Security Operations: Examining Password Security Flashcards
(6 cards)
How can you edit password complexity locally?
Local Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc): Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy (minimum length, complexity, history, maximum age). On a domain-joined machine the domain GPO overrides these local settings.
What is the best way to avoid password attacks?
Do not rely on predictable character substitutions such as P@ss or P@ssw0rd; cracking tools apply exactly these substitutions as rules. Use long, unique passwords or passphrases (ideally generated and stored by a password manager) and add a second factor.
How can you keep up with and manage passwords?
Password manager (a vault that generates and stores unique passwords) and Windows Credential Manager
What are the additional considerations?
Zero Trust (always verify, always assume breach)
Passwordless authentication (factors that are not knowledge-based secrets, e.g. possession or biometrics)
MFA
HOTPs and TOTPs (HMAC-based and time-based one-time passwords, RFC 4226 and RFC 6238)
Fast Identity Online (FIDO) (UAF, FIDO2)
What are example use cases of HOTP and TOTP?
Example Use Cases
HOTP:
Hardware tokens: physical devices that generate an OTP when a button is pressed; each press increments the counter, so the server must tolerate a small look-ahead window for presses that were never submitted.
Transaction authentication: each transaction is tied to one counter value, so a captured OTP cannot be replayed for another transaction.
TOTP:
Mobile authenticator apps: Google Authenticator, Authy and similar apps derive the OTP from the shared secret and the current 30-second time step, so the phone's clock must roughly agree with the server's.
Web services: online platforms that offer a second factor typically use TOTP; the QR code shown at enrolment carries the shared secret.
What is FIDO UAF/FIDO2?
An authentication standard that replaces the shared secret (a password sent to the server) with public-key cryptography. At registration the authenticator creates a key pair for that site and sends only the public key to the server; the private key never leaves the device.
At login the server sends a random challenge; the user unlocks the authenticator (finger scan, face scan, PIN or pattern) and the device signs the challenge together with the site's identifier and origin; the server verifies the signature with the stored public key.
Because the signature is bound to the genuine origin and each challenge is single-use, a phishing site or man-in-the-middle cannot reuse it, and there is no password to steal from the server.
https://www.youtube.com/watch?v=k55tRpnI-6o
YubiKeys (USB/NFC hardware tokens) are a common roaming authenticator. UAF is the older passwordless specification; FIDO2 (WebAuthn in the browser plus CTAP to the token) is the current one.
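The challenge-response flow described on this card, as an added example rather than code from the flashcards or from the FIDO specifications: a Go model with an authenticator holding a per-site P-256 key and a relying party that verifies signatures over its own rpID, its own origin and a one-time challenge. The type and function names (Authenticator, RelyingParty, signedData) and the simplified signed-data layout are assumptions for illustration; real WebAuthn signs authenticatorData concatenated with SHA-256 of clientDataJSON, and the browser, not the page, fixes rpID and origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models a FIDO2 authenticator (a YubiKey, or a platform
// authenticator unlocked by fingerprint/face/PIN). It keeps one key pair per
// relying party; the private key never leaves this struct.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // keyed by relying-party ID, e.g. "example.com"
}

// Register creates a fresh P-256 key pair bound to rpID and returns only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData is a simplified stand-in for WebAuthn's
// authenticatorData || SHA-256(clientDataJSON): it binds the signature to the
// relying-party ID, the origin the browser observed, and the server's challenge.
func signedData(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256([]byte(origin + "|" + hex.EncodeToString(challenge)))
	msg := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return msg[:]
}

// Assert answers a login challenge. A site with no registered key gets an
// error; the key for "example.com" is never exercised for a look-alike rpID.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, origin, challenge))
}

// RelyingParty is the server: it stores public keys, hands out random
// one-time challenges and verifies assertions against the challenge it issued.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin,
		pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) AddCredential(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues 32 random bytes; a valid assertion must sign exactly these.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// Verify checks the signature over the server's own rpID and origin. A
// signature produced for another origin, or a replayed one, fails here.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	challenge, ok := rp.challenges[user]
	pub, hasKey := rp.pubKeys[user]
	if !ok || !hasKey {
		return false
	}
	delete(rp.challenges, user) // challenges are single-use
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, rp.Origin, challenge), sig)
}

func main() {
	auth := &Authenticator{}
	rp := NewRelyingParty("example.com", "https://example.com")
	pub, _ := auth.Register(rp.ID)
	rp.AddCredential("alice", pub)

	sig, _ := auth.Assert(rp.ID, rp.Origin, rp.Challenge("alice"))
	fmt.Println("genuine login:", rp.Verify("alice", sig))
	fmt.Println("replayed assertion:", rp.Verify("alice", sig))

	// Phishing relay: the attacker forwards the real challenge, but the browser
	// reports the attacker's origin, so the genuine server rejects the signature.
	sig, _ = auth.Assert(rp.ID, "https://example.com.evil.net", rp.Challenge("alice"))
	fmt.Println("relayed from look-alike origin:", rp.Verify("alice", sig))
}
```

The two rejections in main are the properties the card claims: the challenge is consumed on first use (no replay), and the origin is part of what is signed (no phishing relay), neither of which a password or a relayed OTP can offer.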