Defensive Security Handbook by Lee Brotherston

Author: Lee Brotherston
Language: eng
Format: epub
Publisher: O'Reilly Media
Published: 2017-04-07T04:00:00+00:00


8 characters of upper- and lowercase letters equals 52^8. Still not the best; it will be cracked in < 6 hours.

8 characters of uppercase, lowercase, and numbers equals 62^8. A little better; it will be cracked in < 24 hours.

A 10-character passphrase of uppercase, lowercase, numbers, and symbols equals 94^10. Approximately 600 years.1

Rainbow tables are a relatively modern twist on the brute-force attack as the cost of storage has become cheaper, allowing for a processing time/storage trade-off. A rainbow table contains a list of precomputed and stored hashes and their associated cleartext. A rainbow table attack against a password hash does not rely on computation, but on being able to look up the password hash in the precomputed table.
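As an added worked example (not code from the book), the keyspace arithmetic above and the precompute-then-look-up idea of the rainbow-table paragraph in Python. The guess rate of 2.6 billion per second is an assumption chosen so that the results line up with the page's figures, and the lookup table is a plain hash-to-cleartext dictionary rather than a true chained rainbow table.

```python
import hashlib
from itertools import product

# Assumed attacker guess rate (not stated on the page). At roughly 2.6e9
# guesses/second the three keyspaces above come out at < 6 hours,
# < 24 hours and a little over 600 years, matching the page's figures.
GUESS_RATE = 2.6e9
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def crack_time_seconds(space: int, rate: float = GUESS_RATE) -> float:
    """Worst-case time to exhaust the whole keyspace by brute force."""
    return space / rate


def crack_time_years(space: int, rate: float = GUESS_RATE) -> float:
    return crack_time_seconds(space, rate) / SECONDS_PER_YEAR


def build_lookup_table(charset: str, length: int, algo: str = "md5") -> dict:
    """Precompute hash -> cleartext for every candidate in a small keyspace.

    This is the storage-heavy half of the time/storage trade-off: every
    hash is computed once up front, so attacking a captured hash later
    costs a dictionary lookup instead of a fresh brute-force run. The
    table has exactly keyspace(len(charset), length) entries, which is
    why this only scales with a chained (rainbow) layout.
    """
    table = {}
    for combo in product(charset, repeat=length):
        cleartext = "".join(combo)
        digest = hashlib.new(algo, cleartext.encode()).hexdigest()
        table[digest] = cleartext
    return table


def lookup(table: dict, digest: str):
    """Recover the cleartext for a captured hash, or None if not in the table."""
    return table.get(digest)


if __name__ == "__main__":
    for charset_size, length in ((52, 8), (62, 8), (94, 10)):
        space = keyspace(charset_size, length)
        print(f"{charset_size}^{length}: {crack_time_years(space):.1f} years")
    # Constructed toy keyspace: 3-character passwords over "ab" (8 entries).
    table = build_lookup_table("ab", 3)
    print(lookup(table, hashlib.md5(b"aba").hexdigest()))  # aba
```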

While long and complex passwords won’t help if the backend encryption is weak or they have already been exposed in a breach, they will protect against brute-force attacks.

Teaching users and requiring administrators to create complex passwords is an overall win for everyone. One way of making secure passwords easier to remember is using phrases from books, songs, expressions, etc., and substituting characters. They then become a passphrase instead and are inherently more secure. For example:

Amanda and Lee really love their password security = A&LeeR<3TPS

Another learning opportunity for end users, and possibly even an enterprise-wide shift in process, would be to not trust others with passwords. Helpdesk staff should not be asking for passwords, ever, period. Users should be educated to the fact that no one in the organization would ask for their password, and to do the right thing and report anyone who does. The idea of keeping passwords to yourself doesn’t only apply to humans. Internet browsers store passwords encoded in a way that is publicly known, and thus easy to decode. Password recovery tools, which are easily available online, enable anyone to see all the passwords stored in the browser and open user profiles.
