A basic security requirement when attempting to ensure the security of a computer system is the user password.
There are several aspects of password security that can be used to make unauthorised access to a user account more difficult.
On a Windows based system, these settings are available under Administrative Tools, in Local Security Policy, under Account Policies, Password Policy.
Minimum Length of the Password
The length of a password is important in making it more difficult to guess or to brute force.
If the password is too short then it is easy to crack; however, if it is too long or has too many complexity requirements attached to it then it becomes more difficult for the user to remember.
Therefore, the system administrator should enforce a minimum password length but allow the user to choose a password longer than that minimum, so that they can use a memorable phrase and be able to remember the password.
Password History
The password history setting allows an administrator to ensure that the user does not reuse a password that they have used previously. This ensures that a potentially compromised password is not reused and that a predetermined number of different passwords must be used before a previously used password can be used again.
The Amount of Time Between Password Changes
The administrator is also able to set the minimum and maximum amount of time for which a password can be retained before it can, or must, be changed.
If the minimum password age is too short then a user could request enough changes in succession to cycle through the password history setting and then return to their original password.
If the maximum password age is too long then the password is more likely to become compromised during its lifetime.
Account Lockout
Account Lockout takes place when a predetermined number of incorrect attempts are made to access an account, that is, when the bad logon counter reaches a set threshold.
Once Account Lockout is activated no further logon attempts are allowed, and this prevents an intruder from making repeated attempts to guess a password.
Windows provides three settings to control the lockout of an account: Account Lockout Threshold, the number of failed logon attempts that triggers the lockout; Account Lockout Duration, the amount of time a lockout remains in place before a further attempt is allowed; and Reset Account Lockout Counter After, the amount of time that must pass before the bad logon counter resets to 0.
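To check the password and lockout settings described above on a local machine, here is an added PowerShell example (not from the original article) that exports the Local Security Policy with secedit, reads the password and lockout values from the [System Access] section, and compares them with a baseline. The baseline numbers are assumptions chosen for illustration, not values recommended by the article.

```powershell
# Added example: audit the local Password Policy and Account Lockout Policy
# settings against a baseline. Run from an elevated PowerShell prompt,
# because secedit exports the Local Security Policy database.
# The baseline values below are assumptions for illustration only.
$Baseline = [ordered]@{
    MinimumPasswordLength = 12   # Minimum password length (characters)
    PasswordHistorySize   = 24   # Enforce password history (passwords remembered)
    MinimumPasswordAge    = 1    # Minimum password age (days); stops cycling the history
    MaximumPasswordAge    = 90   # Maximum password age (days)
    LockoutBadCount       = 5    # Account Lockout Threshold (failed attempts)
    LockoutDuration       = 30   # Account Lockout Duration (minutes)
    ResetLockoutCount     = 30   # Reset Account Lockout Counter After (minutes)
}

# Export the current policy to a temporary .inf file and read "Name = number" lines.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$Current = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $Current[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Compare each setting. In the export, -1 means "unlimited": a password that
# never expires, or an account locked until an administrator unlocks it.
# The duration and reset values are absent when the lockout threshold is 0.
$Report = foreach ($name in $Baseline.Keys) {
    $value = $Current[$name]
    if ($null -eq $value) {
        $ok = $false
    } else {
        $ok = switch ($name) {
            'MaximumPasswordAge' { ($value -gt 0) -and ($value -le $Baseline[$name]) }
            'LockoutDuration'    { ($value -eq -1) -or ($value -ge $Baseline[$name]) }
            default              { $value -ge $Baseline[$name] }
        }
    }
    $shown = if ($null -eq $value) { 'not set' } else { $value }
    [pscustomobject]@{
        Setting   = $name
        Current   = $shown
        Baseline  = $Baseline[$name]
        Compliant = $ok
    }
}
$Report | Format-Table -AutoSize
```

Any row reported as not compliant corresponds to one of the Password Policy or Account Lockout Policy entries in Local Security Policy and can be corrected there.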
Account Lockout is also seen on other devices such as an iPhone or iPad.
On an iPhone the number of passcode attempts permitted to access a device can vary; however, an incorrect code can be entered up to 4 times with no effect on the operation of the device.
When an incorrect passcode is entered a 5th time, the device displays a message on the screen stating that it is disabled for 1 minute.
When an incorrect passcode is entered on the sixth occasion, the device displays a message stating that it is disabled for 5 minutes; this rises to 15 minutes on the seventh occasion and an hour on the eighth and ninth, and the device is completely disabled when the tenth incorrect code is attempted.
A message stating that the device has been disabled, and the length of time before it is re-enabled, is displayed on the screen after each incorrect passcode entered between the 5th and 9th attempts.
When 10 incorrect passcodes have been entered, the device either permanently disables itself, requiring that it is connected to a computer and restored from a backup, or, if the user has altered the settings, erases all data present.
Enforce Security through Password Group Policies
A Group Policy Object is a set of rules that provides the administrator with control over the processes for restricting access to files and folders on the network. A Group Policy Object can also provide the administrator with the ability to enforce password controls within Active Directory.
About Athena Forensics
For information on our digital forensic services, or if you require any advice or assistance, please contact a member of our team on 0330 123 4448 or via email at enquiries@athenaforensics.co.uk. Further details are available on our contact us page.
Our clients' confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensic investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.