Best Practices for Password Security and User Authentication


Password security is crucial for protecting sensitive information. Passwords should not be shared and should be changed regularly to prevent unauthorized access. Implementing strong passwords, two-factor authentication, and biometric security measures can greatly enhance security. Additionally, maintaining a secure operating system is essential to prevent vulnerabilities and unauthorized software installations. Follow industry best practices to ensure a robust security framework and protect against potential threats.


Uploaded on Nov 15, 2024



Presentation Transcript


  1. Passwords
     - Should not be shared
     - Should be changed by the user
     - Should be changed frequently and upon compromise (suspected unauthorized disclosure)
     AIS, 2014

  2. Passwords
     - Long, at least 8 characters
     - Alphanumeric
     - Hashed (one-way scrambling)
     - System should allow only a few attempts before locking out the account

  3. Password Cracking Methods
     - Random trials: haphazard, low chance but easier
     - Dictionary attacks: try scrambling the common names and all dictionary words
     - Brute force: try scrambling all possible combinations of characters, most time consuming
     - Systematic deduction: try name followed by month, etc.

  4. Passwords
     - An 8-letter password is 676 times stronger than a 6-letter password.
     - A 6-character alphanumeric password is 6 times stronger than a 6-letter password.
     - A completely random 8-character alphanumeric password is virtually uncrackable with a modern PC; it takes about 1 year.
     - Strength should depend on the user's privilege and the locality of the system.
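The password handling that slides 2 and 4 describe, written out as an added example (not code from the presentation): passwords are checked against the length and alphanumeric policy, stored only as a salted one-way hash, and the account locks after a few failed attempts. The user store, iteration count and sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5         # slide 2: allow only a few attempts before locking the account
PBKDF2_ROUNDS = 200_000  # assumption: iteration count; raise to current guidance in production

# Constructed in-memory user store: username -> salt, hash, failure count, lock flag.
USERS = {}

def password_ok(password):
    """Slide 2 policy: at least 8 characters and alphanumeric (letters and digits)."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def hash_password(password, salt):
    # One-way scrambling: a salted, iterated hash; the clear-text password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(username, password):
    if not password_ok(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "failures": 0, "locked": False}

def login(username, password):
    """Return 'ok', 'bad' or 'locked'."""
    rec = USERS.get(username)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # same cost as a real check, so timing leaks nothing
        return "bad"
    if rec["locked"]:
        return "locked"
    if hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
        rec["failures"] = 0
        return "ok"
    rec["failures"] += 1
    if rec["failures"] >= MAX_ATTEMPTS:
        rec["locked"] = True            # further attempts, even correct ones, are refused
        return "locked"
    return "bad"

def keyspace_ratio(length_a, alphabet_a, length_b, alphabet_b):
    """How many times larger one password space is than another (slide 4 arithmetic)."""
    return (alphabet_a ** length_a) / (alphabet_b ** length_b)
```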

  5. Two-factor Authentication (general or application)
     - Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
     - Uses what the user has and what the user knows.
     - Examples are a token with a dynamic password, and an ATM.

  6. Biometrics (general or application)
     - Can include fingerprint, hand geometry, voice, etc.
     - Held back by privacy concerns.
     - Not recognised legally in place of a signature.

  7. Operating System Security (general control)
     - Use a standard checklist for configuration.
     - Lock down workstation access by employees to prevent unauthorized installation of software.
     - Use scanning software to detect vulnerabilities before implementation and periodically.
     - Use automated patching tools to install security fixes.

  8. Operating System Security
     - The standard configuration checklist should comply with the workstation and server security standards in the organization. This is called hardening.
     - It should enable only minimal services. A service is a system program in the OS that performs repetitive functions like remote connection to a server.

  9. Operating System Security
     - Have a server profile to define security parameters for the entire server, e.g., password length.
     - Define the access control list for each file on the server (program and data): who can access what file, and whether they can read, write or delete it; the "who" may be a person, a class of users or a program.
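A per-file access control list of the kind slide 9 describes, as an added example rather than the presentation's own material: each entry names a person, a class of users or a program and the actions (read, write, delete) it may perform, and anything without a matching entry is denied. The file paths, names and group memberships are constructed for illustration.

```python
# Constructed ACLs in the style of slide 9: each file on the server carries a list of
# who may read, write or delete it; "who" is a user, a group (class of users) or a program.
ACLS = {
    "/data/payroll.db": [
        ("user", "alice", {"read", "write"}),
        ("group", "auditors", {"read"}),
        ("program", "payroll_batch", {"read", "write", "delete"}),
    ],
    "/bin/ledger": [
        ("group", "staff", {"read"}),
    ],
}

# Class membership used to resolve "group" entries (constructed).
GROUPS = {"auditors": {"bob"}, "staff": {"alice", "bob", "carol"}}

def permitted(path, action, user=None, program=None):
    """Return True only if some ACL entry grants `action` to the requesting user or program."""
    for kind, name, perms in ACLS.get(path, []):
        if action not in perms:
            continue
        if kind == "user" and name == user:
            return True
        if kind == "group" and user in GROUPS.get(name, set()):
            return True
        if kind == "program" and name == program:
            return True
    return False   # default deny: a file with no matching entry is inaccessible

def audit_access(path):
    """List (subject, action) pairs the ACL grants, for periodic review of who can do what."""
    out = []
    for kind, name, perms in ACLS.get(path, []):
        for action in sorted(perms):
            out.append((f"{kind}:{name}", action))
    return sorted(out)
```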

  10. Firewall (general control)
     - Can be hardware based only, e.g., a router.
     - Can be a server with sophisticated software; more granular and reliable than a router, and provides better logs.
     - Can use artificial intelligence to check for patterns.

  11. Firewall
     - Every organization that hosts a web site should have a firewall to protect its internal network from hackers.
     - The firewall would block traffic that is definitely unacceptable.

  12. Firewall
     - A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.
     - A data packet typically consists of a source Internet Protocol (IP) address, a port and a destination Internet Protocol address.

  13. Firewall
     - A port is a logical connection point in a network device, including a computer.
     - It is used to standardize Internet traffic, e.g., web browsing uses port 80, e-commerce uses port 443.

  14. Firewall to Prevent Spoofing
     - Should not allow its own IP addresses to come in.
     - Should load the unassigned addresses from the Internet Assigned Numbers Authority (IANA) on the firewall.
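The rule evaluation slides 12 to 14 describe, as an added example (not the presentation's code): inbound packets are matched on source address, destination address and port, packets claiming one of the organization's own addresses or an IANA-unassigned address are dropped as spoofed, and a simple count of distinct ports per source flags the port scanning slide 12 mentions. The address blocks and packets are constructed; the unassigned ranges are an illustrative subset, not the full IANA list.

```python
import ipaddress
from collections import defaultdict

# Constructed example addresses: the organisation's own block and two IANA-unassigned
# ranges (assumption: an illustrative subset, not the complete bogon list).
OWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
UNASSIGNED_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "240.0.0.0/4")]

# Rules checked top to bottom: (action, destination network, destination port); None = any.
RULES = [
    ("allow", "203.0.113.10/32", 80),   # web browsing to the public web server
    ("allow", "203.0.113.10/32", 443),  # e-commerce (TLS)
    ("deny", None, None),               # everything else is definitely unacceptable
]

def in_any(addr, nets):
    return any(addr in net for net in nets)

def filter_inbound(src_ip, dst_ip, dst_port):
    """Decide what to do with one packet arriving from the Internet; returns a reason string."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if in_any(src, OWN_NETS):
        return "deny: spoofed, claims one of our own addresses"   # slide 14
    if in_any(src, UNASSIGNED_NETS):
        return "deny: IANA-unassigned source address"              # slide 14
    for action, dst_net, port in RULES:
        if dst_net is not None and dst not in ipaddress.ip_network(dst_net):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"   # unreachable with the default-deny rule above; kept as a safety net

def port_scan_sources(packets, threshold=10):
    """Sources that touched more than `threshold` distinct ports: a crude port-scan
    indicator for log review. `packets` is a list of (src, dst, dst_port) tuples."""
    ports = defaultdict(set)
    for src, _dst, port in packets:
        ports[src].add(port)
    return sorted(s for s, seen in ports.items() if len(seen) > threshold)
```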

  15. Technologies and Tools for Security and Control: Firewalls, Intrusion Detection Systems, and Antivirus Software (continued)
     - Network address translation (NAT) provides an additional layer of protection.
     - Conceals the IP address of the host computer from sniffer programs.

  16. Firewall Management
     - The firewall should not be remotely administrable, in order to reduce the risk of hacking.
     - Firewall logs should be reviewed frequently to avoid the log getting full and the firewall collapsing.
