Passwords

Passwords #

Advice #

  • Best practices
    • Show password to prevent typos, password managers, store secrets with salts and secure hashing methods, locking after multiple attempts and MFA
  • Guideliness - NIST 800-63
    • Reduce password complexity requirements and instead emphasize length.
    • Not require special characters
    • Allow ASCII and Unicode
    • Allow pasting into passwords fields (for password managers)
    • Monitor new passwords to ensure that easily compromised ones are not used
    • Eleminate Password Hints
  • Recomendations
    • Length is the best defense against brute force
    • Complexity - prevent repeated characters and common words
    • Reuse limitations
    • Expiration dates to force renewal
    • Age limitations - Sometimes people keep resetting till the “reuse” limitation is circumvented.
  • Password Managers
  • Passwordless
    • Instead depending on what you know primarily, it focuses on what you have (security tokens, certificates,…)
    • An option: hardware security key (like UbiKey)
      • Protocols: FIDO, Universal 2nd Factor (U2F), ..
      • FIDO: Open Authentication Standard supporting W3C Web Authentication and Client to Authenticator Protocol (CTAP)
    • Goal is to remove friction

Default Passwords #

Password Attacks #

Brute-Force - Iterate through passwords until they find one that works #

  • This can include using lists with generic commonly used passwords or tailored to the target
  • Many passwords attempts for a single user

Password Spraying - a brute-force variation #

  • Few passwords attempts but for many users
  • Example: On a sports fan website, most likely one user, uses the teams name or player as password

Dictionairy Attacks - a brute-force variation #

  • Uses a distinct list of words
  • Popular Tool: John The Ripper and Tutorials
  • Envirment
  • Online: Run and test passwords against life system with risk getting blocked/caught
  • Offline: You have the hashes or offline copy and you can in all peace go at it.
    • For example a precomputed list of hashes (Rainbow table attack)
      • Hash salts and peper is used to counter rainbow table attack