GCHQ: Forget complicated passwords to increase security

Forget about using complex passwords: that is the recommendation of a new report, "Password Guidance: Simplifying Your Approach", from the British intelligence agency GCHQ and the Centre for the Protection of National Infrastructure (CPNI), which has been covered by a number of news outlets. But is this really what GCHQ is advising?

After reading the report "Password Guidance: Simplifying Your Approach", I would say GCHQ is not really asking people to use weak passwords; it is asking IT to simplify things for users, which I think is common sense. A chain is only as strong as its weakest link, and if you ask the average user to do too much, human nature shows that shortcuts, and therefore weaknesses, will be introduced. Since most people can remember 7 (+/- 2) characters (which is why licence plates and telephone numbers fall comfortably into this range), most passwords are around the same length, because that is what is easy to remember. Anything longer, or a password that is too complicated, leads to headaches for most people.

It has long been known that if you give a user a complex password, more often than not they will simply write it on a Post-it, for anyone who happens to walk into the office to see. If, for example, I wanted to break into a bank, I would try to get a temporary job, or a position on the cleaning staff, because it is likely that someone would have stuck an important password somewhere around their workstation.

In any event, if a government agency wanted to see data that has been password protected, it would have no problem at all: it could obtain a court order, threaten the user or admin with jail time, or just break in itself. Or a combination of the three.

As for malicious attackers, once they are in a system it is almost game over. Once inside, simply copying the password file for offline cracking is easy.

Using a rainbow table, an attacker has all the time in the world to crack your password offline. They simply take the hashed value of the password that is stored in the file, and the rainbow table gives them the clear text, something that would usually take days or weeks to brute force on your own. When a password is stored on a server, it is usually "hashed", which means it is transformed so that no one can read the original.

For example, the MD5 hash of ILoveSausages = 2738855a9d9c78488616e1fa7180f125

The way hashing works is that it only goes in one direction: you can hash ILoveSausages to obtain the hash value, but you cannot take the hash value, in this case 2738855a9d9c78488616e1fa7180f125, and work out what the original text was.

Therefore, the only way to find the password would be to hash every combination of letters, numbers and symbols until you finally get one that matches the hash value you have. As you can imagine, this could take forever, even with the processing power of today's computers.

With a rainbow table, someone, or a group of people, has already done the hard work: you simply feed in your hash, 2738855a9d9c78488616e1fa7180f125, and it gives you back the original text, ILoveSausages.

Think of a rainbow table as a reverse phone book. In a telephone directory you look up names, in alphabetical order, and it gives you a number. But what if you only have the number? You would need to start at the first page and go to the bottom of every page to see if you can find a match, all the way from Mr Aardvark to Mrs Zulu.
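The reverse-lookup idea above, together with the usual mitigation, as an added example that is not part of the original post or of the GCHQ report. It builds a tiny precomputed MD5 lookup table from a constructed list of common passwords (standing in for a rainbow table), reverses an unsalted hash with one dictionary lookup, and then shows why a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library) defeats precomputation: the same password stored twice yields two different values, so no shared table can cover both. The password list, the iteration count and the function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords, standing in for a real rainbow table's key space.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "ILoveSausages"]

# Work factor for PBKDF2 (assumed value; raise it as hardware allows).
ITERATIONS = 200_000


def md5_hex(text):
    """Unsalted MD5 of a string, the way the post's example stores it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_md5_lookup(candidates):
    """Precompute hash -> clear text for every candidate: the 'reverse phone book'.

    A real rainbow table stores chains rather than every pair to save space,
    but the defender's lesson is identical: an unsalted hash of any password
    in the table is reversed by one lookup instead of a brute-force search.
    """
    return {md5_hex(p): p for p in candidates}


def reverse_unsalted_md5(stored_hex, table):
    """Return the clear text if the stored hash is in the table, otherwise None."""
    return table.get(stored_hex)


def hash_password(password, salt=None):
    """Salted, slow hash: returns (salt, digest). Store both beside the user record."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salting_defeats_precomputation(password):
    """Two users with the same password get different stored values, so a table
    computed for one salt is useless for the other; both still verify correctly."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return (
        digest_a != digest_b
        and verify_password(password, salt_a, digest_a)
        and verify_password(password, salt_b, digest_b)
    )


if __name__ == "__main__":
    table = build_md5_lookup(COMMON_PASSWORDS)
    stored = md5_hex("ILoveSausages")
    print("unsalted MD5", stored, "reverses to:", reverse_unsalted_md5(stored, table))
    print("salted PBKDF2 resists the table:", salting_defeats_precomputation("ILoveSausages"))
```

The salt does not need to be secret; its job is only to make every stored value unique, so the precomputation has to be redone per user, and the iteration count makes each attempt expensive.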

Rainbow tables have cracked some passwords of up to 10 characters, so using three words strung together to create a password of around 15-20 characters is much better than a complex password of 7, which is what GCHQ recommends in its report "Password Guidance: Simplifying Your Approach".

e.g. ILikeToEat2BigMacsDaily could be more secure than E14Fg*&

and the Big Mac password is much easier to remember, so it would not need to be written down, and I doubt it is one of the 10,000 common passwords that can be found simply by searching the web.

GCHQ also recommends that IT admins put a more robust logging and auditing system in place, so they can quickly identify and isolate any behaviour that appears suspicious.
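What "identify suspicious behaviour" from logs can look like in practice, as an added example (not code from the post or from GCHQ): a small Python detector run over constructed, simplified sshd-style authentication lines. It flags any source address that produces five or more failed logins inside a five-minute window, which is the shape of a dictionary attack or password spraying, and lists any successful login from that same source for an analyst to review. The log format, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified sshd-style format (not real logs).
SAMPLE_LOG = """\
2015-09-01T08:00:01 host1 sshd: Failed password for alice from 203.0.113.5
2015-09-01T08:00:03 host1 sshd: Failed password for alice from 203.0.113.5
2015-09-01T08:00:04 host1 sshd: Failed password for bob from 203.0.113.5
2015-09-01T08:00:06 host1 sshd: Failed password for carol from 203.0.113.5
2015-09-01T08:00:07 host1 sshd: Failed password for dave from 203.0.113.5
2015-09-01T08:00:09 host1 sshd: Accepted password for dave from 203.0.113.5
2015-09-01T08:15:00 host1 sshd: Failed password for alice from 198.51.100.7
2015-09-01T09:30:00 host1 sshd: Accepted password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, result, user, source) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def find_suspicious_sources(events, window=timedelta(minutes=5), threshold=5):
    """Flag each source with >= threshold failures inside any span of length `window`.

    Many failures against one account look like a dictionary attack; a few
    failures each against many accounts look like password spraying. Both are
    caught by counting per source rather than per account.
    """
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "Failed":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        for start in range(len(fails)):
            end = start
            while end < len(fails) and fails[end][0] - fails[start][0] <= window:
                end += 1
            if end - start >= threshold:
                alerts[src] = {
                    "failures": end - start,
                    "accounts": sorted({user for _, user in fails[start:end]}),
                }
                break
    return alerts


def successes_from_flagged(events, alerts):
    """A successful login from a flagged source deserves an analyst's attention."""
    return sorted(
        {(user, src) for _, result, user, src in events if result == "Accepted" and src in alerts}
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = find_suspicious_sources(evs)
    for src, info in found.items():
        print(f"ALERT {src}: {info['failures']} failures against {info['accounts']}")
    for user, src in successes_from_flagged(evs, found):
        print(f"REVIEW successful login for {user} from flagged source {src}")
```

On the sample above only 203.0.113.5 is flagged: five failures across four accounts in six seconds, followed by a success for dave, which is exactly the event an admin would want isolated quickly. The single failure from 198.51.100.7 is ordinary user error and stays quiet.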

Basically, GCHQ is advising IT admins to follow a "defence in depth" approach, something decent IT administrators have done for decades, and simply stressing that user passwords are only part of the picture, a part that has become unnecessarily complex for users over the years.

In reality, you are more likely to have your password guessed, or used to get into your accounts, by someone you know: a partner curious about your emails, a child trying to get around the age restrictions on Netflix, or a disgruntled employee looking to embezzle funds or simply destroy data and cause chaos.

With so many of our daily activities online, from social media to online banking, we have many different user names and passwords, and of course remembering all those passwords is difficult, so we often write them down, or just forget them. The BBC recently reported that British citizens each had an average of 22 online passwords.

"Password Guidance: Simplifying Your Approach" also touches on the subject of blacklists. A simple Google search will bring up lists of the 10,000 most common passwords, which attackers use to try to brute force a login (i.e. simply trying each password until one works, known as a dictionary attack). If the IT department uses such a list as a blacklist and makes sure no one is allowed to use a common password, it stops the dictionary attack almost in its tracks.

Dos and don'ts for creating a secure password

  • Don't store passwords in plain text on a server, or written down on paper; that is a huge security risk
  • Do use a password safe, such as KeePass
  • Don't use personal information in your passwords (like the name of your pet, or someone's anniversary). An attacker can easily find such personal information on your Facebook or other social media profile
  • Don't share passwords with anyone
  • Do use two-factor authentication, which provides another layer of protection

GCHQ's report also notes that "regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise." The idea behind this advice is that IT admins should try to make everything as simple as possible for users, because once a password is stolen it is generally used within a few days, so forcing users to change it 3 months later does not really add to security.

What is a "strong password"?

Microsoft sets the minimum requirements for a complex password as:

  • Passwords must not contain the user's samAccountName (account name) value or displayName (full name) value. Both checks are not case sensitive.

- The samAccountName is checked in its entirety to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped.

- The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are less than three characters long are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.

  • Passwords must contain characters from three of the following five categories:

- Uppercase characters of European languages (A through Z, with diacritical marks, Greek and Cyrillic characters)

- Lowercase characters of European languages (a through z, sharp-s, with diacritical marks, Greek and Cyrillic characters)

- Base 10 digits (0 through 9)

- Non-alphanumeric characters (special characters): ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

- Any Unicode character that is categorised as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
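A checker that implements the Microsoft rules just listed, with the common-password blacklist that the report recommends (discussed earlier in the post) bolted on, as an added example; it is not code from the post, from Microsoft or from GCHQ. The name check tokenises displayName on Microsoft's delimiter set, ignores tokens and account names shorter than three characters, and compares case-insensitively; the category check uses Unicode general categories so that Greek, Cyrillic, sharp-s and CJK characters land in the right bucket; the blacklist is a constructed stand-in for a real list. Function names and blacklist contents are assumptions.

```python
import unicodedata

# Delimiters Microsoft splits displayName on: comma, period, dash, underscore,
# space, pound sign and tab.
DELIMITERS = set(",.-_ #\t")

# Microsoft's list of non-alphanumeric characters (category 4).
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

# Constructed blacklist standing in for a real "10,000 most common passwords" list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def name_tokens(display_name):
    """Split displayName on the delimiter set and drop tokens shorter than 3 characters."""
    tokens, current = [], ""
    for ch in display_name:
        if ch in DELIMITERS:
            if current:
                tokens.append(current)
            current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return [t for t in tokens if len(t) >= 3]


def violates_name_rule(password, sam_account_name, display_name):
    """True if the password contains the account name (>= 3 chars) or any display-name token."""
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return True
    return any(token.lower() in lowered for token in name_tokens(display_name))


def category_count(password):
    """Number of the five Microsoft categories present in the password."""
    seen = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            seen.add("upper")
        elif cat == "Ll":
            seen.add("lower")            # includes sharp-s and accented letters
        elif ch in "0123456789":
            seen.add("digit")            # base-10 digits only
        elif ch in SPECIALS:
            seen.add("special")
        elif cat in ("Lo", "Lm", "Lt"):
            seen.add("other_alpha")      # alphabetic but neither upper nor lower, e.g. CJK
    return len(seen)


def check_password(password, sam_account_name, display_name, blacklist=COMMON_PASSWORDS):
    """Return the list of reasons the password is rejected; an empty list means it passes."""
    reasons = []
    if violates_name_rule(password, sam_account_name, display_name):
        reasons.append("contains the account name or part of the display name")
    if category_count(password) < 3:
        reasons.append("uses fewer than three of the five character categories")
    if password.lower() in blacklist:
        reasons.append("appears on the common-password blacklist")
    return reasons


if __name__ == "__main__":
    for candidate in ["Erin2015!", "SummerHoliday", "Password", "ILikeToEat2BigMacsDaily"]:
        verdict = check_password(candidate, "ehagens", "Erin M. Hagens")
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that the post's own three-words example, ILikeToEat2BigMacsDaily, passes all three checks (uppercase, lowercase and a digit make three categories), while a short dictionary word such as "Password" fails twice, on categories and on the blacklist.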

A complex password can be either:

  • A personally chosen password, made more complicated by adding numbers and/or special characters to it (for example susi -> susi98#!?).

- These types of passwords are pretty easy to remember, so there is no need to write them down. And if there is a need, store them in password vault apps ONLY.

- The complexity here results in a lower chance that the password can be guessed by an attacker using personal information: for example, an attacker could find on Facebook that the victim's spouse is named "susi" and so try to log in with that. They will of course fail if the victim has added numbers and special characters, since the attacker cannot know which ones were used.

  • A randomly generated password. These are of course not memorable and should be stored safely (in a password vault). When generating passwords with maximum complexity parameters (i.e. numbers, letters, special characters, uppercase, lowercase), it is not only impossible for an attacker to guess the password from the victim's personal information; they cannot even brute force it (trying random strings until one succeeds) if it is of sufficient length, because there are simply too many combinations.

Using a simplified password makes sense only when:

  • The password is for something unimportant, so no huge problems could result from unauthorised access
  • You make it at least a little complex by adding numbers and/or random characters to it (susi -> susi9421!)

Ideally, passwords should:

  • never contain personal information such as names of friends, family members or pets, streets, dates of birth, etc.
  • never be alphabetic only, as that is too easy to guess and brute force
  • always contain digits (though not obvious numbers such as birthdays)
  • always contain special characters (not necessarily at the end, but at the beginning or in the middle)
  • be as long and varied as possible

A good tip is to use numbers in your passwords that mean something to you. For example, 6210 (an old Nokia phone you once owned) or the date of a wonderful holiday, 041985. These are numbers you can remember because of your relationship to them, and they are something you would never declare publicly, as you do with birth dates, streets, etc.

There are many variations too. For example, if you want to use someone's birth date in your password, reverse it (e.g. susi102085 -> susi580201).

The proper approach is to use personal but complex passwords, or randomly generated passwords, and in both cases to save them only in password vaults, and nowhere else!

I think GCHQ really makes some good points in its report, although, of course, it is too easy to be sceptical of a government spy agency wanting everyone to use weak passwords.
