How to make essay writing easy
Drug Research Paper Topics
Thursday, September 3, 2020
Choosing a Secondary Storage Essay
Introduction
These days, data is the backbone of the modern organization. The integrity, availability and protection of data are essential to a business's productivity and success, which is why storage solutions remain a priority in IT budgets. G&J Consultation Sdn Bhd is currently facing a storage problem. Bottlenecks in their storage system's performance are seriously affecting their business productivity. The slow primary storage performance and maintenance problems were slowing down the company's response to client requests, which affected overall business productivity. In addition, their backup solution was finding it hard to protect data effectively within an ever-shrinking backup window. Hence G&J Consultation Sdn Bhd now needs to look for a secondary storage which can solve all of these problems. They require storage that can improve storage response time, guarantee disaster recovery, implement a superior solution and, most importantly, guarantee better access to client data and protect more than 100TB of data without adding substantial cost and complex management. The age of data and information clearly shows that there is a rising demand for more storage. There are a number of options available in the market. The most prevalent are direct attached storage (DAS), network attached storage (NAS) and storage area network (SAN). No single one is best for everybody. It is critical to focus on the particular needs and business objectives of the organization. Thus, there are several factors to consider, which include capacity, performance, reliability, data protection and budget concerns. We will examine these in more detail later.
Many people will argue that SAN is more powerful than NAS, but for G&J Consultation Sdn Bhd, I recommend that Network Attached Storage (NAS) would be the most suitable storage solution to address their storage problems. The factors that influence the choice of a secondary storage will be discussed in the next section. NAS is a data storage system with specific hardware and software attached to a network. NAS products are dedicated file storage servers, consolidated to serve as all-in-one servers for data-based applications. The purpose of a NAS is to provide storage and access to data. Picture 1.1 shows network-attached storage.
2.0 Factors affecting the choice of a secondary storage
A storage solution can be defined as hardware whose main function is to store and share data or information. There are many types of storage with a wide range of capacities. Storage for business is typically in the form of servers. To pick the right storage for your business, there are several factors that should be considered, which include reliability, capacity and scalability, and budget concerns.
Capacity
The first factor that needs to be considered when choosing storage is its capacity. It is important to be clear about the size and scope of the data you need to store and what capacity is required to store it. The firm should choose storage that is appropriate for the organization's purpose and functions. The firm should also consider the types of data to store and the frequency of access to the data when choosing storage. NAS systems can provide many terabytes of storage in high density. G&J Consultation Sdn Bhd is a consulting firm which offers services in finance and business strategy to leading law firms and government agencies.
They have a lot of data that needs to be stored and shared with clients, some of which may be sensitive. Therefore it is suggested that they should choose file-level storage. A NAS device is a single storage unit best suited for file-level storage, connected directly to a network. NAS is typically configured specifically for file sharing.
Performance and Speed
Different storage will have different rates of return for data. If the stored data is used monthly, you do not need the fastest storage; if the stored data will be used frequently, it is better to choose high-performance storage. Knowing this can help you save on cost. A business will typically look for better file access speed. G&J Consultation may require high-performance storage since they provide consulting services to clients; the stored data may be used frequently and they need to respond to clients quickly. Transfer speed over the network is the primary indicator for a NAS since it uses file-level protocols when uploading or downloading large files. NAS can provide performance benefits. For instance, NAS can take over the work of serving email data, freeing resources on the email server for email-specific processes.
Scalability
Scalability is important in terms of both computing power and storage capacity. Performance and capacity should scale independently of each other. Scalability is important because the capacity of the storage will need to be expanded in future to cope with increased use. NAS is the storage proposed for G&J Consultation Sdn Bhd because it is easy to set up and easy to use; even non-IT staff can manage the NAS.
Reliability
Reliability of storage is also one of the important factors and should be a concern. Reliability is important because loss of data and downtime can lead to loss of revenue and threaten the survival of the business. In today's world, most people demand a highly reliable, shared storage device that is accessible to many network devices. NAS is the newer form of storage after DAS (direct attached storage); it uses the highest-performing drives with premium parts able to withstand extreme conditions. NAS is suitable for G&J Consultation Sdn Bhd since it produces the most reliable and best data storage solution. NAS is as reliable as a normal server. From a functional storage standpoint, the concepts are similar. Both of them can act as a server. Even lower-end NAS systems have high reliability features, for example RAID and hot-swappable drives and parts.
Cost or budget concern
Cost is generally the main concern of an organization when buying a particular product or service. Cost here means not only the equipment cost but the management and maintenance cost too. Management and maintenance cost here means the cost to maintain the storage, the cost to hire IT specialists to provide training on how to use the storage, and so on. G&J Consultation Sdn Bhd is having a storage problem and they need to buy suitable storage which can help them solve the problem they are facing right now without adding substantial cost to their business. Here, it is proposed to the firm that network attached storage (NAS) would be a suitable storage solution which is less expensive compared with others.
The management and maintenance cost is also lower because NAS is easy to set up and easy to use.
Security
The firm has a lot of data, some of which may be sensitive and related to legal matters, which must be stored and shared between clients; hence data protection should be one of the factors taken into consideration as well. NAS provides data protection benefits in its data protection design and provides redundant storage for sensitive data. Each NAS machine includes user security to allow or restrict file access based on usernames and passwords.
Management
Management here refers to the administrator who is responsible for the storage solution. He should be aware of the challenges that may arise for the solution and consider what monitoring tools are available to monitor performance and alert on potential failures. The storage should not be too complex to manage, in order to save on management and maintenance cost.
3.0 Advantages of seeking a higher performing storage
Secondary storage devices for computers are not just for storing files; they also allow computer users to expand their ability to move large amounts of data from one computer to another. For G&J Consultation Sdn Bhd, as I mentioned earlier, the most suitable storage suggested is Network Attached Storage (NAS). There are several advantages of seeking the higher performing storage suggested here.
Mass Storage
The capacity of secondary storage is very high, which allows us to store a lot of data. We can store data in secondary storage at the gigabyte and terabyte scale. As a result, we can back up all data easily and need not worry about losing data.
Typically an organization will have a lot of data that must be stored to support business operations. For this, primary storage would not be able to do it. NAS provides efficient sharing of large individual files among individual users. NAS can store and manage data up to the terabyte level. In addition, NAS allows us to add more storage without shutting down the network.
Reliability and Security
Storing data in secondary storage is considered safe. Data can be stored in the secondary storage, which is the NAS, in permanent form. Hence the firm need not worry about loss of data or absence of data even many years later. NAS provides data protection benefits, so it is safe to store sensitive data. This is one of the advantages of choosing NAS, because G&J Consultation Sdn Bhd handles highly sensitive data. Data stored on the live database server will be stored to the NAS at the same time, so that the data will still exist even if the database server suffers a physical failure.
Performance
The computer can have better performance by adding secondary storage. This can help users increase the speed of storing data, accessing data or moving data, which indirectly increases the productivity of the firm. With secondary storage, the organization's computers can work fully effectively. Perfor
Wednesday, August 26, 2020
Attributes of the employees
Characteristics of the workers
Workers are the most basic part of an organization, as they give their abilities to an organization's activities and they are the ones who can drive organizational performance. For these reasons, employers need to recruit people having the best attributes. In the following I have selected the attributes of workers valued by employers from various websites; various books also address similar traits.
1. Communication Skills: By far, the one skill mentioned most often by employers is the ability to listen, write, and speak effectively. Effective communication is essential in business. It saves time, limits mistakes and reduces conflicts.
2. Analytical, Research Skills: Deals with the ability to assess a situation, seek multiple perspectives, gather more information if necessary, and identify key issues that need to be addressed.
3. Computer, Technical Literacy: Practically all jobs now require some basic understanding of computer hardware and software, especially word processing, spreadsheets, printers, telephone and email.
4. Flexibility, Adaptability, Managing Multiple Priorities: Deals with the ability to manage multiple assignments and tasks, set priorities, and adapt to changing conditions and work assignments.
5. Interpersonal Abilities: The ability to relate to co-workers, inspire others to participate, and mitigate conflict with colleagues is essential given the amount of time spent at work every day.
6. Leadership, Management Skills: While there is some debate about whether leadership is something people are born with, these skills deal with the ability to take charge and manage co-workers.
7. Multicultural Sensitivity, Awareness: There is possibly no bigger issue in the workplace than diversity, and job seekers must demonstrate a sensitivity and awareness to other people and cultures.
8. Planning, Organizing: Deals with the ability to design, plan, organize, and execute projects and tasks within an allotted time frame. Also involves goal setting.
9. Problem-Solving, Reasoning, Creativity: Involves the ability to find solutions to problems using creativity, reasoning, and past experiences along with the available information and resources.
10. Teamwork: Since so many jobs involve working in one or more work groups, an employee must be able to work with others in a professional manner while striving to achieve a common goal.
11. Personal Values Employers Seek in Employees: Of equal importance to skills are the values, personality traits, and personal characteristics that employers seek.
12. Honesty, Integrity, Morality: Employers probably respect personal integrity more than any other value, especially in light of the many recent corporate scandals.
13. Dedication, Hard-Working, Work Ethic, Tenacity: Employers seek job seekers who love what they do and will keep at it until they solve the problem and get the job done.
14. Dependability, Reliability, Responsibility: There is no question that all employers want employees who will show up to work every day on time and ready to work, and who will take responsibility for their actions.
15. Loyalty: Employers want employees who will have a strong devotion to the company, even at times when the company is not necessarily loyal to its employees.
16. Positive Attitude, Motivation, Energy, Passion: The job seekers who get hired and the employees who get promoted are the ones with drive and passion, and who show this enthusiasm through their words and actions.
17. Professionalism: Deals with acting in a responsible and fair manner in all of your personal and work activities, which is seen as a sign of maturity and self-confidence; avoid being petty.
18. Self-Confidence: Look at it this way: if you do not believe in yourself, in your unique mix of skills, education, and abilities, why should a prospective employer? Be confident in yourself and what you can offer employers.
19. Self-Motivated, Ability to Work With Little or No Supervision: While teamwork is always mentioned as an important skill, so is the ability to work independently, with minimal supervision.
20. Willingness to Learn: No matter what your age, no matter how much experience you have, you should always be willing to learn a new skill or technique. Jobs are constantly changing and evolving, and you must show an openness to grow and learn with that change.
Various people have expressed various qualities of employees, such as be on time, be pleasant and helpful, follow company standards, go the extra mile, commitment and attitude, and so on; however, more or less all of those attributes are covered in this document.
Saturday, August 22, 2020
New Gillette Razor Pricing For Asian Market Essay
Gillette Research and Development has built a new sterile razor product, and Gillette Information Management intends to provide decision support for the purpose of pricing the new product. Here, we research the market for shaving products with respect to this undertaking. Gillette Information Management has gathered 90 relevant observations. With that data, we produced basic descriptive statistics and histograms about price by gender, number of cartridge blades, and country of purchase. We apply the mean and median to describe the central tendency of the data and the standard deviation to describe the variability of the data (Table 1). The coefficient of variation compares variability across the sample (Table 1). The data is within the range of a normal distribution because kurtosis and skewness are both between 2.0 and -2.0 (Table 1). Female razors comprised over 70% of the sample. They are an average of .36 more expensive than the whole sample. The coefficient of variation, skewness and kurtosis were all comparable to the sample at large (Table 2). Male razors are an average of .90 less expensive than the whole sample. Skewness and kurtosis were all comparable to the sample at large, but the coefficient of variation was more than 20 percentage points lower (Table 3). A histogram of the data reveals a unique pattern in the data where there are fewer bins than for the female product prices and the output. Each bin appears to have a distinct frequency, and the base is .80 lower than the output's (Figure 3). Our method is the use of descriptive statistics and histograms to address the specific question that will help us in determining the price. We note the data set is completely left-skewed. The majority of the products are targeted at women, so our packaging should target that segment.
The results are limited in view of the high coefficient of variation of the output.
The Types of Features Used in Different Television Shows
The Types of Features Used in Different Television Shows
Introduction
Television stations present different types of shows ranging from talk shows, comedies, drama series, movies, news and documentaries. TV stations play a significant role in shaping public opinion (Barnlund, 2008). To effectively capture the targeted viewers, several factors must be considered by the TV stations. Some of the factors considered by TV stations before setting up shows include when the shows will be aired. Different times attract different types of viewers. Other factors that TV stations consider include the arrangement of the studios or show rooms, the characters that will participate in the shows and the types of language to be used in the shows. The purpose of this study is to generally analyze the types of features used in different television shows. The study will also highlight the importance of the physical set-up of a show room with regard to the image the show wants to portray to its audience. The study will also examine the use of language in different television shows.
Comparing the Power Breakfast Show with Tyra Banks' Show
Power Breakfast is a talk show. It is hosted by a local national TV channel. It is broadcast live every morning from Monday to Friday, starting from 6.00 a.m. to 6.00 p.m. It is hosted by two presenters. The dress code of the presenters is formal. The background color of the show room is dark orange, with a light orange shade effect on the two corners of each wall. These color combinations achieve warm and smooth effects in the show room.
On one of the walls is the show's logo, which is a cup of hot coffee set on a saucer with a spoon alongside it. Next to the logo are several decorations consisting of three stripes of different colors: light yellow, dark red and brown. The said colors are well blended to form a lovely background for the tea mug. Other physical items found in the showroom are two brown executive leather sofa sets and a coffee table made of glass placed in front of the two seats. The room is well lit with small executive wall bulbs. The whole floor is covered with a fine brown carpet. The show begins with a review of the two most read daily papers in the country. The presenters generally conduct in-depth analyses of the major headlines of the papers. After the review, the viewers are invited to participate in an interactive session whose major topic is typically a key issue highlighted by either of the papers under review. The viewers are asked to respond to the topic by offering their comments and opinions by sending text messages through their mobile phones. Selected comments and opinions of some of the viewers are read out to the general viewers towards the end of the show. The next part of the show is an interview between the presenters and guests, who are usually politicians. With the anticipated presidential elections, the agenda of the arranged shows is usually about the presidential elections. Being a morning show, the interior decorations are appropriate for the show. The show's logo says it all. The colors are welcoming and inviting to the viewers. The furniture too is ideal for a morning show, as it sets a mood of relaxation. This is quite ideal for the invited guests.
This creates a comfortable and favorable environment for the show. The presenters are lively. They formally welcome the guests to the show with warm handshakes. The presenters offer short introductory remarks about the guests and the subject of the show. The presenters set the direction of the show by posing relevant questions to the guests in a systematic manner. The guests thank the hosts for the invitation to the program. The guests answer each of the questions posed. At the end of the show, the presenters thank both the viewers and the guests for participating. The guests give some closing remarks and thank the viewers and the hosts. On the other hand, Tyra Banks' Show is a national television show that interviews public figures, celebrities and models. The aim of the show is to bring into the spotlight the lifestyles of newsmakers. The host is dressed in smart casual wear. The show has an audience seated on one side of the room, and on the other side is the show's host. There is attractive-looking furniture for the host and for the invited guest. The walls are covered with appealing colors. The floor is fitted with attractive floor tiles that seem to blend well with the wall colors. The audience is excited. The host welcomes the guest with a warm handshake as well as with a hug. As the guest walks into the show room, the audience applauds him. After waving to the audience for a short time, he is invited to sit down and is offered a drink. The talk show begins with the host welcoming the guest. The guest is then asked to introduce himself to the audience and the viewers by giving them a short history of his life. The interview proceeds with the presenter directing the pace of the show.
At some point, the audience is allowed to ask the guest a few questions. This is the tricky part of the show, for the presenter needs to intervene in some of the questions posed. At the end of the show, the presenter thanks the guest, the audience and the viewers. The guest is invited to offer some closing remarks. The show ends with the excited audience applauding the host and the guest. The host and the guest are seen leaving the show room as they wave to the audience. A section of the audience is seen taking photos of both the host and the guest. From the two TV programs, we can find that the decorations are quite appropriate for each of the shows. The dress code for the presenters in the two shows is quite ideal with regard to the targeted viewers.
Comparing the living rooms of two families in the Shriek comedy series
Shriek is one of the local children's comedy series, broadcast every Thursday evening. Dylan and Ryan are characters in the Shriek comedy series and come from less affluent families. They live in a ghetto in Harlem. Walter and Joy are also characters in the Shriek comedy series. They come from wealthy families and live in a well-off suburb situated near the ghetto in which Dylan and Ryan live. All these characters are children. They are friends too. The show examines the lives of the children from the four families. In one of the scenes, the children from the wealthy families are seen taking a lavish breakfast while the school buses are hooting at their gates, waiting for them at their respective residences. In a contrasting scene, the children from the less affluent families are seen complaining that small slices of bread are insufficient for their breakfast.
Shortly after, Dylan and Ryan are seen walking to school in torn shoes. The living rooms of the less prosperous families are multipurpose. The rooms are used for cooking and relaxing and also serve as bedrooms. The seating areas have single, worn-out sofa sets and old wooden tables. On the other side of the picture are state-of-the-art living rooms with executive sofa sets, coffee tables, water dispensers and TVs. The furniture depicted in the two scenes seems to reflect very well the social and financial statuses of the four families.
Use of language in two TV programs: Cross Fire and Capital Talk
Cross Fire is a local TV program with five experts who analyze current political issues. The host presents the motion of the day. Being a debate, the debaters engage each other in heated discussions. The show is mostly characterized by the use of formal language. Capital Talk, on the other hand, is based on an interview between the host and the guest. The guest may be any person who has made some significant contribution of any form to society. Use of language is generally informal. The conversation is normally conducted in low tones, as heated exchanges of words are rare between the host and the guest. The mood of the show mostly does not change.
Reference
Barnlund, D. C. (2008). A transactional model of communication. In C. D. Mortensen (Ed.), Communication theory (2nd ed.). New Brunswick, NJ: Transaction.
Friday, August 21, 2020
To Kill a Mockingbird by Harper Lee :: To Kill a Mockingbird Essays
To Kill A Mockingbird By: Harper Lee
Synopsis
To Kill a Mockingbird opens with Dill staying with his Aunt for the summer. Dill becomes a good friend of the Finches: Jean-Louise, who is nicknamed Scout, and her brother, Jeremy Finch, who is nicknamed Jem. They live with their father, Atticus, who is a lawyer who had been given a case to handle and didn't have any choice but to take it and do his best for his client. The case was about an African American man, named Tom Robinson, who was accused of raping a white woman. The children begin to play together and are oblivious to the tension of their surroundings. Eventually they begin spending their time trying to get Boo Radley out of his house. None of the children have ever seen or even talked to the mysterious Boo Radley, yet they know he lives shut up in the house next to the Finches. Jem, Scout and Dill spend hours devising plans and schemes to coax Boo out of his house. By the end of summer the three children haven't even successfully had a glimpse of Boo. Dill leaves his Aunt's and goes home before school begins. Scout begins school and promptly gets into trouble since she already can read and write. During that year Scout and Jem begin finding gifts in a knot in one of the Radleys' trees. They keep finding gifts on their path home until one day the hole is filled with cement. Dill returns the following summer and the children keep trying to get Boo out of his house. One night the children sneak into the Radleys' yard. They nearly make it to the Radleys' window, but they are scared away after someone shoots at them. Jem loses his pants escaping; when he returns later that night he finds his pants mended and waiting for him. Once again, summer ends and Dill goes home. Late that fall Miss Maudie's house burns down during the night.
As a precaution the Finches stand outside watching the fire. Strangely, Scout wakes up the following morning wrapped in a blanket that is not hers. A short time before Christmas, Scout and Jem begin to get taunted that their father, Atticus, is a nigger-lover. Atticus pleads with the children not to fight over it. Scout manages to restrain herself until her cousin Francis says it. Scout hits her cousin and then leaves.
Thursday, August 13, 2020
Four things you should know about the FAFSA COLUMBIA UNIVERSITY - SIPA Admissions Blog
As graduate school deadlines continue to pass and come up, don't forget to continue planning on how to finance your degree. For applicants applying to the upcoming fall term who are U.S. citizens or permanent residents, don't forget to complete the 2020-21 FAFSA. Submitting the FAFSA is free. You do not have to pay to complete the FAFSA, and any website or service offering to do it for you is a scam. You can also complete the FAFSA using the MyStudentAid App. If you're a U.S. citizen or permanent resident and applying for a SIPA Scholarship, submit the FAFSA by the stated deadline on your admissions application. To ensure we receive your information, designate Columbia University: School of International and Public Affairs as the recipient by using our school code number: 002707. You should not put your parents' information when completing this FAFSA. In graduate school, students are considered independent when filing the FAFSA application. The information you submit should be your own. For Columbia SIPA, the FAFSA is required to determine eligibility for fellowships and federal aid. For graduate students, federal aid options come in the form of an Unsubsidized Loan, Federal Work Study, and Graduate PLUS Loan. You are not required to accept any federal loans offered. We encourage students to create a financing plan that covers the duration of the program, and to reach out to our Financial Aid team if you want guidance.
Sunday, June 21, 2020
Password management security system - Free Essay Example
Project Aim

Password management is an important aspect of computer security: it is the front line of protection for user terminals and by far the most common user authentication method within the largest multinational organizations. A poorly chosen password increases the probability that an information system will be compromised. As such, all employees of an organization are responsible for taking the appropriate steps to follow good password security policies. Does that happen in reality? No. That is why software password generators are used to handle password management problems, to enforce the password management policies the organization requires in order to comply with national standards, and to address the problem of selecting strong passwords. The aim of this project is therefore to analyze and test a standard password generator system and to propose a technique that helps people remember strong passwords easily.

Project Objectives

According to the above facts, the objectives that must be undertaken and thoroughly researched in this Bachelor project report are the following:

- Identify the importance of passwords, including the advantages and disadvantages of their daily use in home and corporate environments.
- Identify the weaknesses that arise from poorly chosen passwords and describe the modern attack techniques used against them; in addition, propose possible countermeasures to address and eliminate these attacks.
- Examine the characteristics of an effective password policy that can be applied in a corporate environment in order to establish and manage the appropriate defenses against the dangers posed by insecure password systems.
- Conduct a critical analysis of the different techniques used to help users remember strong passwords easily.
- Propose a mnemonic system based on users' favorite passphrases.
ÃÆ'ÃÅ" Analyze the operating principles of the Password Mnemonic System (PA.ME.SYS) and the processes that it enforces in order to produce safe passwords. ÃÆ'ÃÅ" Test this password generator system (PA.ME.SYS) for the strength of all passwords it generates. In order to achieve the above purposes of this project a series of logical steps were taken: In order to achieve the first and second objective of this project, a survey was conducted in the Internet, in books and in the Web application design 1 and Web application design 2 lecture notes. This survey was concerned with the importance of passwords in an organizations security framework, the reasons they are widely used in todays businesses and the catastrophic consequences posed by the exposure of insecure passwords to unauthorized people. Another survey in books and in the Internet was necessary to identify the weaknesses raised from these poorly chosen passwords, the attacks which are forced by modern attackers to gain unauthorized access to users passwords and the possible defense mechanisms used to address and eliminate such attacks. For the third objective of this report, a survey was conducted in the Internet and in books. The aim of this survey was to find and understand different password policies which can be applied in an organizations global security policy to establish and manage the defenses used to eliminate the dangerous posed by insecure passwords. A university password policy analyzed for the rules they apply in order to define the secure creation and storage of strong passwords. In addition the relationship between the users and the password policies was examined together with the risks that businesses face due to the implementation of inadequate password policies. For the fourth objective, which defines the added value of this project report, it was important to conduct a search on the Internet for different techniques used to help users to remember strong passwords easily. 
These techniques were analyzed for their operation and the disadvantages they have. For fifth objective, it was important to propose a mnemonic system which is based on users favorite passphrases. The proposal of this mnemonic system was based on the research we made of different mnemonic techniques described on the previous chapter. For the sixth and seventh objective which also defines the added value of this project report it was to analyze and test the proposed Password Mnemonic System (PA.ME.SYS). After the end of the survey a mnemonic system based on users favorite passphrases was developed and implemented. For the development analysis and design data flow diagrams were used to clearly show the processes and data that make up the system. For the implementation and testing visual basic language was used which shows in a graphical environment how this mnemonic system works 1. Introduction to Authentication and Something you know 1.1 Identification and Authentication Techniques Controlling access to system resources is an important aspect of computer security. Access control is about managing which users can access which files or services in an organizations computer system. All entities involved with receiving, accessing, altering or storing information in a computer system, are separated to active and passive ones. The term active entities is used to describe all subjects (users, processes, threads) that are accessing, receiving or altering information in a system. The term passive entities is used to describe all objects (files, database) that actually hold or store information accessed by subjects. Without having access control mechanisms it is not possible to protect the confidentiality, integrity and availability (CIA triad) of system resources.Ãâà Access control is used to force users to provide a valid username and password to gain access to a system resource. The two vital components of access control are the identification and authentication processes. 
In the identification process the user is required to present an identity to the computer system. The information provided by the user trying to log on could be a username, or simply the placing of his/her hand or face on a scanning device. This action triggers the start of the authentication, authorization and accountability processes. Today, authentication processes are usually classified according to the distinguishing characteristic they use. These characteristics are classified in terms of the three factors described in the following section. Each factor relies on a different kind of distinguishing characteristic used to authenticate people to a system.

1.2 Authentication Factors

In a typical system there are basically three ways for human users to authenticate themselves to a client such as a computer, a mobile phone, a network or an ATM machine. These three authentication factors are the following.

- Something you know: a password. The distinguishing characteristic is private information that only authorized people know. In modern computer systems this might be a password, a Personal Identification Number (PIN), a lock combination or a passphrase. It is the least costly and most popular factor, and can be employed easily in any modern system to authenticate authorized users within the organization. Passwords are simpler and cheaper than other, more secure forms of authentication, and they do not require spending large amounts of money on implementation in comparison with more modern security mechanisms. Additionally, users do not have to spend time and effort learning how to use them. Passwords are the only user-friendly way to identify a user to a network or computer system, and it is believed that they can provide the same level of strong security as a more modern security mechanism. However, the use of passwords as an authentication technique presents some disadvantages that are directly connected to the way users manage them. These disadvantages need to be taken into consideration: the need to create complex and strong passwords, the obligation to change passwords frequently, and the instructions and guidelines on how to keep passwords secret.

- Something you have: a token. The distinguishing characteristic is that authorized people own and present a specific item to be authenticated. This characteristic is embodied in a token device such as a magnetic card, a smart card, a memory card or a password calculator.

- Something you are: a biometric. The distinguishing characteristic is some physiological feature (static) that is always present in a person, or a certain behavior pattern (dynamic) that is unique to the person being authenticated, measured and recorded once in the enrollment process. When the same person requests access, the biometric identifier compares the characteristic currently provided by the user with the pattern previously collected from the original, authentic person. This characteristic could be a voice print, fingerprints, face shape, written signature, iris/retina pattern or hand geometry.

2. Attacks on Passwords

2.1 Introduction

Passwords are a very important aspect of computer security. They are the front line of protection for user terminals and by far the most common user authentication method within the largest multinational organizations. However, the use of passwords as an authentication technique increases the probability that an information system will be compromised, because passwords are directly connected to the way users create, remember, store and distribute them.
In fact, passwords are the weakest element in the security chain of an organization's network system and are susceptible to different types of attack. The next section presents the weaknesses of users' passwords and the modern attack techniques performed by malicious attackers to gain unauthorized access.

2.2 Attacks on Passwords

Easily Guessed Passwords: The first weakness lies in the composition of the password itself. Most attackers rely on the fact that most people do a bad job of creating passwords and keeping them secret. Most passwords that people select are based on the following:

- favorite football player and actor names;
- simple strings, such as passwords consisting of the same character repeated (e.g. 11111);
- job titles and nicknames;
- important numbers, such as insurance numbers, home addresses, telephone numbers, credit card numbers, driver's license numbers, birthdays or vehicle tags;
- favorite words found in dictionaries;
- children's, family or relatives' names.

The most common attack on passwords is the one in which malicious hackers exploit human nature and try to guess what passwords people select. In this case the hacker builds a list of all information related to the victim and makes login attempts, hoping to find the victim's password quickly.

Brute-force Attacks: In cryptography, a brute-force attack or exhaustive key search is the strategy that can in theory be used against any encrypted data by an attacker who is unable to take advantage of any weakness in the encryption system that would otherwise make the task easier. It involves systematically checking all possible keys until the correct key is found; in the worst case this means traversing the entire search space. The key length used in the encryption determines the practical feasibility of a brute-force attack, with longer keys exponentially more difficult to crack than shorter ones. A brute-force attack can be made less effective by obfuscating the data to be encoded, which makes it more difficult for an attacker to recognize when the code has been cracked. One measure of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it. When such an attack is mounted against user accounts and triggers the account lockout, a consequence is that users cannot use the network resources and must wait until the system administrator resets or unlocks the account. It is obvious that this kind of attack causes confusion and long delays to users' critical job tasks.

Dictionary Attacks: In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities (Shape 1.1).

Shape 1.1: Dictionary attack

A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary. In contrast with a brute-force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary (hence the phrase "dictionary attack") or a bible. Generally, dictionary attacks succeed because many people tend to choose passwords which are short (7 characters or fewer), single words found in dictionaries, or simple, easily predicted variations on words, such as appending a digit.

Social Engineering Attacks: Another weakness lies in the fact that people are not capable of remembering their passwords and keeping them secret. In computer security, social engineering is described as a non-technical intrusion based on the psychological characteristics of human nature. It is the art of persuading people to reveal vital secrets or to perform actions that comply with the hacker's wishes (Shape 1.2).
Social engineering can be conducted in several forms.

Reverse Engineering: In this method a legitimate user is induced into asking an attacker questions in order to obtain information. The attacker poses as a person of higher authority and tries to deduce the needed information from the questions the user asks.

E-mail: This mode of social engineering involves sending an e-mail to a user asking for confidential information. The e-mail is meant to trigger an emotional response from the user, making the user unwittingly participate in the hacking by disclosing the confidential information.

Webpages: Attackers create false webpages that require users to enter e-mail addresses and passwords. Hackers hope that users will enter the same passwords at the false websites as they use on their organization's computer systems.

Shoulder surfing: In this type of attack a malicious attacker looks over a user's shoulder and watches while he/she types a password to gain access to a system. Shoulder surfing attacks are not always successful, but they can give a malicious attacker important information and leverage toward achieving his goal.

Dumpster diving: One of the most ingenious techniques for retrieving users' passwords within large commercial organizations is the dumpster diving attack. In this type of attack malicious attackers search through discarded material to find passwords, credit card numbers, confidential records or other useful information related to security policies and passwords.

Sniffing Attacks: Besides brute-force guessing, dictionary and social engineering attacks, today's hackers use more clever programs and methods to retrieve users' passwords. These methods include software sniffer programs used to capture passwords either a) when they are typed during the authentication phase of a network login session (Trojan Login, Van Eck sniffing, keystroke sniffing, hardware key loggers) or b) when they are transmitted across complex networks via e-mail and other document delivery systems (network sniffers) (Shape 1.1).

Shape 1.1: Sniffing Attacks

The next paragraphs describe in more detail each of the techniques used to sniff users' passwords:

1. Network Sniffing: A network sniffer is a program capable of capturing all traffic made available to one or more network adapters.

2. Trojan Login: A Trojan Login sniffer program is a software tool used to capture users' passwords during the authentication phase of a network login session. A malicious user who has access to a personal computer connected to a network can easily install a Trojan Login program. The strength of this malicious program is its ability to display a perfect imitation of the operating system's standard login program. As a consequence the user enters his/her username and password without any knowledge of the situation, while the Trojan Login program saves this authentication information in a secret file.

3. Van Eck Sniffing: Video monitors emit electromagnetic signals. These signals, which are called Van Eck radiation, are visible from as far away as 1 kilometer. It is obvious that a malicious hacker using the appropriate equipment, and without specialized skills, could easily sit outside a building and eavesdrop on passwords and other secrets displayed on any nearby user's video screen or monitor.

4. Keystroke Sniffing: Shape 1.2 clearly shows a classic keystroke sniffing attack associated with most modern operating systems. In this type of attack usernames and passwords are captured directly from the keyboard input buffer.
When the user enters the required authentication information in order to gain access to a computer system, this information is stored in a special area of RAM. While the user enters the information, a malicious attacker could run a sniffer program and retrieve the contents of the keyboard input buffer. As a result the user's username and password are obtained by the hacker and can be used for later attacks (Shape 1.2).

Shape 1.2: Keystroke Sniffing

5. Hardware Key Loggers: A key logger is a hardware device that intercepts and stores keystrokes. This type of attack can be conducted very easily by a social engineer, who simply walks into the location of interest and, very professionally, plugs this small piece of hardware in between the keyboard port and the keyboard. Since most users place PC towers under their desks and most of them are unaware of hardware technology, key loggers can record all typed keystrokes and store them in their internal memory without the user's knowledge.

Attacks on Password Storage: Passwords have often been vulnerable to different kinds of attack when they are stored in huge databases and password files. Most modern operating systems ask the user trying to gain access to system resources to enter a valid username and password. The operating system then searches the system's password file for an entry matching the username. If the password in that entry matches the password typed by the user, the login procedure succeeds and the user is authorized by the system. Shape 1.3 clearly shows how the password checking procedure works [1.3].

Shape 1.3: Password Checking

The storage of any password immediately breaks one important rule of password security: do not write passwords down. If the password file containing all users' passwords is stolen, the intruder automatically has direct access to all the system's passwords. The primary arguments against password storage can be stated as follows.

Single Point of Failure: If the password file is compromised then all passwords are compromised. Compromise of the password file can happen due to poor encryption mechanisms or use of a weak master password, so that its contents are easily accessed by a malicious hacker, or due to poor protection of the file itself.

Poor Audit Trails: Most operating systems keep logs used to review failed login attempts. Usually these logs contain a large number of wrong usernames and passwords typed by users while they are trying to log in to a computer or network system. If these logs are not well protected, attacks become easier. For example, a malicious attacker who sees an audit record with a nonexistent username such as 7rs or eri67 can be sure that this string is a password, or part of the password, for one of the valid users.

Software Bugs: One important reason for the success of password attacks is sometimes badly designed operating systems and the application programs running on them. These badly designed features cause software bugs which do all the hard work for malicious hackers and continue to be a major source of many security problems. One recent software bug was found in the Solaris operating system. Users with low-level privileges could force a network application program to end abnormally. As a result the program dumped its memory contents to the hard drive in a file available to all users. This file contained copies of the hashed password values that were normally stored and protected in a shadowed file. As a consequence this file could be used as input to the Crack software for an off-line brute-force attack.

2.3 Countermeasures against these Attacks

Assuming all the above, it is obvious that attackers use several techniques to capture users' passwords.
In this section, countermeasures against all the attacks on passwords described in section 2.2 are analyzed and listed in order.

Countermeasures against brute-force attacks: A possible solution against login guessing attacks (on-line brute-force attacks) is to have a password policy which specifies the maximum number of failed login attempts. System administrators, by configuring the operating system, can limit the number of failed login attempts allowed for each user. If the threshold is reached, the account should be locked and the user will not be able to log in until the system administrator reactivates login for that account. It must be mentioned that such defenses against login guessing attacks will only delay a hacker from accessing a system and gaining access to confidential information. Failed-login thresholds will not prevent a brute-force attack from occurring, but they will reveal the attempt to the security administrator. This defense method deters a malicious attacker from initiating a brute-force attack and increases the difficulty of executing it.

There is no actual defense mechanism against an off-line brute-force attack. This type of attack can be applied to any given password database. Many cracking programs are available on the Internet that generate character sequences and work through all possible character combinations until the user's password is found. The only defense mechanism against this type of attack is to have users select and use strong passwords.

Countermeasures against dictionary attacks: This type of attack can be eliminated by having a policy which simply prohibits the use of common words found in dictionaries or in attackers' word lists. If no generated password appears in such lists, dictionary attacks will not succeed. In addition, system administrators should themselves perform dictionary attacks to test users' passwords within the organization. If any passwords are compromised, they must inform the users directly of the results and require them to change their passwords to more secure ones.

Countermeasures against Social Engineering attacks: Education and user awareness must be supported by the organization's global security policy. Users should understand the importance of keeping their passwords secret and be familiar with the different ways a social engineering attack can be conducted against them. In this way, people are able to take the necessary steps and react accordingly when such a situation occurs. Besides this, companies should shred all printouts containing usernames, passwords and other similar confidential information, in order to prevent dumpster diving attacks.

Countermeasures against Network sniffing attacks: Today's hackers use many network sniffing programs to retrieve users' passwords while they are transmitted over distant networks or inside an organization's corporate network. Most businesses facing this threat, and considering the consequences of this type of attack, implement and use different network protocols for the secure transmission of confidential information. Organizations often set out detailed security policies that specify the methods, encryption techniques and protocols to be used for the secure transmission of any important information. The most important defense mechanism against network sniffing attacks is the use of well-known secure network protocols such as SSL/TLS and IPsec.
These protocols have the ability to build secure channels, based on cryptographic keys shared between trusted parties, for the safe transfer of passwords and other confidential information over any system's network.

Countermeasures against Trojan Login: A defense mechanism against Trojan Logins is to have a trusted path for all functions that require users to enter or present authentication information. This trusted path must be established between the user trying to log in and the operating system. The Secure Attention Sequence (SAS) is a trusted-path mechanism used in many modern operating systems such as Windows 2000. When a user wants to log on, executing the sequence Ctrl+Alt+Del guarantees that he/she is communicating with the operating system and not with malicious software such as a Trojan Login. Another important countermeasure against this type of attack is the installation of commercially available anti-virus software (such as Norton Antivirus and McAfee Antivirus). These anti-virus programs have the ability to detect and prevent sniffing attack programs such as Trojan Logins from being installed, downloaded and run on the operating system.

Countermeasures against Van Eck sniffing attacks: The countermeasures used to protect against Van Eck sniffing attacks are known as Transient Electromagnetic Pulse Equipment Shielding Techniques (TEMPEST). The U.S. TEMPEST standard is one guideline that manufacturers have to follow in order to reduce electromagnetic emissions and prevent these types of attacks against passwords and other secrets displayed on video screens and monitors. TEMPEST mechanisms include Faraday cages, white noise and control zones. A Faraday cage is a box, a room or an entire building designed with an external metal skin that fully surrounds an area on all six sides. As a result all electromagnetic signals transmitted from PC monitors are blocked inside the building, preventing eavesdroppers from recovering users' passwords.

Countermeasures against Keystroke sniffing attacks: A good defense mechanism against keystroke sniffing attacks is to protect the CPU's memory. In particular, the keyboard input buffer is the exact location where keystrokes typed by users are stored. It is clear that this area should be protected using encryption techniques, so that it becomes impossible for an intruder who intercepts its contents to retrieve them in plaintext form.

Countermeasures against Hardware Key Loggers: There are no well-known defense mechanisms against hardware key loggers. The only countermeasure is to state clearly in the organization's password policy that all sides of electronic equipment, and especially computers, should be visible to users and security officers. Moreover, system administrators may be obligated to check all hardware and electronic devices plugged into users' computers, or to check all hardware connections in computer rooms periodically.

Countermeasures against Password Storage attacks: The defense mechanisms against password storage attacks include the use of various encryption and hashing techniques. These techniques are used to encrypt password files and never leave passwords exposed in plaintext form. Modern operating systems (Windows, UNIX) usually use one-way encryption systems to encrypt users' passwords. In a one-way encryption system the password is transformed in such a way that the original password cannot be recovered. When a user logs on to such a system, the password entered by the user is one-way encrypted and compared with the stored encrypted password. The same encryption method and key must be used to encrypt the valid password before storage and to encrypt the entered password before comparison. Besides the use of one-way encryption, strong access control mechanisms (such as the Role-Based and Clark-Wilson access control models) should be enforced and applied to the files that hold the system's hashed passwords. Without tough access control mechanisms, the operating system is unable to check who is accessing these files; as a consequence an adversary could easily copy them and mount different kinds of attack on them.

Countermeasures against Software Bugs: As was mentioned in section 2.2 (software bugs), badly designed features in operating systems and applications can sometimes lead to software bugs which do all the hard work for malicious hackers. A defense mechanism to prevent such software bugs is good software design. Software should be designed in an organized way, keeping procedures simple, reviewed periodically for vulnerabilities and threats, and hardened with the latest patches. Where a software bug is found in any operating system or application, the people discovering it should report the problem directly to the security officer, and the company selling and licensing the product should be informed so that it can solve the problem.

3. Password Policies

3.1 Introduction

Password policies are necessary to protect the confidentiality of information and the integrity of systems by keeping unauthorized users out of computer systems. Usernames and passwords are the fundamental protection of computers and networks against intruders. Password policies specify rules about the secure administration of usernames, rules used to define valid passwords, and the type of protection needed for secure password storage. A password policy is a good place to start building the security of a company's network and protecting its assets. The next sections discuss issues related to the secure usage and management of both usernames and passwords.
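The password checking procedure of section 2.2 and three of the countermeasures of section 2.3 (a failed-login threshold with account lockout, one-way transformation of the stored password with the same method at enrolment and at login, and audit records that do not write a mistyped password into the log) fit together in one small login routine. The Python below is an added example written for this page; it is not code from the essay or from the PA.ME.SYS project. The lockout threshold of five attempts, the PBKDF2-HMAC-SHA256 parameters and the account names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values (not from the essay): five failed attempts lock the account,
# and PBKDF2-HMAC-SHA256 with a per-user random salt is the one-way transformation
# applied to every stored password.
MAX_FAILED_ATTEMPTS = 5
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass
class AccountRecord:
    """One entry of the password file: only the salt and the one-way digest are kept."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class PasswordStore:
    def __init__(self, iterations=DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._records = {}
        self.audit_log = []  # what the security administrator gets to review

    def _one_way(self, password, salt):
        # The same method and the same per-user salt are used at enrolment and at login,
        # so equal passwords give equal digests while the password itself is not recoverable.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def set_password(self, username, password):
        salt = os.urandom(SALT_BYTES)
        self._records[username] = AccountRecord(salt, self._one_way(password, salt))

    def is_locked(self, username):
        return self._records[username].locked

    def unlock(self, username):
        """Administrator action: reactivate a locked account and reset its counter."""
        rec = self._records[username]
        rec.locked = False
        rec.failed_attempts = 0

    def login(self, username, password):
        rec = self._records.get(username)
        if rec is None:
            # Poor-audit-trail countermeasure: a nonexistent username may be a password
            # typed into the wrong field, so the submitted string is never written to the log.
            self.audit_log.append("login failed: unknown username (value withheld)")
            return False
        if rec.locked:
            self.audit_log.append(f"login rejected: account {username} is locked")
            return False
        candidate = self._one_way(password, rec.salt)
        # Constant-time comparison of the two digests; plaintext passwords are never compared.
        if hmac.compare_digest(candidate, rec.digest):
            rec.failed_attempts = 0
            self.audit_log.append(f"login ok: {username}")
            return True
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.locked = True
            self.audit_log.append(
                f"account {username} locked after {rec.failed_attempts} failed attempts")
        else:
            self.audit_log.append(
                f"login failed: {username} ({rec.failed_attempts}/{MAX_FAILED_ATTEMPTS})")
        return False


def demo():
    """Run a constructed guessing sequence against one account and return the audit log."""
    store = PasswordStore()
    store.set_password("alice", "Correct-Horse-Battery-9")  # constructed sample credential
    for guess in ["alice", "password", "Alice2020", "letmein", "qwerty123"]:
        store.login("alice", guess)
    store.login("alice", "Correct-Horse-Battery-9")  # right password, but the account is now locked
    return store.audit_log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The lockout only blunts on-line guessing, exactly as the essay says: the stored digests still need the access controls described above, because an adversary who copies the file can run an off-line attack against it at leisure, and the iteration count is what makes each off-line guess expensive.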
3.2 Administration of Usernames The front gate within an organizations network is where the user or the service identifies themselves and presents some type of authentication information only known to them in order to grant access. The failure to have a reliable Login Security Policies activated is like having a big building with the best guards and security mechanisms around it with the main front gate open to anyone. 3.2.1 Login Security Policies and Usernames Within a secure system, the first thing that should be expected for any login attempt is to identify who is the person requesting entry. Regardless of the protocols used, you need to know who is trying to access the network services and who they want the network services to think they are. In high-security military environments the user identifications are assigned based on a random sequence of characters. Other organizations, such as commercial, use something that can uniquely identify the user without worrying about how to create usernames. If the usernames can give away information about the organization, then the implementation of random names could be a good solution. Although by using these random names, users tend to write them down and stick them in front of their monitors. If they are writing their usernames they also could be writing their passwords. This might obligate system administrators to assign usernames that are easily remembered. 3.2.2 Other Policy issues related to usernames There are also other policy issues raised from usernames. Except the policy issues related with the creation of usernames, procedures need to be employed that guide in the overall management of usernames. Administration of usernames consists of the procedures that drive the management of generation, destruction and revocation of those names. 
Good management of usernames is clearly needed and must be firmly undertaken within a large organization.

3.3 Password Management
After usernames, passwords are the front line of defence against intruders. A company may have good policies for maintaining and assigning usernames, but one weak password can let an intruder open the door to the network with ease. Password management is an important aspect of computer security, and the password is by far the most common user authentication method in the largest multinational organizations. Password policies fall into two categories:
- what constitutes a valid password
- how those passwords are stored
The following sections (3.3.1, 3.3.2) discuss these two categories in more depth.

3.3.1 Policies Defining Valid Passwords
A variety of password policies and guidelines are publicly available on the Internet. Most of them establish and enforce a set of rules that are either required or recommended when a user creates a password. Such rules may include:
- Passwords should contain a combination of upper and lowercase letters, digits and special characters (any of the 95 printable ASCII characters).
- Passwords should not be a word that appears in a dictionary or word list.
- Passwords should not be based on well-known personal information.
- Passwords should be memorized by users, not written down.
- Passwords should be replaced periodically.
- When an old password expires, the new password should be completely different from the old one.
- Users should never share their passwords with others.
- Password length should depend on the value of the data it protects.
More recent guidance (NIST SP 800-63B) drops mandatory periodic replacement and composition rules in favour of length, screening candidates against lists of known-compromised passwords, and rate limiting of guesses.

3.3.2 Storage of Passwords
Beyond the properties a valid password should have, a good password policy should also specify rules for the secure storage of passwords.
Passwords should be stored in the authentication system in a manner that minimizes their exposure to disclosure or unauthorized replacement. Several methods have been used, such as the so-called LOGON program approach: the password file is protected by a file access mechanism that checks a protection bit in a file access table, and only the privileged LOGON program may read and write the file. In addition, these systems encrypt the passwords with a one-way function (described in section 2.3, countermeasures against password storage attacks) using either a Data Encrypting Key (DEK) or the password itself as the key. Password storage policies should state the type of protection given to the passwords, which must be proportional to the protection desired for the system or data, and should indicate the access control mechanisms used to govern operations on the files containing system passwords.

3.4 Risks due to Inadequate Password Policies
Password policies are necessary to protect a company's assets, yet not all companies realize the risks posed by poor ones. The risks include user confusion, denial-of-service issues, loss of income, disclosure of sensitive marketing plans and strategies, loss of productivity, and user education problems if the policy is not communicated clearly to the users. Today's companies often do not take password security seriously enough; a password policy is a good place to start building the security of a company's network and protecting its assets.

3.5 Users and Password Policies
Password policies need to be sensible and reviewed periodically for legal issues, human factors and the cryptographic strength of the protection they rely on. People clearly play an important role in establishing and maintaining a well-defined password policy.
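The validity rules of section 3.3.1 and the storage requirements of sections 2.3 and 3.3.2 (a one-way transformation, and a password file that only the privileged logon program can read), carried through as one added example. This is not code from the project described on this page. Assumptions: PBKDF2-HMAC-SHA256 with a random salt stands in for the unspecified "one-way encryption"; a small constructed word list stands in for a real dictionary; and a Unix-style file mode check stands in for the protection-bit mechanism of the LOGON design.

```python
"""Password validity rules (3.3.1) and one-way, access-controlled storage (2.3, 3.3.2).
Added example, not the page's project code; see the assumptions in the lead-in."""
import hashlib
import hmac
import os
import secrets
import stat
import string

# Constructed stand-in for a dictionary / word list (assumption: a real
# deployment loads a large list plus lists of breached passwords).
DICTIONARY = {"password", "welcome", "dragon", "letmein", "qwerty", "summer"}

# PBKDF2-HMAC-SHA256 iteration count (assumption; tune to your hardware).
ITERATIONS = 600_000


def check_password_rules(password, personal_info=(), min_length=12):
    """Return the list of 3.3.1 rules the candidate violates (empty = acceptable).
    min_length is the policy length for the data class being protected."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not all(32 <= ord(c) < 127 for c in password):
        problems.append("contains characters outside printable ASCII")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if not all(classes):
        problems.append("missing a class (lower, upper, digit, special)")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    return problems


def hash_password(password, iterations=ITERATIONS):
    """One-way transform with a fresh random salt; returns the record to store."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except ValueError:
        return False  # malformed or tampered record
    return hmac.compare_digest(actual, expected)


def mode_is_private(mode):
    """True when the file mode grants no access to group or others (0600 style):
    only the owner, i.e. the privileged logon service, can read or write it."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def store_is_protected(path):
    """Check the on-disk password store the way the LOGON-program design requires."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    print(check_password_rules("Password123!", personal_info=("maria",)))
    record = hash_password("Tr0ub4dor&3xyz")
    print(record)
    print(verify_password("Tr0ub4dor&3xyz", record), verify_password("guess", record))
```

The record carries its own algorithm name, iteration count and salt, so the policy can raise the work factor later without invalidating existing entries; two users with the same password still get different records, which is what defeats the precomputed-table attacks of section 2.3.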
All people involved with password policies, administrators, security officers, managers and users alike, should co-operate and take the steps needed for a successful company strategy on security processes.

4. Techniques for Remembering Strong Passwords

4.1 Introduction
Despite all the sophisticated password generators and data encryption systems available today, passwords typically remain the weakest link in the security chain. This is because users and system designers pull in different directions. System designers prefer hard-to-guess, complex passwords, usually produced by random password generators (such as PA.ME.SYS, described in chapter 5). Users, on the other hand, a) choose easy-to-guess passwords, b) reuse the same password across all systems, c) keep written records of their passwords and d) forget them from time to time. As a consequence passwords remain a big headache in most organizations and agencies, which look for alternative solutions to the problem of weak password choices. Computer experts try to develop techniques that help users remember strong passwords. Such techniques are discussed in the next three sections.

4.2 Cryptogic(TM) Password Protocol
In 2004 Sean Gilberston and Murli Bhamidipati proposed the Cryptogic(TM) Password Protocol, a simple way of helping people select and remember passwords that are considered secure. The idea is described in three steps. In step one, the user decides on a fixed part which never changes and is typically made up of words or letters. In step two, the user decides on a single rule that derives the variable part of the password from the system or website being logged into; the variable part usually produces digits.
In step three, the user decides how to combine the variable part with the fixed part. The fixed part is a word the user can always remember; it stays the same across all passwords and should be 5 to 10 characters long. The variable part is a digit that may represent: the number of characters in the name of the website being visited, the number of vowels in the user's first name, the number of characters in the name of the computer or network system being logged on to, or the number of times a particular letter (vowel or consonant) appears in the name of that website, computer or network. The user then decides where to put the variable part: at the end, in the middle or at the beginning of the fixed part.

Given the above, the procedure has some important disadvantages:
- The passwords generated do not include special symbols (they do not draw on all 95 printable ASCII characters); they consist only of mixed-case letters and digits, which makes them less resistant to brute-force attacks.
- NIST guidelines state that passwords should not be related to the organization's computer or network names, which may be known to an attacker (for example through social engineering).
- Most cracking software available on the Internet lets the attacker define rule sets that control the transformations applied to input dictionaries. Because the fixed part is a memorable word and the variable part is a single digit placed at one of a few positions, most passwords generated with the Cryptogic protocol are vulnerable to this kind of rule-based dictionary attack; an attacker who learns one of the user's passwords recovers the fixed part and then only has to try the handful of rules and positions for every other site.

4.3 Mnemonic System for Bank PINs
Another method, used by commercial banks to help their customers remember PINs, is a card on which the customer conceals the PIN in the following way (Shape 1.4). Suppose the user's PIN is 2256.
The user chooses a secret word, e.g. blue, and writes its four letters in the second, second, fifth and sixth columns of the card, one letter per row. The remaining boxes are filled with random, user-chosen letters. The result is shown in Shape 1.4:

Column: 1 2 3 4 5 6 7 8 9 0
Row 1:  E B T W Q W G S K A
Row 2:  x L B D L A D W Z D
Row 3:  G K M G U P H J F Y
Row 4:  c R N I H E A Q B M

Shape 1.4: Mnemonic system for bank PINs (the secret word blue sits in columns 2, 2, 5 and 6, one letter per row)

This technique provides weak security for two reasons:
- A quick check of the card shows that a 4-by-10 matrix of random letters yields about two dozen words (more if there is an s in the bottom row), so an attacker who sees the card only has to try the PINs spelled by those words rather than all 10,000 four-digit combinations.
- The card may be stolen by an attacker for further analysis, and because the customer must carry it to every bank transaction the chance of losing it is high.

4.4 Passphrases
Another technique for helping users remember strong passwords is the passphrase: a sequence of words or other text used to restrict access to a computer system. Passphrases are usually considered more secure than passwords for the following reasons. First, they are usually much longer (20 to 30 characters) than common passwords (8 to 10 characters), which makes them resistant to brute-force attacks. A passphrase may be created by rolling dice to select words at random from a long list; although such a collection of words violates the rule "do not use words found in dictionaries", its security rests on the enormous number of ways of choosing from the list, not on any secrecy about the words themselves. If passphrases are well chosen and contain digits or special symbols they will not be found in any phrase or quote dictionary, so dictionary attacks against them are impractical.
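Returning to the PIN card of section 4.3: the first weakness above can be made concrete by doing what an attacker who photographs or steals the card would do, namely reading off every four-letter word that can be spelled by taking one letter per row and treating each as a candidate PIN. The following is an added example, not part of the original text. The card is the one printed in Shape 1.4 (PIN 2256, secret word blue); the word list is a small constructed stand-in for a real dictionary, and make_card() is an assumed construction of the page's encoding rule so that fresh cards can be attacked the same way.

```python
"""Dictionary-constrained search over the section 4.3 PIN card.
Added example, not from the original text; see the lead-in for assumptions."""
import itertools
import random
import string

COLUMN_LABELS = "1234567890"  # column headings on the card; "0" is the tenth column
CARD = ["EBTWQWGSKA", "xLBDLADWZD", "GKMGUPHJFY", "cRNIHEAQBM"]  # rows of Shape 1.4
# Constructed stand-in for a dictionary of four-letter words.
WORDS = {"blue", "wage", "same", "bake", "tame", "edge", "wake", "bike", "game"}


def make_card(pin, word, rng=random):
    """Assumed encoding rule: letter i of `word` goes in the column labelled pin[i]
    of row i; every other cell gets a random filler letter."""
    if len(pin) != len(word):
        raise ValueError("one letter per PIN digit")
    rows = []
    for digit, letter in zip(pin, word):
        cells = [rng.choice(string.ascii_uppercase) for _ in COLUMN_LABELS]
        cells[COLUMN_LABELS.index(digit)] = letter.upper()
        rows.append("".join(cells))
    return rows


def candidate_pins(card=CARD, words=WORDS):
    """Map every dictionary word readable on the card (one letter per row, top to
    bottom) to the PINs that spell it.  Each PIN is a guess the attacker will try."""
    rows = [row.upper() for row in card]
    found = {}
    for columns in itertools.product(range(len(COLUMN_LABELS)), repeat=len(rows)):
        letters = "".join(rows[i][c] for i, c in enumerate(columns)).lower()
        if letters in words:
            pin = "".join(COLUMN_LABELS[c] for c in columns)
            found.setdefault(letters, []).append(pin)
    return found


def search_space(card=CARD, words=WORDS):
    """(candidate PINs an attacker who saw the card must try, size of the blind search)."""
    found = candidate_pins(card, words)
    return sum(len(pins) for pins in found.values()), len(COLUMN_LABELS) ** len(card)


if __name__ == "__main__":
    for word, pins in sorted(candidate_pins().items()):
        print(f"{word}: {', '.join(pins)}")
    print("candidates vs blind search:", search_space())
```

With the page's own card and this nine-word list the attacker is left with 18 PINs instead of 10,000, and the true PIN 2256 is among them; a full dictionary makes the candidate list longer but still tiny, which is the "about two dozen words" observation above. Any fresh card built with make_card() has the same property, since the attack never needs to know which word is the secret one.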
Second, passphrases can be structured so that they are easier to remember than passwords without being written down, which reduces exposure to social engineering attacks.

5. Analysis of a Password Mnemonic System Based on Favourite Passphrases

5.1 Implementation and Testing
This section proposes a mnemonic system based on users' favourite passphrases. A user remembers specific letters of the passphrase and combines them to form the final password. The proposed system is based on leet (1337), a written language or cipher used in online gaming, e-mail, text messaging, tweeting and other electronic communication. The term leet comes from the word elite (written 31337), and 1337 was initially developed as an exclusionary language: a way to encode text so that messages could only be read by the initiated. Its defining characteristic is the substitution of symbols and digits for letters (for example, in the term 1337, 1=L, 3=E and 7=T), but it has also grown to include intentional misspellings, phonetic spelling and new words. The substitutions used by the system are listed in Table 1.5:

Letter  Leet substitutions
A       4, /-\, @, ^, /\, //-\, /=\
B       8, ]3, ]8, |3, |8, ]]3, 13
C       (, {, [[, <, €
D       ), [}, |), |}, |>, [>, ]]), Ð
E       3, ii, €
F       |=, (=, ]]=, ph
G       6, 9, (_, [[6
H       #, |-|, (-), )-(, }{, }-{, {-}, /-/, \-\, |~|, []-[]
I       1, !, |, ][, []
J       _|, u|, ;_[], ;_[[
K       |<, |{, ]<, ]], []<
L       1, |_, []_, ][_, £
M       //\\, |\/|, [\/], (\/), /\/\, []V[], (T), ^^, .\\., //., ][\\//][, JVL
N       //\\, ||, (\), /\/, [\], {\}, ][\][, [\][], ~
O       0, (), [], *, [[]]
P       |D, |*, |>, []D, ][D
Q       (,), 0, O, []
R       2, |?, |-, ]]2, []2, ][2
S       5, $, š
T       7, +, ], 7`, ~|~, -|-, ][, |, †
U       (_), |_|, \_/, /_/, \_\, []_[], ]_[, µ
V       \/, \\//, √
W       \/\/, |/|, [/], (/), VV, \\//, \^/, 1//, /1/, 1/1/
X       ><, }{, )(, }[
Y       \/, %, `/, j, \//, ¥, |/, -/
Z       2, z, 7_, `/_

Table 1.5: Leet (1337) substitutions for the English alphabet (backslashes and angle brackets lost in extraction are restored from standard leet usage)

Steps 1 to 6 describe the operation of the software developed for this mnemonic system:

Step 1: An Access database with all leet (1337) representations of each letter of the English alphabet was created. Each letter has a constant number n (= 8) of representations; if a letter has fewer than n distinct substitutions, its sequence is repeated until the count reaches 8.

Step 2: The program lets the user type his or her favourite passphrase, which may consist of t words. For example, if the passphrase is "Tolmon Nika" (t = 2) the password will be two characters long, where each "character" is a leet token that may occupy more than one keyboard character.

Step 3: The program extracts the first letter of each word and creates a string of t characters; t is therefore the length of the password.

Step 4: The program calls the CryptGenRandom function to produce one random number for each character of the string (TN in the example). CryptGenRandom is a well-tested function with two properties of a good random number generator: unpredictability and an even value distribution. The process of deriving the random numbers and associating them with each character of the string is outlined in Shape 1.6 (CryptGenRandom). On Windows XP, CryptGenRandom draws its randomness from many sources, among them the current process ID, the current thread ID, the current time, an MD4 hash of the user's environment block (which includes the username, computer name and search path), high-precision CPU counters, cache manager data pages and context-switch counts.

Step 5: The program associates each character of the string with a specific leet (1337) substitution.
The selection is based on a formula whose inputs are the random number produced by CryptGenRandom and n, the number of representations of each letter; its result is the index of the leet substitution that replaces the original letter. Shape 1.7 (Generating the final password) illustrates the process.

Step 6: The procedure of Shape 1.7 is repeated for every character of the string. After the final password has been generated, the program produces a document showing how it was constructed.

5.1.1 Implementation
The program PA.ME.SYS described in the previous section was implemented in Visual Basic. The source code, with comments explaining the operation of each function, is in Appendix 2, Source Code (Visual Basic). It is divided into six parts, each responsible for a different operation in producing the user's final password:

Part 1: The start of the program, which offers two functions: install, and cancel the installation.
Part 2: Shows where to read the License Agreement; the user must choose "I agree" and press Next to continue.
Part 3: Loads the PA.ME.SYS program.
Part 4: The program is ready for the user to type a favourite proverb or its translation.
Part 5: The job is finished.
Part 6: Thanks the user for using the program.

Exportdata: This process performs a checking operation each time a passphrase is entered.
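The generation procedure of Steps 1 to 6 and the Exportdata checks, re-implemented as an added example; this is not the project's Visual Basic code. Assumptions: secrets.randbelow() stands in for CryptGenRandom; the selection formula, which the page describes only by its inputs, is taken to be index = random_number mod n; and the table is an ASCII-only subset of Table 1.5 (the page's table also contains glyphs such as € and †, which lie outside the 95 printable ASCII characters the system claims to use). The entropy_bits() function goes beyond the page: it gives the number of bits left to an attacker who already knows the passphrase, which is the quantity advantage 3 of section 5.2 computes.

```python
"""PA.ME.SYS procedure re-implemented (Steps 1-6, Exportdata).
Added example, not the project's code; see the lead-in for assumptions."""
import math
import secrets

N = 8  # Step 1: a constant number of representations per letter

# Leet substitutions per letter (subset of Table 1.5, printable ASCII only).
LEET = {
    "a": ["4", "/-\\", "@", "^", "/\\", "//-\\", "/=\\"],
    "b": ["8", "]3", "]8", "|3", "|8", "]]3", "13"],
    "c": ["(", "{", "[[", "<"],
    "d": [")", "[}", "|)", "|}", "|>", "[>", "]])"],
    "e": ["3", "ii"],
    "f": ["|=", "(=", "]]=", "ph"],
    "g": ["6", "9", "(_", "[[6"],
    "h": ["#", "|-|", "(-)", ")-(", "}{", "}-{", "{-}", "/-/", "|~|", "[]-[]"],
    "i": ["1", "!", "|", "][", "[]"],
    "j": ["_|", "u|", ";_[]", ";_[["],
    "k": ["|<", "|{", "]<", "]]", "[]<"],
    "l": ["1", "|_", "[]_", "][_"],
    "m": ["//\\\\", "|\\/|", "[\\/]", "(\\/)", "/\\/\\", "[]V[]", "(T)", "^^", "JVL"],
    "n": ["//\\\\", "||", "(\\)", "/\\/", "[\\]", "{\\}", "][\\][", "[\\][]", "~"],
    "o": ["0", "()", "[]", "*", "[[]]"],
    "p": ["|*", "|>", "[]D", "][D"],
    "q": ["(,)", "0,", "O,", "[]"],
    "r": ["2", "|?", "|-", "]]2", "[]2", "][2"],
    "s": ["5", "$"],
    "t": ["7", "+", "]", "7`", "~|~", "-|-", "][", "|"],
    "u": ["(_)", "|_|", "\\_/", "/_/", "\\_\\", "[]_[]", "]_["],
    "v": ["\\/", "\\\\//"],
    "w": ["\\/\\/", "|/|", "[/]", "(/)", "VV", "\\^/", "1//", "/1/", "1/1/"],
    "x": ["><", "}{", ")(", "}["],
    "y": ["\\/", "%", "`/", "j", "\\//", "|/", "-/"],
    "z": ["2", "z", "7_", "`/_"],
}


def representations(letter):
    """Step 1: exactly N entries per letter, repeating the sequence when a letter
    has fewer than N substitutions (and truncating when it has more)."""
    reps = LEET[letter]
    return [reps[i % len(reps)] for i in range(N)]


def normalise(passphrase):
    """Exportdata: lowercase, strip leading/trailing spaces, collapse runs of spaces."""
    return " ".join(passphrase.lower().split())


def initials(passphrase):
    """Steps 2 and 3: the first letter of each word forms the initial password."""
    return "".join(w[0] for w in normalise(passphrase).split() if w[0] in LEET)


def derivation(passphrase, rng=secrets.randbelow):
    """Steps 4 to 6: draw a random number per initial, map it to one of the N
    representations, and record (letter, index, token) for the user's document."""
    trace = []
    for letter in initials(passphrase):
        random_number = rng(2 ** 32)  # CryptGenRandom stand-in (assumption)
        index = random_number % N     # assumed selection formula: r mod n
        trace.append((letter, index, representations(letter)[index]))
    return trace


def generate(passphrase, rng=secrets.randbelow):
    """The final password: the chosen tokens joined in passphrase order."""
    return "".join(token for _, _, token in derivation(passphrase, rng))


def is_printable_ascii(password):
    """Composition check of FIPS PUB 1-2 (advantage 7 in section 5.2)."""
    return all(32 <= ord(c) < 127 for c in password)


def entropy_bits(passphrase):
    """Bits left to an attacker who already knows the passphrase: log2(N) per token."""
    return len(initials(passphrase)) * math.log2(N)


if __name__ == "__main__":
    for phrase in ("ti giannis ti giannakis", "einai duskoli wra", "Tolmon Nika"):
        print(f"{phrase!r:28} initials={initials(phrase)} password={generate(phrase)} "
              f"bits-if-phrase-known={entropy_bits(phrase):.0f}")
```

Running it reproduces the shape of the test outputs in 5.1.2 (four tokens for "ti giannis ti giannakis", two for "Tolmon Nika"); the rng parameter exists so that the derivation can be replayed deterministically, for example when producing the explanatory document of Step 6.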
More specifically, the Exportdata process performs three checks: it converts the string to lowercase, removes leading and trailing spaces from the passphrase, and collapses double, triple or longer runs of spaces. These checks prevent errors that may occur while a user is typing a favourite passphrase. The process then counts the words and extracts the first letter of each word in the passphrase. The extracted letters are moved into an array, terminated with a zero to mark the end of the string; this array is the initial password.

Generatepassword: This process a) opens a connection to the Access database and b) calls the form's Load handler (ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load, which generates a random number for each character of the initial password, applies the substitution selected by each random number, and produces the final password.

Part 3: This part simply opens a connection to the Access database, which contains all leet substitutions for the English alphabet.

5.1.2 Testing
1) First test. For the passphrase "ti giannis ti giannakis" (initials t g t g) the passwords generated by PA.ME.SYS include:
   1. +6][6
   2. ][9-|-[[6
   3. ]†6
   4. ~|~6]
   5. 7`†9
   6. -[[†9
2) Second test. For the passphrase "einai duskoli wra" (initials e d w):
   1. 3[}[/]
   2. €ii(/)
   3. [/1/
   4. €)^/
   5. [|//
   6. €|)/1/
3) Third test. For the passphrase "Tolmon Nika" (initials t n):
   1. T[]
   2. ~|~//
   3. -[[||
   4. 7`[]
   5. †/|/
   6. ~|~{}

5.2 Advantages
1. Resistant to brute-force attacks: The first advantage of the generator developed in this chapter is that it produces passwords that are resistant to brute-force attacks.
This is because passwords are composed from all 95 printable ASCII characters and the length of each password depends on the number of words in the user's passphrase. If an organization's password policy compels users to use passphrases of 10 words, all generated passwords will be 10 tokens long, which gives a very large number of possible combinations (95^10 for an attacker who must treat every character position as unknown). Note, however, that an attacker who knows the scheme does not need to search that space: given the initials, only n = 8 substitutions per position remain (8^10 = 2^30 for ten positions), so the real strength rests on keeping the passphrase secret, and a token such as ][ occupies more than one character of the final password.

2. Dictionary attacks are impractical: The passwords produced by the PA.ME.SYS generator are not related to words found in dictionaries. They all contain special symbols (!@#$%^ and so on) and digits (0-9), which cannot be found in dictionaries, and they are not based on a specific user's well-known personal information (children's names, username, cities, driving licence numbers, telephone numbers and so on). One caveat: leet substitution is itself a standard transformation in password-cracking rule sets, so the passphrase and its initials must not be guessable from what an attacker knows about the user.

3. The same passphrase results in different passwords: If two users enter the same passphrase, the probability of two identical generated passwords is very small. The number of different passwords for an 8-token password, where each position can take n = 8 substitutions, is:

   Password combinations = n^(password length) = 8^8 = 2^24

so the probability that one passphrase yields the same password twice is 1 / 2^24, a very small number. If an organization's password policy wishes to rule out even this possibility, all generated passwords may be stored in a database and each newly generated password filtered against it, so that the same password is never issued to two different users. Storing the generated passwords in clear for this comparison would contradict the storage rules of section 3.3.2; the database should hold only their one-way hashes, which is enough to detect a duplicate. In addition, the computer system that generates and stores the organization's passwords should:
- not be connected to the Internet or the company network,
- be kept locked, and
- be accessible only to authorized people.

4.
Built-in random function (password source): FIPS PUB 112 indicates that if passwords are generated by the system, the method of generation should not be predictable. PA.ME.SYS uses the CryptGenRandom function to produce its random numbers. CryptGenRandom draws its randomness from many sources in Windows, so each time PA.ME.SYS is activated to produce passwords a different random seed is used as input. This strengthens the system and makes it much harder for an attacker to predict or guess the seed.

5. PA.ME.SYS produces passwords that users can memorize: All generated passwords depend on the user's passphrase. Each time the user requests access to a computer or network resource, he or she recalls the passphrase and extracts the first letter of each word, so the passphrase itself never needs to be written down. The user must still remember which of the eight substitutions was chosen for each letter, which is what the document produced in Step 6 records.

6. Leet is easy to learn: All generated passwords are based on leet, an Internet-based language that relies on the keyboard and is characterized by the use of non-alphabetic characters (special symbols and digits) in place of letters. Assuming people have Internet access and are registered with e-mail accounts, sites or other online communities, they are familiar with such symbols and can use them without confusion.

7. Password composition: All passwords generated by PA.ME.SYS are composed from the subset of 95 graphic characters specified in FIPS PUB 1-2, and the generator verifies that every password consists only of characters from that subset. This excludes the non-ASCII glyphs (such as € or †) that appear in Table 1.5.

8. Password length: PA.ME.SYS lets the Security Officer and System Manager of an organization specify the minimum length of all passwords to be generated.
This is achieved by obliging users to use passphrases with a specific number of words; the passwords produced then have the required number of tokens.

9. Password lifetime: FIPS PUB 112 states that a password system should be able to replace a password quickly, at the initiative of either the user or the Security Officer. PA.ME.SYS lets the user replace his or her password quickly and easily on the company's request, simply by entering a new passphrase to generate a new password.

10. Error checks: PA.ME.SYS applies a function (Exportdata) that checks for errors during input, so that mistakes made while the user types a favourite passphrase are avoided.

It should be mentioned at this point that the added value of this mnemonic system is not the implemented program itself but the idea behind it: a scheme for generating hard-to-break and easy-to-remember passwords. The program is a proof of concept of that idea and can be enhanced using the recommendations in the next section.

5.3 Future Recommendations
1. Documentation: An effective password management policy requires the active co-operation of all users involved in generating good passwords, so it is important to provide the documentation and tutorials that explain how their passwords are created. Each time a new password is generated the program could issue a document showing how the user's passphrase was used to create it. Users would then understand the idea behind PA.ME.SYS and remember their strong passwords more easily. It is worth the effort to make users feel personally involved in implementing the password policy.
2.
Website creation, www.Pa.Me.Sys.gr: In the future additional features could be created, such as a website (pa.me.sys.gr) that creates passwords and codes. The website would be easy to use and would serve to advertise the Pa.Me.Sys program and familiarize users with it.

3. Selection of specific letters: PA.ME.SYS could be enhanced with an option that lets users select which letters of their passphrase are used. The program implemented in this chapter extracts the first letter of each word by default; letting users choose the characters they want may make the result easier for them to remember.

4. Password length: The number of words in the passphrase determines the length of the final password. If an organization's password policy specifies passwords of 12 characters, users are obliged to find and use 12-word passphrases, which is difficult. It would be better to implement an algorithm that produces passwords of the length required by the policy independently of the size of the passphrase entered, so that users are not compelled to search for, and be confused by, the long passphrases that long passwords would otherwise require.

5.4 Password Policies and PA.ME.SYS
Given all the above, PA.ME.SYS enforces password management policies and addresses problems related to passwords. More specifically, it produces hard-to-break and easy-to-remember passwords that comply with the length, composition, lifetime and source requirements specified in Password Usage (FIPS PUB 112). Other password management issues should also be considered when designing and implementing the PA.ME.SYS password generator.
For example, if the organization's password policy specifies that all passwords are generated with PA.ME.SYS, then these passwords must be distributed to the users in some way. A strict policy might state the following: each user enters a private room in the company and types a passphrase (containing exactly the number of words stated in the policy) to generate a secret password; using the document that describes how the password was created, the user memorizes it; after memorizing it, the user closes or resets the program (destroying the passphrase and password) and never writes the generated password down after leaving the room. Other security issues include the secure transmission, storage, ownership, entry and authentication period of all passwords generated with PA.ME.SYS. These depend on the organization's global security policy and should be analysed seriously in order to have an effective password policy.

6. Conclusions
Passwords are an important aspect of computer security. They are the most common user-friendly method of identifying a user and granting access to an organization's system resources, and they are the front line of protection for user terminals, the confidentiality of information and the integrity of systems, keeping out unauthorized users. The first chapter of this project discusses the importance of passwords in today's businesses and states clearly why passwords are so widely used within an organization's security framework. It also emphasizes that they need to be managed properly in order to provide the same level of security as more modern mechanisms, which is achieved by enforcing specific rules for the complexity, generation, storage and distribution of passwords through a strong security policy.
The analysis in the first chapter showed that using passwords as an authentication technique increases the chance that an information system will be compromised, because their security is tied to the way users manage them. Passwords are therefore the weakest element in the security chain of an organization's network and are susceptible to different types of attack. The second chapter describes the many techniques intruders use to attack password-based authentication systems and proposes defence mechanisms against them. That analysis made clear that the proposed countermeasures cannot be implemented effectively unless they are well planned and applied systematically within the organization's security framework, for which a well-defined password policy is crucial. The third chapter critically analyses a password policy that an organization may use to enforce rules for the secure generation, storage and distribution of passwords. In detail, the policy specifies rules for defining strong passwords and proposes techniques for storing them securely; it also considers the risks of inappropriate policies and shows that users play an important role in establishing and maintaining a well-defined password policy. The results of that chapter are that password policies are undoubtedly important in ensuring that passwords are properly selected and managed within an organization's security framework, and that password policies benefit from password generators, which compel users and administrators to use passwords that meet defined security criteria.
In the fourth chapter, the different techniques used to improve users' memory and help them remember strong passwords were surveyed, and the operation and limitations of each were examined. A mnemonic system was also proposed to help users remember passwords based on their favourite passphrases. It was designed with data flow diagrams, which show clearly the processes and data that make up the system, and implemented in Visual Basic, which shows graphically how the system works. The added value of this mnemonic system is not the implemented program itself but the idea behind it: a scheme for generating hard-to-break and easy-to-remember passwords drawn from the full printable character set. The program is a proof of concept of that idea and could be enhanced using the future recommendations. The last chapter discusses the main features of the password mnemonic system (Pa.Me.Sys), which handles password management problems and enforces password management policies within an organization. A password generator proposed by the National Institute of Standards and Technology (NIST) is also analysed for the processes it applies in producing pronounceable passwords, which are easily spelled and have no association with a specific user. The results of developing the mnemonic system are that it enforces password management policies and addresses problems in the selection of secure passwords; more specifically, it produces hard-to-break and easy-to-remember passwords that comply with the length, composition, lifetime and source requirements of most password guidelines. Other password management issues should also be considered when designing and implementing this password generator.
Such issues include the secure transmission, storage, ownership, entry and authentication period of all passwords generated with the system. They depend on the organization's global security policy and should be analysed seriously in order to have an effective password policy. In conclusion, passwords are an important aspect of computer security: they are the most common user-friendly method of identifying a user and are necessary to protect the confidentiality of information and the integrity of systems. Passwords are often created with password generators, and such passwords are not easily remembered: they are complex, they need to be changed frequently, and users have to read long instructions and guidelines on how to keep them secret, so users tend to write them down and violate the organization's security policy. Other techniques, such as the mnemonic system described in the last chapter of this project, should therefore be implemented to help people remember strong passwords easily; they should aim to make people feel personally involved in generating their passwords and aware of the consequences of poorly chosen ones. Moreover, an organization could employ multi-factor authentication to provide stronger security: the passwords (something you know) generated with the mnemonic system (chapter 7) could be combined with smart tokens (something you have) or biometric identifiers (something you are), so that users present two different kinds of evidence to gain authorized access to system resources. Finally, all people involved with password policies, administrators, security officers, security managers and users alike, should co-operate and take the steps needed for a successful company strategy on security processes.