Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Encyption of passwords

Posted on 2012-09-17
7
Medium Priority
?
469 Views
Last Modified: 2012-10-23
If someone asks

Do you ensure that authentication data such as passwords are not stored in a form that allows the authentication data to be recovered in readable or decipherable form.

Do Windows servers stored these passwords in a way that can be easily cracked, what is the best way to defend against it?
0
Comment
Question by:Nick_D
7 Comments
 
LVL 75

Expert Comment

by:käµfm³d 👽
ID: 38405198
Are you storing passwords in clear-text, or some easily reversible "encryption" method (e.g. base-64 encoding--not really encryption, btw)? If yes, then this would be a no to that question.
0
 
LVL 2

Author Comment

by:Nick_D
ID: 38405216
We don't store any password in clear text.  If you had to give an example of a strong method for storing and encrypting passwords electronically, what would it be?
0
 
LVL 12

Expert Comment

by:Chris
ID: 38405231
There are two types of encryption. Reversible and non-reversible.

With reversible encryption, provided with the relevant details it's possble to use an algorithm to decrypt the password to a readable value.

With non-reversible encryption this isn't possible. The password will have been originally encrypted using a one-way algorithm that is impossible to reverse (md5, sha1 etc). The only way to find the value of a password encrypted this way is to run words through the same algorithm, cross referencing the result with the encrypted password until you find one that matches.

In order to make passwords more secure a salt is often used when encrypting the password. A salt is essentially a string, unknown to all but the software. This often works by encrypting the password then adding the salt to the resulting hash and then encrypting the combination. This way it's much harder to launch a successful brute force attack on the password hash as even after successfully attacking the initial hash they would be left with a second hash (and salt) which they would also need to brute force.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 24

Expert Comment

by:Eirman
ID: 38405267
The biggest risks to password security are from .....
> Keystroke loggers
> Humans writing down passwords
> Humans using simple passwords
> Shoulder Surfers

If you are really concerned about data security when the server is off, just encrypt everything with a free program like truecrypt (www.truecrypt.org) or a easier to use one such as bestcrypt (www.jetico.com)
0
 
LVL 58

Expert Comment

by:McKnife
ID: 38407778
Hi.
To make this question answerable, you should add
-what passwords you are talking about: local user passwords/domain user passwords/passwords stored inside the browser (what browser)/passwords stored inside other applications/cached passwords/...
-who you are protecting against: local admins working directly at your server (physical access)/weak rdp-users (no physical access)
-what OS' are involved
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38409011
Windows stores passwords as either a hash or a pair of hashes, depending on if AD is active and the security level set. Pair of hashes is the default.

The lowest security of the two (LANMAN) limits to 14 character passwords and is there for backwards compatibility purposes.

have a look here:
http://www.infosecwriters.com/hhworld/hh9/lmcrack.htm
0
 
LVL 2

Accepted Solution

by:
JGTechie earned 2000 total points
ID: 38475421
Do you ensure that authentication data such as passwords are not stored in a form that allows the authentication data to be recovered in readable or decipherable form.

Password hashing - means the password is unreversible mathematically.

The only way to crack a hash:

1. Find the hash, This would be difficult to do as you need system/administrative privileges In the windows world.
You could use an exploit such as sql injection if on the webside or some type of session-riding if you can hack or mitm kerberos (good luck) to obtain the hash.

2. Determine the type of hash - easy this is determining the type of hashing algorithm being used to "Hash the password"

3. Since password un-hashing is impossible - mathematically, the only other way to find out what a password is when you have it is to. guess a password -> use the hashing algorithm to hash the password and see if it matches the hash you obtained from the windows machine.

Do Windows servers stored these passwords in a way that can be easily cracked, what is the best way to defend against it?


1.  Yes I think so, they are stored in an easily cracked format.

check this out: http://cyberarms.wordpress.com/2012/07/15/154-billion-hashes-per-second-with-multiforcer-password-cracker/

2. The easiest way to protect against this form of attack is to use complex passwords that are at least 9 characters long and use one of the un-commonly used Ascii Symbols that are found on this website:
http://www.tedmontgomery.com/tutorial/altchrc.html


according to: http://www.mindwerks.net/online-tools/password-cracking-calculator/

it would take the multiforcer from the first link i showed that was fully working:

1 Millenia exactly to crack a password that was 9 characters and used the full 255 character ascii table.

For 8 characters using the same ascii table it would take: 4 years but of course I am paranoid and like to see a millenia.

The other way to defend against it is to set your policy at least on your administrative usernames to change every 60 days.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question