Password Cracking
Lesson type | Demonstration |
Minimum time | 10 |
Maximum time | 20 |
Optionality | Required |
Position | 2/1 |
Type | Lesson |
Section of | Password management |
Lang | En |
- Last modified: 4 November 2013 20:34:17
Introduction
A password is usually the first, and often the last, line of defense for information systems. During this lesson, participants need to be convinced that it is neither reasonable nor secure to have a weak password protecting important information, nor is it a good idea to have one strong password protecting all of the user's different accounts.
Password Insecurity
Discuss password profiling, social engineering attacks, and the installation of keyloggers via email or drive-by downloads.
Demonstrate how a password cracker works. Demonstrate Windows password crackers such as Ophcrack, as well as Advanced Office Password Recovery and the winlockpwn attack over a FireWire cable.
Install Cain on a local machine and demonstrate the extraction of that machine's local passwords.
Ask one of the participants to prepare a Word document with an easy password, and crack it using, for example, Advanced Office Password Recovery.
Ask the participants to test the security of their favourite password at http://www.cryptool-online.org/index.php?option=com_cto&view=tool&Itemid=159&lang=en
Goal
Explain the principles of brute force and the need for password complexity.
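The arithmetic behind this goal, as an added example that is not part of the original lesson plan: it bounds the number of guesses an exhaustive search needs for a given password and shows that a wordlist hit makes length and character classes irrelevant. The guess rate, the sample wordlist and all function names are assumptions constructed for illustration.

```python
import string

# Assumed offline guess rate, chosen only for illustration.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

# Constructed sample of commonly chosen passwords (not a real wordlist).
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1"]

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def alphabet_size(password):
    """Smallest class-based alphabet that covers every character used."""
    size = sum(len(cls) for cls in CHAR_CLASSES
               if any(ch in cls for ch in password))
    # Characters outside the four ASCII classes are counted individually.
    others = {ch for ch in password
              if not any(ch in cls for cls in CHAR_CLASSES)}
    return size + len(others)


def brute_force_keyspace(password):
    """Candidates of length 1..len(password) an exhaustive search must cover."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def worst_case_guesses(password, wordlist=SAMPLE_WORDLIST):
    """A wordlist hit caps the cost at the list size, whatever the length."""
    if password in wordlist:
        return len(wordlist)
    return brute_force_keyspace(password)


def worst_case_time(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Human-readable upper bound on exhaustive search time at `rate`."""
    seconds = worst_case_guesses(password) / rate
    for unit, span in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.6f} seconds"


if __name__ == "__main__":
    for pw in ("abcd", "password", "Tr4in!ng", "correct horse battery"):
        print(f"{pw!r:26} alphabet={alphabet_size(pw):3} "
              f"guesses<={worst_case_guesses(pw):.3e} "
              f"time<={worst_case_time(pw)}")
```

A four-character lowercase password is exhausted in well under a second at the assumed rate, while each added character multiplies the search space by the alphabet size.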
Trainer's notes
You'll need to prepare in advance for password cracking and make sure you've tested your software. You'll need rainbow tables for Ophcrack. The trial version of AOPR can only crack 4-character passwords.