According to the above statements, the objectives that must be undertaken and thoroughly researched in this Bachelor project report are the following:
Identify the importance of passwords as it concerns the advantages and disadvantages of their daily use in home and corporate environments.
Identify the weaknesses raised by these poorly chosen passwords and show the modern attacking techniques against these passwords.
Besides, propose possible countermeasures to address and eliminate these attacks.
Examine the characteristics of an effective password policy which can be applied in a corporate environment in order to establish and manage the appropriate defenses to eliminate the risk posed by insecure password systems.
Conduct a critical analysis of different techniques used to help users remember strong passwords easily.
Propose a mnemonic system which is based on users' favorite passphrases.
Analyze the basic principles of the Password Mnemonic System (PA.ME.SYS) and the processes that it enforces in order to produce safe passwords.
Test this password generator system (PA.ME.SYS) for the strength of all passwords it generates.

In order to achieve the above objectives of this project a series of logical steps were taken.

In order to achieve the first and second objective of this project, a survey was conducted on the Internet, in books and in the Web application design 1 and Web application design 2 lecture notes. This survey was concerned with the importance of passwords in an organization's security framework, the reasons they are widely used in today's businesses and the catastrophic results posed by the exposure of insecure passwords to unauthorized people. Another survey in books and on the Internet was necessary to identify the weaknesses raised by these poorly chosen passwords, the attacks which are mounted by modern attackers to gain unauthorized access to users' passwords and the possible defense tools used to address and eliminate such attacks.

For the third objective of this report, a survey was conducted on the Internet and in books.
The aim of this survey was to find and understand different password policies which can be applied in an organization's global security policy to establish and manage the defenses used to eliminate the risk posed by insecure passwords. University password policies were studied for the rules they apply in order to enforce the secure creation and storage of strong passwords. In addition, the relationship between the users and the password policies was examined together with the risks that businesses face due to the implementation of inadequate password policies.

For the fourth objective, which defines the added value of this project report, it was important to conduct a search on the Internet for different techniques used to help users remember strong passwords easily. These techniques were analyzed for the advantages and disadvantages they present.

For the fifth objective, it was important to propose a mnemonic system which is based on users' favorite passphrases. The proposal of this mnemonic system was based on the research we made into the different mnemonic techniques described in the previous chapter.

For the sixth and seventh objective, which also define the added value of this project report, the task was to analyze and test the proposed Password Mnemonic System (PA.ME.SYS). After the end of the survey, a mnemonic system based on users' favorite passphrases was developed and implemented. For the development analysis and design, data flow diagrams were used to clearly show the processes and data that make up the system. For the implementation and testing, the Visual Basic language was used, which shows in a graphical environment how this mnemonic system works.

1. Introduction to Authentication and Something You Know

1.1 Identification and Authentication Techniques

Controlling access to system resources is an important aspect of computer security.
Access control is about managing which users can access which files or services in an organization's computer system. All entities involved with receiving, accessing, altering or storing information in a computer system are separated into active and passive ones. The term active entities is used to describe all subjects (users, processes, threads) that are accessing, receiving or altering data in a system. The term passive entities is used to describe all objects (files, databases) that passively hold or store information accessed by subjects. Without access control mechanisms it is not possible to protect the confidentiality, integrity and availability (CIA triad) of system resources.

Access control is used to force users to provide a valid username and password to gain access to a system resource. The two vital components of access control are the identification and authentication processes.

In the identification process the user is obligated to present an identity to a computer system. The information provided by the user attempting to log on could be a username, or simply the placing of his/her hand/face on a scanning device. This activity triggers the start of the authentication, authorization and accountability processes.

Today, authentication processes are usually separated according to the distinguishing characteristic they use. These characteristics are classified in terms of the three factors described in the following part. Each factor relies on a different kind of distinguishing characteristic used each time to authenticate people in a system.

1.2 Authentication Factors

In a typical system, there are basically three ways for human users to authenticate themselves to a client such as a computer, a mobile phone, a network, or an ATM machine. These three authentication factors are the following.
Something you know: a password
The distinguishing characteristic is private information that only authorized people know. In modern computer systems, this characteristic might be a password, a Personal Identification Number (PIN), a lock combination or a pass phrase. It is the least costly factor and the most popular method, and it can be employed easily in any modern system to authenticate authorized users within the organization. Passwords are simpler and cheaper than other, more secure forms of authentication, and they do not require spending large amounts of money on their implementation in comparison with other more modern security mechanisms. Additionally, users do not have to spend time and effort learning how to use them. Passwords are the most user-friendly way to identify a user in a network or computer system, and it is believed that they can provide the same level of strong security as a more modern security mechanism. However, the usage of passwords as an authentication technique presents some disadvantages that are directly connected to the way that users manage these passwords. More specifically, the users. On the other hand, there are also some disadvantages that have to be taken into consideration, such as the need to create complex and strong passwords, the obligation to change passwords frequently, and the instructions and guidelines on how to keep passwords secret.

Something you have: a token
The distinguishing characteristic is that authorized people own and present a specific item to be authenticated. This characteristic is enclosed in a token device such as a magnetic stripe card, a smart card, a memory card or a password calculator.
Something you are: a biometric
The distinguishing characteristic is some physiological feature (static) that is always present in a person, or a certain behavior pattern (dynamic) that is unique to the person being authenticated, and is measured and recorded once in the enrollment process. When the same person requires access, the biometric identifier compares the current characteristic provided by the user with the previously collected pattern from the original authentic person. This characteristic could be a voice print, fingerprints, face shape, written signature, iris/retina pattern or hand geometry.

2. Attacks on Passwords

2.1 Introduction

Passwords are a very important aspect of computer security. They are the front line of protection for user terminals and by far the most common user authentication method within the largest multinational organizations. However, the usage of passwords as an authentication technique increases the probability for an information system to be compromised. That happens because these passwords are directly connected to the way that users create, remember, store and distribute them. In fact, passwords are the weakest element within the security chain of an organization's network system and are vulnerable to different types of attacks. The next section presents the weaknesses of users' passwords and the modern attack techniques used by malicious attackers to gain unauthorized access.

2.2 Attacks on Passwords

Easily Guessed Passwords
The first weakness lies in the composition of the password itself. Most attackers rely on the fact that most people do a bad job of creating passwords and keeping them secret. Most passwords that people select depend on the following:
Favorite football player and actor names.
Simple strings, such as passwords consisting of the same character (e.g. 11111).
Job titles and nicknames.
Important numbers, such as insurance numbers, home addresses, telephone numbers, credit card numbers, driver license numbers, birthdays, or vehicle tags.
Favorite words found in dictionaries.
Children, family or relative names.
The most common attack on passwords is that where malicious hackers exploit human nature and try to guess what passwords people select. In this case, hackers build a list with all information related to the victim and make attempts to log on, hoping to find out the victim's password quickly.

Brute-force Attacks
In cryptography, a brute force attack or exhaustive key search is the strategy that can in theory be used against any encrypted data by an attacker who is unable to take advantage of any weakness in an encryption system that would otherwise make his task easier. It involves systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space. The key length used in the encryption determines the practical feasibility of performing a brute force attack, with longer keys exponentially more difficult to crack than shorter ones. A brute force attack can be made less effective by obfuscating the data to be encoded, something that makes it more difficult for an attacker to recognize when he has cracked the code. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute force attack against it. A consequence of this attack is that all users cannot use the network resources and must wait until the system administrator resets or unlocks that account.
It is obvious that this kind of attack causes confusion and big delays to users' critical job tasks.

Dictionary Attacks
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities (Figure 1.1).
Figure 1.1 Dictionary attack
A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary. In contrast with a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary (hence the phrase dictionary attack) or a bible, etc. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries, or simple, easily-predicted variations on words, such as appending a digit.

Social Engineering Attacks
Another weakness lies in the fact that people are not able to remember and keep their passwords secret. In computer security, social engineering is described as a non-technical intrusion that is based on the psychological characteristics of human nature. It is the art of persuading people to reveal vital secrets or to perform actions that comply with the hacker's wishes (Figure 1.2). Social engineering can be conducted in several forms.
Reverse Engineering: In this method, a legitimate user is induced into asking an attacker questions to obtain information. The attacker poses as a person of higher authority and tries to deduce the needed information from the questions which are asked by the user.
E-mail: This mode of social engineering involves sending an e-mail to a user asking for confidential information.
The e-mail is meant to trigger an emotional response from the user. It makes the user inadvertently participate in the hacking by disclosing the confidential information.
Webpages: False webpages that require users to enter e-mail addresses and passwords are created by attackers. Hackers hope that users will enter the same passwords at the false websites as they use at their organization's computer systems.
Shoulder surfing: In this type of attack a malicious attacker could look over a user's shoulder and watch while he/she is typing the password to gain access to a system. Shoulder surfing attacks are not always successful, but they can give important information and strength to a malicious attacker to achieve his goal.
Dumpster diving: One of the most intelligent techniques to retrieve users' passwords within large commercial organizations is the dumpster diving attack. In this type of attack malicious attackers search through discarded material to find passwords, credit card numbers, confidential records or other useful information related to security policies and passwords.

Sniffing Attacks
Besides brute-force guessing, dictionary and social engineering attacks, today's hackers are developing more clever ways and methods to retrieve users' passwords. These methods include packet sniffer programs which are used to grab and sniff passwords either a) when they are typed during the authentication phase of a network login session (Trojan Login, Van Eck sniffing, keystroke sniffing, hardware key loggers) or b) when they are transmitted across complex networks via email and other document delivery systems (network sniffers) (Figure 1.1).
Figure 1.1 Sniffing Attacks
The next paragraphs describe in more detail each of these techniques used to sniff users' passwords.
1. Network Sniffing
A network sniffer is a program capable of capturing all traffic available to one or more network adapters.
2. Trojan Login
A Trojan Login sniffer program is a software tool used to capture users' passwords during the authentication phase of a network login session. A malicious user who has access to a personal computer connected to a network can easily install a Trojan Login program. The strength of this malicious program is that it has the ability to display exact imitations of the operating system's standard login program. As a result, the user enters his/her username and password without any knowledge of the situation, while the Trojan Login program saves this authentication information in a secret file.
3. Van Eck Sniffing
The electromagnetic signals emitted by video monitors, which are called Van Eck radiation, are visible from as far away as 1 kilometer. It is obvious that a malicious hacker using the appropriate equipment, and without specialized skills, could easily sit outside a building and eavesdrop on passwords and other secrets displayed on any nearby users' video screens and monitors.
4. Keystroke Sniffing
Figure 1.2 shows clearly a classic keystroke sniffing attack associated with most modern operating systems. In this type of attack usernames and passwords are captured directly from the keyboard input buffer. When the user enters the required authentication information in order to gain access to a computer system, this information is stored in a special area of RAM. While the user enters information, another malicious attacker could run a sniffer program and retrieve the contents of the keyboard input buffer. As a result, the user's username and password are obtained by the hacker and can be used for later attacks (Figure 1.2).
Figure 1.2 Keystroke Sniffing
5. Hardware Key Loggers
A key logger is a hardware device that intercepts and stores the strokes of a keyboard. This type of attack can be conducted very easily by a social engineer.
The social engineer simply walks into the office of interest and very professionally plugs this small piece of hardware between the keyboard port and the keyboard. Given that most users place PC towers under their desks and most of them are unaware of hardware technology, key loggers can record all typed keystrokes and store them in their internal memory without the user's knowledge.

Attacks on Password Storage
Passwords have long been vulnerable to different kinds of attacks when they are stored in huge databases and password files. Most modern operating systems ask the user trying to gain access to the system's resources to enter his/her valid username and password. Then the operating system searches the system's password file for an entry matching the username. If the password in that entry matches the password typed by the user, then the login procedure succeeds and the user is authorized by the system. Figure 1.3 shows clearly how the password checking procedure works.
Figure 1.3 Password Checking
The storage of any password immediately breaks one important rule concerned with password security: "Do not write passwords down." If the password file containing all users' passwords is stolen, then automatically the intruder has direct access to all the system's passwords. The primary arguments against password storage can be stated as follows.
Single Point of Failure
If the password file is compromised then all passwords are compromised. Compromise of the password file can happen due to:
Poor encryption mechanisms or use of a weak master password, so that its contents are easily accessed by a malicious hacker.
Poor protection of the file itself.
Poor Audit Trails
Most operating systems keep logs used to review failed login attempts. Usually these logs contain a large number of mistyped usernames and passwords typed by users while they are trying to log in to a computer or network system. If these logs are not well protected, then attacks become easier.
For example, a malicious attacker who sees an audit record with a strange username of 7rs or eri67 can be sure that this string is a password, or a part of the password, for one of the valid users.
Software Bugs
One important reason for the success of password attacks is sometimes badly designed operating systems and the application programs running on them. These badly designed features cause software bugs which do all the hard work for malicious hackers and continue to be a major source of many security problems. One recent software bug was found in the Solaris operating system. Users with low-level privileges could force a network application program to end abnormally. As a result this program dumped its memory contents to the hard drive in a file available to all users. This file contained copies of the hashed password values that were normally stored and protected in a shadowed file. As a consequence this file could be used as input to the Crack software for an off-line brute-force attack.

2.3 Countermeasures against these Attacks

Considering all the above, it is obvious that attackers use several techniques to capture users' passwords. In this section countermeasures against all the attacks on passwords (described in section 2.2 Attacks on Passwords) are analyzed and listed in order.

Countermeasures against brute-force attacks
A possible solution against login guessing attacks (or on-line brute-force attacks) is to have a password policy which specifies the maximum number of failed login attempts. System administrators, by configuring the operating system, could limit the number of failed login attempts allowed for each user.
If the threshold is reached then the account should be locked, and the user will not be able to log in until the system administrator arrives to reactivate the login process for the specific account. It must be mentioned that using such defenses against login guessing attacks will only delay a hacker from accessing a system and gaining access to confidential information. Failed login thresholds will not prevent a brute force attack from occurring, but they will reveal the attack attempt to the security administrator. This defense method will deter a malicious attacker from initiating a brute force attack and increase the level of difficulty of executing this attack.

There is no actual defense mechanism against an off-line brute-force attack. This type of attack can be applied to any given password database. There are many cracking programs available on the Internet which are capable of generating character sequences and working through all possible character combinations until the user's password is found. The only defense mechanism against this type of attack is to have users select and use strong passwords.

Countermeasures against dictionary attacks
This type of attack could be eliminated by having a policy which simply prohibits the use of common words found in dictionaries or attackers' word lists. If no generated passwords appear in such lists, then dictionary attacks will not succeed. Besides, system administrators should themselves perform dictionary attacks to test users' passwords within an organisation. If any passwords are compromised, then they must inform the users directly of the results and obligate them to change their passwords to more secure ones.

Countermeasures against Social Engineering attacks
Education and user awareness must be supported by the organization's global security policy.
The users should understand the importance of keeping their passwords secret and be familiar with the different ways that a social engineering attack can be conducted against them. In this case, people are able to take the necessary steps to react when such a situation occurs. Besides this, companies should shred all printouts containing usernames, passwords and other similar confidential information in order to prevent dumpster diving attacks.

Countermeasures against Network sniffing attacks
Today's hackers are using many network sniffing programs to retrieve users' passwords while they are transmitted over remote networks or inside organizations' corporate networks. Most businesses facing this threat, and considering the consequences of this type of attack, implement and use different network protocols for the secure transmission of confidential information. More often, organizations define detailed security policies that specify the ways, encryption methods and protocols to be used for the secure transmission of any important information. The most important defense mechanism against network sniffing attacks is the use of well-known secure network protocols such as SSL/TLS and IPSec. These protocols have the ability to build secure channels, based on cryptographic keys shared between trusted parties, for the safe transfer of passwords and other confidential information in any system's network.

Countermeasures against Trojan Login
A defense mechanism against Trojan Logins is to have a trusted path for all functions that require users to enter or present authentication information for the purpose of authentication. This trusted path must be established between the user trying to log in and the operating system. The Secure Attention Sequence (or SAS) is a trusted path mechanism used in many modern operating systems such as Windows 2000.
When a user wants to log on, executing the sequence Ctrl+Alt+Del guarantees that he is communicating with the operating system and not with malicious software such as a Trojan Login. Another important countermeasure against this type of attack is the installation of commercially available anti-virus software programs (such as Norton Antivirus and McAfee Antivirus). These anti-virus programs have the ability to detect sniffing attack programs such as Trojan Logins and prevent them from being installed, downloaded and operated on operating systems.

Countermeasures against Van Eck sniffing attacks
The types of countermeasures used to protect against Van Eck sniffing attacks are known as Transient Electromagnetic Pulse Equipment Shielding Techniques (TEMPEST). The U.S. TEMPEST standard is one guideline that manufacturers have to follow in order to reduce electromagnetic signals and prevent these types of attacks against passwords and other secrets displayed on video screens and monitors. TEMPEST mechanisms include Faraday cages, white noise and control zones. A Faraday cage is a box, a room or an entire building that is designed with an external metal skin that fully surrounds an area on all six sides. As a result, all electromagnetic signals transmitted from PC monitors are blocked inside the building, preventing eavesdroppers from revealing users' passwords.

Countermeasures against Keystroke sniffing attacks
A good defense mechanism against keystroke sniffing attacks is to protect the computer's memory. In particular, the keyboard input buffer is the exact location where keystrokes typed by users are stored. It is clear that this area should be protected using various encryption techniques in order to make it impossible for an intruder to retrieve its contents in plaintext form when they are intercepted.

Countermeasures against Hardware Key Loggers
There are no well-known defense mechanisms against hardware key loggers.
The only countermeasure against them is to state clearly in the organisation's password policy that all sides of electronic equipment, and especially computers, should be visible to users and security officers. Moreover, system administrators may be obligated to check all hardware and electronic devices plugged into users' computers, or required to check all hardware connections in computer rooms periodically.

Countermeasures against Password Storage attacks
The types of defense mechanisms against password storage attacks include the use of various encryption and hashing techniques. These techniques are used to encrypt password files and never leave passwords exposed in plaintext form. Usually modern operating systems (Windows, UNIX) use one-way encryption systems to encrypt users' passwords. In one-way encryption systems the password is transformed in such a way that the original password cannot be recovered. When a user is logging on to such a system, the password that is entered by the user is one-way encrypted and compared with the stored encrypted password. The same encryption method and key must be used to encrypt the valid password before storage and to encrypt the entered password before comparison.

Besides the use of one-way encryption, strong access control mechanisms (such as Role-Based and Clark-Wilson access control models) should be implemented and applied to the files that keep the system's hashed passwords. Without implementing strong access control mechanisms, the operating system is unable to check who is accessing these files. As a consequence, an adversary could easily copy them and mount different kinds of attacks on them.

Countermeasures against Software Bugs
As was mentioned in the previous section (section 2.2, Software Bugs), badly designed features in operating systems and applications can sometimes lead to software bugs which do all the hard work for malicious hackers.
A defense mechanism to prevent such software bugs is to have a good software design. Software should be designed in an organized way, keeping procedures simple, reviewed periodically for vulnerabilities and threats, and hardened with the latest patches. Where a software bug is found in any operating system or application, the people discovering it should report the problem directly to the security officer, and the corresponding company selling and providing licenses for this specific product should be informed so that it can solve the problem.

3. Password Policies

3.1 Introduction

Password policies are necessary to protect the confidentiality of information and the integrity of systems by keeping unauthorized users out of computer systems. Usernames and passwords are the fundamental protection of computers and networks against intruders. Password policies specify rules about the secure administration of usernames, rules used to define valid passwords, and the type of protection needed for secure password storage. A password policy is a good place to start to build the security of a company's network and protect its assets. The next sections treat issues related to the secure usage and management of both usernames and passwords.

3.2 Administration of Usernames

The front gate within an organization's network is where the user or the service identifies themselves and presents some type of authentication information known only to them in order to gain access. The failure to have accepted login security policies in place is like having a big building with the best guards and security mechanisms around it, with the main front gate open to anyone.

3.2.1 Login Security Policies and Usernames

Within a secure system, the first thing that should be expected for any login attempt is to identify who the person requesting entry is. Regardless of the protocols used, you need to know who is trying to access the network services and who they want the network services to think they are.
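The following is an added example, not part of the original report, showing three of the section 2.3 countermeasures working together in one small login subsystem: a password policy check that rejects word-list entries and their simple variations (appending a digit, leet substitutions), one-way salted storage, and a failed-login threshold that locks the account until an administrator unlocks it. The word list, the threshold, the use of PBKDF2-HMAC-SHA256 as the one-way function, and all names are assumptions of this example; the report itself names no algorithm.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# --- Policy check (countermeasure against dictionary attacks) --------------
# Constructed stand-in for a real dictionary or cracker word list.
WORDLIST = {"password", "welcome", "dragon", "letmein", "football", "monkey"}
# Substitutions that cracker rule sets already undo ("p@ssw0rd" -> "password").
LEET_MAP = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s"})
MIN_LENGTH = 8  # the report treats 7 characters or fewer as short


def policy_violations(password: str, wordlist=WORDLIST) -> List[str]:
    """Rules a candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(set(password)) == 1:
        problems.append("single repeated character")
    # Normalise the way a dictionary attack would: lower-case, undo leet
    # substitutions, strip digits/punctuation appended or prepended to a word.
    base = password.lower().translate(LEET_MAP)
    base = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base)
    if base in wordlist:
        problems.append("dictionary word or simple variation of one: %r" % base)
    return problems


# --- One-way storage (countermeasure against password storage attacks) -----
# Assumed one-way function: PBKDF2-HMAC-SHA256 with a random per-user salt.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Storable 'pbkdf2_sha256$iterations$salt$digest' string; never the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_record(password: str, record: str) -> bool:
    """Re-apply the same one-way function with the stored salt; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# --- Login with failed-attempt threshold (countermeasure against on-line brute force)
class PasswordSystem:
    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.records: Dict[str, str] = {}   # username -> hashed record, never plaintext
        self.failures: Dict[str, int] = {}  # username -> consecutive failed logins
        self.locked = set()

    def set_password(self, username: str, password: str) -> List[str]:
        """Store the password only if it passes policy; returns the violations found."""
        problems = policy_violations(password)
        if not problems:
            self.records[username] = make_record(password)
        return problems

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; a locked account rejects even the right password."""
        if username in self.locked:
            return "locked"
        record = self.records.get(username)
        if record is None:
            # Do the same work for unknown users so response time does not reveal valid names.
            make_record(password, b"\x00" * SALT_BYTES)
            ok = False
        else:
            ok = verify_record(password, record)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.threshold:
            self.locked.add(username)  # only an administrator unlock clears this
            return "locked"
        return "denied"

    def admin_unlock(self, username: str) -> None:
        self.locked.discard(username)
        self.failures.pop(username, None)
```

Note that the lockout only limits on-line guessing; as the report says, the hashed records still need strong access control, because a copied password file is open to off-line attack no matter how the login path behaves.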
In high-security military environments the user identifications are assigned based on a random sequence of characters. Other organizations, such as commercial ones, use something that can uniquely identify the user without worrying about how to create usernames. If the usernames can give away information about the organization, then the implementation of random names could be a good solution. Although by using these random
