Comment on the importance of Honeypots and Password Management?

Honeypots: decoy systems used to lure attackers

    • away from accessing critical systems
    • to collect information on their activities
    • to encourage the attacker to stay on the system so the administrator can respond
  1. are filled with fabricated information
  2. instrumented to collect detailed information on attackers' activities
  3. single or multiple networked systems
  4. cf. IETF Intrusion Detection WG standards

Password Management: front-line defense against intruders

  1. users supply both:
    • login – determines the privileges of that user
    • password – to identify them
  2. passwords are normally stored in encrypted or hashed form, never in the clear
    • Unix uses multiple DES (a variant with salt)
    • more recent systems use a cryptographic hash function
  3. the password file on the system should be protected

Password Studies: Purdue 1992 – many short passwords

  1. Klein 1990 – many guessable passwords
  2. the conclusion is that users choose poor passwords too often
  3. some approach is needed to counter this

Managing Passwords – Education: can use policies and good user education

  1. educate on importance of good passwords
  2. give guidelines for good passwords
    • minimum length (>6)
    • require a mix of upper & lower case letters, numbers, punctuation
    • not dictionary words
  3. but likely to be ignored by many users

Managing Passwords – Computer Generated: let computer create passwords

  1. if random, likely not memorisable, so will be written down (sticky label syndrome)
  2. even pronounceable passwords are often not remembered
  3. have a history of poor user acceptance
  4. FIPS PUB 181 one of best generators
    • has both description & sample code
    • generates words from concatenating random pronounceable syllables

Managing Passwords – Reactive Checking: reactively run password guessing tools

    • note that good dictionaries exist for almost any
  1. cracked passwords are disabled
  2. but this is resource intensive
  3. bad passwords remain vulnerable until found

Managing Passwords – Proactive Checking: most promising approach to improving password security

  1. allow users to select their own password
  2. but have the system verify it is acceptable
    • simple rule enforcement (see earlier slide)
    • compare against a dictionary of bad passwords
    • use an algorithmic approach (Markov model or Bloom filter) to detect poor choices
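As an added example (not part of the original answer), a small proactive checker in Python that combines the simple rule enforcement above with a Bloom-filter dictionary of bad passwords. The sample bad-word list and the "at least three of the four character classes" rule are constructed assumptions for illustration.

```python
import hashlib
import math
import string
from typing import List


class BloomFilter:
    """Space-efficient membership test over a bad-password dictionary.
    It can give false positives (a good password wrongly rejected) but never
    false negatives (a listed bad password accepted), the safe direction here."""

    def __init__(self, expected_items: int, false_positive_rate: float = 0.01):
        # Standard sizing: bit-array length m and hash count k for the target error rate.
        self.m = math.ceil(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> List[int]:
        # Derive k bit indices from the two halves of one SHA-256 digest (double hashing).
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


# Constructed sample dictionary; a real deployment would load a large wordlist into the filter.
BAD_WORDS = ["password", "letmein", "qwerty", "welcome", "monkey", "dragon", "football"]
BAD_FILTER = BloomFilter(expected_items=1000)
for word in BAD_WORDS:
    BAD_FILTER.add(word)


def check_password(pw: str) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means acceptable."""
    reasons = []
    if len(pw) <= 6:  # minimum length (>6) from the guidelines above
        reasons.append("too short: must be longer than 6 characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:  # assumed rule: at least three of the four character classes
        reasons.append("needs a mix of upper/lower case letters, numbers and punctuation")
    if pw.lower() in BAD_FILTER:  # dictionary comparison via the Bloom filter
        reasons.append("matches the bad-password dictionary")
    return reasons
```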
