1
00:00:01,360 --> 00:00:07,440
In our next section we will talk about password policy elements and passwords.

2
00:00:07,460 --> 00:00:08,680
Elton Matthews

3
00:00:11,160 --> 00:00:19,800
So most systems in an enterprise network use some form of authentication to grant or deny user access.

4
00:00:20,370 --> 00:00:27,990
When users access a system, a username and password are usually involved. As you know, most of the

5
00:00:27,990 --> 00:00:35,730
time it is like that, and it might be fairly easy to guess someone's username based on that person's

6
00:00:35,760 --> 00:00:36,730
real name.

7
00:00:37,170 --> 00:00:46,680
If the user's password is set to some default value or to a word or text string that is easy to

8
00:00:46,710 --> 00:00:52,220
guess, an attacker might easily gain access to the system too.

9
00:00:52,320 --> 00:01:00,870
So guys, think like an attacker for a moment and see if you can make some guesses about passwords you

10
00:01:00,870 --> 00:01:05,310
might try if you want to log in to a random system.

11
00:01:05,490 --> 00:01:14,540
Perhaps you thought of passwords like Password, password1, 123, 123456 and so on, right?

12
00:01:14,970 --> 00:01:23,940
And perhaps you could try a username like admin and a password like admin. An attacker can launch an online

13
00:01:24,000 --> 00:01:27,300
attack by actually entering each password.

14
00:01:27,360 --> 00:01:31,620
Yes, as the system prompts for user credentials.

15
00:01:31,620 --> 00:01:39,960
In contrast, an offline attack occurs when the attacker is able to retrieve the encrypted or hashed

16
00:01:39,960 --> 00:01:50,370
passwords ahead of time, then goes offline to an external computer and uses software there to repeatedly

17
00:01:50,370 --> 00:01:53,790
attempt to recover the actual password.

18
00:01:53,790 --> 00:02:02,740
So attackers can also use software to perform dictionary attacks to discover a user's password.

19
00:02:02,940 --> 00:02:12,120
The software will automatically attempt to log in with passwords taken from a dictionary or word list.

20
00:02:12,120 --> 00:02:20,880
In this method, guys, it might be, I'm sorry, it might have to go through thousands or millions

21
00:02:20,880 --> 00:02:25,130
of attempts before discovering the real password.

22
00:02:25,140 --> 00:02:33,990
In addition, the software can perform a brute force attack by trying every possible combination of letter,

23
00:02:34,050 --> 00:02:43,290
number and symbol strings, and brute force attacks require really very powerful computing

24
00:02:43,290 --> 00:02:52,830
resources and a large amount of time. And to mitigate password attacks, an enterprise should implement

25
00:02:52,880 --> 00:02:56,600
password policies for all users, guys.

26
00:02:56,730 --> 00:03:04,590
Such a policy might include guidelines that require a long password string made up of a combination

27
00:03:04,590 --> 00:03:11,220
of upper and lower case characters along with numbers and some special characters.

28
00:03:11,220 --> 00:03:20,760
Maybe the goal is to require all passwords to be complex strings that are difficult to guess or reveal

29
00:03:20,760 --> 00:03:24,290
by a password attack as well.

30
00:03:24,300 --> 00:03:32,790
Password management should require all passwords to be changed periodically so that even lengthy

31
00:03:32,940 --> 00:03:39,300
brute force attacks would not be able to recover a password before it is changed again.

32
00:03:41,070 --> 00:03:42,390
And yes.

33
00:03:42,750 --> 00:03:51,180
Passwords have some vulnerabilities sometimes, and for critical systems enterprises mostly consider to

34
00:03:51,180 --> 00:04:00,450
use password alternatives, and they are multi-factor authentication, physical access control, certificates

35
00:04:00,480 --> 00:04:01,820
and biometrics.

36
00:04:01,830 --> 00:04:06,710
And let's take a look at these alternatives and learn about them.

37
00:04:09,040 --> 00:04:17,230
A simple password string is the single factor that a user must enter to be authenticated.

38
00:04:18,010 --> 00:04:26,440
Because a password should be remembered and not written down anywhere, you might think of your password

39
00:04:26,530 --> 00:04:32,290
as something you know. Hopefully nobody else knows this too.

