[webinar] longer is stronger - why passphrases are a powerful security tool
DESCRIPTION
It takes a hacker four days to crack a traditional password like "N^a&$1nG" and eighteen years to crack a passphrase like "GoodLuckGuessingThisPassword." When it comes to password security, longer is stronger! Learn why passphrases are more secure than traditional passwords and how they can make life easier on your end users.
TRANSCRIPT
LONGER IS STRONGER
The value of passphrases
Kevin Sullivan, Director of Sales Engineering, Specops Software
Agenda
• Password Management overview
• Limitations and mitigations
• Math behind password strength
• Walk through
– DDP
– FGPP
– PowerShell
– Specops Password Policy
• Questions
AGENDA
PASSWORD MANAGEMENT
Overview
Security
• Password policies that are in line with the business role of the end-user
– Flexible targeting
– Deep control over complexity
• Balance end-user efficiency and security needs
LOCK IT UP
Self-Service
• What can they self-serve?
• What is the cost value of self-service password reset?
– Estimates are up to 2 calls per year per user
– Short calls – relatively easy
– Roughly $20 per call average
• Branded, intuitive, helpful, informative
OPEN IT UP
Global Identity Management
• SSO – implementation cost vs. value to business?
• Password Sync
– Typically far less $$$ than SSO
– Maybe not for all users – requires flexibility
– Sync targets may be unknowns
MOVE IT OUT
LIMITATIONS AND MITIGATIONS
Let’s talk about Passwords
What are the concerns?
• Rainbow tables
• Dictionary attacks
• Brute Force attacks
RISKS
Home Work
Some ‘techniques’ to strengthen
• Random password generation
• Character substitution
– Common character substitution is built into most brute force attacks!
• Passphrases
Random
• 3!pIcn&P
• The problem
– Super hard to remember
– Super easy to crack
• < 1 day
Character Substitution
1. “Fred and Wilma sat down for a dinner of eggs and ham”
2. F+Wsd4adoe&h
• The problem
– #1 is cracked in 170 centuries based on some common algorithms
– #2 is cracked in 10 years
Example from Sophos’s Graham Cluley https://www.youtube.com/watch?v=VYzguTdOmmU
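The slide's point that "common character substitution is built into most brute force attacks" can be shown from the defender's side: the substitutions are reversible, so a policy check can undo them and see the dictionary word underneath. The following is an added example, not code from the webinar or from Specops. The substitution table and the small word list are constructed here for illustration (a real policy check would use a full dictionary or breached-password list); the slide's acronym password "F+Wsd4adoe&h" and the description's "GoodLuckGuessingThisPassword." are run through it alongside two constructed leet-style passwords.

```python
"""Why character substitution adds little: the substitutions are reversible.

Added example, not code from the webinar or from Specops. The substitution
table mirrors the common "leet" swaps the slide says cracking tools already
try; the word list is a constructed stand-in for a real dictionary or
breached-password list used by a password policy check.
"""
import itertools
import math

# Reverse substitution map: a character -> the letters it commonly stands for.
UNLEET = {
    "4": "a", "@": "a", "3": "e", "1": "il", "!": "i", "|": "l",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t", "8": "b", "9": "g",
}

# Constructed word list (a real check uses a full dictionary / breach list).
WORDLIST = {"password", "fred", "wilma", "dinner", "eggs", "ham", "secret", "summer"}


def unleet_candidates(password: str, cap: int = 4096) -> set:
    """All spellings obtained by undoing the substitutions, lower-cased.

    Each substitutable character contributes itself plus its letter readings,
    so the candidate count is a product over characters. Above `cap` only the
    greedy reading (last alternative per character) is kept, which bounds the
    work on very long inputs.
    """
    per_char = [(ch,) + tuple(UNLEET.get(ch, "")) for ch in password.lower()]
    total = math.prod(len(choices) for choices in per_char)
    if total > cap:
        return {"".join(choices[-1] for choices in per_char)}
    return {"".join(combo) for combo in itertools.product(*per_char)}


def dictionary_words_in(password: str, min_len: int = 4) -> list:
    """Dictionary words of at least `min_len` letters hidden in the password
    once substitutions are undone, sorted; an empty list means none found."""
    found = set()
    for cand in unleet_candidates(password):
        for word in WORDLIST:
            if len(word) >= min_len and word in cand:
                found.add(word)
    return sorted(found)


def policy_verdict(password: str) -> str:
    """Reject when a hidden dictionary word makes up at least half of the
    password, i.e. the password is a word plus a little decoration. A long
    passphrase that merely contains a word passes: its strength is its length."""
    words = dictionary_words_in(password)
    if words and 2 * max(len(w) for w in words) >= len(password):
        return "reject: disguised dictionary word(s) " + ", ".join(words)
    return "accept"


if __name__ == "__main__":
    # Two constructed leet-style passwords, the slide's acronym and the
    # description's passphrase.
    for pw in ["P@55w0rd!", "Fr3d&W1lma", "F+Wsd4adoe&h", "GoodLuckGuessingThisPassword."]:
        print(f"{pw!r}: {policy_verdict(pw)}")
```

The half-length rule in `policy_verdict` is a design choice, not the slide's: a plain substring check would also reject "GoodLuckGuessingThisPassword." because it contains "password", which would punish exactly the long passphrases the webinar recommends. The acronym "F+Wsd4adoe&h" passes the dictionary check; its weakness, per the slide, is its 12-character length, not a hidden word.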
THE MATH AND SCIENCE
Back to school
LONGER IS STRONGER
Which is stronger?
• D0g.....................
• PrXyc.N(n4k77#L!eVdAfp9
• ‘The Grateful D3@d is my Favorite Band!’
SAY NO TO PASSWORD1!
Re: Steve Gibson, GRC.com
Concepts
• Entropy – Lack of order or predictability
• How Big is Your Haystack?
– https://www.grc.com/haystack.htm
– Every password is a needle in a haystack
– A single character, only allowing alpha characters, is a very small haystack!
HEADACHES!
Basic Stuff – brute force
• If I ask you to guess a number between 1 and 10, you have 10 possibilities
– Single digit
– 10 = 10
• If I ask you to guess a number between 1 and 100, you have 100 possibilities
– Two digits
– 10 x 10 = 100
• If I ask you to guess a number between 1 and 1000, you have 1000 possibilities
– Three digits
– 10 x 10 x 10 = 1000
FUNDAMENTALS
Brute Force – cont.
• What if I ask you for a single character and it can be either a number or a letter (English)?
– 26 letters + 10 numbers
– 36 possibilities
• OK… now 2 characters
– 36 x 36 = 1296
• 3?
– 36 x 36 x 36 = 46,656
• Upper case, lower case, number, special character?
– 94 possibilities for each character
– 3 required characters
• 94 x 94 x 94 = 830,584 possibilities
FUNDAMENTALS
Passphrases
• Longer is stronger
• Number of possible letters – 52 in English
• Number of digits – 10 (0 – 9)
• Special characters – 32
• Add them together: 94 possibilities for each required character in length
• Entropy is 94^n where n is the number of required characters
With just alpha characters in a 25-character passphrase, the time to crack is astronomical
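The keyspace arithmetic from the "Basic Stuff", "Brute Force – cont.", "Passphrases" and "Which is stronger?" slides, carried through in Python as an added example (not code from the webinar or from Specops). It counts an attacker's alphabet the way the slides do (26 + 26 + 10 + 32 = 94) and turns a keyspace into a worst-case exhaustion time at `GUESS_RATE`, an assumed attacker speed that is not from the page; the absolute durations depend entirely on that assumption, while the ratios between candidates do not. The 25-character alpha-only passphrase is constructed here; the other inputs are the slides' own examples.

```python
"""Keyspace ("haystack") arithmetic behind the "longer is stronger" slides.

Added example, not code from the webinar or from Specops. The character-class
sizes match the slides (52 letters, 10 digits, 32 specials = 94). GUESS_RATE is
an assumed attacker speed used only to turn a keyspace into a duration.
"""
import math
import string

# Character classes as counted on the slides.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
}

# Assumption: an offline hash-cracking rate, in guesses per second.
GUESS_RATE = 1e11


def keyspace(length: int, alphabet: int) -> int:
    """Candidates a brute-force search must cover: alphabet ** length."""
    return alphabet ** length


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume: the union of the classes the password
    draws from. A character outside all four classes (e.g. a space) counts as
    one extra symbol."""
    used, extra = set(), set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                used.add(name)
                break
        else:
            extra.add(ch)
    return sum(len(CLASSES[name]) for name in used) + len(extra)


def entropy_bits(password: str) -> float:
    """log2 of the brute-force keyspace for this password's length and alphabet."""
    return len(password) * math.log2(alphabet_size(password))


def crack_seconds(password: str, rate: float = GUESS_RATE) -> float:
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(len(password), alphabet_size(password)) / rate


def stronger(a: str, b: str) -> str:
    """Whichever of two passwords has the larger brute-force keyspace."""
    return a if entropy_bits(a) >= entropy_bits(b) else b


def describe(password: str) -> str:
    years = crack_seconds(password) / (365 * 24 * 3600)
    return (f"{password!r}: len={len(password)} alphabet={alphabet_size(password)} "
            f"bits={entropy_bits(password):.1f} exhaust={years:.3g} years")


if __name__ == "__main__":
    # The three candidates from the "Which is stronger?" slide (Gibson's haystack:
    # the first is "D0g" padded with 21 dots, 24 characters), the 8-character
    # password from the "Random" slide, and a constructed 25-character
    # alpha-only passphrase for the final slide's claim.
    for pw in ["D0g" + "." * 21,
               "PrXyc.N(n4k77#L!eVdAfp9",
               "The Grateful D3@d is my Favorite Band!",
               "3!pIcn&P",
               "LongerIsStrongerSaysKevin"]:
        print(describe(pw))
```

Running it reproduces the slides' counts (36^2 = 1296, 94^3 = 830,584) and the haystack ranking: the padded "D0g" string beats the 23-character random string purely because it is one character longer, and the 25-character alpha-only passphrase (52^25) dwarfs the 8-character random password (94^8) by some 27 orders of magnitude. The model is the worst case for a pure brute-force attacker; it says nothing about dictionary or rule-based attacks, which is why the earlier slides treat those separately.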
Additional Considerations
• Do all systems support passphrases?
• How to train your end-users?
– http://success.specopssoft.com
• Use multi-factor when you can, consumer and corporate
• Preferences vs. Facts
– I like peanut butter – preference
– I lived in Towson MD – fact
Questions
• Do you believe passphrases increase security?
• Do you believe passphrases are easier for users to remember than traditional passwords?
• Do you think you will receive fewer password reset calls if you enable passphrases?
THOUGHTS?
Wrap Up
• Use Two/Multi Factor where you can, always!
– https://twofactorauth.org
• Understand the vulnerability
– Haystack – https://www.grc.com/haystack.htm
– Passfault – https://passfault.appspot.com/password_strength.html?#menu
• Some fun reading
– http://cups.cs.cmu.edu/rshay/pubs/passwords_and_people2011.pdf
– https://howsecureismypassword.net/
TAKE AWAYS