iam password
Identity management solutions require specific skills to deploy successfully. This presentation will help you start building some of them.
Allidm.com
Discovering Identity and Access Management Solutions
Password Management
http://academy.allidm.com
Find us on Facebook: http://www.facebook.com/allidm
Follow us on Twitter: http://twitter.com/aidy_idm
Look for us on LinkedIn: http://www.linkedin.com/allidm
Visit our blog: http://www.allidm.com/blog
Stay connected to Allidm
Disclaimer and Acknowledgments
The contents here are created as my own personal endeavor and thus do not reflect any official stance of any Identity and Access Management vendor on any particular technology.
Contact Us
In this presentation we'll talk about some useful topics that you can use no matter which identity and access management solution or product you are working on.
If you know one that makes a big difference, please tell us so we can include it in the future.
Introduction
User names and passwords are commonly used by people during a login process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), video game consoles, etc.
What’s a password?
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource.
A sequence of characters that one must input to gain access to a file, application, or computer system.
The password should be kept secret from those not allowed access.
Also called passkey.
Common Issues
Users employ the same password for accounts on different systems.
Users forget their passwords.
Users choose short or common passwords (name, birthday, company name, etc.).
Form of stored passwords
Clear text: If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised.
Cryptographically protected: Access to the actual password will still be difficult for a snooper who gains internal access to the system.
A common approach stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, the password handling software runs it through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access.
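The hashed store described above, as an added example that is not part of the slides: each user gets a random salt, only the salted PBKDF2 hash is kept, and verification re-runs the hash over the user's entry. The iteration count is an assumption to tune for your hardware.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): store only a salted, iterated hash of
# the password, never the clear text, and verify by recomputing the hash.
ITERATIONS = 600_000  # PBKDF2 work factor; assumption, tune for your hardware


def store_password(password, salt=None):
    """Return a record for the password store: salt + hash, no clear text."""
    salt = salt or os.urandom(16)          # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"algo": "pbkdf2_sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record, attempt):
    """Re-run the hash over the user's entry and compare with the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # constant-time comparison: does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_differs(password):
    """Two users with the same password get different stored hashes (different salts),
    yet both records still verify. Returns True when that holds."""
    a, b = store_password(password), store_password(password)
    return a["hash"] != b["hash"] and verify_password(a, password) and verify_password(b, password)


if __name__ == "__main__":
    rec = store_password("sALT&pEPPER")
    print(rec)
    print(verify_password(rec, "sALT&pEPPER"))   # True
    print(verify_password(rec, "salt&pepper"))   # False
```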
Password Management
Some common password operations are:
Password Change
Password Reset
Password Recovery
Password Expiry
Password Features
Passwords have the following login controls and management features that you should configure in accordance with an organization's security policy and security best practices:
Length
Complexity
Aging
History
Limited attempts
Lockout duration
Limited time periods
Length
The longer the better: longer passwords are more difficult to crack. Configure systems to require a minimum password length of six to eight characters. Of course, users can easily forget long passwords or simply find them too inconvenient, leading to some of the human-nature problems.
Complexity
Strong passwords contain a mix of upper- and lowercase letters, numbers, and special characters such as # and $.
Remember that some systems may not accept certain special characters, or those characters may perform special functions.
Aging
Set maximum password aging to require password changes at regular intervals: 30-, 60-, or 90-day periods are common.
Set minimum password aging. One day is usually recommended to prevent users from easily circumventing password history controls, for example, by changing their password five times within a few minutes, then setting it back to the original password.
History
Password history settings allow a system to remember previously used passwords for a specific account. Five is usually recommended.
This security setting prevents users from circumventing maximum password aging by alternating between two or three familiar passwords when they're required to change their passwords.
Limited attempts
This control limits the number of unsuccessful log-on attempts. It consists of two components:
Counter threshold (three is usually recommended): the maximum number of consecutive unsuccessful attempts permitted before some action occurs, such as automatically disabling the account.
Counter reset (30 minutes is usually recommended): the amount of time between unsuccessful attempts.
Limited attempts…
For example, three unsuccessful log-on attempts within a 30-minute period may result in an account lockout for a set period (for example, 24 hours).
Two unsuccessful attempts in 25 minutes, and then a third unsuccessful attempt 10 minutes later, wouldn't result in an account lockout.
A successful log-on attempt also resets the counter.
Lockout duration
When a user exceeds the counter threshold, the account is locked out. Organizations commonly set the lockout duration to 30 minutes, but you can set it for any duration. If you set the duration to forever, an administrator must unlock the account. Some systems don't notify the user when they lock out an account, instead quietly alerting the system administrator to a possible break-in attempt.
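The limited-attempts and lockout-duration controls from the two sections above, as an added example that is not code from the slides. It assumes failures are counted in a sliding window of the counter-reset period (which is what makes the "two in 25 minutes, then one 10 minutes later" case not lock), that lockout_duration=None means "forever" (administrator unlock only), and that START is a constructed clock origin for the scenarios.

```python
from datetime import datetime, timedelta

# Added example (not from the slides): the "limited attempts" and "lockout
# duration" controls as one policy object. Assumptions: failures count within a
# sliding window of `counter_reset`, and lockout_duration=None means "forever"
# (only an administrator can unlock). START is a constructed clock origin.
START = datetime(2024, 1, 1, 9, 0)


def minutes(m):
    """Constructed timestamp m minutes after START (helper for scenarios)."""
    return START + timedelta(minutes=m)


class LockoutPolicy:
    def __init__(self, threshold=3, counter_reset=timedelta(minutes=30),
                 lockout_duration=timedelta(hours=24)):
        self.threshold = threshold
        self.counter_reset = counter_reset
        self.lockout_duration = lockout_duration
        self._failures = {}       # user -> timestamps of recent failures
        self._locked_until = {}   # user -> datetime, or None for "forever"

    def is_locked(self, user, now):
        if user not in self._locked_until:
            return False
        until = self._locked_until[user]
        if until is None or now < until:
            return True
        del self._locked_until[user]   # lockout period has expired
        return False

    def record_failure(self, user, now):
        """Register an unsuccessful log-on; return True if the account is locked."""
        if self.is_locked(user, now):
            return True
        # keep only failures inside the counter-reset window, then add this one
        recent = [t for t in self._failures.get(user, []) if now - t < self.counter_reset]
        recent.append(now)
        if len(recent) >= self.threshold:
            self._failures[user] = []
            self._locked_until[user] = (now + self.lockout_duration
                                        if self.lockout_duration else None)
            return True
        self._failures[user] = recent
        return False

    def record_success(self, user, now):
        """A successful log-on resets the counter."""
        self._failures.pop(user, None)

    def admin_unlock(self, user):
        """Required when lockout_duration is None ("forever")."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)
```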
Limited time periods
This control restricts the time of day that a user can log in. For example, you can effectively reduce the period of time in which attackers can compromise your systems by limiting users to access only during business hours.
Best Practices
Log-on banner: Welcome messages literally invite criminals to access your systems. Disable any welcome message and replace it with a legal warning that requires the user to click OK to acknowledge the warning and accept the legal terms of use.
Last username: Many popular operating systems display the username of the last successful account log-on. Disable this feature.
Users (who only need to type in their password) find this feature convenient — and so do attackers (who only need to crack the password without worrying about matching it to a valid user account).
Best Practices …
Last successful log-on: After successfully logging on to the system, this message tells the user the last time that he or she logged on.
If the system shows that the last successful log-on for a user was Saturday morning at 2 a.m., and the user knows that he couldn't possibly have logged in at that time because he has a life, he knows that someone has compromised his account, and he can report the incident accordingly.
Good criteria
Don't pick a password that someone can easily guess if they know who you are: not your Social Security number, birthday, or maiden name.
Don't pick a word that can be found in the dictionary; there are programs that can rapidly try every word in the dictionary.
Don't pick a word that is currently newsworthy.
Don't pick a password that is similar to your previous password.
Do pick a mixture of letters and at least one number.
Do pick a word that you can easily remember.
Generate your password
Mix upper- and lowercase characters, for example, eXaMple.
Replace some letters with numbers, for example, replace e with 3, a with @, s with 5.
Combine two words by using a special character, for example, sALT&pEPPER or BaCoN+EgGs.
Use the first letter from each word of a nonsense phrase or nonsense song, title, or quote, for example, "Oops! ...I Did It Again" becomes O!Idia.
Use a combination of all tips above, for example, "Snow White and the Seven Habits of Highly Effective People" becomes SW&t7HoHEP!
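A checker that enforces the Length and Complexity rules, the "Good criteria" and the password-history rule from the sections above, as an added example that is not part of the slides. MIN_LENGTH, the tiny DICTIONARY and the similarity cutoff are assumptions; it also undoes the letter-for-number swaps suggested above before the dictionary test, because cracking tools try those same swaps.

```python
import difflib
import re

# Added example (not from the slides): a checker for the "Good criteria" and the
# Length/Complexity rules above. MIN_LENGTH, the tiny DICTIONARY and the
# similarity cutoff are assumptions; a real deployment loads a full word list.
MIN_LENGTH = 8
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}  # constructed
SIMILARITY_CUTOFF = 0.8
# cracking tools try the same letter-for-number swaps the slides suggest, so undo them
UNLEET = str.maketrans("3@5", "eas")


def check_password(candidate, previous=(), personal=()):
    """Return the list of rules the candidate violates (empty list means acceptable)."""
    problems = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [re.search(p, candidate) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    if not all(classes):
        problems.append("needs upper- and lowercase letters, a number and a special character")
    core = re.sub(r"[^a-z]", "", low.translate(UNLEET))   # letters only, swaps undone
    if core in DICTIONARY:
        problems.append("dictionary word")
    for info in personal:   # name, birthday, company name, ...
        if info and info.lower() in low:
            problems.append(f"contains personal information ({info})")
    for old in previous:    # history: reject near-repeats, not only exact reuse
        if difflib.SequenceMatcher(None, low, old.lower()).ratio() >= SIMILARITY_CUTOFF:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    print(check_password("SW&t7HoHEP!"))                       # []
    print(check_password("P@55word!"))                         # dictionary word
    print(check_password("Summer2024!", previous=["Summer2023!"]))
```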
Tools
To generate a password you can always employ a software tool that helps users evaluate the quality of their passwords when they create them.
These tools are commonly known as password/passphrase generators or password appraisers.
Password tools:
https://www.microsoft.com/security/pc-security/password-checker.aspx
https://secure.pctools.com/guides/password/
http://www.securesafepro.com/pasgen.php
Allidm Academy
http://academy.allidm.com