2. Stay connected to Allidm
Find us on Facebook:
http://www.facebook.com/allidm
Follow us on Twitter:
http://twitter.com/aidy_idm
Look for us on LinkedIn:
http://www.linkedin.com/allidm
Visit our blog:
http://www.allidm.com/blog
3. Disclaimer and Acknowledgments
The contents here are created as my own personal endeavor and
thus do not reflect any official stance of any Identity and
Access Management vendor on any particular technology.
4. Contact Us
In this presentation we'll talk about some useful topics that
you can apply no matter which identity and access management
solution or product you are working on.
If you know one that makes a big difference, please tell us so
we can include it in the future.
aidy.allidm@gmail.com
5. Introduction
User names and passwords are commonly used by people during a
log-in process that controls access to protected resources such as:
computer operating systems,
mobile phones,
cable TV decoders,
automated teller machines (ATMs),
video game consoles,
etc.
6. What’s a password?
A password is a secret word or string of characters that is
used for authentication, to prove identity or gain access to
a resource
A sequence of characters that one must input to gain
access to a file, application, or computer system.
The password should be kept secret from those not
allowed access.
Also called passkey.
7. Common Issues
Users employ the same password for accounts on
different systems.
Users forget their password.
Users choose short or common passwords
(name, birthday, company name, etc.).
8. Form of stored passwords
Clear text
If an attacker gains access to such an internal password store, all passwords—and
so all user accounts—will be compromised.
Cryptographically protected
Access to the actual password will still be difficult for a snooper who gains internal
access to the system.
A common approach stores only a "hashed" form of the plaintext password.
When a user types in a password on such a system, the password handling
software runs it through a cryptographic hash algorithm, and if the hash value
generated from the user's entry matches the hash stored in the password
database, the user is permitted access.
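The two storage forms side by side, as an added example that is not part of the original deck: a clear-text store compared directly against the entry, and a hashed store that keeps only a per-user salt, a work factor and the digest. PBKDF2 is used here as the hash algorithm; the iteration count and salt size are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not from the slides. Iteration count and salt size are
# assumptions chosen for illustration, not values the deck specifies.
ITERATIONS = 200_000
SALT_BYTES = 16


# Clear-text store (slide 8, first form): the store itself is the secret.
def clear_text_check(store: Dict[str, str], user: str, attempt: str) -> bool:
    """Anyone who can read `store` learns every user's password outright."""
    return store.get(user) == attempt


# Hashed store (slide 8, second form): keep salt, work factor and digest only.
def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a hashed password store keeps; the plaintext is discarded.
    A fresh random salt per user means two users with the same password
    (a common issue from slide 7) still get different stored hashes."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Run the user's entry through the same hash and compare with the stored digest.
    compare_digest avoids revealing, via timing, how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])
```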
10. Password Features
Passwords have the following login controls and
management features that you should configure in
accordance with an organization's security policy and
security best practices
Length
Complexity
Aging
History
Limited attempts
Lockout duration
Limited time periods
11. Length
The longer the better: longer passwords are more difficult to crack.
Configure systems to require a minimum password
length of six to eight characters.
Of course, users can easily forget long passwords or
simply find them too inconvenient, leading to some of
the human-nature problems listed under Common Issues.
12. Complexity
Strong passwords contain a mix of upper- and
lowercase letters, numbers, and special characters
such as # and $
Remember that some systems may not accept certain
special characters, or those characters may perform
special functions
13. Aging
Set maximum password aging to require password
changes at regular intervals: 30-, 60-, or 90-day
periods are common.
Set minimum password aging.
One day is usually recommended to prevent users from
easily circumventing password history controls,
for example by changing their password five times within
a few minutes, then setting it back to the original password.
14. History
Password history settings allow a system to
remember previously used passwords for a specific
account.
Remembering five previous passwords is usually recommended.
This security setting prevents users from
circumventing maximum password aging by
alternating between two or three familiar passwords
when they're required to change their passwords.
15. Limited attempts
This control limits the number of unsuccessful log-on
attempts.
It consists of two components:
Counter threshold (three is usually recommended).
The counter threshold is the maximum number of
consecutive unsuccessful attempts permitted before some
action occurs (such as automatically disabling the account).
Counter reset (30 minutes is usually recommended).
16. Limited attempts…
The counter reset is the amount of time between
unsuccessful attempts.
For example, three unsuccessful log-on attempts within
a 30-minute period may result in an account lockout for
a set period (for example, 24 hours)
Two unsuccessful attempts in 25 minutes, and then a
third unsuccessful attempt 10 minutes later, wouldn't
result in an account lockout.
A successful log-on attempt also resets the counter.
17. Lockout duration
When a user exceeds the counter threshold the account is
locked out.
Organizations commonly set the lockout duration to 30
minutes, but you can set it for any duration.
If you set the duration to forever, an administrator must
unlock the account.
Some systems don't notify the user when it locks out an
account, instead quietly alerting the system administrator
to a possible break-in attempt.
18. Limited time periods
This control restricts the time of day that a user can
log in.
For example, you can effectively reduce the period of
time that attackers can compromise your systems by
limiting users to access only during business hours.
19. Best Practices
Log-on banner
Welcome messages literally invite criminals to access your
systems.
Disable any welcome message and replace it with a legal warning
that requires the user to click OK to acknowledge the warning
and accept the legal terms of use.
Last username
Many popular operating systems display the username of the
last successful account log-on.
Disable this feature.
Users (who only need to type in their password) find this feature
convenient — and so do attackers (who only need to crack the
password without worrying about matching it to a valid user account)
20. Best Practices …
Last successful log-on
After successfully logging on to the system, this
message tells the user the last time that he or she
logged on.
If the system shows that the last successful log-on for a
user was Saturday morning at 2 a.m. and the user knows
that he couldn't possibly have logged in at that time
because he has a life, he knows that someone has
compromised his account, and he can report the
incident accordingly.
21. Good criteria
Don't pick a password that someone can easily guess if
they know who you are
not your Social Security number, birthday, or maiden name
Don't pick a word that can be found in the dictionary
there are programs that can rapidly try every word in the
dictionary
Don't pick a word that is currently newsworthy
Don't pick a password that is similar to your previous
password
Do pick a mixture of letters and at least one number
Do pick a word that you can easily remember
22. Generate your password
Mix upper- and lowercase characters
for example, eXaMple
Replace some letters with numbers
for example, replace e with 3 , a with @ , s with 5
Combine two words by using a special character
for example, sALT&pEPPER or BaCoN+EgGs
Use the first letter from each word of a nonsense phrase or
nonsense song, title, or quote
for example, "Oops! ...I Did It Again" becomes O!Idia
Use a combination of all tips above
for example, "Snow White and the Seven Habits of Highly Effective
People" becomes SW&t7HoHEP!
23. Tools
To generate a password you can always employ a software tool;
similar tools help users evaluate the quality of their passwords
when they create them.
These tools are commonly known as password/passphrase
generators or password appraisers.
Password tools
https://www.microsoft.com/security/pc-security/passwordchecker.aspx
https://secure.pctools.com/guides/password/
http://www.securesafepro.com/pasgen.php
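A small password appraiser of the kind slide 23 describes, as an added example that is not code from the deck or from any of the tools linked above. It checks the criteria of slides 12 and 21 (character classes, dictionary words, similarity to a previous password) and, for the dictionary and history checks, undoes case and the digit/symbol substitutions shown on slide 22, since cracking tools try those substitutions too. The minimum length, the substitution table and the word list are assumptions.

```python
import re
from typing import Iterable, List

# Added example, not from the slides: a password appraiser implementing the
# deck's criteria. MIN_LENGTH and the LEET table are assumptions.
MIN_LENGTH = 8
LEET = str.maketrans({"3": "e", "@": "a", "5": "s", "0": "o", "1": "l", "$": "s"})
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalize(password: str) -> str:
    """Undo case and the substitutions of slide 22 (e -> 3, a -> @, s -> 5, ...)."""
    return password.lower().translate(LEET)


def appraise(password: str, previous: Iterable[str], dictionary: Iterable[str]) -> List[str]:
    """Return the criteria the password fails; an empty list means it passes.
    Criteria: 'length', 'complexity' (slide 12), 'dictionary' and 'history' (slide 21)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not all(re.search(p, password) for p in CLASS_PATTERNS):
        problems.append("complexity")
    normalized = normalize(password)
    if normalized in {w.lower() for w in dictionary}:
        problems.append("dictionary")
    if any(normalized == normalize(old) for old in previous):
        problems.append("history")
    return problems
```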