Best Way Of Password Defenses

There are just as many ways to defend against password hacks as there are ways to attack them.

Complexity and Length
Long and complex passwords make it significantly harder for password guessing and cracking tools to be successful. Length matters more than complexity (unless you can get true strong entropic complexity). Today most password experts recommend 12-character or longer passwords, and that’s just for regular users. Privileged user accounts should be 16 characters or more. The recommended minimum password length increases over time. However, length has no effect on credential reuse attacks, such as pass-the-hash (PtH) attacks.

Frequent Changes with No Repeating
Enforcing a maximum number of days that a particular password can be used (usually 90 days or less) with no repeating is a common password defense recommendation/requirement. The thinking is that it usually takes a password guesser a long period of time to guess or crack a long and complex password, but it can eventually be done with enough time and computing power.
Enforcing periodic changes in the password reduces the risk that the hacker will be successful before the new password is used. Check out Microsoft Research’s “Password Guidance” whitepaper by Robyn Hicock, and the password papers by Dr. Cormac Herley.

Not Sharing Passwords Between Systems
This is one of the best defenses, but very hard (if not impossible) to enforce. Users should never use the same password between any two systems that have different authentication databases. Reusing credentials between different systems increases the risk that the hacker will compromise one of the systems, capture your shared logon credentials, and then use them to attack another.

Account Lockout
This is a frequent password-guessing defense. For systems where hackers try to guess against active logon screens (for example, interactively), the authentication system should lock out or freeze the account after a set number of incorrect password guessing attempts. The lockout can be temporary or require that the end user call the help desk to get it reactivated, or reset it at a password reset portal. This defensive measure defeats many password-guessing hackers and tools, but has its own risks, as the lockout feature can be used by the hacker to create a widespread denial-of-service lockout attack.
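To make the Complexity and Length and Account Lockout sections concrete, here is an added Python example (not code from the original post or from the book it quotes) that enforces the 12/16-character minimums stated above and implements a temporary lockout that expires on its own, which is the mitigation for the denial-of-service risk the text mentions. The thresholds (5 failures within 5 minutes, 15-minute lockout) and the function names are assumptions chosen for illustration:

```python
from dataclasses import dataclass, field

# Minimum lengths stated in the text: 12 for regular users, 16 for privileged accounts.
MIN_LENGTH_REGULAR = 12
MIN_LENGTH_PRIVILEGED = 16


def password_meets_length_policy(password: str, privileged: bool = False) -> bool:
    """Length check only: the text notes that length matters more than complexity."""
    minimum = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH_REGULAR
    return len(password) >= minimum


@dataclass
class AccountLockout:
    """Temporary lockout after max_attempts failures inside window_seconds.

    Assumed thresholds for illustration; tune them for your environment.
    The lockout expires by itself, so an attacker who deliberately triggers
    it cannot lock a user out permanently (the DoS risk noted in the text).
    """
    max_attempts: int = 5
    window_seconds: int = 300
    lockout_seconds: int = 900
    _failures: dict = field(default_factory=dict)      # account -> failure timestamps
    _locked_until: dict = field(default_factory=dict)  # account -> unix time

    def is_locked(self, account: str, now: float) -> bool:
        """True while the lockout is in force; clears expired lockouts."""
        if now < self._locked_until.get(account, 0.0):
            return True
        self._locked_until.pop(account, None)
        return False

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed attempt; return True if it triggers a lockout."""
        recent = [t for t in self._failures.get(account, [])
                  if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = []
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful logon resets the failure counter."""
        self._failures.pop(account, None)


def attempt_login(lockout: AccountLockout, account: str,
                  password_correct: bool, now: float) -> str:
    """Return 'locked', 'ok' or 'failed'.

    `password_correct` stands in for the real credential check so the
    lockout logic can be exercised on its own.  A correct password is
    still rejected while the account is locked.
    """
    if lockout.is_locked(account, now):
        return "locked"
    if password_correct:
        lockout.record_success(account)
        return "ok"
    if lockout.record_failure(account, now):
        return "locked"
    return "failed"


if __name__ == "__main__":
    # Constructed walk-through: three wrong guesses lock "alice" for 60 seconds.
    lk = AccountLockout(max_attempts=3, window_seconds=300, lockout_seconds=60)
    for t in (0.0, 1.0, 2.0):
        print(t, attempt_login(lk, "alice", False, now=t))
    print(3.0, attempt_login(lk, "alice", True, now=3.0))
    print(70.0, attempt_login(lk, "alice", True, now=70.0))
```

The lockout state is keyed per account and the failure window slides, so a handful of stale typos from last week do not count against the user today.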

Strong Password Hashes
Authentication systems should always use strong hashes and prevent the use of weak, vulnerable hashes. Most operating systems default to strong hashes, but some allow weak hashes to still be used for backward compatibility purposes. In Microsoft Windows, LM hashes are considered weak and shouldn’t be used. In Linux, MD5 and SHA-1 hashes are considered weak.

Don’t Use Passwords
These days the conventional wisdom is that password requirements are getting so long and complex that most users might be better off not using a password at all. Instead, users should use 2FA, biometrics, security tokens, digital certificates, or anything other than a simple logon name and password combination. This has been the recommendation for decades, but it is now becoming fairly common on both company networks and popular online systems. If your web site allows you to use something better than a password, use it.
NOTE: The work of the FIDO Alliance to get rid of passwords across the Internet is gaining momentum, unlike many of the previous attempts to do the same thing. Check it out.

Credential Theft Defenses
Because credential theft attacks such as PtH attacks have become so popular lately, many operating systems come with built-in anti-credential-theft defenses. Most of these focus on making sure the passwords or password hashes aren’t available in memory to be easily stolen, or on not sending the password or hash across network connections.

Reset Portal Defenses
Password reset portals are often the weakest link in an authentication system. Portals should always allow users to make up their own unique and hard-to-guess/research questions and answers. If they don’t, users should give hard-to-guess “non-answers” to the questions and securely save the answers for later use. For example, if the question is “What was your mother’s maiden name?,” the answer could be “giraffedogfish.” You are essentially turning the password reset question answer into another alternate password.
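The Strong Password Hashes section and the Reset Portal Defenses section make the same point from two sides: a stored secret should be salted and hashed with a strong, slow algorithm, and a reset “non-answer” is just another secret that deserves the same treatment. The following added Python example (not code from the original post or the book it quotes) stores both with PBKDF2-HMAC-SHA256 from the standard library, flags legacy MD5/SHA-1 records as weak, and verifies with a constant-time comparison. The record format, the iteration count and the answer normalization (trim and lowercase) are my own assumptions for illustration:

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed defaults: a high PBKDF2 iteration count and a 16-byte random salt.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
WEAK_ALGORITHMS = ("md5", "sha1")   # weak per the text; never accept new records with these


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # per-secret salt: equal secrets hash differently
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False                            # weak or unknown formats never verify
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_weak_record(record: str) -> bool:
    """True for legacy records that name a weak algorithm, e.g. 'md5$<hex>'."""
    return record.split("$")[0] in WEAK_ALGORITHMS


def legacy_md5_record(secret: str) -> str:
    """Build the kind of unsalted MD5 record a legacy system might hold (for comparison only)."""
    return "md5$" + hashlib.md5(secret.encode("utf-8")).hexdigest()


def normalize_answer(answer: str) -> str:
    """Trim and lowercase a reset answer so 'GiraffeDogFish ' still matches (assumed policy)."""
    return answer.strip().lower()


def hash_reset_answer(answer: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store the reset 'non-answer' exactly like a password, as the text recommends."""
    return hash_secret(normalize_answer(answer), iterations=iterations)


def verify_reset_answer(answer: str, record: str) -> bool:
    return verify_secret(normalize_answer(answer), record)


if __name__ == "__main__":
    # Constructed demo: two users choosing the same weak legacy hash collide,
    # while salted PBKDF2 records for the same secret are distinct.
    pw = "correct horse battery staple"
    print("legacy records equal:", legacy_md5_record(pw) == legacy_md5_record(pw))
    print("salted records equal:", hash_secret(pw) == hash_secret(pw))
    rec = hash_secret(pw)
    print("verify ok:", verify_secret(pw, rec), "wrong pw:", verify_secret(pw + "x", rec))
    reset = hash_reset_answer("giraffedogfish")
    print("reset answer ok:", verify_reset_answer("  GiraffeDogFish ", reset))
```

Because the record carries its own algorithm name and iteration count, a migration job can call `is_weak_record` over the user table to find accounts still on MD5 or SHA-1 and rehash them at the user’s next successful logon, and the iteration count can be raised later without breaking existing records.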
