I originally posted this at http://www.318.com/TechJournal
Logging onto most network resources requires the use of a password. Before passwords are sent over networks they are encrypted. Many different variables and algorithms are used to encrypt passwords. The most common method of encrypting passwords before they are sent over a network uses the seconds and minutes fields of file modification time stamps to build variables.
The system doesn’t use the time stamp as a variable directly, but uses them to generate hashes. A hash is a number generated from a string of text. The hash is smaller than the text itself and is generated by a formula in such a way that it is extremely unlikely that some other text would produce the same hash value. Hash values are typically 160 bits in length.
To increase security, hashes are broken up into segments, known as a message digest. These segments are sent over the network in a stream, or the actual data being transferred between two systems. A hash is a one-way function so it will not produce the same message digest from two different inputs. Kerberos uses the date and time stamps of two systems as inputs, which is one reason it is important for systems communicating using Kerberos to keep their clocks in sync. All of this helps ensure the infeasibility of reversing encryption.
Although it is infeasible it is not impossible to break encryption schemes. The NTHash standard of security used by Windows employs a password encryption scheme that simply combines hashes. The NTHash method of password encryption has been exploited. OS X, as with UNIX and Linux, uses a 12-bit string of random numbers to create a more secure hash. This 12-bit string of characters is known as a salt. The use of a 12-bit salt requires brute force attempts to crack encryption will take 4,096 times longer by taking more resources.
Using nonstandard ASCII characters such as !, #, @, *, etc. helps to increase password security as does keeping as up-to-date as possible with security patches. Using Kerberos helps to keep the encryption process as secure as possible due to salted hashes. Another security improvement with Kerberos is that Kerberos creates a ticket upon successful authentication. This ticket is used to access resources across all the servers sharing a common information database such as Open Directory and Active Directory.
In a Kerberos environment passwords don’t have to be sent over the network each time a resource is being accessed. Reducing the frequency of password usage and handling passwords more effectively makes Kerberos a strong weapon in the Network Administrators arsenal. The use of LDAP databases such as Open Directory makes network management easier and more secure.