
Password protection of personal data. Protecting data using a password. Cracking computer passwords

Greetings to everyone who is watching this video!
This is not my first article, but it is the first in the field of teaching users not to do stupid things.

In this video and in the text of the article, I will tell and show what should and should not be done when entering or choosing a password.

Passwords are handled differently: some people keep them in their heads, some write them on a piece of paper, some keep them in text documents.
Keeping passwords in your head means the following: the passwords will be
1. short;
2. the same on different resources,
and therefore, if you register by e-mail and then in a chat, a person who hacks the chat will get access to your mail, which is not good ...

Storing passwords on a piece of paper is also not an option, although it is better than the first; but since we are moving away even from paper books towards electronic media, I suggest storing passwords in plain text.

This method has disadvantages as well as advantages.
Disadvantage: an attacker who gains access to your password file will know all your resources and can gain access on your behalf.

Advantage: it is more difficult to get access to (third-party) resources, because you can create complex passwords and not be afraid of forgetting them.
You can improve this method by remembering one complex password of 10 characters or more and using only it to decrypt a password-protected archive.
I'll show you later ...

And now I'll show you how difficult it can be to decipher an ordinary password.

Currently, many encryption algorithms have been invented. The most popular, in my opinion, is MD5 and its modifications.

Let's take, for example, different passwords and their hashes, try to decrypt them, and see clearly how long it takes.

So, now we will decrypt and watch the time ...

At first we will use only numbers, and then increase the complexity ...

Fractions of a second ...
The same ...
The same, but we know that the password contains only numbers; if it also contained other characters, it would take much longer ...
Next password ...
We couldn't find the password using digits alone ... let's add characters ... lower case ...
We added 1 character (not a digit), and this is how it simplified the process ...
On a rather weak machine, a password of 8 characters using upper and lower case letters will take a very, very long time to decrypt, and that is provided that MD5 is not modified ...
It's a pity that not every site / service / server allows additional characters ...

Pay attention to the screen: here is how they would complicate the brute-force process ...
With their use, the password is practically invulnerable, unless, of course, supercomputers are used to decrypt it.
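As an added illustration (not part of the video), the following Python script repeats the experiment in miniature: it brute-forces a constructed, unsalted MD5 hash of a 4-digit password, measures the guess rate on the current machine, and extrapolates how long an 8-character password over larger alphabets would take to exhaust. The target password, the rate and the alphabet sizes are assumptions for this example, not values from the video.

```python
import hashlib
import itertools
import time

# Constructed stand-in for the hashes in the video: an unsalted MD5 of a
# short digits-only password (the value is made up for this example).
TARGET_PASSWORD = "7309"
TARGET_HASH = hashlib.md5(TARGET_PASSWORD.encode()).hexdigest()
DIGITS = "0123456789"


def brute_force(target_hash, charset, max_len):
    """Try every string over charset up to max_len; return (password, guesses made)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hashlib.md5(candidate.encode()).hexdigest() == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second


def demo():
    """Crack the toy hash, measure this machine's rate, extrapolate to 8 characters."""
    start = time.perf_counter()
    found, guesses = brute_force(TARGET_HASH, DIGITS, 4)
    rate = guesses / max(time.perf_counter() - start, 1e-9)  # single-threaded MD5/s
    print(f"recovered {found!r} after {guesses} guesses at {rate:,.0f} MD5/s")
    alphabets = [("digits", 10), ("lower case", 26), ("upper + lower", 52),
                 ("upper + lower + digits + punctuation", 94)]
    for name, size in alphabets:
        days = seconds_to_exhaust(size, 8, rate) / 86400
        print(f"{name:>38}, 8 chars: {days:,.1f} days worst case")
    return found


if __name__ == "__main__":
    demo()
```

The digits-only case falls in a fraction of a second, while the 94-character row shows why length and alphabet size, rather than the choice of hash, dominate brute-force cost.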

And as promised, I'll show how you can store passwords for accessing resources while knowing only one password:

Of course, such a password is difficult to remember, so let's simplify it a little ... a little later
w1W4W5a$4PYi

By using such a password, your passwords will be safe.
You can shorten it, as I said, to 10 characters ... Well, or like this ...
It is easier to remember and, in fact, easier to crack, but I don't think that your passwords will be cracked on purpose.
Also, the file name "Passwords" will attract attention, so rename it to something less catchy ...

That's all!

What are the requirements for organizing password protection of information in an educational institution?

It is advisable to entrust organizational and technical support of the processes of issuing, changing and revoking passwords, as well as monitoring the handling of passwords in an educational institution, to the system administrator.

It is desirable to generate and distribute personal passwords centrally. However, users of the information system may choose them independently, taking into account the following requirements:

  1. the password must be at least 8 characters long;
  2. the characters must include letters (in upper and lower case) and digits;
  3. the password must not contain easily guessable combinations of characters (first names, surnames, well-known names, slang words, etc.), sequences of characters and signs, common abbreviations and acronyms, pet names, car numbers, telephone numbers and other combinations of letters and signs that can be guessed from information about the user;
  4. the user has no right to disclose their personal password to anyone.

If the formation of personal user passwords is carried out centrally, the responsibility for their correctness rests with the system administrator of the educational institution.

If there is a technological need to use the employee's password in his absence, it is recommended to change the password as soon as possible and transfer it to the person responsible for information security for storage in a sealed envelope. Sealed envelopes with passwords should be kept in a safe.

In case of termination of the user's authority (dismissal, transfer to another job, etc.), the system administrator must delete their account immediately after the end of the last session with the information system.

An urgent (unscheduled) change of passwords should be carried out in the event of termination of the powers of administrators of the information system and other employees who have been granted the authority to manage password protection.

In an educational institution it is recommended to develop instructions for organizing password protection of information, with which password owners should be familiarized against signature. The instructions must define the security measures whose observance will prevent information leakage. Here is a possible formulation.
It is forbidden to write passwords down on paper, in a file or on other storage media. When entering a password, the user must not say it aloud.

It is forbidden to give a personal password to other users or to log them into the system under one's own password.
Storing a password on paper is allowed only in a safe.

Password holders should be warned of responsibility for the use of passwords that do not meet institutional requirements, as well as for the disclosure of password information.

Official source

How is the information security monitoring of automated systems processing personal data in an educational institution carried out?

Monitoring of the performance of the hardware components of automated systems that process personal data is carried out during their administration and during the maintenance of equipment. The most essential components of the system (servers, active network equipment) must be constantly monitored by the administrators of the respective systems.

Password protection monitoring provides for:

  1. setting password validity periods (no more than 3 months);
  2. periodic (at least once a month) checking of user passwords for the number of characters and obviousness, in order to identify weak passwords that are easy to guess or to recover using specialized software (password crackers).

Monitoring software integrity includes the following actions:

  1. verification of checksums and digital signatures of catalogs and files of certified software tools when loading the operating system;
  2. detection of duplicate user IDs;
  3. recovery of system files by system administrators from backups in case of mismatch of checksums.
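The checksum verification in item 1 above, written out as an added example (not part of the source document): a baseline of SHA-256 digests is taken over a file tree at installation time, and a later check reports files that were modified, removed, or added since. The file names and contents are constructed inside a temporary directory for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the tree with the stored baseline; any non-empty list is a finding."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a baseline over constructed files, tamper with them, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"constructed stand-in for a certified binary")
        (root / "etc.conf").write_text("setting=1\n")
        baseline = build_baseline(root)          # taken at install / certification time
        (root / "bin" / "login").write_bytes(b"tampered binary")   # modified
        (root / "bin" / "extra").write_bytes(b"dropped file")      # unexpected
        (root / "etc.conf").unlink()                               # missing
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored where the monitored system cannot alter it (read-only media or a separate host), otherwise an intruder who replaces a file can also update its recorded digest.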

Prevention and timely detection of unauthorized access attempts is carried out using the operating system and special software, and provides for:

  1. recording unsuccessful login attempts in the system log;
  2. logging of network services;
  3. identifying scans of a range of network ports within short periods of time, in order to detect network analyzers that study the system and look for its vulnerabilities.

Monitoring of the performance of automated systems that process personal data is carried out on requests from users, during system administration and preventive maintenance to detect unauthorized access attempts that have resulted in a significant decrease in system performance.

A system audit is performed quarterly and in special situations. It includes conducting security reviews, testing the system, and monitoring changes to the system software.

Official sources:

  • Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" (as amended on July 25, 2011)
  • Regulation on ensuring the security of personal data during their processing in personal data information systems, approved by Resolution of the Government of the Russian Federation of November 17, 2007 No. 781
  • Regulations on the methods and ways of protecting information in personal data information systems, approved by order of FSTEC of 05.02.2010 No. 58

In the modern world, more and more personal data goes to the Internet. These include various financial services and applications. This data must be under reliable protection.

The protection of your own data is provided by you yourself, using different passwords, on which the security of various accounts depends. So how do you make your password so that it is easy to remember and difficult to break?

Common mistakes

Many users around the world do not pay special attention to choosing a secure password, which makes them victims of Internet scammers who hack their accounts in 5-6 attempts. For many years, users have been using the simplest combinations - 1234567, 12345554321, 1q2w3e4r5t6y - thereby exposing themselves to the threat of hacking.

Most cyber security experts point out two main criteria for a secure password - complexity and length. In their opinion, when creating a password, you need to use a long combination using various characters - numbers, letters, symbols, punctuation marks.

How to create passwords correctly

  • Use more than 8 characters.
  • Use a unique password for each account: if the same password is used on all accounts and one of them is hacked, the fraudster will be able to open the other accounts as well.
  • Passwords should be changed periodically - at least once every 3 months. Set an automatic reminder so as not to forget about such an important procedure.
  • A variety of characters in a password is a guarantee of reliability. But do not use the now widespread substitution of letters with numbers or symbols, for example, "FOR" with "4".
  • Use the full range of characters available on the keyboard.

Also, do not forget - passwords must be stored in a place to which only you have access.

As much as possible, avoid using in password creation:

  • Vocabulary words in any language
  • Repetitions or symbols placed sequentially one after another. For example: 1234567, 55555, abcgde, etc.
  • Passwords using personal data: full name, date of birth, serial numbers of documents, and so on.

In general, take your password creation seriously, as what they protect can affect your financial health or reputation.

The author of the article

Kompaniets Elizaveta, student of MBOU secondary school №28, 11th grade A

Objectives

What is the history of passwords?

How do passwords protect data on computers and disks?

How do hackers crack passwords?

How to make a password resistant to hacking?

Hypothesis

The password is the most convenient and therefore the most commonly used means of authentication based on knowledge possessed by the access subjects.

Protecting data using a computer

Password history

A password (French parole, "word") is a secret word or set of characters designed to confirm identity or authority. Passwords are often used to protect information from unauthorized access. Most computing systems use a username-password combination to authenticate a user. Passwords have been used since ancient times.

Polybius describes the use of passwords in ancient Rome as follows:

The way in which they ensure safe passage at night is as follows: of the ten maniples of each kind of infantry and cavalry which are quartered at the lower end of the street, the commander chooses a man who is exempt from guard duty, and he goes to the tribune every night and receives from him the password, a wooden tablet with a word on it. He returns to his unit and then passes the tablet with the password to the next commander, who in turn passes the tablet to the next one.

Passwords are used to prevent unauthorized access to data stored on your computer. The computer allows access to its resources only to those users who are registered and entered the correct password. Each specific user can be allowed access only to certain information resources. In this case, all unauthorized access attempts can be registered.

Protection of access to the computer.

Protection of user settings is available in the Windows operating system (when the system boots, the user must enter their password); however, such protection is easily overcome, since the user can refuse to enter the password. A password prompt can be set in the BIOS Setup program: the computer will not start loading the operating system unless the correct password is entered. Such protection is not easy to overcome; moreover, serious problems with data access will arise if the user forgets this password.

Data protection on disks.

Each disk, folder and file of a local computer, as well as a computer connected to a local network, can be protected from unauthorized access. Certain access rights can be set for them (full, read-only, by password), and the rights can be different for different users.

Cracking computer passwords

Password cracking is one of the most common types of attacks on information systems that use password or username / password pair authentication. The essence of the attack comes down to obtaining the password of a user who has the right to enter the system. The attractiveness of the attack for an attacker is that, if the password is successfully obtained, he is guaranteed to obtain all the rights of the user whose account was compromised, and besides, logging in under an existing account usually causes less suspicion among system administrators. Technically, the attack can be implemented in two ways: by repeated attempts to authenticate directly in the system, or by analyzing password hashes obtained in another way, for example, by intercepting traffic. In this case, the following approaches can be used:

Direct search. Enumeration of all possible combinations of characters allowed in the password. For example, the password "qwerty" is often cracked because it is very easy to guess from the first keys on the keyboard.

Dictionary selection. The method is based on the assumption that existing words of some language, or combinations of them, are used in the password.

Social engineering method. Based on the assumption that the user has used personal information as a password, such as his first or last name, date of birth, etc. For example, Vasya Pupkin, born December 31, 1999, often has a password like "vp31121999" or "vp991231". Many tools have been developed to carry out the attack, for example, John the Ripper.

Password strength criteria

Based on the approaches to carrying out the attack, it is possible to formulate criteria for a password's resistance to it. The password should not be too short, as this makes it easier to brute-force. The most common minimum length is eight characters. For the same reason, it should not consist only of digits.

The password should not be a dictionary word or a simple combination of them; this makes it easier to guess it using a dictionary.

The password should not consist only of public information about the user.

As recommendations for creating a password one can name the use of a combination of words with numbers and special characters (#, $, *, etc.), the use of uncommon or nonexistent words, and the observance of the minimum length.
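The strength criteria above, together with the institutional requirements listed earlier (minimum length, mixed case and digits, no sequences, nothing derived from the user's public data), can be turned into a policy check that an administrator runs before accepting a password. The Python below is an added example, not code from the source document: the dictionary is a small constructed wordlist, the user data is the page's Vasya Pupkin example, and the set of personal-data fragments it derives is an assumption about what an attacker would try.

```python
import re
from datetime import date

# Small constructed wordlist standing in for a real dictionary file.
DICTIONARY = {"password", "qwerty", "summer", "school", "dragon", "monkey"}
# The page's example user: Vasya Pupkin, born 31 December 1999.
VASYA = ("Vasya", "Pupkin", date(1999, 12, 31))


def has_sequence(pw, run=4):
    """True if pw has `run` identical chars in a row (5555) or a straight run of codes (1234, dcba)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def personal_tokens(first, last, born):
    """Fragments derivable from public data: names, name+initial, common date layouts."""
    f, l = first.lower(), last.lower()
    tokens = {f, l, f[0] + l, l + f[0]}
    tokens |= {born.strftime(fmt) for fmt in ("%d%m%Y", "%y%m%d", "%d%m%y", "%Y%m%d", "%Y")}
    return {t for t in tokens if len(t) >= 4}   # ignore fragments too short to mean much


def check_password(pw, first, last, born, min_len=8):
    """Return the list of violated criteria; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append("shorter than minimum length")
    if pw.isdigit():
        problems.append("digits only")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw) and re.search(r"\d", pw)):
        problems.append("missing upper case, lower case or digit")
    if low in DICTIONARY or any(w in low for w in DICTIONARY if len(w) >= 5):
        problems.append("dictionary word")
    if has_sequence(pw):
        problems.append("repeated or sequential characters")
    if any(tok in low for tok in personal_tokens(first, last, born)):
        problems.append("built from personal data")
    return problems


if __name__ == "__main__":
    for candidate in ("vp31121999", "qwerty123", "12345678", "Gr4nite#Lamp9"):
        print(candidate, "->", check_password(candidate, *VASYA) or "OK")
```

The page's own "vp31121999" fails on two counts (no upper case, and both the year and the full birth date are visible in it), which is exactly what the social engineering approach exploits.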

Conclusion

Passwords have been used since the early days of their creation to the present day. They successfully help us protect information from unauthorized access.


