Technical Measures, Delineation of Access Rights...

Technical measures

Technical measures (technological, or hardware-and-software, measures) are understood as the methods of protection that are implemented directly by means of the protected objects themselves: a single computer or a group of computers, as well as telecommunications equipment. What distinguishes these measures is that the user deals with them not just daily (as with physical measures) but hourly, every second. User errors associated with violating or neglecting technical protection measures are very frequent; they are estimated to account for 75-90% of all incidents in local networks. Such errors have serious consequences, because in most cases they "open" the network, leaving it defenceless at once to tens or hundreds of network users, whose own ill-informed actions can then quickly replicate (copy) the error or its consequences across the network.

What specific methods of technical protection of information do users face daily?

Delimiting access rights

The user must introduce himself to the computer (more precisely, to the operating system): in the identification step he enters a user name (for example, Ivanov). For the computer system, however, this is not enough; it asks for clarification: Ivanov the student or Ivanov the teacher? User Ivanov must enter his password. This is the process of the computer authenticating the user. In modern systems other identifiers/authenticators can be used: electronic keys, plastic cards, biometric parameters of the user. If the user has presented the computer with an identifier/authenticator pair previously registered in the system, the computer carries out the process of authorization: logging the user in with specific access rights to particular information, without the user's participation.

Any attempt to violate the rules for carrying out these three processes, or to bypass (skip) any of them, should be regarded as an attempt at unauthorized access to the system. An authorized user can work only with certain structured information (partitions, disks, network resources, media, folders, files). He has no access, or only limited access, to the structured information of other users, except for public resources. At even the slightest break in work it is recommended to log out of the system or to turn on a password-protected screen saver, so that another person cannot take the place of the authorized user.

You can control access to objects using the Security tab of the folder Properties window (Figure 11.3). At the top of the tab you specify the user name or group of users; at the bottom you set the permissions to perform particular actions on the selected object. To manage the security of the selected object, you must either have administrator rights or be its owner.

Fig. 11.3. Folder properties, Security tab
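The three processes described above (identification, authentication, authorization) and the Security-tab model of a principal (user or group) with a set of allowed actions per object can be shown in a few dozen lines. The following is an added example, not code from the page or from any operating system; the accounts, groups, object paths, passwords and the lockout threshold of 3 failed attempts are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed example of the three processes from the text (identification,
# authentication, authorization) with an ACL laid out like the Security tab:
# one principal (user or group) per entry and the actions it is allowed.
# Accounts, groups, objects and passwords below are made up for illustration.

PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 3            # lock after 3-5 failed attempts, as the text's rules require


def make_record(password):
    """Store only a salted hash of the password (the text's 'compressed' form)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked": False}


# Identification data: the open user name selects one of these records.
USERS = {
    "ivanov_student": make_record("Gd1vt2ch!"),
    "ivanov_teacher": make_record("Porridge+Porridge-Porridge=Porridge"),
    "admin": make_record("Каждый-hunter-wants2know"),
}
GROUPS = {
    "Users": {"ivanov_student", "ivanov_teacher", "admin"},
    "Administrators": {"admin"},
}

# Authorization data: object -> [(principal, allowed actions)], plus the owner of each object.
ACL = {
    "D:\\Reports\\Annual report.doc": [("ivanov_teacher", {"read", "write"}), ("Users", {"read"})],
    "D:\\Grades.xls": [("ivanov_teacher", {"read", "write"}), ("Administrators", {"read", "write"})],
}
OWNERS = {"D:\\Reports\\Annual report.doc": "ivanov_teacher", "D:\\Grades.xls": "ivanov_teacher"}


def identify(username):
    """Identification: look the open name up; nothing is proven yet."""
    return USERS.get(username)


def authenticate(username, password):
    """Authentication: rehash the offered secret with the stored salt and compare in constant time."""
    record = identify(username)
    if record is None or record["locked"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked"] = True            # "blocked for several hours" in the text; permanent here
    return False


def principals_of(username):
    """The user's own name plus every group that lists it."""
    return {username} | {g for g, members in GROUPS.items() if username in members}


def authorize(username, obj, action):
    """Authorization: rights are looked up from the ACL without asking the user anything."""
    mine = principals_of(username)
    if action == "change_permissions":
        # Only the owner or an administrator may manage the object's security (as the text states).
        return OWNERS.get(obj) == username or "Administrators" in mine
    return any(p in mine and action in allowed for p, allowed in ACL.get(obj, []))


def login_and_access(username, password, obj, action):
    """Run the three processes in order; skipping any one of them is what the text calls unauthorized access."""
    if identify(username) is None:
        return "unknown user"
    if not authenticate(username, password):
        return "authentication failed"
    return "allowed" if authorize(username, obj, action) else "denied"
```

The student Ivanov can read the report through the Users group but cannot write it, and only the owner (the teacher) or a member of Administrators may change permissions, which is the rule the text gives for managing an object's security.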

If more than one user works on one computer, each with his own account (login and password), you can restrict access to a specific folder in another way. In the folder Properties window click the Advanced button, which opens the Additional attributes dialog, and enable encryption of the contents of the specified folder object (Figure 11.4). The user who turned on encryption works with the folder without any restrictions and does not need to enter a password. Other users will see the encrypted folder but will not be able to perform any actions on it or on its contents (which are not available to them).

If several users work on the same computer under the same account name (which is highly undesirable from a security standpoint), you can use one of the paid folder-encryption applications, for example HideFolder, Secure Folder, Magic Folder, Lock Folder or Folder Lock.

Fig. 11.4. Folder properties, Security tab, Additional attributes

Password protection. It is not customary in society to discuss important or restricted information with an unfamiliar or little-known interlocutor. This useful habit has also been mastered by our new companion in communication, the computer. The procedure of a user introducing himself to a suspicious computer resembles an encounter with a policeman on the street: Your surname? Your documents, please! Only the academically educated computer asks the user to perform identification and authentication.

Identification consists in the user giving the operating system information about himself that is usually open (unclassified), and thereby presenting, identifying himself. The identifying information (user name or login) can be the user's surname, profession, accounting or personnel number, and so on. But how does the computer's operating system tell who is addressing it: Pyotr Ivanov or Nestor Ivanov, the student Kuznetsov or the teacher Kuznetsov, one student Sidorenko or another student Sidorenko?

In addition to identifying information, the user must provide the operating system with additional secret authentication information (unknown to other users), confirming that he really is who he claims to be. In information theory this process is called authentication. Authentication serves not only to verify users but also to verify the authenticity of the source of messages, a server or a program, which is especially important when working in a multi-user environment (a local, corporate or other network).

The user can confirm his authenticity by presenting one of three kinds of object to the operating system:

• something he knows (a password, a cryptographic key, etc.);

• something he possesses (a mechanical or electronic key, a plastic card, a flash card, a Touch Memory tablet, etc.);

• something that is part of him (a biometric password: a fingerprint, a facial image, the pupil of the eye, the retina, etc.).

A password is a unique string of characters, entered by the user to authenticate him to the computer and unknown to other users, which the operating system or application program compares with the samples stored in a special list inside it.

The purpose of assigning passwords is to restrict users' access to the resources and services of the network or computer, to programs or documents, to databases or the databases of search engines.

Only users who present the correct combination of user name and password are admitted. When accessing programs or documents, databases or search-engine databases, it is enough to present only the password, since this access is organized by the operating system, which received the user's identifier (the user name) when the user first logged in.

The most important passwords are stored by the operating system in special files (*.pwl, etc.) or in protected system databases (the registry). The disadvantages of this kind of storage are obvious: these repositories can be destroyed or deleted and replaced with others.

Passwords for working with individual files are stored inside those files. When a file is copied or moved to another medium or another computer, the password travels with the file and continues to protect it.

Sometimes users get tired of typing the same passwords over and over and make the program remember the password (save it in a specially allocated area of external memory, the cache). This procedure is called password caching. However, it is a dangerous procedure: once the password lies somewhere separately, it can be deleted or altered. Avoid caching passwords.

The forms in which passwords are stored also differ:

• symbolic: in the program text the password is saved as the set of character codes that make it up; this is the least successful form of storage, because the password can be "read" directly in a text editor;

• digital: the codes of the characters making up the password are converted according to some rule, recoded, and in dialog windows are replaced with asterisks; this form of storage is somewhat more robust, but there are programs that reveal and display the characters hidden under the asterisks (the Open Pass program);

• encrypted: as a rule, the password is first lengthened by adding so-called "salt" (or "garbage") to it, which can be the user name, the logon time, the file-open time, or simply a generated random number; the lengthened password is then encrypted, and recovering it without knowing the lengthening and encryption algorithms is almost impossible;

• compressed: the password is first lengthened (salted or "littered") and then compressed with a special hash function to obtain a hash image of the password, which is what is stored in external memory; this process is called password hashing (not to be confused with caching), and recovering the password without knowing the lengthening and hashing algorithms is almost impossible.
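The difference between these forms is easiest to see by writing each one out and asking what someone who can read the stored file learns from it. The block below is an added example and not the page's or any program's code; the sample password, the XOR constant standing in for the "digital" recoding rule, and the PBKDF2 iteration count are constructed. The "encrypted" form is omitted because the program would then need its decryption key, which must itself be stored somewhere.

```python
import hashlib
import hmac
import os

# Added example, not from the page: the storage forms the text lists, applied to
# a constructed sample password, and a check of which of them a text search of the
# stored file would expose.

SAMPLE = "Gdvtch"           # constructed sample password
XOR_KEY = 0x2A              # the fixed recoding rule of the 'digital' form (made up)
ROUNDS = 100_000


def store_symbolic(pw):
    """Symbolic form: the raw character codes, readable in any text editor."""
    return pw.encode("utf-8")


def store_digital(pw):
    """Digital form: each code recoded by a fixed rule and shown as asterisks; reversible."""
    return bytes(b ^ XOR_KEY for b in pw.encode("utf-8"))


def reveal_digital(blob):
    """What an 'asterisk revealer' does: apply the known rule backwards."""
    return bytes(b ^ XOR_KEY for b in blob).decode("utf-8")


def store_compressed(pw, salt=None):
    """Compressed form: lengthen with random salt, then hash; salt and hash are what is stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ROUNDS)


def verify_compressed(pw, salt, digest):
    """Rehash the candidate with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


def found_by_text_search(stored, pw):
    """Would searching the stored file for the password text find it?"""
    return pw.encode("utf-8") in stored


def compare_forms(pw):
    """Summarize how each form fares against someone who can read the stored file."""
    salt, digest = store_compressed(pw)
    return {
        "symbolic": found_by_text_search(store_symbolic(pw), pw),
        "digital_searchable": found_by_text_search(store_digital(pw), pw),
        "digital_reversible": reveal_digital(store_digital(pw)) == pw,
        "compressed_verifies": verify_compressed(pw, salt, digest),
    }
```

Two calls to store_compressed with the same password give different hash images because the salt differs each time, which is exactly what the "lengthening" in the text buys: a list of precomputed hashes of dictionary words is useless against a salted store.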

Users write passwords down in unprotected places. Information-security engineers and administrators find written-down passwords (this, by the way, is one of their main duties):

• on scraps of paper and in draft office documents;

• in notebooks and on business cards (which are trifles that get given away);

• inside pens and on souvenirs on the desk;

• on the underside of the mouse, the mouse pad or the keyboard;

• on the shelf under the keyboard and on the walls of desk drawers;

• on the back, the side and the stand of the monitor;

• copied ready-made from calendars or from the billboard across the street (what happens when the calendar or the advertisement is changed is obvious);

• and the masterpiece of the genre: a password written on the sole of a shoe which, because of a sharp seasonal cold snap, was left at home and badly let its owner down.

A password cannot be written down (the note will be read by someone who should not read it, and you will forget where you wrote it); the password must be remembered!!!

A forgotten password can be recalled in only one way: by conducting an attack on (cracking) the password with a specialized program available on the Internet.

Types of attacks on passwords:

• social engineering (sociotechnics): obtaining the password by deception from those who know it;

• digging in the trash: obtaining the password from the information waste of your activity; if passwords are not written down and not cached on the computer, this danger does not arise;

• peeping: if colleagues are attentive to your professional activity (rather than their own), there is a danger that someone will remember your password;

• dictionary attack: knowing which program is asking for the password, one can feed it words one after another from a conventional or a specialized frequency dictionary (words are arranged not alphabetically but in descending order of frequency of use in everyday speech); a password can be found relatively quickly if it consists of a dictionary word in a single language;

• exhaustive search of all possible variants (power attack, or brute-force method): however many symbols are entered, they form, as mathematicians say, a finite set whose elements can be enumerated; the only question is how long it takes.

Table 11.2 shows the time required for an exhaustive search of passwords.

Table 11.2

Complexity of the attack at a speed of 200 thousand passwords per second

| Password length | 26/32 characters (one language) | 96 characters (one language plus punctuation marks and markup) | 224 characters (all symbols of the ASCII or ANSI code table) |
|---|---|---|---|
| 3 | 0.1 s | 3 s | 1.5 min |
| 4 | 3 s | 7.5 min | 4.8 hours |
| 5 | 1 min | 11 h | 55 days |
| 6 | 26 min | 36.5 days | 49.5 years |
| 7 | 16.5 h | 11.8 years | 114 centuries |
| 8 | 12.5 days | 11.4 centuries | 29227 centuries |
| 9 | 310 days | 1097 centuries | 7482200 centuries |
| 10 | 22.5 years | 105337 centuries | 1915443061 centuries |
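The table is just m**n / rate, with m the alphabet size, n the password length and rate the 200,000 passwords per second in its title. The following added example (not from the page) recomputes it and adds a helper that answers the practical question behind the 45-day change interval given later: how long must a password be for an exhaustive search to outlast that interval? The year length of 365.25 days is an assumption; with it the computed values match the table's entries to the rounding shown, except that the rightmost column for lengths 8-10 is reproduced by a 256-symbol alphabet rather than the 224 in its header, so 256 is included as a column here as well.

```python
# Added example, not from the page: the arithmetic behind Table 11.2. An exhaustive
# search over an alphabet of m symbols and password length n tries m**n strings;
# at the table's 200,000 passwords per second the time is m**n / 200000 seconds.

RATE = 200_000                      # passwords per second, from the table's title
MINUTE, HOUR, DAY = 60, 3_600, 86_400
YEAR = int(365.25 * DAY)            # 31,557,600 s (assumed year length; matches the table's rounding)
CENTURY = 100 * YEAR


def search_seconds(alphabet_size, length, rate=RATE):
    """Worst-case time to try every string of the given length."""
    return alphabet_size ** length / rate


def human(seconds):
    """Render a time in the units Table 11.2 uses."""
    for unit, name in ((CENTURY, "centuries"), (YEAR, "years"), (DAY, "days"), (HOUR, "h"), (MINUTE, "min")):
        if seconds >= unit:
            return f"{seconds / unit:.1f} {name}"
    return f"{seconds:.1f} s"


def search_table(lengths=range(3, 11), sizes=(26, 32, 96, 224, 256), rate=RATE):
    """Rows: password length; columns: alphabet size. 256 is included because the table's
    rightmost column for lengths 8-10 matches 256 symbols rather than the 224 in its header."""
    return {n: {m: human(search_seconds(m, n, rate)) for m in sizes} for n in lengths}


def length_needed(alphabet_size, horizon_seconds, rate=RATE):
    """Smallest length whose exhaustive search outlasts a horizon, e.g. the 45-day change interval."""
    n = 1
    while search_seconds(alphabet_size, n, rate) <= horizon_seconds:
        n += 1
    return n


def print_table():
    """Print the computed table with one column per alphabet size."""
    rows = search_table()
    sizes = list(next(iter(rows.values())).keys())
    print("len  " + "".join(f"{m:>20}" for m in sizes))
    for n, cells in rows.items():
        print(f"{n:<4} " + "".join(f"{cells[m]:>20}" for m in sizes))


if __name__ == "__main__":
    print_table()
    print("length needed to outlast 45 days, 26 symbols:", length_needed(26, 45 * DAY))
    print("length needed to outlast 45 days, 224 symbols:", length_needed(224, 45 * DAY))
```

At this rate a lowercase-only password must be 9 characters long for an exhaustive search to exceed 45 days, while a password over the full 224-symbol table needs only 6; that is the reasoning behind the rule that the change interval must be shorter than the cracking time.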

Rules for forming a secure password:

• The password is changed every 45 days (the interval between password changes must be shorter than the time required to crack them).

• Default passwords (the passwords of installed programs that have not yet been changed) live no longer than 3 days.

• After 3-5 (at the administrator's discretion) unsuccessful attempts to enter the password, it is locked for several hours.

• A time delay is introduced between checking the password and issuing the message that the entered password is accepted or rejected.

• A new password must not coincide with the last 3-5 passwords used before it.

• The password length must be 6-10 characters for users and at least 12 characters for administrators.

• The characters of the password must not form a dictionary word.

• The password must contain letters, digits and special characters.

• Both lowercase and uppercase letters must be used when typing a password.

• Letters of the alphabets of two languages must be used when typing a password.

To analyse the suitability of character sets as passwords, they are divided into categories of reliability, each category being assigned a numeric code according to the following requirements.

None (conditional numeric code 0): only letters of one alphabet in one case, or only digits. In a power attack, one character of the password is found in 10 attempts for a numeric password, or 32 for a Russian letter.

Weak (code 1 or 12): the characters form a dictionary word in one of the languages (code 1), with or without both lowercase and uppercase letters of the same alphabet (code 2). A dictionary attack with hacker frequency dictionaries is used to crack such a password.

Strong (code 23): both lowercase and uppercase letters of the same alphabet are used (code 2) and the characters do not form a dictionary word in any of the languages (code 3). In a power attack, one character of the password is found in 66 attempts for Russian letters.

Strong (code 234): both lowercase and uppercase letters of the same alphabet are used (code 2), the characters do not form a dictionary word in any of the languages (code 3), and digits are used together with letters (code 4). In a power attack, one character of the password is found in 76 attempts for Russian letters.

Difficult (code 2345): both lowercase and uppercase letters of the same alphabet are used (code 2), the characters do not form a dictionary word in any of the languages (code 3), digits are used together with letters (code 4), and characters of two languages (two alphabets) are used (code 5). In a power attack, one character of the password is found in 128 attempts (10 digits + 33 · 2 Russian letters + 26 · 2 English letters).

Reliable (code 23456): both lowercase and uppercase letters of the same alphabet are used (code 2), the characters do not form a dictionary word in any of the languages (code 3), digits are used together with letters (code 4), characters of two languages (two alphabets) are used (code 5), and special characters (neither letters nor digits) are used (code 6). In a power attack, one character of the password is found in 224 attempts (all symbols of the ANSI code table).
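The reliability codes above and the formation rules listed before them are both mechanical enough to check by program. The block below is an added example, not the page's code; it assigns the codes 0, 1/12, 23, 234, 2345 and 23456 to a password, sums the per-character alphabet sizes the text uses for its attempt counts (10 digits, 33 Russian letters per case so that the sums come to 128 and 224 as in the text, 26 English letters per case, and 96 special symbols), and reports which formation rules a password breaks. The small DICTIONARY is a constructed stand-in for the frequency dictionaries the text mentions, and combinations the text does not name (for example digits with special characters only) are reported as not on its scale.

```python
# Added example, not from the page: the reliability codes of the text and the
# password-formation rules, applied to constructed sample passwords.

CYRILLIC_LOWER = set("абвгдеёжзийклмнопрстуфхцчшщъыьэюя")
LATIN_LOWER = set("abcdefghijklmnopqrstuvwxyz")
DICTIONARY = {"password", "student", "summer", "пароль", "студент"}   # constructed stand-in

# Per-character alphabet sizes used in the text's attempt counts: 10 + 33*2 + 26*2 = 128, + 96 specials = 224
SIZES = {"digit": 10, "lat_lower": 26, "lat_upper": 26, "cyr_lower": 33, "cyr_upper": 33, "special": 96}
NAMES = {"0": "None", "1": "Weak", "12": "Weak", "23": "Strong", "234": "Strong",
         "2345": "Difficult", "23456": "Reliable"}
LATIN, CYRILLIC = {"lat_lower", "lat_upper"}, {"cyr_lower", "cyr_upper"}


def classes_of(pw):
    """Which character classes the password draws on."""
    found = set()
    for c in pw:
        low = c.lower()
        if c.isdigit():
            found.add("digit")
        elif low in LATIN_LOWER:
            found.add("lat_upper" if c.isupper() else "lat_lower")
        elif low in CYRILLIC_LOWER:
            found.add("cyr_upper" if c.isupper() else "cyr_lower")
        else:
            found.add("special")
    return found


def classify(pw):
    """Return (category name, code string, attempts per character in a power attack)."""
    cls = classes_of(pw)
    size = sum(SIZES[k] for k in cls)
    has_letters = bool(cls & (LATIN | CYRILLIC))
    mixed_case = LATIN <= cls or CYRILLIC <= cls
    two_alphabets = bool(cls & LATIN) and bool(cls & CYRILLIC)
    if pw.lower() in DICTIONARY:                      # code 1, or 12 with mixed case
        code = "12" if mixed_case else "1"
        return NAMES[code], code, size
    if len(cls) == 1 and cls != {"special"}:          # digits only, or one case of one alphabet
        return NAMES["0"], "0", size
    code = ("2" if mixed_case else "") + ("3" if has_letters else "") \
        + ("4" if "digit" in cls and has_letters else "") + ("5" if two_alphabets else "") \
        + ("6" if "special" in cls else "")
    return NAMES.get(code, "not on the text's scale"), code, size


def check_rules(pw, history=(), is_admin=False):
    """The formation rules from the text; returns the list of violated rules (empty = compliant)."""
    cls = classes_of(pw)
    broken = []
    min_len, max_len = (12, None) if is_admin else (6, 10)
    if len(pw) < min_len or (max_len and len(pw) > max_len):
        broken.append("length")
    if pw.lower() in DICTIONARY:
        broken.append("dictionary word")
    if "digit" not in cls or "special" not in cls or not (cls & (LATIN | CYRILLIC)):
        broken.append("letters, digits and special characters")
    if not (LATIN <= cls or CYRILLIC <= cls):
        broken.append("both cases")
    if not (cls & LATIN and cls & CYRILLIC):
        broken.append("two alphabets")
    if pw in history[-5:]:                            # not among the last 3-5 passwords
        broken.append("reused")
    return broken
```

Note that a single-case dictionary word such as "student" is classified Weak (code 1) rather than None, because the dictionary attack, not the power attack, is the relevant one for it; the None category is reserved for character sets that are both unmixed and not in the dictionary.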

How to create and remember a password?

The main principle is associative memorization. Many of us as children tried to remember the order of the colours in the spectrum: red, orange, yellow, green, light blue, blue, violet. A saying composed from the first letters of the colour names makes this easy to memorize: "Every hunter wants to know where the pheasant sits" (in Russian, the first letters of the words of this saying coincide with the first letters of the colour names). In effect, some words are replaced by others to form an easily remembered phrase.

There are different approaches to this difficult task of creating and remembering a password. Besides associative memorization, the ability of most people to assimilate logical sequences of actions, i.e. algorithms, is used.

The first approach is applied to short-lived passwords for files and archives that need to be moved from one computer to another, after which they (the files, their names and the passwords) can be changed.

In this case the password is formed from the name of the file or archive according to certain rules. Let the file name be Annual report.dos.

• skip the vowels: the password Gdvtch;

• skip the consonants: the password Oooee;

• replace the vowels with digits: the password Г1д2и345тч6т;

• replace Russian letters with similar-looking English letters: the password btw;

• write the letters from right to left, and so on.

The drawback of this approach is obvious: it is dangerous to change the name of the file or archive, which is why it is applicable only to short-lived passwords.

The second approach is more universal: remember a proverb, a saying, a stanza of a poem or a line of a song, and make several passwords from it that only you will know and can easily reconstruct.

Example password: c c6 cp, obtained from the phrase "Every student wishes to pass the sixth grade in computer science" (the bold letters are Russian, the rest English).

The third approach is simpler: repeat a favourite word or phrase several times, separating the repetitions with a special character or characters.

Example password: Porridge + Porridge-Porridge = Porridge

The fourth approach is the simplest, if you have a good memory: remember a whole phrase as the password.

Examples of passwords: Get out of Moscow! Here I'm no longer a rider!

or To the village, to your aunt, to the wilderness, to Saratov!

During one working session at the computer the user may have to enter (and, accordingly, firmly remember) up to six or seven different passwords. Consider these situations.

1. Password for access to the operating system. If several people work on the computer, or other people have access to the room where the computer is located, a password is essential.

2. Password for opening document files. If documents are not transferred from this computer to another, one password can be used for a large group of files of the same type, for example Microsoft Word documents.

3. Password for changing the access mode to a document (read only, permission to write corrections, protection of data in form fields). Most often a password protects only one of the access modes of a document. Therefore the same password can be used to protect different access modes in the same document or in different documents.

4. Password for access to an archive file. If documents are transferred from one computer to another, a separate password should be used for opening the compressed (archived) document, the archive file. Since this password will be typed on different computers, it must differ from the password for opening the file of any specific document.

5. Password for cancelling sleep mode or turning off the monitor's screen saver, activated when you are temporarily away from your workplace.

6. Password(s) for access to local network resources (network drives, a network printer).

7. Password(s) for access to global network resources or services (Internet access, opening an electronic mailbox, using an encryption system, using the computing resources of a remote computer, access to a blog or personal journal).

In multi-user systems, passwords are also set for changing the settings of individual programs, for changing settings and administering the operating system (controlling access to the computer for different users), for limiting children's access to individual programs, and so on.

Read carefully through the types of passwords and the rules for remembering them, and be sure to follow the recommendations in practice.

Users understand that including in the password special characters that are neither digits nor letters of any alphabet increases the password's reliability. But the conclusion often drawn from this is wrong: to compose the password only from special characters.

There are several drawbacks to this approach.

1. Such a password is very hard to remember, and several such passwords are almost impossible to remember.

2. Passwords composed only of special characters are hard to enter repeatedly from the keyboard. So the user finds a place to store them that is "secret", though not for hackers and crackers.

3. The password itself is composed and typed in one of the editors using the Insert, Symbol command and non-standard, exotic fonts, and is then copied through the clipboard into the password input line. In doing so the user overlooks that the password was typed and copied in the OEM encoding, whereas on pasting the computer uses the standard, most likely ANSI, encoding. As an example, the first column of Table 11.3 shows passwords composed by users in the Microsoft Word text editor with the Wingdings font; the second column shows how the computer sees these passwords.

Table 11.3

View of one password in different code tables

Columns: Typed password | Password as processed by the computer in ANSI | Password as processed by the computer in KOI-8R

Surviving cell values of the table body, in the order they appear (the Wingdings glyphs of the first column were not preserved): COUNTRY BOARD, RBCCS, Letter *, RIUSHNG, &Vk, ?iM, Knife, oPTS.

Passwords composed of special characters certainly have a right to exist. But among them there are both weak ones (the second and third rows of the table) and reliable ones (rows 4-6 of the table). To check how the computer perceives the password you typed, copy it into Notepad or into the address bar of Internet Explorer.

It is harder when a password is transferred from ANSI to a program with a different code table, for example KOI-8R. Compare the second and third columns of Table 11.3.

Which character set, then, is the user's password in?

It is more sensible not to use exotic fonts when creating and entering a password, and to check in advance what code table your computer uses. A password for opening a document that was entered on another computer will do its job, but its internal representation (for the application program) will differ. Only programs that are well integrated into the operating system are able to work correctly with such passwords. Moving a document created in a Windows application to another platform in which the code representation of some characters differs will lead to problems when opening it.

Remember that not all characters, even from the standard ANSI code table, are transferred correctly to other platforms, for example Mac OS, which can cause problems (as in Figure 11.5).

Fig. 11.5. Warning about a password encoding problem
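The code-table problem is concrete once you look at the bytes: a program hashes or compares the encoded bytes of the password, not the characters you see, so the same typed text yields a different stored image under ANSI (code page 1251 on Cyrillic Windows), KOI-8R, Mac OS Cyrillic or UTF-8 unless it is plain ASCII. The block below is an added example and not the page's code; the encoding names are Python's codec names, and the check in same_on_all_platforms is the practical test the text recommends making before relying on a password across machines.

```python
import hashlib

# Added example, not from the page: what happens to a password's bytes when the
# typing side and the checking side use different code tables (the text's ANSI vs
# KOI-8R case). "ANSI" on Cyrillic Windows is code page 1251, cp1251 in Python.

PLATFORM_ENCODINGS = ("cp1251", "koi8_r", "mac_cyrillic", "utf-8")


def password_bytes(pw, encoding):
    """The bytes a program actually hashes or compares for this password under a code table."""
    return pw.encode(encoding)


def reinterpret(pw, typed_in, read_as):
    """Bytes typed under one code table as displayed by a program that assumes another."""
    return pw.encode(typed_in).decode(read_as, errors="replace")


def same_on_all_platforms(pw, encodings=PLATFORM_ENCODINGS):
    """True when every listed code table yields identical bytes (in practice: plain ASCII).
    A character that one table cannot encode at all counts as a mismatch."""
    try:
        images = {pw.encode(e) for e in encodings}
    except UnicodeEncodeError:
        return False
    return len(images) == 1


def fingerprint(pw, encoding):
    """Short hash of the encoded bytes: a document password's stored image under this table."""
    return hashlib.sha256(password_bytes(pw, encoding)).hexdigest()[:16]


def report(pw):
    """How the same password looks to programs using different tables."""
    return {e: fingerprint(pw, e) for e in PLATFORM_ENCODINGS}


if __name__ == "__main__":
    for pw in ("Report2024!", "Пароль"):      # constructed sample passwords
        print(pw, "portable" if same_on_all_platforms(pw) else "NOT portable", report(pw))
    print("Пароль typed in cp1251, read as KOI-8R:", reinterpret("Пароль", "cp1251", "koi8_r"))
```

A Cyrillic password produces a different fingerprint under each table, so a document protected with it on one machine may refuse to open on another, while an ASCII password is byte-identical everywhere; that is the reason to avoid exotic fonts and non-ASCII symbols in passwords that will travel.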
