Authentication

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
8 hours 20 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
00:00
>> Authentication: The learning objectives for
00:00
this lesson are to describe
00:00
credential management and password systems,
00:00
and to explore a federated trust methods.
00:00
Let's get started. Password policies.
00:00
We've all dealt with passwords and where we're
00:00
told we have to use complex passwords.
00:00
This is how those complex passwords are described.
00:00
First we have password length: the
00:00
minimum or maximum number of characters.
00:00
Then password complexity: no use of username,
00:00
must contain upper and lower letters,
00:00
numbers, and characters.
00:00
Password aging: select a new password after a set time.
00:00
Password reuse and history:
00:00
you may not use the same password,
00:00
and then we also determine how
00:00
many of those old passwords are blocked.
00:00
Character classes: we have 94 possible characters,
00:00
26 upper, 26 lower,
00:00
10 numbers, and then 33
00:00
special characters or punctuation.
00:00
Finally, auditing: this ensures that
00:00
passwords comply with our policies.
00:00
Also, it's important to know that we do not
00:00
want to store our passwords using reversible encryption.
00:00
This is when passwords are stored in
00:00
a way that can be decrypted.
00:00
This is a massive security risk
00:00
and they should never be used.
00:00
This is why strong passwords are necessary.
00:00
This chart gives us
00:00
the estimate of how long it would take to
00:00
crack a password given certain circumstances.
00:00
On the left, we have the number of characters from 4-18.
00:00
Then going across the top of the right,
00:00
we have numbers only lowercase letters,
00:00
upper and lowercase letters, numbers,
00:00
upper and lowercase letters,
00:00
and then finally, numbers,
00:00
upper and lowercase letters and symbols.
00:00
You can see why it's very important to use
00:00
longer passwords that contain everything from numbers,
00:00
upper and lower, and punctuation.
00:00
Some of these can be cracked so quickly that
00:00
even a long password that is say
00:00
15 characters long that's only numbers,
00:00
or 10 characters with
00:00
lowercase n numbers is only 58 minutes.
00:00
It's very important to oppress
00:00
upon users that they need to use
00:00
longer passwords with all
00:00
of the possibilities that they could use: upper,
00:00
lower, numbers, and special characters.
00:00
Instructor's side note: NIST special publication,
00:00
800.63b, has changed some of
00:00
the passwords sacred cows that have
00:00
been used for a very long time.
00:00
For example, password changes and password complexity.
00:00
What NIST is now saying is
00:00
that strong method for making passwords that
00:00
users can easily remember is to
00:00
take three or four random words and put them together.
00:00
For example, horse, stove, and strawberry.
00:00
This is 20 characters long.
00:00
If we add some capitalization, a number,
00:00
and a character, we can make
00:00
this password nearly uncrackable.
00:00
In fact, according to security.org,
00:00
this password would require
00:00
200 sextillion years to crack.
00:00
The reason NIST did this is they
00:00
determined that if a strong password was
00:00
chosen upfront that met these type of guidelines,
00:00
it doesn't need to be changed often,
00:00
and it doesn't have to be super complex.
00:00
For example, the password here,
00:00
horsestove@strawberry by adding just a few changes to it,
00:00
is very resistant to cracking.
00:00
Privileged access management: This
00:00
protects against credential theft
00:00
and then also credential misuse.
00:00
People, processes,
00:00
and technology to secure, control, monitor,
00:00
and audit identities used by people, services and apps.
00:00
It also stores credentials in a secure vault
00:00
that requires additional authentication to be used.
00:00
Some examples of this would be CyberArk,
00:00
Beyond Trust, and Centrify.
00:00
Federated trust models: Federation;
00:00
it's trusting accounts made
00:00
and use by another organization.
00:00
This allows these organizations
00:00
to connect across each other.
00:00
Example is using your Google ID
00:00
to login to other websites.
00:00
OpenID allows for a single ID to be used by
00:00
anyone in the participating OpenID network websites.
00:00
OpenID has authentication to OAuth 2.0.
00:00
Security Assertion Markup Language,
00:00
or SAML: This is
00:00
a protocol for cloud and network federation.
00:00
Attestations or authorizations are written in XML.
00:00
Communications are performed over HTTP/HTTPS,
00:00
and simple object access protocols or SOAP.
00:00
Secure tokens are signed
00:00
using XML signatures specifications.
00:00
Examples of this would be Amazon AWS,
00:00
the customers can access apps,
00:00
and resources on the AWS
00:00
without the need to create AWS accounts.
00:00
Federated trust models: Shibboleth based on SAML,
00:00
often used by universities
00:00
and public service organizations.
00:00
The user contacts the Shibboleth site via SAML.
00:00
The site redirects to
00:00
an identity provider
00:00
that verifies using SAML information.
00:00
The identity provider responds to
00:00
the site with authentication information,
00:00
and then the site validates and gives
00:00
access based on the user SAML information.
00:00
Transitive trust: If resource A,
00:00
trust resource B,
00:00
and B trust C,
00:00
than A trust C.
00:00
A good example of this in action is Active Directory.
00:00
Security Assertion Markup Language or SAML
00:00
: We first start with user accesses Salesforce,
00:00
and then Salesforce redirects
00:00
itself to Amazon for authentication.
00:00
Amazon authenticates the user
00:00
and allows the user to access Salesforce.
00:00
This is a simplified breakdown of how SAML works.
00:00
Let's summarize what we went over in this video.
00:00
We discussed credential management.
00:00
We explained the importance of
00:00
strong passwords and password policies,
00:00
and we discussed the various types
00:00
of federated trust models.
00:00
Let's do some example questions.
00:00
Question 1: This
00:00
describes storing passwords in
00:00
a way that passwords can be decrypted.
00:00
Reversible encryption.
00:00
Question 2: Blank is based on SAML,
00:00
and is often used by
00:00
universities and public service organizations.
00:00
Shibboleth. Question 3:
00:00
Blank is designed to
00:00
protect against credential theft and misuse.
00:00
Privileged Access Management.
00:00
Question 4: which federated trust method allows users
00:00
to have a single account for
00:00
all sides participating in the same system?
00:00
OpenID. I hope this video
00:00
was useful to you, and I will see you in the next one.
Up Next