QSTN 4

Why does the use of passwords put the overall security of the network in jeopardy?  in responding to your peers’ posts, discuss whether additional measures could have been taken in order to reduce the threat potential. BELOW ARE FIVE PEER POST TO REPOND TO.

 1.B) Passwords put the overall security of a network in jeopardy because they can be accessed by someone that is unauthorized.  A password can be guessed, stolen, or even shared.  (Shinder, 2003)

There are a ways that hackers can gain access to passwords.  Below are a few.

·         Brute force – If at first you don’t succeed try, try, again.  This type of attack just goes through every possible combination.  When the Powerball gets up to that crazy jackpot do you ever think of playing every combination?  (O'Donnell, 2017)

·         Dictionary threat - In a dictionary attack the attacker tries to breach the security by just going through every word in their dictionary to see if it gets a hit on the decryption key and gains access to the data.   (Techopedia, 2017)

·         Rainbow tables – a bunch of pre-computed tables that contain possible passwords with hash values.  These tables allow reversing of the hashing functions and gain access.  Rainbow tables tend to be faster than the other 2 methods I mentioned but they take up a lot more space.  (O'Donnell, 2017)

My current LAN password at work showed an online attack scenario of 1.83 billion centuries, offline of 18.8 centuries and 1.83 years for massive cracking array.  A normal lazy password (asdfghjkl) came up with an online of 1.80 centuries, offline of 56.47 seconds and massive cracking of .0565 seconds.   A password of 123456 is a fraction of the lazy password mentioned above.    Anytime I added some kind of combination of numbers or symbols to go with uppercase or lowercase letters those timings got larger.  My LAN password at work has a symbol and then is a mix of numbers and letters.  It could probably be even more complex but I have been there for 20 years and we have to change it every 90 days.  I have run out of things to use as a password.

2.H) One of the most popular ways to compromise a password is to simply ask for it. Yes. Social Engineering, in terms of technology is the manipulation of people into doing something that divulges personal or confidential information. Example, you get a call at work from someone claiming to be from the IT Department or working with the IT Department and needs to ask you some questions to help assist with a network issue they are having. They sound convincing, they can even spoof the phone number so it looks like it is coming from your company. Malware is another technique used to get your password. A user downloads malicious code that puts a key logger on your computer and the attacker has all your login credentials. Open wireless networks can be a heaven for criminals trying to steal your information. Packet sniffing on an unsecure wireless network is another tactic that can be used to compromise your password. Because password polices are not implemented and enforced, attackers can simply try to guess the password. People are still creatures of habit and sometimes they stick with things that just makes their life easier, not necessarily safer. 12345, QWERTY, password, and 123456789 are some of the most popular passwords that are used. (Smith, 2011)

The site www.grc.vom/haystack was an eye opener and would be something that people who do not take passwords seriously should spend some time with.  In regards to passwords, size does matter. Using the password 123456789 it calculated an online attack scenario of 1 week or a massive attack of .0000111 seconds. Using a simple phrase like ‘1lovetheColts!’ which has 14 characters bumps up those attack times to an online attack of 1.57 thousand trillion centuries. It proves that passwords need to be taken more seriously. Having a passcode (think of it as a passphrase) that is 13+ charters with complexity and you are making it a lot harder for someone to compromise your password.

3. MU) There are a couple ways to guess and crack passwords of users.  Two of the most common ways are dictionary attacks and brute-force attacks.  A dictionary attack uses a file containing words, phrases, common passwords, and other strings that are likely to be used as a password (Hornby, 2016).  A hacker will try all possible combinations to compromise the passwords using this technique.  Another method is to use a brute-force attack.  A brute-force attack tries every possible combination of characters up to a given length (Hornby, 2016).  This attack is not efficient and is the most “computationally expensive”.  These are the two most common methods hackers use. 

Haystack:

On the website I tried and played with different passwords all using different requirements.  I found that actually using a short memorable password but adding a unique padding policy actually work.  With my strongest password, the time it’ll take for an online attack scenario (1,000 guesses per second) would be 1.83 billion centuries.  For a massive cracking array scneario (one hundred trillion guesses per second) would take 1.83 years. Without exposing the password, it contained one uppercase, one lowercase, 1 digit, and 8 symbols. I found that using something that is simple length in addition to unique personal padding often provides the best password protection. 