40
00:04:32,410 --> 00:04:40,620
Otherwise they could use it to impersonate you when authenticating, right? Multi-factor authentication,

41
00:04:40,960 --> 00:04:49,990
which is also known as MFA, is an authentication method in which a computer user is granted access only

42
00:04:49,990 --> 00:05:00,110
after successfully presenting two or more pieces of evidence, or factors, to an authentication mechanism:

43
00:05:00,190 --> 00:05:10,090
knowledge, something the user and only the user knows; possession, something the user

44
00:05:10,120 --> 00:05:22,120
and only the user has; and inherence, something the user and only the user is. And two-factor authentication,

45
00:05:22,120 --> 00:05:30,700
for example, also known as 2FA, is a type or subset of multi-factor authentication.

46
00:05:30,700 --> 00:05:38,380
It is a method of confirming users' claimed identities by using a combination of two different factors:

47
00:05:38,980 --> 00:05:51,010
one, something they know; two, something they have; or three, something they are. A good example of two-factor authentication

48
00:05:51,340 --> 00:05:56,350
is the drawing of money from an ATM, for example.

49
00:05:56,350 --> 00:05:58,680
All of us do this, right?

50
00:05:59,290 --> 00:06:07,510
There, only the correct combination of a bank card and PIN number allows the transaction to be carried

51
00:06:07,510 --> 00:06:08,570
out.

52
00:06:08,590 --> 00:06:17,380
Two other examples are supplementing a user-controlled password with a one-time password, or OTP, or a code

53
00:06:17,410 --> 00:06:20,770
generated or received by an authenticator.

54
00:06:20,770 --> 00:06:31,710
For example, it may be a security token or a smartphone that only the user possesses. Let's go ahead

55
00:06:31,710 --> 00:06:40,050
with digital certificates. A digital certificate can serve as one alternative factor because it

56
00:06:40,050 --> 00:06:50,790
serves as a trusted form of identification, adheres to a standardized format and contains encrypted

57
00:06:50,850 --> 00:06:52,520
information, guys.

58
00:06:52,590 --> 00:07:03,330
If an enterprise supports certificate use, then a user must request and be granted a unique certificate

59
00:07:03,390 --> 00:07:13,680
to use for specific purposes. For example, certificates used for authenticating users must be approved

60
00:07:13,680 --> 00:07:17,570
for authentication in order to be trusted.

61
00:07:17,580 --> 00:07:27,600
Certificates must be granted to and digitally signed by a trusted certificate authority, known as a CA.

62
00:07:27,840 --> 00:07:36,810
As long as the services used by the enterprise know and trust the CA, then individual

63
00:07:36,810 --> 00:07:41,330
certificates signed by that CA can be trusted as well.

64
00:07:44,110 --> 00:07:53,590
Biometric credentials are another password alternative that can be used, and biometric credentials carry this

65
00:07:53,600 --> 00:08:00,190
scheme even further by providing a factor that represents something you are.

66
00:08:01,090 --> 00:08:10,800
The idea is to use some physical attribute from a user's body to uniquely identify that person. Physical

67
00:08:10,830 --> 00:08:20,040
attributes are usually unique to each individual's body structure and cannot be easily stolen or duplicated,

68
00:08:20,040 --> 00:08:29,700
right? And for example, a user's fingerprint can be scanned and used as an authentication factor.

69
00:08:29,700 --> 00:08:41,070
Other examples include face recognition, palm prints and voice recognition, iris recognition and retinal

70
00:08:41,070 --> 00:08:42,660
scans.

71
00:08:42,660 --> 00:08:51,960
As you might expect, some methods can be trusted more than others, and sometimes facial recognition systems

72
00:08:51,960 --> 00:09:00,300
can be fooled when presented with photographs or masks of trusted individuals.

73
00:09:00,480 --> 00:09:08,940
Injuries and the aging process can also alter biometric patterns such as fingerprints, facial shapes

74
00:09:08,970 --> 00:09:14,970
and iris patterns. To help mitigate potential weaknesses,

75
00:09:14,970 --> 00:09:22,280
multiple biometric credentials can be collected and used to authenticate users as well.
