Password Strengthening
Most medium to large enterprises are concerned about their
security. It is becoming standard business practice to routinely
measure the strength of users' passwords as a means of reducing
exposure to some forms of dictionary attack.
As noted in the Password Management Policies section of this
website, password strengthening refers to:
- The number of characters used in the password: longer passwords,
i.e. longer than 8 characters, take longer to crack by dictionary
and other forms of attack
- The type of characters used in the password.
A strong password should include:
- Upper and lower case characters
- Numbers
- Special characters
Passwords should not use dictionary words.
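The policy just described (more than 8 characters, all four character classes, no dictionary words) can be checked at password-change time before a password is ever accepted. The following is an added example, not code from this website or from any product it mentions; the word list is a constructed stand-in (a real check would load a large wordlist or breached-password list), and the keyspace estimate is included to show why the page treats length as the dominant factor in how long a brute-force search takes.

```python
from __future__ import annotations
import math
import string

# Constructed stand-in for a real dictionary/wordlist (an assumption for this
# example; a production check would load a large list from disk).
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "qwerty"}

MIN_LENGTH = 9  # the page's rule: longer than 8 characters


def charset_size(password: str) -> int:
    """Size of the smallest alphabet that covers every character class used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII specials
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the candidate count an exhaustive search over that alphabet and
    length would have to cover; each extra character multiplies the work."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS) -> bool:
    """Case-insensitive substring match, so 'Summer2024!' still fails."""
    lowered = password.lower()
    return any(w in lowered for w in words)


def check_password(password: str) -> list[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if contains_dictionary_word(password):
        failures.append("contains a dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ["abc", "Summer2024!", "Tr0ub4dor&3"]:
        print(candidate, check_password(candidate), f"{keyspace_bits(candidate):.1f} bits")
```

Running the block shows that a mixed-class 11-character password that embeds a dictionary word still fails the dictionary rule, and that adding four lower-case characters to an 8-character password raises the brute-force keyspace by roughly 19 bits, which is the reason the page ranks length first.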
To enforce this, enterprises use password testing software. I
recommend Elcomsoft's Proactive Password Auditor. This product is:
- A password security testing tool designed to let administrators of
Windows 2003, Windows XP, Windows 2000 and Windows NT-based systems
identify and close security holes in their networks.
- Proactive Password Auditor helps secure networks by auditing
account passwords and exposing insecure ones. If a password can be
recovered within a reasonable time, it is considered insecure.
- The software supports several methods of obtaining password hashes
for auditing: from dump files (generated by third-party tools such as
pwdump), the Registry of the local computer, binary Registry files
(SAM and SYSTEM), the memory of the local computer, and the memory of
remote computers (Domain Controllers), including ones running Active
Directory.
- It can run brute-force and dictionary attacks on LM and NTLM
password hashes, and is optimized for speed.
- By using this software on a routine basis, an enterprise can tell
users whose passwords are prone to easy attack to change them, which
improves overall enterprise security.
Note, however, that even the strongest password is totally
susceptible to hardware and software keyboard loggers. Thus my
recommendation, as mentioned throughout this website, is a layered
identity strategy using stronger forms of authentication (e.g. security
tokens, digital certificates, smart cards, biometrics and combinations
thereof) for medium- and high-risk applications and system access. A
good consultant can help you design this strategy.
I strongly recommend that you use Password Safe to keep track of all
your many IDs and passwords. This is free software designed by Bruce
Schneier, the noted security guru. It allows you to safely store all
your IDs and passwords in an encrypted vault.
Note that the vault is protected by a password. This could be
broken by a dictionary or brute-force attack, or by a software or
hardware key logger on your computer. Having said that, it is
much better to store passwords this way than to write them down or
store them insecurely on your computer.