44 Cards in this Set
- Front
- Back
How can you get past a password that you don't know |
By doing research on the person and trying to guess their recovery questions |
|
What is the dictionary in a dictionary attack |
Lists of strings commonly used for passwords |
|
How to avoid password guessing (3) |
Choose complicated passwords; memorize passwords; never give passwords to anyone else |
|
What is a static password |
Passwords that do not change |
|
Name the password best practices (7) |
Memorize password; different passwords for different functions; use at least 6 characters; mix of characters; change periodically; don't reuse password; change from default |
|
When to use substitution in a password |
Use on phrases that are not well known. Don't use on common words |
|
Recommended password complexity (2) |
10-character minimum; have one alpha, one symbol, one number |
|
Recommended duration of password |
45 days; the time it would take to brute force it |
|
Recommendation for using previous passwords |
Can't use the last 5 passwords |
|
Recommended minimum age for password |
10 days |
|
Recommended lockout of account |
After 5 guesses |
|
Ed Skoudis recommends what length of password and why |
15, because anything below 15 on Windows is stored in LM instead of NTLM |
|
Ed Skoudis recommends what duration for passwords and why |
60-90 days, because with 30 days users won't memorize passwords and might write them down somewhere |
|
Does Windows 7 store passwords as LM hashes by default? |
No |
|
How does Unicode affect security |
Increases number of possible combinations to guess for passwords |
|
What are the 2 methods Windows uses for storing passwords |
Hash with MD4; encrypt with DES |
|
Where are Windows passwords stored |
In the Security Account Manager (SAM) |
|
What do Linux and Unix use to store passwords |
etc/shadow |
|
What are the 6 Windows password policies |
History; max age; min age; length; complexity; reversible encryption |
|
What do Windows password policies do |
Store passwords used; default is not to store; can store up to last 24 passwords |
|
Windows max password age: what is it |
Max time current password is valid; max is 999 days |
|
Windows min password age: what is it |
Min time before password can be changed; default is 0; max value is 999 days |
|
Windows password complexity requirements (5) |
Can't contain parts of user account name
Combo of characters
6 characters from 3 of the 4 areas (aA1#)
One upper case
One number or symbol |
|
Does Windows1 meet the requirements of a Windows complex password and why |
Yes; it is over 6 characters; has 3 of 4 areas; doesn't have part of the user name |
|
John the Ripper and L0phtCrack can do what |
Crack the password Windows1 in less than a second |
|
What does Windows Local Authentication do |
Stores passwords in SAM; stores them as a hash |
|
How does LAN Manager (LM) work |
Max 14-character password; 2 groups of 7 characters; padded with 0s if password is not long enough; a group of 7 is used as 56-bit DES encryption; password converted to uppercase; 2 groups of 64-bit strings; encrypted with DES then joined together |
|
In LM what if a password is less than 7 characters |
The second key is blank and made into a default hash ciphertext |
|
What is hexadecimal numbering |
0-9 a-f |
|
Characteristics of NTLM |
128 characters; case sensitive; stored as MD4 hash; larger character code set |
|
What did original Unix system use for passwords |
8-character passwords; with 12-bit salt added |
|
What is salt |
A random string added to original password before hashed. This way two same passwords would give the same hash |
|
What is in salt |
12 bits represented as 2 characters; its creation is based on time of day; stored in etc/password file; first two characters of crypto password is salt |
|
For Linux and Unix where are the encrypted passwords placed |
In the etc/password file |
|
Password cracking about |
A computation of every possible combination of characters of a given length; takes considerable amount of time; cracking is done offline, not live login; hash or encrypt current guess and compare to stored password |
|
What is the most difficult part of password cracking |
Getting the password hash from the target computer, because it's only accessible with admin privileges |
|
Explain the process a brute force password takes to try and crack a password |
Starts with letters; adds numbers; adds special characters |
|
What is the difference between dictionary and brute force attacks |
Dictionary tries common words. Lists contain thousands of words. Simple passwords are very rapidly cracked. Brute guesses every possible combination. Starts with letters, adds numbers, adds special characters. |
|
What is hybrid password cracking |
Combo of dictionary and brute force; tries dictionary words first, then common dictionary words with numbers added to the end and beginning of word. |
|
What is a pre-computed hash |
Hash of password has been pre-calculated; compare hash values to find match |
|
What are rainbow tables |
Captured hash is compared to stored hash values to create faster matches |
|
How do you go about cracking Windows passwords |
You must copy the SAM file containing the cryptographic form of passwords from the victim computer |
|
How to bypass Windows security and gain access to admin |
Boot off a Linux CD |
|
How do you find out how many bits to borrow |
You take the number of sub-networks needed plus 2. Then do 2 to the power of to get that number. Whatever the power is, that is the number of bits to borrow. I.e. sub-networks needed: 15. So actually 16. 2 to the power of 3: 3 bits needed |