Allidm.com Discovering Identity and Access Management Solutions Password Management http://academy.allidm.com

Upload: aidy-tificate

Post on 08-May-2015


DESCRIPTION

Identity management solutions require specific skills to deploy successfully. This presentation will help you start building some of them.

TRANSCRIPT

Page 1: IAM Password

Allidm.com

Discovering Identity and Access Management Solutions

Password Management

http://academy.allidm.com

Page 2: IAM Password

Find us on Facebook: http://www.facebook.com/allidm

Follow us on Twitter: http://twitter.com/aidy_idm

Look for us on LinkedIn: http://www.linkedin.com/allidm

Visit our blog: http://www.allidm.com/blog

Stay connected to Allidm

Page 3: IAM Password

Disclaimer and Acknowledgments

The contents here are created as my own personal endeavor and thus do not reflect any official stance of any Identity and Access Management vendor on any particular technology.

Page 4: IAM Password

Contact Us

In this presentation we'll talk about some useful topics that you can use no matter which identity and access management solution or product you are working on.

If you know one that makes a big difference, please tell us so we can include it in the future.

[email protected]

Page 5: IAM Password

Introduction

User names and passwords are commonly used by people during a log-in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), video game consoles, etc.

Page 6: IAM Password

What’s a password?

A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource

A sequence of characters that one must input to gain access to a file, application, or computer system.

The password should be kept secret from those not allowed access.

Also called passkey.

Page 7: IAM Password

Common Issues

Users employ the same password for accounts on different systems.

Users forget their passwords.

Users choose short or common passwords: a name, a birthday, the company name, etc.

Page 8: IAM Password

Form of stored passwords

Clear text: If an attacker gains access to such an internal password store, all passwords, and so all user accounts, will be compromised.

Cryptographically hashed: Access to the actual password will still be difficult for a snooper who gains internal access to the system.

A common approach stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, the password-handling software runs it through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access.

Page 9: IAM Password

Password Management

Some common password operations are password change, password reset, password recovery and password expiry.

Page 10: IAM Password

Password Features

Passwords have the following log-on controls and management features that you should configure in accordance with an organization's security policy and security best practices: length, complexity, aging, history, limited attempts, lockout duration and limited time periods.

Page 11: IAM Password

Length

The longer the better: longer passwords are more difficult to crack. Configure systems to require a minimum password length of six to eight characters. Of course, users can easily forget long passwords or simply find them too inconvenient, leading to some of the human-nature problems.

Page 12: IAM Password

Complexity

Strong passwords contain a mix of upper- and lowercase letters, numbers, and special characters such as # and $

Remember that some systems may not accept certain special characters, or those characters may perform special functions

Page 13: IAM Password

Aging

Set maximum password aging to require password changes at regular intervals: 30-, 60-, or 90-day periods are common.

Set minimum password aging: one day is usually recommended, to prevent users from easily circumventing password history controls, for example by changing their password five times within a few minutes and then setting it back to the original password.

Page 14: IAM Password

History

Password history settings allow a system to remember previously used passwords for a specific account; five is usually recommended.

This security setting prevents users from circumventing maximum password aging by alternating between two or three familiar passwords when they're required to change their passwords.
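As an added example (not from the slides or from Allidm), the Python below puts the hashed storage of page 8 and the length, complexity, aging and history controls of pages 11 to 14 into one account object. The per-password salt and PBKDF2 stretching go beyond the slide's plain "hashed" wording; the policy values (8 characters, one-day minimum age, five remembered passwords) come from the slides, and SPECIALS is an assumed special-character set.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8            # upper end of the slide's six-to-eight range
HISTORY_DEPTH = 5         # slide: "five is usually recommended"
MIN_AGE = 24 * 3600       # minimum password age of one day, in seconds
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")   # assumed special-character set

def hash_password(password, salt=None):
    # Per-password salt plus PBKDF2 stretching is our addition; the slide only
    # says the store holds a "hashed" form of the password.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def verify_password(password, salt, digest):
    # compare_digest keeps the comparison time independent of where it differs
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def is_complex(password):
    """Mix of upper- and lowercase letters, a digit and a special character."""
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password) and any(c in SPECIALS for c in password))

class Account:
    """Stores only salted hashes: the current password plus up to four older ones."""

    def __init__(self, password, now):
        self.history = [hash_password(password)]   # oldest first, current last
        self.changed_at = now                       # seconds since epoch

    def change_password(self, new_password, now):
        """Return None if the change is accepted, else the name of the rule that failed."""
        if now - self.changed_at < MIN_AGE:
            return "minimum age"
        if len(new_password) < MIN_LENGTH:
            return "length"
        if not is_complex(new_password):
            return "complexity"
        # Every remembered hash has its own salt, so the candidate is re-derived per entry.
        if any(verify_password(new_password, s, d) for s, d in self.history):
            return "history"
        self.history = (self.history + [hash_password(new_password)])[-HISTORY_DEPTH:]
        self.changed_at = now
        return None

    def check(self, password):
        """Log-on check against the current (last) hash only."""
        return verify_password(password, *self.history[-1])
```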

Page 15: IAM Password

Limited attempts

This control limits the number of unsuccessful log-on attempts. It consists of two components: the counter threshold (three is usually recommended) and the counter reset (30 minutes is usually recommended).

The counter threshold is the maximum number of consecutive unsuccessful attempts permitted before some action occurs (such as automatically disabling the account).

Page 16: IAM Password

Limited attempts…

The counter reset is the amount of time between unsuccessful attempts. For example, three unsuccessful log-on attempts within a 30-minute period may result in an account lockout for a set period (for example, 24 hours).

Two unsuccessful attempts in 25 minutes, and then a third unsuccessful attempt 10 minutes later, wouldn't result in an account lockout.

A successful log-on attempt also resets the counter.

Page 17: IAM Password

Lockout duration

When a user exceeds the counter threshold, the account is locked out. Organizations commonly set the lockout duration to 30 minutes, but you can set it for any duration. If you set the duration to forever, an administrator must unlock the account.

Some systems don't notify the user when they lock out an account, instead quietly alerting the system administrator to a possible break-in attempt.
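As an added example (not part of the slides), this Python class simulates the limited-attempts and lockout-duration controls above with the recommended values: a threshold of 3, a 30-minute counter reset and the 24-hour lockout from the slide's example. Treating the counter reset as a sliding 30-minute window is an assumed reading that reproduces the slide's "two attempts in 25 minutes, then a third 10 minutes later" case.

```python
THRESHOLD = 3                 # slide: counter threshold, three recommended
RESET_WINDOW = 30 * 60        # slide: counter reset, 30 minutes (in seconds)
LOCKOUT_DURATION = 24 * 3600  # slide's example lockout period of 24 hours

class LoginGuard:
    """Limited-attempts and lockout state for one account."""

    def __init__(self):
        self.failures = []        # timestamps of unsuccessful attempts still counted
        self.locked_until = None  # end of the current lockout, or None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, success, now):
        """Record one log-on attempt at time `now` (seconds); return 'ok', 'denied' or 'locked'."""
        if self.is_locked(now):
            return "locked"       # rejected even with the right password
        self.locked_until = None  # an expired lockout is cleared lazily
        if success:
            self.failures = []    # a successful log-on resets the counter
            return "ok"
        # Assumed reading of "counter reset": only failures inside the last
        # 30 minutes count, so older ones are dropped before this one is added.
        self.failures = [t for t in self.failures if now - t < RESET_WINDOW]
        self.failures.append(now)
        if len(self.failures) >= THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            self.failures = []
            # The slide notes some systems alert the administrator here instead
            # of telling the user; this example simply reports the lockout.
            return "locked"
        return "denied"
```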

Page 18: IAM Password

Limited time periods

This control restricts the time of day that a user can log in. For example, you can effectively reduce the period of time during which attackers can compromise your systems by limiting users to access only during business hours.

Page 19: IAM Password

Best Practices

Log-on banner: Welcome messages literally invite criminals to access your systems. Disable any welcome message and replace it with a legal warning that requires the user to click OK to acknowledge the warning and accept the legal terms of use.

Last username: Many popular operating systems display the username of the last successful account log-on. Disable this feature.

Users (who only need to type in their password) find this feature convenient — and so do attackers (who only need to crack the password without worrying about matching it to a valid user account)

Page 20: IAM Password

Best Practices …

Last successful log-on: After successfully logging on to the system, this message tells the user the last time that he or she logged on.

If the system shows that the last successful log-on for a user was Saturday morning at 2 a.m. and the user knows that he couldn't possibly have logged in at that time because he has a life, he knows that someone has compromised his account, and he can report the incident accordingly.

Page 21: IAM Password

Good criteria

Don't pick a password that someone can easily guess if they know who you are: not your Social Security number, birthday, or maiden name.

Don't pick a word that can be found in the dictionary; there are programs that can rapidly try every word in the dictionary.

Don't pick a word that is currently newsworthy.

Don't pick a password that is similar to your previous password.

Do pick a mixture of letters and at least one number.

Do pick a word that you can easily remember.

Page 22: IAM Password

Generate your password

Mix upper- and lowercase characters, for example: eXaMple

Replace some letters with numbers, for example: replace e with 3, a with @, s with 5

Combine two words by using a special character, for example: sALT&pEPPER or BaCoN+EgGs

Use the first letter from each word of a nonsense phrase or nonsense song, title, or quote, for example: "Oops! ...I Did It Again" becomes O!Idia

Use a combination of all the tips above, for example: "Snow White and the Seven Habits of Highly Effective People" becomes SW&t7HoHEP!

Page 23: IAM Password

Tools

To generate a password you can always employ a software tool that helps users evaluate the quality of their passwords when they create them.

These tools are commonly known as password/passphrase generators or password appraisers.

Password tools:

https://www.microsoft.com/security/pc-security/password-checker.aspx

https://secure.pctools.com/guides/password/

http://www.securesafepro.com/pasgen.php

Page 24: IAM Password

Allidm.com

Discovering Identity and Access Management Solutions

Allidm Academy

http://academy.allidm.com