Nick_D

asked on

Encryption of passwords

If someone asks

Do you ensure that authentication data such as passwords are not stored in a form that allows the authentication data to be recovered in readable or decipherable form?

Do Windows servers store these passwords in a way that can be easily cracked? What is the best way to defend against it?
kaufmed

Are you storing passwords in clear-text, or some easily reversible "encryption" method (e.g. base-64 encoding--not really encryption, btw)? If yes, then this would be a no to that question.
Nick_D

ASKER

We don't store any password in clear text.  If you had to give an example of a strong method for storing and encrypting passwords electronically, what would it be?
There are two types of encryption. Reversible and non-reversible.

With reversible encryption, provided with the relevant details it's possible to use an algorithm to decrypt the password to a readable value.

With non-reversible encryption this isn't possible. The password will have been originally encrypted using a one-way algorithm that is impossible to reverse (md5, sha1 etc). The only way to find the value of a password encrypted this way is to run words through the same algorithm, cross referencing the result with the encrypted password until you find one that matches.

In order to make passwords more secure a salt is often used when encrypting the password. A salt is essentially a string, unknown to all but the software. This often works by encrypting the password then adding the salt to the resulting hash and then encrypting the combination. This way it's much harder to launch a successful brute force attack on the password hash as even after successfully attacking the initial hash they would be left with a second hash (and salt) which they would also need to brute force.
The biggest risks to password security are from .....
> Keystroke loggers
> Humans writing down passwords
> Humans using simple passwords
> Shoulder Surfers

If you are really concerned about data security when the server is off, just encrypt everything with a free program like truecrypt (www.truecrypt.org) or an easier to use one such as bestcrypt (www.jetico.com)
Hi.
To make this question answerable, you should add
-what passwords you are talking about: local user passwords/domain user passwords/passwords stored inside the browser (what browser)/passwords stored inside other applications/cached passwords/...
-who you are protecting against: local admins working directly at your server (physical access)/weak rdp-users (no physical access)
-what OSes are involved
Windows stores passwords as either a hash or a pair of hashes, depending on whether AD is active and the security level set. Pair of hashes is the default.

The lowest security of the two (LANMAN) limits to 14 character passwords and is there for backwards compatibility purposes.

have a look here:
http://www.infosecwriters.com/hhworld/hh9/lmcrack.htm
ASKER CERTIFIED SOLUTION
JGTechie

This solution is only available to members.