Page 70 - DCAP516_COMPUTER_SECURITY

Computer Security




4.  Proactive password checking:
    (i)  The system checks, at the time of selection, whether the password is allowable.
    (ii) With guidance from the system, users can select memorable passwords that are
         difficult to guess.
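A proactive checker of the kind item 4 describes, as an added example (this is not code from the original text). It runs at selection time and rejects short passwords, passwords built from a dictionary word with the usual case, leet and trailing-digit tricks, passwords containing the user name, and any password that matches one of the user's recent salted hashes. The word list is a constructed stand-in for a real dictionary file, and the length, character-class and history-depth thresholds are assumptions a site would tune.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load /usr/share/dict/words or a leaked-password list instead).
WORDLIST = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty",
            "computer", "security", "summer", "winter"}

# Common "leet" substitutions undone before the dictionary lookup.
LEET = str.maketrans("0134578@$", "oleastbas")
MIN_LENGTH = 12      # assumption: site policy
HISTORY_DEPTH = 5    # assumption: how many previous hashes are compared


def _normalise(pw: str) -> str:
    """Strip the tricks users apply to a dictionary word: case, trailing
    digits/punctuation ('Password1!'), then leet digits ('P@ssw0rd')."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-password salt; returns (salt, digest).
    The password history is stored as these tuples, never as plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return salt, digest


def check_password(candidate: str, username: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Proactive check at selection time. Returns the reasons the password is
    not allowable; an empty list means it may be accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if username.lower() in candidate.lower():
        problems.append("contains the user name")
    if _normalise(candidate) in WORDLIST:
        problems.append("is a dictionary word with trivial substitutions")
    if re.fullmatch(r"(.)\1+", candidate) or re.fullmatch(r"\d+", candidate):
        problems.append("is a repeated character or all digits")
    # Re-hash the candidate under each stored salt and compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("was used before")
            break
    return problems


if __name__ == "__main__":
    hist = [hash_password("Tr0ub4dor&3-correct")]
    for pw in ("Password1!", "aaaaaaaaaaaa", "Tr0ub4dor&3-correct", "Xk9#vLm2$pQw"):
        print(pw, "->", check_password(pw, "alice", hist) or "allowable")
```

The history check is what turns the "do not reuse any previous password" rule below into something the system can enforce: it only needs the old salted hashes, not the old passwords.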

                                   6.3.3 Advanced Password Strategies

Changing passwords: some people say that changing your password every 30 days is a good
rule of thumb, and that you should never go longer than 90 days before picking a new one.
The point of a change interval is to bound how long a password that has been guessed or
leaked without your knowledge remains useful to an attacker. The longer you wait before
changing passwords, the harder it tends to be to get used to the new one.


Caution: Whatever you do, do not reuse any previous password, and do not write a
password on a sticky note and put it near your computer.

Also note that the passphrase on a GPG, PGP or SSH private key only encrypts the key file on
disk. If someone cracks that passphrase and has made a copy of your keyring, you can change
your passphrase all you want: they still hold a copy encrypted under the old passphrase and
can decrypt it whenever they like. So in the case of GPG you should set an expiry date on your
key and rotate the key pair (generate a new key and revoke the old one) in addition to changing
your passphrase; I set mine to expire every year.

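The failure mode just described, walked through as an added example (not code from the original text, and not GnuPG's real file format). The key file is modelled with a toy scheme: PBKDF2 stretches the passphrase into a wrapping key, the private key bytes are XORed with a SHA-256 counter-mode keystream, and an HMAC tag detects a wrong passphrase. The passphrases and the 32-byte "private key" are constructed values. The scenario shows that re-encrypting the owner's copy under a new passphrase does nothing to the attacker's stolen copy, and that only generating a new key makes the stolen copy worthless.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 50_000  # assumption: kept low so the demo runs quickly


def _derive(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into 32 bytes of encryption key + 32 bytes of MAC key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stand-in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]


def lock_key(private_key: bytes, passphrase: str) -> bytes:
    """Store the private key under a passphrase: salt(16) | tag(32) | ciphertext."""
    salt = os.urandom(16)
    kdf = _derive(passphrase, salt)
    enc_key, mac_key = kdf[:32], kdf[32:]
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, len(private_key))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def unlock_key(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Return the private key, or None if the passphrase is wrong or the blob was tampered."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    kdf = _derive(passphrase, salt)
    enc_key, mac_key = kdf[:32], kdf[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def change_passphrase(blob: bytes, old: str, new: str) -> bytes:
    """What 'changing the GPG password' does: re-wrap the SAME key under a new passphrase."""
    key = unlock_key(blob, old)
    if key is None:
        raise ValueError("wrong passphrase")
    return lock_key(key, new)


def scenario() -> dict:
    """Attacker copies the keyring, owner changes the passphrase, attacker still
    decrypts the copy; only rotating the key pair closes the hole."""
    private_key = os.urandom(32)          # constructed stand-in for the secret key material
    keyring = lock_key(private_key, "hunter2")
    stolen_copy = keyring                 # attacker's copy, wrapped under the OLD passphrase

    keyring = change_passphrase(keyring, "hunter2", "correct horse battery staple")
    result = {
        # The owner's file no longer opens with the old passphrase ...
        "old_passphrase_on_new_file": unlock_key(keyring, "hunter2"),
        # ... but the attacker's copy still does, and yields the same key.
        "old_passphrase_on_stolen_copy": unlock_key(stolen_copy, "hunter2") == private_key,
    }

    # Remedy: a new key pair. The stolen copy holds key material that nothing
    # is encrypted to any more (and that the owner has revoked).
    new_private_key = os.urandom(32)
    keyring = lock_key(new_private_key, "correct horse battery staple")
    result["stolen_copy_matches_rotated_key"] = (
        unlock_key(stolen_copy, "hunter2") == new_private_key)
    return result


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

With real GnuPG the equivalent operations are `gpg --passwd` to re-wrap the key under a new passphrase, `gpg --quick-set-expire` to put an expiry on a key, and `gpg --gen-revoke` to publish a revocation when the old key is retired; the lesson of the scenario is that only the last two help once a copy of the keyring has left your control.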
                                   Self Assessment


                                   State whether the following statements are true or false:
                                   1.  Password crackers are computing all possible passwords and their hashes in a given
                                       system and putting the results into a lookup table called a rainbow table.

                                   2.  The most popular Windows password hash extractor is the Pwdump family of programs.
                                   3.  Many password cracking programs are actually password guessers.
                                   4.  Dictionary attacks work on the assumption that most passwords consist of whole words,
                                       dates, or numbers taken from a dictionary.
                                   5.  The most common type of attack is password resetting.
                                   6.  A password that changes frequently is called a dynamic password.

                                   6.4 Authentication Process

Authentication in the Windows Server 2003 family consists of two parts: an interactive logon
process and a network authentication process. Successful user authentication depends on both of
these processes; each is described briefly below.

6.4.1 Interactive Logon Process

The interactive logon process confirms the user's identity against either a domain account or a
local computer account. The process differs with the type of user account:
1.  With a domain account, a user logs on to the network with a password or smart card, using
    single sign-on credentials stored in Active Directory. By logging on with a domain account,
    an authorized user can access resources in the domain and in any trusting domains.




          64                                LOVELY PROFESSIONAL UNIVERSITY