 4. JUL) Your username and password is what most networks use to authenticate user accounts. This is also a door for a criminal to crack open and have access to the network. Passwords can be a strength and a weakness. With a password, the user is only using one authentication method, the “something you know” category. If this is all that is being used for authenticating, the password needs to be a strong one that is changed frequently, and is never shared, or written down.

With weak passwords, a user is susceptible to dictionary attacks, brute force attacks, social engineering (where someone calls up impersonating a system admin, saying they need your password to fix your account), & shoulder surfing, these are just a few examples on how passwords can be a weak point in network security (Bishop & Klein, 1995).

Using the website, How Big is Your Haystack, putting in random passwords that are frequently used shows just how “safe” you think would be safe to use. The complexity of a password and a time framed password change is the only thing that can keep your password safer, not safe, but safer.

5. TH) I discussed briefly last week how my organization handles passwords and find as I read about password security they are onto something.  My organization requires passwords to be a minimum of 10 characters in length, they must have at least 2 upper case characters, 2 lower case characters, 2 special characters, 2 numbers and we must change passwords every 3 months (it automatic).  The systems we utilize also track old passwords so we can not reuse old passwords.  I tried to use 3 passwords and cycle through it and the system flagged the first password when I tried to reuse it.  When I change my password it really makes for a bad day trying to remember what I am using, especially because we have different systems all having passwords and we have been told we should not use the same password for every system.  I do know some people do.  I also know many people in the office write them on paper and hide it around the desk and hope the IT manager does not see the list.  It is a terrible thing having a list of passwords.

The US Government on a Homeland Security website indicates this about passwords:

"1: Use different passwords on different systems and accounts.

2: Don't use passwords that are based on personal information that can be easily accessed or guessed.

3: Use a combination of capital and lower case letters, numbers and special characters.

4: Don't use words that can be found in any dictionary of any language.

5: Develop mnemonics such as passphrases for remembering complex passwords.

6: Consider using a password manager program to keep track of your passwords"

(US-Cert. 2017)

Hackers can use a different methods to try and hack your account.  They can use dictionary attacks, brute force attacks, or combination of these.  One that I actually witnessed was a keylogger trojan.  Norton indicates, "Keyloggers are a type of spyware that can be used legitimately by parents to watch the activity of their children online.  But these tools are being used more and more for illegitimate purposes" (Norton, 2017) Once you have a keylogger virus/trojan on your computer a hacker can see every keystroke you complete as you type them.  Make sure you have up to date and active virus protection. 

I have seen phishing attacks.  In this type of attack you may get an email indicating your account might be in jeapordy and you might be asked to immediately to click on a link to fix or update your account.  Beware in this type of attack you are not hitting the site you might think you are.  You are probably hitting a fake site from the hacker who is just sitting waiting for you to enter your user name and password.  Once you do he has access to your account.  This is one reason to keep different passwords for different accounts.  INFOSEC Institue reports, "The British have reported that they are already up to 8000 phising attacks occuring monthly" (Inforsec, 2017) Other types of phishing attacks are out and about.

PLEASE READ THIS.IT IS VERY IMPORTANT

Allow your discussion posts to be detailed and capable of sharing knowledge, ideas and points.  You must discuss the topic using your own words first.  Using your own words indicate you understand the topic of discussions.  Secondly, you must cite your sources in-text.  This is necessary to justify your points. Sources from several sources showed good research abilities.  Lastly, you must provide references at the bottom of your post.  A discussion post without justification with sources does not show proper research abilities. A terse and not detailed discussions represent post that would not provide enough sharing of knowledge or proper understanding of the topic. DO NOT just copy and paste a sentence from online with citation at the end as your own discussion. I have not asked for definitions, I asked for discussions and will not buy this.  You must show understanding of the discussion topic by using your own words to describe the topic and then justify that with sources.

www.citationmachine.net to format references into the APA style if necessary. Extremely important. Intext citations is very essential and highly needed as well.

use double spacing, 12-point Times New Roman font, and one-inch margins. Sources should be cited according to APA citation method (citation should be relevant and current). Page-length requirements: 2 PARAGRAPHS FOR EACH PROMPT ANSWER. Make sure you cite if you take a piece of someone’s work, very important and your reference should relate to your writing (don’t cite a reference because it relates to the course and not this very paper) at least 2 current and relevant academic references. No heavy paraphrasing of others work.