Password Security - CompTIA Security+ SY0-701 - 4.6

00:01

When you're choosing a password, you often

00:03

see instructions on creating a password that will be

00:06

difficult for someone to guess.

00:08

This would prevent an attacker from using

00:10

some type of password spraying or brute force attack.

00:14

The goal is to create a password with an increased

00:16

amount of entropy.

00:18

Entropy describes how unpredictable a password

00:21

might be.

00:22

To meet those requirements, you don't

00:23

want to use single words or something

00:25

that might be obvious.

00:27

Ideally, you'd create a password that

00:28

included upper and lowercase letters, numbers,

00:31

and special characters all in the same password.

00:34

And you've probably seen cases where there is

00:37

a minimum length of a password.

00:39

Ideally, you'd want a password that

00:40

is at least eight characters, although we're

00:43

seeing password requirements increase

00:45

that number as the processing speeds

00:47

and capabilities of our systems become that much more

00:50

efficient.

00:51

In some cases, we're encouraged to use a phrase or set of words

00:55

so that we have a much longer password.

00:58

Once a password is set, a timer starts

01:00

that defines the password age.

01:03

This password age is then evaluated

01:05

after a certain duration to determine whether we would

01:08

want to change that password.

01:10

For example, many passwords will expire in 30 days, 60 days,

01:14

90 days, or some other value.

01:17

You've probably seen notifications that remind you

01:19

that your password is going to expire

01:21

in a certain number of days and that you'll

01:23

need to change this password as soon as possible.

01:26

If you don't change the password and the password expires,

01:29

then you won't be able to log in to that account.

01:32

And many systems will remember your password history,

01:35

so you can't reuse a password that you

01:37

may have used in the past.

01:39

Of course, these password expirations

01:41

are determined by the system administrator.

01:43

If this is a critical system, you

01:45

may find that your passwords need to be changed every 15

01:48

days or 7 days so that you constantly

01:51

have a different set of passwords in use.

01:54

The best practice is to use a different password

01:57

for each account.

01:58

This would prevent somebody from gaining access

02:01

to one of your passwords and being

02:03

able to access many accounts with those same credentials.

02:06

The problem, of course, is remembering

02:09

all of these different passwords across all

02:11

of these different accounts.

02:12

For that reason, we may want to take advantage of a password

02:16

manager.

02:16

A password manager allows you to store all of your passwords

02:19

in one single database.

02:21

This database obviously contains a great deal

02:24

of sensitive information, so we add additional security

02:27

to gain access to that database.

02:29

For example, the password manager

02:31

itself encrypts all of the information

02:33

stored in the database.

02:34

And to gain access to the database,

02:36

you may need to provide additional authentication

02:39

credentials or multifactor tokens.

02:41

Many operating systems are including a password manager

02:44

built into the OS itself, and you

02:46

can download and use many third-party password managers

02:49

as well.

02:50

There are also solutions available for the enterprise

02:53

so you can have every employee in your organization taking

02:56

advantage of using a secure password manager.

02:59

Once you log into your password manager,

03:01

you have full access to all of the saved passwords,

03:03

and you can get a summary of how healthy those passwords might

03:06

be.

03:07

This might give you some feedback

03:09

on whether a password may have been compromised

03:11

or whether you need to make passwords a bit more secure.

03:14

I like the feature in my password manager

03:16

that allows me to generate new passwords automatically

03:19

with a random amount of data and to automatically

03:22

add those to the form that I'm filling in.

03:24

This allows me to easily create unique passwords for every site

03:28

that I use.

03:30

Unfortunately, many people don't take advantage

03:32

of password managers or they tend to reuse passwords

03:35

across different sites.

03:37

This makes it very easy for an attacker to gain access

03:40

to a user's data.

03:41

Because of this, many systems have

03:43

moved to a passwordless method of authentication

03:46

where you would not use a password to log into a system.

03:50

This would certainly solve the problem of password reuse,

03:53

and you don't have to remember a password to log into a system.

03:56

You might already be using passwordless authentication.

03:59

If you have a mobile phone and you

04:01

unlock that phone with a face recognition,

04:03

you didn't have to put in any password

04:05

to gain access to that system.

04:07

And when I log into Windows, I use a personal identification

04:10

number instead of using a password.

04:13

In all of these cases, the passwordless authentication

04:16

is often used in conjunction with a password

04:18

or some other type of authentication factor.

04:21

This means that we may need to use our password initially.

04:24

But from that point forward, we can

04:26

use the passwordless authentication.

04:29

The use of passwords becomes much more

04:31

complex in an environment where you have many people logging

04:34

into many different systems, as we do in many IT departments.

04:38

So instead of using single passwords that

04:41

are assigned to an individual user,

04:43

we use just-in-time permissions.

04:46

This allows a technician to receive administrative access

04:49

for a limited amount of time using a set of credentials

04:52

that is also temporary.

04:54

This solves the problem of a technician

04:56

needing administrator rights but not

04:58

having those rights normally associated with their login.

05:01

This allows the technician to use those administrator

05:04

rights to solve a particular problem or fix an issue,

05:07

and then those rights will time out normally.

05:10

This means, if an attacker does manage

05:12

to breach an individual user's account,

05:14

they would not have administrator access

05:17

to the systems.

05:18

To start this process of just-in-time permissions,

05:21

the user would request permission

05:23

from a central clearinghouse.

05:25

This clearinghouse is responsible for allowing or not

05:28

allowing access based on a set of security policies

05:31

that were previously configured.

05:33

That central clearinghouse or password vault

05:35

contains primary credentials that would allow someone access

05:39

to a system.

05:39

But instead of handing out those primary credentials,

05:43

the vault is going to set different controls

05:45

for each individual user.

05:47

The just-in-time process is going

05:48

to create a new set of credentials

05:50

based on those primary credentials.

05:53

Those new credentials will be assigned to a user,

05:55

and they're assigned on an ephemeral basis, which

05:58

means they will only be temporarily assigned.

06:01

This means your primary credentials will never

06:03

be shown to anyone else.

06:05

And once the technician uses those temporary credentials,

06:07

they can then be deleted after that session is complete.