Completed Assignment

Dear Mr. Farnsworth:
Recognizing that the individual password is one of the potentially weakest links in
computer security is a vital step in establishing and enforcing a strong password policy
for your organization.
As per your request, I evaluated the strength of the employees’ passwords by
attempting an intrusion like an average attacker would. I ran a program that was able to
efficiently and effectively process large quantities of letter and number combinations in
different languages until a match for a password was found.
The passwords that the software was able to match and guess were:
● Passwords that are the same as the person’s username
● Passwords that are the same as the person’s username spelled backward
● Passwords that are all numbers
● Passwords that were based on English and foreign dictionary words
● Passwords followed by a single number
● Passwords that have an easily predictable pattern of letters and numbers
Due to the alarming number of weak passwords that were audited, new password
policies must be strictly enforced immediately. These sets of policies are specifically
tailored for the different units of the company based on their responsibilities,
professional background, and exposure to varying levels of sensitive information. The
different factors aforementioned were carefully considered in order to inculcate
the idea that security should not be a tedious task - this way, users would be more
inclined to make an effort to create strong passwords.
Establishing a strong password policy that users will be able to adhere to will definitely
prevent loss, exposure, or corruption of company data, client information, or personal
information. Our goal is to make it as difficult as possible for hackers to attack the
system, since numerous easily accessible programs can steal passwords with little
effort, and a single breach could cost the company millions of dollars’ worth of
exploited data.
The following pages contain detailed information about the new password policies and
the list of usernames with weak passwords.
Sincerely,
Jennifer Garcia
Daytona State College
D1 Unit Password Policy
I. Overview and Purpose
There are approximately 1.5 million attempts to breach Massachusetts Institute of
Technology’s network, daily. Attacks like these are done by automated software that
uses a range of simple to sophisticated pattern matching and dictionary attack
algorithms. On average, a 6-letter password made up only of lowercase letters can be
guessed in 155 seconds. In 155 seconds, years’ worth of intellectual property could
potentially be exploited or corrupted. The risk is not worth the value and time you put
into YOUR work.
Since this unit works with extremely sensitive data, it is definitely under constant and
heavy attack. Implemented hardware and software security can only go so far without
users exercising utmost caution when creating, writing down, or storing passwords.
II. Guidelines
❏ The required character mix depends on password length:
❏ 8-11 characters: mixed case letters, numbers, and symbols
❏ 12-15 characters: mixed case letters and numbers
❏ 16-19 characters: mixed case letters
❏ 20-25 characters: no restrictions
❏ Passwords that have these characteristics will be denied by the system:
❏ Passwords that are equal to your current password, previous passwords,
or username
❏ A single word that appears in an English or non-English dictionary
❏ Two dictionary words in a row
❏ Passwords that are all white space
❏ Dictionary words spelled backward
❏ Passwords with phone number patterns or all numbers
❏ Characters that are not on the US keyboard
❏ Predictable combination of letters, numbers, or characters
❏ Passwords with several repeating characters that are not combined with
other special characters or words
❏ Common names or places that are not combined with other characters or
words
❏ Passwords are subject to change every 90 days.
❏ Never share passwords with anyone; treat them as confidential information.
❏ Immediately notify the Information Systems Security Department if you suspect, or
know, that your password has been compromised.
❏ If using a password manager, be sure to make your master password a strong
one.
III. Examples of Good Passwords
❏ ImuK@t!!1 (“I am a cat” spelled phonetically with some characters substituted; see
the character guidelines for 8-11 characters)
❏ XxXtraCh33zePLZ (mixed case letters and numbers around a misspelled word; see the
character guidelines for 12-15 characters)
❏ DonutZeroCalorie (a combination of words that will never make sense; see the
character guidelines for 16-19 characters)
❏ veryiphonemanydollaspend (misspelled words in a loosely combined phrase; see the
character guidelines for the 20-25 character tier)
IV. Password Protection
❏ Only write down hints that will help you jog your memory, never the actual
password
❏ If written down, keep and protect it as you would a credit card
V. Enforcement
Random password audits must be performed by the Information Systems Security
Department. Users whose passwords the audit deems weak will have their data backed
up and will then be put through a mock breach or hack scare that emulates data loss or
corruption. These employees will be subject to either disciplinary action or training,
depending on how often they have used weak passwords.
Sources:
MIT: http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords
Stanford: https://itservices.stanford.edu/service/accounts/passwords
Symantec: http://www.symantec.com/connect/articles/simplest-security-guide-betterpassword-practices
Z7 Business Unit Password Policy
I. Overview and Purpose
A 6-letter password made up only of lowercase letters has 456,976 possible
combinations and can be guessed in an average of 155 seconds by automated software
that uses a range of simple to sophisticated pattern matching and dictionary attack
algorithms. In 155 seconds or less, thousands of the company’s, charities’, or agencies’
private information could be stolen and exploited. In that short time, not only data but
also reputation could be compromised. The risk is not worth what could possibly be
lost. Implemented hardware and software security can only go so far without users
exercising utmost caution when creating, writing down, or storing passwords.
II. Guidelines
❏ A pass phrase of 20-25 characters with no casing restrictions is required in place of
a password. A pass phrase is composed of several different words; it is a longer but
simpler form of password.
❏ Pass phrases that have these characteristics will be denied by the system:
❏ Phrases that contain your current password, previous passwords, or
username
❏ Repeating dictionary words consecutively that appear in an English or
non-English dictionary
❏ Repeating dictionary words spelled backward consecutively
❏ Repeating the same numbers consecutively 5 times
❏ Repeating the same special character consecutively 5 times
❏ Characters that are not on the US keyboard
❏ Predictable combination of letters, numbers, or characters
❏ Phrases with several repeating characters that are not combined with
other special characters or words
❏ Common names or places that are not combined with other characters or
words
❏ Phrases that are all white space
❏ Pass phrases are subject to change every 90 days.
❏ Never share pass phrases with anyone; treat them as confidential information.
❏ Immediately notify the Information Systems Security Department if you suspect, or
know, that your pass phrase has been compromised.
❏ If using a password manager, be sure to make your master password a strong
one.
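The D1 guidelines (section II above), the Z7 guidelines just listed, and the reason column of the audit results later in this report all reduce to the same set of checks, so a single validator can enforce both policies at enrolment and explain audit findings in the same wording. The Python below is an added example, not the company's or this report's own code: the DICTIONARY and PHRASES sets are constructed stand-ins for the English and foreign wordlists the policy refers to (a deployment would load full lists such as the password.lst, cain.txt and english.txt named in the audit), and the readings of "predictable combination", "several repeating characters" and lengths outside the tier table are assumptions, marked as such in comments.

```python
"""Policy checker modelled on the D1 and Z7 guidelines, reporting reasons in the
audit table's wording. Added illustration, not the page's or the company's own
code: word lists are constructed stand-ins; assumed rule readings are commented."""
import re
import string

# Constructed stand-ins for the English/foreign dictionaries (the audit used
# password.lst, cain.txt and english.txt; a deployment would load those).
DICTIONARY = {"password", "summer", "money", "cave", "cutie", "pie", "foobar",
              "zoftig", "matzo", "afgesloof", "daytona"}
PHRASES = {"letmein", "trustno"}          # constructed "common phrase" examples
LABEL = {**dict.fromkeys(DICTIONARY, "dictionary word"),
         **dict.fromkeys(PHRASES, "common phrase")}
US_KEYBOARD = set(string.ascii_letters + string.digits + string.punctuation + " ")
# Assumed reading of "predictable combination": every run of 3+ letters or
# digits is a slice of one of these sequences (abc123, qwerty, 123456789).
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
PHONE = re.compile(r"(\(?\d{3}\)?[-. ]?)?\d{3}[-. ]?\d{4}")

def _predictable(low):
    runs = [r for r in re.findall(r"[a-z]+|\d+", low) if len(r) >= 3]
    return bool(runs) and all(any(r in s for s in SEQUENCES) for r in runs)

def common_rejections(candidate, username, previous=()):
    """Rules both units share; returns reason strings (empty list = accepted)."""
    low, user = candidate.lower(), username.lower()
    reasons = []
    if low == user:
        reasons.append("same as username")
    if low == user[::-1]:
        reasons.append("username spelled backward")
    if re.fullmatch(re.escape(user) + r"\d", low):
        reasons.append("same as username followed by a single number")
    if candidate in previous:
        reasons.append("equal to a previous password")
    if candidate.strip() == "":
        reasons.append("all white space")
    if not set(candidate) <= US_KEYBOARD:
        reasons.append("characters that are not on the US keyboard")
    if candidate.isdigit():
        reasons.append("all numbers")
    elif PHONE.fullmatch(candidate):
        reasons.append("phone number pattern")
    if _predictable(low):
        reasons.append("predictable letter/number combination")
    if low in LABEL:
        reasons.append(LABEL[low])
    if low[-1:].isdigit() and low[:-1] in LABEL:
        reasons.append(LABEL[low[:-1]] + " followed by a single number")
    if low[::-1] in DICTIONARY:
        reasons.append("dictionary word spelled backward")
    return reasons

def d1_check(password, username, previous=()):
    """D1 unit: the length tier decides which character classes are mandatory."""
    reasons = common_rejections(password, username, previous)
    low, n = password.lower(), len(password)
    if any(low[:i] in DICTIONARY and low[i:] in DICTIONARY for i in range(1, n)):
        reasons.append("two dictionary words in a row")
    if re.fullmatch(r"(.)\1+", password):   # assumed reading of "several repeating"
        reasons.append("repeating characters with nothing else")
    if not 8 <= n <= 25:                     # assumption: outside the table = reject
        reasons.append("length must be 8-25 characters")
        return reasons
    tiers = ((11, "lower upper digit symbol"), (15, "lower upper digit"),
             (19, "lower upper"), (25, ""))
    needed = next(req for top, req in tiers if n <= top).split()
    present = {"lower": any(c.islower() for c in password),
               "upper": any(c.isupper() for c in password),
               "digit": any(c.isdigit() for c in password),
               "symbol": any(c in string.punctuation for c in password)}
    missing = [cls for cls in needed if not present[cls]]
    if missing:
        reasons.append(f"{n}-character password lacks: {', '.join(missing)}")
    return reasons

def z7_check(phrase, username, previous=()):
    """Z7 unit: 20-25 character pass phrase, no casing rule, repetition limits."""
    reasons = common_rejections(phrase, username, previous)
    low, user = phrase.lower(), username.lower()
    if user and user in low and low != user:
        reasons.append("contains username")
    if any(w + w in low or w[::-1] * 2 in low for w in DICTIONARY):
        reasons.append("dictionary word repeated consecutively")
    if re.search(r"(\d)\1{4}", phrase):
        reasons.append("same number repeated 5 times")
    if re.search(r"([^\w\s])\1{4}", phrase):
        reasons.append("same special character repeated 5 times")
    if not 20 <= len(phrase) <= 25:
        reasons.append("pass phrase must be 20-25 characters")
    return reasons

if __name__ == "__main__":     # constructed rows in the audit table's shape
    for user, pw in [("jclark", "jclark"), ("ssummers", "sremmuss"),
                     ("ncuta", "password1"), ("pdill", "abc123")]:
        print(f"{user:10} {pw:12} {d1_check(pw, user)}")
    print(z7_check("jIyajbe'. IT ppl why?!", "jweiss") or "accepted")
```

Both entry points return an empty list for an accepted candidate and otherwise every reason that applies, so an enrolment form can show the user all of them at once instead of one per retry. With this constructed dictionary the four D1 samples and the five Z7 samples in the two section III lists all come back empty, while audited pairs such as ssummers/sremmuss, ncuta/password1 and pdill/abc123 reproduce the table's reasons; a real deployment would replace the small sets with the full wordlists and should expect the "two dictionary words in a row" rule to bite on multi-word samples like DonutZeroCalorie once those lists are loaded.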
III. Examples of Good Passwords
Combine unrelated words that nonetheless have a personal meaning. Throw in some
numbers, special characters, misspellings, spaces, some Klingon or another foreign
language, or varied character casing for the most secure password.
❏ daughtererrdaymakeeatveg
❏ 1SOLUVmondayzJKHEHE!
❏ P1ZZAeveryBREAKFASTwoo+
❏ LoveMeLikeALoveSongWhatNO
❏ jIyajbe'. IT ppl why?!
IV. Password Protection
❏ Only write down hints that will help you jog your memory, never the actual
password
❏ If written down, keep and protect it as you would a credit card
V. Enforcement
Random password audits must be performed by the Information Systems Security
Department. Users whose passwords the audit deems weak will have their data backed
up and will then be put through a mock breach or hack scare that emulates data loss or
corruption. These employees will be subject to either disciplinary action or training,
depending on how often they have used weak passwords.
Sources:
MIT: http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords
Stanford: https://itservices.stanford.edu/service/accounts/passwords
Symantec: http://www.symantec.com/connect/articles/simplest-security-guide-betterpassword-practices
Password Audit Results
Dictionaries used:
password.lst : http://www.openwall.com/john/doc/EXAMPLES.shtml
cain.txt : downloads.skullsecurity.org/passwords/cain.txt.bz2
english.txt : downloads.skullsecurity.org/passwords/english.txt.bz2
Username    Password    Method                               Reason
jclark      jclark      single                               same as username
jfox        5551234     single                               all numbers
jplain      5551212     single                               all numbers
ssummers    sremmuss    single                               username spelled backward
sjones      sjones1     single                               same as username followed by a single number
lscott      123456789   wordlist + word mangling rules       all numbers
ncuta       password1   wordlist + word mangling rules       dictionary word followed by a single number
jscott      trustno1    wordlist + word mangling rules       common phrase followed by a single number
pdill       abc123      wordlist + word mangling rules       predictable simple letter and number combination
jpoogle     password1   wordlist + word mangling rules       dictionary word followed by a single number
jgrumby     summer      wordlist + word mangling rules       dictionary word
shagar      qwerty      wordlist + word mangling rules       predictable pattern / combination of letters
rdavid      letmein     wordlist + word mangling rules       common phrase
gjefferson  money       wordlist + word mangling rules       dictionary word
reagle      password    wordlist + word mangling rules       dictionary word
jkimmel     111111      wordlist + word mangling rules       all numbers
bstubbin    Password    wordlist + word mangling rules       dictionary word
smyers      cutiepie    wordlist + word mangling rules       common word
kstubbin    PASSWORD    wordlist + word mangling rules       dictionary word
root        foobar      wordlist + word mangling rules       common variable name
pc          foobar      wordlist + word mangling rules       common variable name
jpatrick    afgesloof   wordlist using Afrikaans dictionary  foreign dictionary word
jweiss      zoftig      wordlist using Yiddish dictionary    foreign dictionary word
qlrng       matzo       wordlist using Yiddish dictionary    foreign dictionary word
abeard      cave        wordlist using cain.txt              predictable phrase
avanhalen   daytona     wordlist using cain.txt              place name
qlrng       zoftig      wordlist using english.txt           dictionary word