Author of the article

Kompaniets Elizaveta, student of MBOU Secondary School No. 28, 11th grade A

Goals

What is the history of passwords?

How do passwords protect data on computers and disks?

How do hackers crack passwords?

How to make a password resistant to hacking?

Hypothesis

A password is the most accepted, and therefore the most commonly used, means of authentication; it relies on something the access subject knows.

Protecting data using a computer

Password history

A password (from the French parole, "word") is a secret word or string of characters used to confirm identity or authority. Passwords are often used to protect information from unauthorized access. In most computing systems a username-password combination is used to authenticate the user. Passwords have been used since ancient times.

Polybius describes the use of passwords in ancient Rome as follows:

The way in which they ensure safe passage at night is as follows: from the ten maniples of each branch of infantry and cavalry, which is located in the lower part of the street, the commander chooses who is exempt from guard duty, and he goes every night to the tribune and receives the password, a wooden tablet with the word on it. He returns to his unit, and then goes with the password and the sign to the next commander, who in turn passes the sign to the next one.

Passwords are used to prevent unauthorized access to data stored on your computer. The computer allows access to its resources only to those users who are registered and have entered the correct password. Each specific user can be allowed access only to certain information resources. In this case, all unauthorized access attempts can be recorded.

Protecting access to your computer.

User settings are protected in the Windows operating system (when the system boots, the user must enter a password), but such protection is easily bypassed, since the user can skip entering a password. A password prompt can also be set in BIOS Setup, in which case the computer will not begin loading the operating system until the correct password is entered. This protection is not easy to bypass; on the other hand, accessing the data becomes a serious problem if the user forgets the password.

Protecting data on disks.

Every drive, folder and file on a local computer, as well as on a computer connected to a local network, can be protected from unauthorized access. Each can be assigned specific access rights (full, read-only, password-protected), and the rights can differ for different users.

Hacking computer passwords

Password cracking is one of the most common types of attack on information systems that use password or username-password authentication. The attack comes down to the attacker obtaining the password of a user who has the right to log in to the system. Its attractiveness to an attacker is that, once the password is obtained, he is guaranteed all the rights of the user whose account was compromised; in addition, logging in under an existing account usually arouses less suspicion among system administrators. Technically the attack can be carried out in two ways: by repeated direct authentication attempts against the system, or by analysing password hashes obtained by other means, for example by intercepting traffic. The following approaches can be used:

Brute force (exhaustive search). Trying every possible combination of the characters allowed in a password. The password "qwerty", for example, is cracked very often because it is easy to guess by looking at the first keys on the keyboard.

Dictionary attack. The method assumes that the password is an existing word of some language, or a combination of such words.

Social engineering. The method assumes that the user chose personal information as the password, such as a first or last name or a date of birth. For example, Vasya Pupkin, born December 31, 1999, will often have a password like "vp31121999" or "vp991231". Many tools have been developed to carry out such attacks, for example John the Ripper.

Password Strength Criteria

From these attack approaches, criteria for a password's resistance to them can be formulated. The password should not be too short, since that makes brute force easier; the most common minimum length is eight characters. For the same reason it should not consist only of digits.

The password should not be a dictionary word or a simple combination of dictionary words, since that makes a dictionary attack easier.

The password should not consist solely of publicly available information about the user.

Recommendations for creating a password include combining words with digits and special characters (#, $, *, etc.), using uncommon or invented words, and observing the minimum length.

Conclusion

Passwords have been in use from their invention to the present day, and they continue to help us protect information from unauthorized access.

Greetings to everyone who watches this video!
This is not my first article, but it is the first in the field of teaching users not to do stupid things.

In this video and in the text of the article, I will tell and show you what you should and should not do when entering or choosing a password.

There are different kinds of passwords: some people keep them in their heads, some write them down on a piece of paper, some in text documents.
Keeping passwords in your head means the following: the passwords will be
1. short;
2. the same on different resources,
and therefore if you register with an email service and then in a chat, then after the chat is hacked that person will have access to your mail, which is not good...

Storing passwords on a piece of paper is not an option either, although it is better than the first; but since we are moving away even from paper books to electronic storage media, I suggest storing passwords in text form.

This method has disadvantages as well as advantages.
Disadvantage: an attacker who gains access to your password file will know all your resources and can gain access on your behalf.

Advantage: gaining access to the resources is harder for third parties, since you can create complex passwords without being afraid of forgetting them.
This method can be improved by remembering one complex password of 10 or more characters
and simply using it to decrypt a password-protected archive containing the passwords.
I'll show you later...

Now I'll show you how difficult it can be to decrypt an ordinary password.

Quite a lot of encryption algorithms have been invented by now. The most popular, in my opinion, is MD5 and its modifications.

Let's take different passwords and their hashes as an example, try to decrypt them, and see how much time it takes.

And so, now we'll decipher them and watch the time...

At first we will use only numbers, and then increase the complexity...

Split seconds...
The same...
The same thing, but we know that the password contains only digits; if it also contained characters it would take much more time...
Next password...
We didn't find the password using digits... let's add characters... lowercase...
We added 1 character (not a digit, and that's how it simplified the process)
On a fairly weak machine, a password of 8 characters using upper and lower case letters will take a very, very long time to decrypt, and that's provided the MD5 is not modified...
It's a pity that not every site/service/server allows additional characters...

Pay attention to the screen: this is how using them would complicate a brute-force search...
With their use, the password is practically invulnerable, unless, of course, supercomputers are used to decrypt it
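As an added illustration of the timings narrated above (not part of the original video or article), the following Python script estimates the worst-case brute-force effort for a password from the character classes it uses; the cracking rate ASSUMED_RATE is an assumed figure, not a measurement from the page.

```python
import string

# Character classes in the order the video walks through them.
CLASSES = {
    "digits": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "symbols": set(string.punctuation),
}
# Assumed MD5 rate for a "fairly weak machine"; a constructed figure, not a measurement.
ASSUMED_RATE = 100_000_000


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character.
    Knowing a password is digits-only shrinks each position to 10 choices."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(alphabet: int, length: int) -> int:
    """Candidates an exhaustive search must try in the worst case."""
    return alphabet ** length


def worst_case_seconds(password: str, rate: int = ASSUMED_RATE) -> float:
    return keyspace(alphabet_size(password), len(password)) / rate


def human(seconds: float) -> str:
    """Render a duration at the scale the video uses (split seconds ... years)."""
    for unit, div in (("years", 31_557_600), ("days", 86_400),
                      ("hours", 3_600), ("minutes", 60)):
        if seconds >= div:
            return f"{seconds / div:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords following the video's progression.
    for pw in ("123456", "12345678", "1234567a", "Abcdefgh", "w1W4W5a$4PYi"):
        n = alphabet_size(pw)
        print(f"{pw:14} alphabet={n:3} candidates={keyspace(n, len(pw)):.3e} "
              f"worst case ~ {human(worst_case_seconds(pw))}")
```

The figures are worst-case for unsalted, unmodified MD5 only; the point is the ratio between rows, not the absolute seconds.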

And as promised, I'll show how you can store passwords for accessing resources while knowing just one password:

This password is of course difficult to remember, so let's simplify it a little... a little later
w1W4W5a$4PYi

By using such a password, your passwords will be safe.
You can shorten it, as I said, to 10 characters... Or so...
It's easier to remember, and likewise easier to hack, but I don't think your passwords will be hacked on purpose
Yes, and a file named "Passwords" will attract attention, so rename it to something less conspicuous...

That's all!

What are the requirements for organizing password protection of information in an educational institution?

It is advisable to entrust organizational and technical support for the processes of issuing, changing and revoking passwords, as well as control over how passwords are handled in an educational institution, to the system administrator.

Personal passwords should preferably be generated and distributed centrally. However, users of the information system may choose them themselves, subject to the following requirements:

  1. the password must be at least 8 characters long;
  2. the characters must include letters (in upper and lower case) and digits;
  3. the password must not contain easily guessed combinations of characters (first names, surnames, well-known names, slang words, etc.), sequences of characters and symbols, common abbreviations and acronyms, names of pets, car registration numbers, telephone numbers and other combinations of letters and characters that can be guessed from information about the user;
  4. the user has no right to disclose his personal password to anyone.
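The password strength criteria in the first article and the institutional requirements in items 1 to 4 above can be checked mechanically. The following Python function is an added example, not part of either original text; the word list, keyboard rows and the user record (first name, surname, date of birth as a (year, month, day) tuple) are constructed assumptions.

```python
import re

# Constructed toy word list standing in for a real dictionary.
DICTIONARY = {"password", "qwerty", "secret", "welcome", "admin", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_run(password: str, n: int = 4) -> bool:
    """True if n consecutive characters are identical, step through the
    alphabet or digits (abcd, 4321), or walk along a keyboard row (qwer)."""
    p = password.lower()
    for i in range(len(p) - n + 1):
        chunk = p[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def personal_fragments(first: str, last: str, born: tuple) -> set:
    """Forms of the user's data seen in the page's 'vp31121999' / 'vp991231' example."""
    y, m, d = str(born[0]), f"{born[1]:02}", f"{born[2]:02}"
    return {first.lower(), last.lower(), d + m + y, y + m + d,
            y[2:] + m + d, d + m + y[2:], y}


def check_password(password: str, first: str, last: str, born: tuple) -> list:
    """Return the policy rules the password violates (empty list = accepted).
    born is (year, month, day)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.isdigit():
        problems.append("consists only of digits")
    elif not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
              and re.search(r"[0-9]", password)):
        problems.append("must mix upper case, lower case and digits")
    words = re.findall(r"[A-Za-z]{4,}", password)
    if any(w.lower() in DICTIONARY for w in words):
        problems.append("built from a dictionary word")
    if has_run(password):
        problems.append("contains a repeated or sequential run")
    low = password.lower()
    if any(frag in low for frag in personal_fragments(first, last, born)):
        problems.append("contains personal data (name or date of birth)")
    return problems
```

The same routine serves the monthly weak-password review described later, run over each account's candidate password at the time it is set rather than against stored hashes.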

If users' personal passwords are generated centrally, responsibility for their correctness rests with the system administrator of the educational institution.

If there is a technological need to use an employee's password in his absence, it is recommended to change the password at the first opportunity and hand it over for safekeeping, in a sealed envelope, to the person responsible for information security. Sealed envelopes containing passwords must be kept in a safe.

When a user's authority is terminated (dismissal, transfer to another job, etc.), the system administrator must delete the account immediately after the end of the user's last session with the information system.

An urgent (unscheduled) password change must be carried out when the authority of information system administrators, or of other employees granted authority to manage password protection, is terminated.

It is recommended that an educational institution develop instructions for organizing password protection of information, which password owners must acknowledge by signature. The instructions must define security measures whose observance prevents information leakage. A possible wording follows.
It is prohibited to write passwords on paper, in a file or on other storage media. When entering a password, the user must not say it out loud.

It is prohibited to disclose your personal password to other users or to log them in to the system with your password.
Storing your password on paper is permitted only in a safe.

Password owners must be warned of responsibility for using passwords that do not meet the requirements established by the institution, as well as for disclosing password information.

Official source

How is information security monitored in the automated systems that process personal data in an educational institution? Monitoring of the hardware components of automated systems processing personal data is carried out during their administration and during maintenance work on the equipment. The most essential components of the system (servers, active network equipment) must be monitored constantly as part of the work of the administrators of the corresponding systems.

Monitoring of password protection includes: setting password expiration periods (no more than 3 months); periodically (at least once a month) checking user passwords for length and obviousness, in order to identify weak passwords that are easy to guess or recover with specialized software (password crackers).

Monitoring the integrity of software includes the following actions:

  1. checking checksums and digital signatures of directories and files of certified software when the operating system loads;
  2. detecting duplicate user IDs;
  3. restoring system files from backup copies, by the system administrators, if the checksums do not match.

Prevention and timely detection of unauthorized access attempts is carried out using operating system tools and special software, and includes:

  1. recording unsuccessful login attempts in the system log;
  2. logging the operation of network services;
  3. detecting scans of a range of network ports within short periods of time, in order to spot network scanners that probe the system for vulnerabilities.
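Item 1 (recording unsuccessful login attempts) only pays off if someone looks at the log. The following Python script is an added example, not taken from the source document: it parses constructed sshd-style auth log lines and flags a source address that reaches five failed logins within one minute; the log format, addresses, year and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log lines (syslog omits the year, so one is assumed).
SAMPLE_LOG = """\
Mar 12 09:14:01 server sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 51522 ssh2
Mar 12 09:14:03 server sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 51523 ssh2
Mar 12 09:14:05 server sshd[2214]: Failed password for root from 192.0.2.10 port 51530 ssh2
Mar 12 09:14:06 server sshd[2214]: Failed password for root from 192.0.2.10 port 51531 ssh2
Mar 12 09:14:08 server sshd[2218]: Failed password for teacher from 192.0.2.10 port 51540 ssh2
Mar 12 09:15:30 server sshd[2301]: Failed password for teacher from 198.51.100.7 port 40011 ssh2
Mar 12 09:15:45 server sshd[2302]: Accepted password for teacher from 198.51.100.7 port 40012 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(\S+) from (\S+) port \d+")


def parse_failures(text: str, year: int = 2024):
    """Yield (timestamp, username, source_ip) for every failed-login line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def detect_bruteforce(text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Sliding-window count of failures per source IP. Returns, for each IP that
    reached `threshold` failures within `window_s` seconds, the usernames it tried."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    targeted = defaultdict(set)
    alerts = {}
    for ts, user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        targeted[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = sorted(targeted[ip])
    return alerts


if __name__ == "__main__":
    for ip, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible password guessing from {ip}: accounts tried {users}")
```

A single failure from a second address is kept below the threshold on purpose: one mistyped password by a legitimate user should not raise an alert.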

Monitoring the performance of automated systems that process personal data is carried out on the basis of user requests, during system administration and during preventive maintenance, in order to identify unauthorized access attempts that have led to a significant drop in system performance.

A system audit is performed quarterly and in special situations. It includes security reviews, system testing, and monitoring of changes to system software.

Official source

  • Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (as amended on July 25, 2011)
  • Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation No. 781 of November 17, 2007
  • Regulations on methods and means of protecting information in personal data information systems, approved by Order of FSTEC No. 58 of 02/05/2010

In the modern world, more and more personal data ends up on the Internet, including in various financial services and applications. This data must be reliably protected.

You protect your own data yourself, using the various passwords on which the security of your accounts depends. So how can you make a password that is easy to remember and hard to crack?

Common Mistakes

Many users around the world pay no particular attention to choosing a secure password, and as a result become victims of Internet scammers who break into their accounts after 5-6 attempts. For many years users have been using the simplest combinations - 1234567, 12345554321, 1q2w3e4r5t6y - thereby exposing themselves to the threat of hacking.

Most cyber security experts point out that the two main criteria for a secure password are complexity and length. In their opinion, a password should be a long combination of different kinds of characters: digits, letters, symbols and punctuation marks.

How to create passwords correctly

  • Use more than 8 characters.
  • Use a unique password for each account: if you use the same password everywhere and one account is broken into, the fraudster will be able to open the other accounts as well.
  • Change your passwords periodically, at least once every 3 months. Set an automatic reminder so as not to forget such an important procedure.
  • A variety of characters in a password is a guarantee of reliability. But do not rely on the now common replacement of letters with digits or symbols, for example "FOR" with "4".
  • Use the full range of symbols available on the keyboard.

Also, do not forget: passwords must be stored in a place that only you have access to.

When creating passwords, avoid as far as possible:

  • dictionary words in any language;
  • repeated or consecutive characters, for example 1234567, 55555, abcwhere, etc.;
  • passwords based on personal data: full name, date of birth, document serial numbers, and so on.

In general, take password creation seriously, as your financial well-being or reputation may depend on what they protect.