[Webinar] Longer is stronger - why passphrases are a powerful security tool
LONGER IS STRONGER
The value of passphrases
Kevin Sullivan, Director of Sales Engineering, Specops Software
Agenda
• Password Management overview
• Limitations and mitigations
• Math behind password strength
• Walk through
– DDP (Default Domain Policy)
– FGPP (Fine-Grained Password Policy)
– PowerShell
– Specops Password Policy
• Questions
AGENDA
PASSWORD MANAGEMENT: Overview
Security
• Password policies that are in line with the business role of the end-user
– Flexible targeting
– Deep control over complexity
• Balance end-user efficiency and security needs
LOCK IT UP
Self-Service
• What can they self-serve?
• What is the cost/value of self-service password reset?
– Estimates are up to 2 help-desk calls per year per user
– Short calls, relatively easy
– Roughly $20 per call on average
• Branded, intuitive, helpful, informative
OPEN IT UP
Global Identity Management
• SSO: implementation cost vs. value to the business?
• Password Sync
– Typically far less $$$ than SSO
– Maybe not for all users; requires flexibility
– Sync targets may be unknowns
MOVE IT OUT
LIMITATIONS AND MITIGATIONS: Let's talk about passwords
What are the concerns?
• Rainbow tables
• Dictionary attacks
• Brute force attacks
RISKS
Homework
Some 'techniques' to strengthen passwords
• Random password generation
• Character substitution
– Common character substitutions are built into the mangling rules of most password-cracking tools, so they add far less strength than they appear to!
• Passphrases
Random
• 3!pIcn&P
• The problem
– Super hard to remember
– Super easy to crack: < 1 day
Character Substitution
1. "Fred and Wilma sat down for a dinner of eggs and ham"
2. F+Wsd4adoe&h
• The problem
– #1 is cracked in 170 centuries based on some common algorithms
– #2, the abbreviated and substituted version of the same sentence, is cracked in 10 years
Example from Sophos's Graham Cluley: https://www.youtube.com/watch?v=VYzguTdOmmU
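The slide's point is that a cracker does not have to brute-force "D0g" or "D3@d" character by character: its rule set derives such spellings from the plain dictionary word. The script below is an added illustration (my own code, not the presenter's and not any tool's actual rule set) that applies a constructed substitution table to a constructed four-word list and counts how many candidates a cracker would try before hitting a substituted password.

```python
"""Added example: why character substitution buys little.

Password-cracking tools try dictionary words with "mangling rules" that apply the
usual substitutions (a->@, e->3, o->0, s->$, ...) automatically, so a password
such as D0g or D3@d is only a handful of guesses away from its base word.

The LEET table and WORDLIST below are constructed for the demonstration; they are
not copied from any real tool or dictionary.
"""
from itertools import product

# Illustrative substitution table (an assumption, kept small on purpose).
LEET = {
    "a": "@4",
    "e": "3",
    "i": "1!",
    "o": "0",
    "s": "$5",
    "t": "7",
    "l": "1",
}


def _options(ch):
    """Candidate spellings for one character: as-is, upper-case, leet forms."""
    return [ch, ch.upper()] + list(LEET.get(ch, ""))


def variant_count(word):
    """How many candidates the substitution rule generates for one base word."""
    n = 1
    for ch in word.lower():
        n *= len(_options(ch))
    return n


def substitution_variants(word):
    """Yield every candidate built by choosing one option per character position."""
    choices = [_options(ch) for ch in word.lower()]
    for combo in product(*choices):
        yield "".join(combo)


def guesses_to_crack(target, wordlist):
    """Number of candidates tried before `target` appears when the rule is run
    over `wordlist` in order; None if the rule never produces it."""
    tried = 0
    for word in wordlist:
        for candidate in substitution_variants(word):
            tried += 1
            if candidate == target:
                return tried
    return None


# Constructed mini-dictionary standing in for a real wordlist.
WORDLIST = ["dog", "dead", "password", "grateful"]

if __name__ == "__main__":
    for word in WORDLIST:
        print(f"{word}: {variant_count(word)} substitution variants")
    for target in ("D0g", "D3@d", "P@$$w0rd", "F+Wsd4adoe&h"):
        n = guesses_to_crack(target, WORDLIST)
        verdict = "never produced by this rule" if n is None else f"reached after {n} guesses"
        print(f"{target!r}: {verdict}")
```

Against this list, "D0g" falls on the 11th guess and "D3@d" on the 57th; the full-printable brute-force space for a three-character password is 830,584 and for an eight-character one about 6.1e15, which is the gap the substitution rule closes. "F+Wsd4adoe&h" is not reached because it is not derived from a single dictionary word, which is why the deck rates it in years rather than seconds.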
THE MATH AND SCIENCE: Back to school
LONGER IS STRONGER
Which is stronger?
• D0g..................... (24 characters)
• PrXyc.N(n4k77#L!eVdAfp9 (23 characters)
• 'The Grateful D3@d is my Favorite Band!' (38 characters)
SAY NO TO PASSWORD1!
Ref: Steve Gibson, GRC.com
Concepts
• Entropy: lack of order or predictability
• How big is your haystack?
– https://www.grc.com/haystack.htm
– Every password is a needle in a haystack
– A single character, allowing only alpha characters, is a very small haystack!
HEAD ACHES!
Basic stuff: brute force
• If I ask you to guess a number between 1 and 10, you have 10 possibilities
– Single digit
– 10 = 10
• If I ask you to guess a number between 1 and 100, you have 100 possibilities
– Two digits
– 10 x 10 = 100
• If I ask you to guess a number between 1 and 1000, you have 1000 possibilities
– Three digits
– 10 x 10 x 10 = 1000
FUNDAMENTALS
Brute force, continued
• What if I ask you for a single character and it can be either a number or a letter (English)?
– 26 letters + 10 numbers
– 36 possibilities
• OK, now 2 characters
– 36 x 36 = 1,296
• 3?
– 36 x 36 x 36 = 46,656
• Upper case, lower case, number, special character?
– 94 possibilities for each character
– 3 required characters
• 94 x 94 x 94 = 830,584 possibilities
FUNDAMENTALS
Passphrases
• Longer is stronger
• Number of possible letters: 52 in English (26 lower case + 26 upper case)
• Number of digits: 10 (0 to 9)
• Special characters: 32
• Add them together: 94 possibilities for each required character in length
• The search space is 94^n, where n is the number of required characters (about 6.55 bits of entropy per character, so 6.55n bits in total)
Even with only alphabetic characters, a 25-character passphrase gives a search space of 52^25 (roughly 2^142), astronomical for character-by-character brute force. The caveat: if the passphrase is assembled from common dictionary words, a cracker that guesses whole words faces (dictionary size)^(word count) rather than 94^n, so the words themselves should not be the most common ones.
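The arithmetic from the last three slides, carried through for the three candidate passwords on the "Which is stronger?" slide, as an added example (my code, not the presenter's). The attack models are assumptions of mine: a character-level brute force over the full 94-character set that must, in the worst case, exhaust every shorter string first; a whole-word attack on the passphrase using a 10,000-word list; and a structured attack on "word + padding" passwords that guesses a dictionary word, a few substitution variants, one padding symbol and a padding length. The guess rate is a parameter; 1e14 per second is the "massive cracking array" scenario from the GRC haystack page.

```python
"""Added example: the haystack math (94**n) versus attacks that know the structure.

All attacker models and the 10,000-word dictionary size are illustrative assumptions.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size, length):
    """Strings of exactly `length` characters over the alphabet: 94**n in the deck."""
    return alphabet_size ** length


def cumulative_space(alphabet_size, length):
    """All strings of length 1..length: an attacker who does not know the length
    searches the shorter haystacks first."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def entropy_bits(alphabet_size, length):
    """The same search space expressed in bits: n * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def word_passphrase_space(word_count, dictionary_size):
    """Search space when the attacker guesses whole dictionary words, not characters."""
    return dictionary_size ** word_count


def pattern_space(dictionary_size, leet_variants, symbol_count, max_padding):
    """Search space for a 'dictionary word + one repeated symbol' password when the
    attacker guesses the word, its substitution spelling, the symbol and the run length."""
    return dictionary_size * leet_variants * symbol_count * max_padding


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate in `space`, in years."""
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e14  # guesses per second (assumption: offline hash cracking at scale)
    candidates = (
        "D0g.....................",
        "PrXyc.N(n4k77#L!eVdAfp9",
        "The Grateful D3@d is my Favorite Band!",
    )
    print("Character-level brute force over 94 symbols:")
    for pw in candidates:
        n = len(pw)
        yrs = years_to_exhaust(cumulative_space(94, n), rate)
        print(f"  {n:2d} chars  {entropy_bits(94, n):6.1f} bits  {yrs:.3g} years")

    # Same passphrase, attacked as 8 words drawn from a 10,000-word list (assumption).
    words = len(candidates[2].split())
    wp = word_passphrase_space(words, 10_000)
    print(f"Whole-word attack on the passphrase: {words} words, "
          f"{math.log2(wp):.1f} bits, {years_to_exhaust(wp, rate):.3g} years")

    # D0g..... attacked as word + substitutions + padding symbol + padding length.
    ps = pattern_space(10_000, 12, 32, 30)
    print(f"Structured attack on 'D0g.....': {math.log2(ps):.1f} bits, "
          f"{years_to_exhaust(ps, rate):.3g} years")
```

The character-level numbers reproduce the slide's "longer is stronger" ordering (24 characters beats 23, and 38 is out of reach by any measure). The two structured models are the practitioner caveat: a passphrase of eight common words still carries about 106 bits under a whole-word attack, while the padded "D0g" collapses to roughly 27 bits once the attacker guesses the pattern, so the padding trick only holds up against an attacker who does not know it is in use.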
Additional Considerations
• Do all systems support passphrases? Check maximum length limits before rolling them out.
• How to train your end-users?
– http://success.specopssoft.com
• Use multi-factor authentication when you can, consumer and corporate
• Preferences vs. facts
– "I like peanut butter": a preference, hard for an attacker to look up
– "I lived in Towson MD": a fact, discoverable from public records and social media
Questions
• Do you believe passphrases increase security?
• Do you believe passphrases are easier for users to remember than traditional passwords?
• Do you think you will receive fewer password reset calls if you enable passphrases?
THOUGHTS?
Wrap Up
• Use two-factor / multi-factor authentication where you can, always!
– https://twofactorauth.org
• Understand the vulnerability
– Haystack: https://www.grc.com/haystack.htm
– Passfault: https://passfault.appspot.com/password_strength.html?#menu
• Some fun reading
– http://cups.cs.cmu.edu/rshay/pubs/passwords_and_people2011.pdf
– https://howsecureismypassword.net/
TAKE AWAYS