Noirchapeau's Gitbook
Noirchapeau
NoirchapeauEsau
Noirchapeau
NoirchapeauEsau
  • Welcome to NoirChapeau Gitbook
  • Network Mapping and Security Auditing Tool
  • Footprinting - Enumeration and Information Gathering Notes
    • FTP Pentesting Notes
    • SMB Pentesting Notes
    • SSH Pentesting Notes
    • IPMI Pentesting Notes
    • Oracle TNS Pentesting Notes
    • MSSQL Pentesting Notes
    • MySQL Pentesting Notes
    • SNMP Pentesting Notes
    • IMAP/POP3 Pentesting Notes
    • SMTP Pentesting Notes
    • DNS Pentesting Notes
    • NFS Pentesting Notes
  • Web Reconnaissance Notes
  • Vulnerability Assessment Notes
    • Nessus Vulnerability Scanner Notes
    • OpenVAS (GVM) Vulnerability Scanner Notes
  • File Transfer Techniques for Pentesting
    • Advanced File Transfer Techniques
    • File Transfer Detection & Evasion Techniques
  • Shells & Payloads: Shell Overview
    • Shells & Payloads: Payloads Overview
    • Shells & Payloads: Web Shells Overview
    • Shells & Payloads: Detection & Prevention
  • Metasploit
    • Working with Metasploit Modules
    • Targets and Payloads
    • Encoders & Msfvenom: Advanced Exploitation Techniques
    • Database Management in Metasploit
    • Sessions and Jobs
    • Writing and Importing Custom Modules into Metasploit
    • Firewall and IDS/IPS Evasion
  • Password Attacks
    • Remote Password Attacks
    • Windows Local Password Attacks
    • Linux Local Password Attacks
    • Windows Lateral Movement
    • Files & Archives Cracking
    • Password Management
  • Interacting with Common Services
    • Protocol Specific Attacks
Powered by GitBook
On this page
  • Introduction
  • Password Policy Standards
  • Essential Password Policy Components
  • Basic Requirements
  • Blacklisted Elements
  • Policy Enforcement Methods
  • Creating Strong Passwords
  • Methods
  • Password Managers
  • Types
  • Core Features to Consider
  • Alternative Authentication Methods
  • Passwordless Options
  • Major Passwordless Providers
  • Best Practices Summary
  1. Password Attacks

Password Management

Introduction

  • Password management is crucial for organizational security

  • Example: New employee "Mark" trying to set password "password123" but getting rejected due to policy requirements

  • Password security consists of two key components:

    • Policy definition (guidelines)

    • Policy enforcement (technical implementation)

Password Policy Standards

  • Common industry standards include:

    • NIST SP800-63B

    • CIS Password Policy Guide

    • PCI DSS

  • Standards provide baseline security controls but shouldn't be the only measure

  • Different standards may have conflicting approaches (e.g., password expiration requirements)

Essential Password Policy Components

Basic Requirements

  • Minimum length: 8 characters

  • Character complexity:

    • Uppercase letters

    • Lowercase letters

    • Numbers

    • Special characters

  • Change frequency: Every 60 days (though this is debatable based on modern standards)

Blacklisted Elements

  • Company name and variations

  • Industry-related terms

  • Temporal terms (months, seasons)

  • Common words:

    • "welcome"

    • "password"

    • Simple sequences (123456, abcde)

Policy Enforcement Methods

  • Technical Implementation:

    • Active Directory Password Policy GPO

    • Identity Management Systems

  • Organizational Implementation:

    • Clear communication of policies

    • Documented processes and procedures

    • Regular audits and compliance checks

Creating Strong Passwords

Methods

  1. Password Generator Tools:

    • Example: Generated password like "CjDC2x[U"

    • Pros: Very secure

    • Cons: Hard to remember

  2. Passphrase Method:

    • Example: "()The name of my dog is Poppy!"

    • Pros: Easier to remember

    • Cons: Could be vulnerable to OSINT if based on personal information

Password Managers

Types

  1. Online Password Managers:

    • Popular options:

      • 1Password

      • Bitwarden

      • Dashlane

      • Keeper

      • LastPass

      • NordPass

      • RoboForm

    • Features:

      • Cloud synchronization

      • Multi-device support

      • Zero Knowledge Encryption

      • Master password protection

  2. Local Password Managers:

    • Popular options:

      • KeePass

      • KWalletManager

      • Pleasant Password Server

      • Password Safe

    • Features:

      • Local storage

      • No third-party dependency

      • Complete control over database

Core Features to Consider

  • 2FA support

  • Multi-platform compatibility

  • Browser extension availability

  • Autocomplete functionality

  • Import/export capabilities

  • Password generation tools

Alternative Authentication Methods

Passwordless Options

  • Multi-factor Authentication (MFA)

  • FIDO2 authentication standard

    • Hardware keys (e.g., Yubikey)

  • One-Time Password (OTP)

  • Time-based One-Time Password (TOTP)

  • IP-based restrictions

  • Device Compliance systems:

    • Endpoint Manager

    • Workspace ONE

Major Passwordless Providers

  • Microsoft

  • Auth0

  • Okta

  • Ping Identity

Best Practices Summary

  1. Implement strong password policies

  2. Use password managers for complex password management

  3. Consider modern authentication alternatives

  4. Regularly review and update security measures

  5. Provide user training and support

  6. Monitor and audit password-related security events

PreviousFiles & Archives CrackingNextInteracting with Common Services