
Information Systems Security

Week 02 Lab Practical


Objectives

1. Learn about the different types of passwords

2. Learn about password policies and management

3. Learn about the downfall and common mistakes when using passwords

4. Learn about attacks against passwords and their countermeasures

Historically, passwords have been an easy target for cyber attacks. Because users are responsible for their
own passwords, most security experts consider this to be the single most insecure aspect of an otherwise
well-planned network. Security professionals typically establish guidelines and policies that limit the number
of user account compromises on a network.

Windows and UNIX systems do not actually store the password at all. Instead, a unique obscured
representation of the password is stored. The OS uses the password as the input to an irreversible
mathematical function (a one-way hash) that calculates a hash value, and this value is stored in the system
password database. When a logon attempt is made, the system takes the password supplied by the user,
applies the same mathematical function, and then compares the resulting hash value with the value stored in
the password database. If the hash values are equal, then the passwords used to generate them must also be
equal.

There are three methods of cracking passwords:

1. Dictionary attack
2. Hybrid attack
3. Brute force method

The most powerful password-cracking method is the brute force method. Although this method can
take a long time, it usually takes far less time than the interval most password policies allow before a
password must be changed. Brute force randomly generates candidate passwords and their associated hashes.
Theoretically, all passwords are "crackable" by a brute force attack given enough time and processing power.

Task 1

Read and study the paper entitled “About Passwords” by András Keszthelyi. Summarize the main points.

(1) Discuss why it is important for an organization, such as the University of Mauritius, to ensure that
passwords are strong and follow best practices.

(2) Draft a list of the key components of a good password policy that could be adopted for UoM student
email accounts. Include specifications such as password length, aging, etc.

Task 2 Password Cracking Tools

Analyse and compare the features of three popular, freely available password cracking tools for
Windows or Linux.

Task 3 (Take home lab)

Setting Password Policy (in Windows)

A. Setting Password Length

1. Log on as admin

2. Select Start | Control Panel | Administrative Tools | Local Security Policy

3. Find Password Policy in Account Policies

4. What is the minimum password length?

5. Change the minimum length to 9 and click OK

B. Password Complexity

1. Enable Password must meet complexity requirements and click OK

C. Preventing the Display of Last Logon Name

1. Find Security Option in Local Policies

2. Enable Do not display last user name in login screen

D. Setting Account Lockout Policy

1. Find Account Lockout Policy in Account Policies

a. How many invalid logon attempts are permitted?

b. Change invalid logon attempts to 3.

c. How long is the account locked out?

d. Change the time to 20 minutes.

Answer the following questions:

(i) What are the minimum and maximum password ages on this computer? Why are they important?
(ii) What is the difference between Local Policies and Account Policies?
(iii) How complex is the password complexity requirement? Can you modify the complexity? What should be included?
(iv) What is the purpose of setting a lockout policy?
(v) What is a reasonable set of minimum password requirements?
(vi) How do these minimum requirements fit with ease of use for the users?
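The following is an added example, not part of the original lab handout, that models in Python the two mechanisms this handout describes: the hash-and-compare logon check from the introduction, and the account policy values configured in Task 3 (minimum length 9, complexity requirements, lockout after 3 invalid attempts for 20 minutes). The salted PBKDF2 hash, the 200,000 iteration count and the "three of four character classes" complexity rule are the example's own assumptions, not settings taken from Windows.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH = 9          # Task 3, A.5: minimum password length
LOCKOUT_THRESHOLD = 3   # Task 3, D.b: invalid logon attempts permitted
LOCKOUT_MINUTES = 20    # Task 3, D.d: lockout duration

def meets_policy(password: str) -> bool:
    """Length >= MIN_LENGTH and at least three of the four character classes (assumed rule)."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return sum(classes) >= 3

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Irreversible function: PBKDF2-HMAC-SHA256 with a random per-user salt (assumed parameters)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AccountStore:
    """Stores only salt + hash, never the password, and enforces the lockout policy."""
    def __init__(self, now=time.time):
        self.now = now   # injectable clock so lockout expiry can be tested
        self.users = {}  # name -> {"salt", "hash", "failures", "locked_until"}

    def add_user(self, name: str, password: str) -> None:
        if not meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}

    def logon(self, name: str, password: str) -> str:
        """Returns 'ok', 'bad_password', 'locked' or 'no_user'."""
        rec = self.users.get(name)
        if rec is None:
            return "no_user"
        if self.now() < rec["locked_until"]:
            return "locked"  # refused even if the password is right, as in D.c/D.d
        _, digest = hash_password(password, rec["salt"])   # same salt, same function
        if hmac.compare_digest(digest, rec["hash"]):       # constant-time hash comparison
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["failures"] = 0
            rec["locked_until"] = self.now() + LOCKOUT_MINUTES * 60
        return "bad_password"
```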
