Everything You Need to Know About Windows Autopilot Imaging
What is Windows Autopilot?
Autopilot lets you image machines after an Azure AD user account has been logged into the machine. Once the user has successfully logged in, the Windows version and edition are configured. This way, you don't need to be on-site to image and manage machines. Autopilot also automatically joins your machines to Azure AD, or to on-premises AD if you have Hybrid Azure AD join configured.
Note that you will need MDM functionality (MDM, or MDM/MAM) enabled in your Intune subscription in order to use Windows Autopilot.
Why use Windows Autopilot?
Because it eliminates or reduces user interaction: the user only needs to type their Azure credentials over the internet and possibly select their language and keyboard preference. With the Self-Deploy mode of Autopilot, the user only needs to connect the machine to Ethernet and everything else is automated. So, before ordering and shipping a brand new, unimaged machine to a targeted user, make sure the user has an Ethernet connection for Self-Deploy mode, or at least a wireless internet connection for User-Driven Autopilot imaging, which needs only a few interactions (selecting the locale and logging in with their Azure account credentials); everything else is automated from there.
Where to find Autopilot in Intune?
To open Autopilot from your Intune portal endpoint.microsoft.com, follow this path:
Devices > Windows > Windows Enrollment
Under this Windows Enrollment path, you will find the General and Windows Autopilot Deployment Program sections, where you can perform Automatic Enrollment, CNAME Validation, Windows Hello, Enrollment Status Page, Deployment Profiles, Devices, and Intune Connector for Active Directory.
How to register unopened machines to Autopilot?
Yes, you read it right, unopened! The beauty of Autopilot is that you can pre-register machines in your Autopilot blade while they are still at the vendor or warehouse. Just contact your vendor for the hardware hash IDs needed for Autopilot. You must tell them it's for Autopilot so they can give you the correct file format.
You will need to upload the hardware hash IDs of the machines you're processing to your Autopilot blade. You can also ask your machine vendors to harvest a list of the hardware hash IDs by following their own procedures; the corporate machine vendors are familiar with this already. I have also heard that you can have them drop the hardware hashes directly into your Autopilot by giving them your Azure tenant ID.
Your vendor should already be familiar with the services they offer to help with your Intune Autopilot, including the process for uploading hardware hashes to your tenant. If you don't want them dropping the hardware hash IDs directly into your tenant, just ask them for a list of hardware hashes exported in the default Autopilot file import format (.csv). You can use this file to import directly into your "Windows Autopilot devices" (not Azure AD Devices). Once the machines have been added to the Windows Autopilot devices, they are ready to go and can be connected to the internet for Autopilot imaging.
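As an added example (not code from the original post), here is a small Python check to run over a vendor-supplied Autopilot CSV before importing it, so a bad export is caught before it touches the tenant. The three column names are the standard Autopilot import header; the serials, product IDs and base64 hash blobs in the sample are constructed placeholders, and treating a hash repeated across two serials as an export error is an assumption of this check.

```python
import base64
import binascii
import csv
import io
from typing import Optional

# Header of the Autopilot device-import CSV. These three columns are mandatory;
# a vendor export may carry extra columns (for example a group tag), which pass through.
REQUIRED_COLUMNS = ("Device Serial Number", "Windows Product ID", "Hardware Hash")


def decode_hardware_hash(value: str) -> Optional[bytes]:
    """Return the decoded hash bytes, or None if the field is not valid base64."""
    try:
        return base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def validate_autopilot_csv(text: str) -> dict:
    """Check a vendor CSV before it is imported into the Windows Autopilot devices blade.

    Returns {"ok": [serials that passed], "problems": [(row_number, message), ...]}.
    Row numbers count the header as row 1, so they match what a text editor shows.
    """
    reader = csv.DictReader(io.StringIO(text))
    ok, problems = [], []
    header = tuple(reader.fieldnames or ())
    missing = [column for column in REQUIRED_COLUMNS if column not in header]
    if missing:
        problems.append((1, "missing column(s): " + ", ".join(missing)))
        return {"ok": ok, "problems": problems}

    seen_serials, seen_hashes = {}, {}
    for row_no, row in enumerate(reader, start=2):
        serial = (row.get("Device Serial Number") or "").strip()
        hwhash = (row.get("Hardware Hash") or "").strip()
        if not serial:
            problems.append((row_no, "empty serial number"))
            continue
        if serial in seen_serials:
            problems.append((row_no, f"duplicate serial {serial} (first on row {seen_serials[serial]})"))
            continue
        seen_serials[serial] = row_no
        if not hwhash:
            problems.append((row_no, f"{serial}: empty hardware hash"))
            continue
        if decode_hardware_hash(hwhash) is None:
            problems.append((row_no, f"{serial}: hardware hash is not valid base64"))
            continue
        if hwhash in seen_hashes:
            # A hardware hash identifies one device; the same blob on two serials
            # means a copy-paste error in the export, not two registrable devices.
            problems.append((row_no, f"{serial}: hash already used by {seen_hashes[hwhash]}"))
            continue
        seen_hashes[hwhash] = serial
        ok.append(serial)
    return {"ok": ok, "problems": problems}


def _b64(text: str) -> str:
    """Base64 helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample: serials, product IDs and hash blobs are placeholders, not real values.
SAMPLE_CSV = "\n".join([
    ",".join(REQUIRED_COLUMNS),
    "SN-0001,PRODID-0001," + _b64("constructed hash blob 1"),
    "SN-0002,PRODID-0002," + _b64("constructed hash blob 2"),
    "SN-0001,PRODID-0003," + _b64("constructed hash blob 3"),  # duplicate serial
    "SN-0004,PRODID-0004,not*valid*base64!",                    # corrupted hash field
    ",PRODID-0005," + _b64("constructed hash blob 5"),           # missing serial
    "SN-0006,PRODID-0006," + _b64("constructed hash blob 2"),  # hash copied from SN-0002
    "",
])


if __name__ == "__main__":
    result = validate_autopilot_csv(SAMPLE_CSV)
    for row_no, message in result["problems"]:
        print(f"row {row_no}: {message}")
    print("ready to import:", result["ok"])
```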
Do I need to import a captured image to Autopilot?
No. Since machines already come with an OS installed, you just need to configure the Autopilot settings, such as which operating system edition you want to use: Windows 10 Enterprise, Pro, Education, etc. Note that Autopilot only installs Windows 10 editions. The policies and apps assigned to users in your Intune then install after Autopilot has completed the OS initialization, equipping your users with corporate-standard machines! In short, instead of imaging machines in your IT space, you can directly send unopened, still-boxed machines from your stock or directly from your vendor, saving you time and man-power. Amazing, right!?
And of course Autopilot can also be applied to already-imaged machines to hand them down to another user and reuse them.
Types of Autopilot Remote Machine Resets
Autopilot features different types of resets to reuse, reassign, clean, or retire your machines, and you must understand the following Autopilot resets to use them efficiently.
REMOTE RESET (AUTOPILOT) – deletes the user folder, files, and apps. When you deploy this from Intune > Autopilot, MDM and Azure AD are not disconnected or deleted. In short, it deletes the user's profile, apps and data but keeps the Azure AD and MDM connections, as well as the internet connection information, so that the machine stays connected to the Intune and Azure cloud without interruption.
It can be deployed by going to:
Intune > Devices > All Devices > Pick the computer
LOCAL RESET (AUTOPILOT): this term is used interchangeably with REMOTE RESET, except that it is more commonly and more accurately called a local reset (Autopilot) when you press Win + Ctrl + R on the physical machine to perform an Autopilot reset.
Note: In order to perform Autopilot resets, “Automatic Redeployment” must be enabled on Device Restrictions > General in Autopilot profiles; and the machine name must be added to a group that is stored in this profile with the “Automatic Redeployment” enabled.
WIPE: Wipe offers several options, letting you retain apps, OEM apps, or user data. It removes the user profile, files, and apps from the machine and brings the computer to OOBE upon a successful reset. You keep the MDM/Intune enrollment after performing a wipe.
FRESH START: This uninstalls all previously installed software and apps but keeps user data such as files, profiles, folders, bookmarks, etc. This feature removes the MDM/Intune enrollment if you choose to erase the user data.
RETIRE: Disconnects the computer registration from Intune/MDM and removes all the policies and configurations coming from Intune/MDM. Software, apps, and user data are not deleted.
In conclusion:
If you want to clean apps and software:
Use “Fresh Start” without selecting delete profile.
If you want to reuse the machine and start from a clean slate to hand down a machine for re-assignment to another user:
Use “Remote Reset” or “Wipe”.
If you want to remove the PC from the MDM/Intune database and free up a license:
Perform a "Remote Reset" or "Wipe" first to remove user-specific data and apps, then select "Retire".
Microsoft Tools You Need to Build, Set-up, and Deploy System Images
When planning for imaging using the Microsoft platforms, you must be familiar with MDT, WDS, .wim and package files, capture, Windows PE, and Sysprep. To learn about these tools, read on.
If you are using a third-party imaging platform such as KACE Deployment, Ghost Imaging, etc., you are most likely not going to need this, as those vendors develop their own similar tools. This section is most useful if you would like to build your own distribution for imaging and want to use a Microsoft imaging platform such as SCCM. Please check out our KACE Imaging blog for that.
In this blog, Imaging, OS Imaging, Disk Imaging and Image(s) are used interchangeably and mean the same thing: your reference image that you will capture or have captured for mass redeployment.
Microsoft Deployment Toolkit (MDT)
You can download the installer from the Microsoft site. MDT automates your desktop and server deployment, and it offers admin tools through the Deployment Workbench console, which you can access after installing MDT on your server or machine.
In order to successfully install, you must first have:
Windows Assessment & Deployment Kit (ADK): to fully access MDT features
System Center 2012 R2 Configuration Manager (SCCM2012 R2)
MDT is best used on a Windows Server, but installing and using it on your local machine is also fine.
Using MDT, you can set up and configure a distribution share for Windows 10 deployment. In other terms, using MDT you can create a distribution share where you store all of your OS images. During the imaging process, the files are deployed from and pulled from here.
To create a Distribution Share using MDT:
1) Create a shared drive/folder on your network and assign Full Control permission to Everyone.
2) In the MDT console, create a new deployment share and point it to the shared drive/folder you just created.
3) Set it as the default distribution.
4) Select the options you want enabled.
5) Once the setup completes, your deployment distribution share has been created.
To set-up a Distribution Share, you'll need:
1) Windows OS image
2) Answer file (unattend.xml or autounattend.xml)
Windows Deployment Services (WDS) Server
On the other hand, you can also build a WDS server (Windows Deployment Services). WDS is most effective when you want to do a network deployment of images. You will need DHCP and Active Directory Domain Services set up for this. This enables PXE imaging. Once again, PXE means machines can boot from the network and select the image distribution share.
To image a machine using the distribution share and WDS, the machine must have access to, and connect to, the distribution share (so set permissions to Everyone) and must have a wired Ethernet connection. In other words, enable PXE booting so that your machines can reach the distribution share or WDS (whichever is preferred) when connected by Ethernet within your corporate network premises.
Here are more tools you will need to understand in the world of OS Disk Imaging:
.wim file: Using DISM, which is run from the command line, you convert your image into a .wim file so you can store it in your distribution share.
.ppkg file: You can also convert your .ppkg packages to .wim files (via script). Note that .ppkg files are exported from and created by the Windows Configuration Designer (WCD). WCD is commonly used to create an SCCM task sequence for imaging/deployment, or when you want a simple or base Windows OS on a flash drive that users can run, especially to reset a machine so it can be linked to a distribution server or to other company imaging and automation platforms such as Intune Autopilot.
Windows PE (Pre-installation Environment)
Windows PE is the first black, cmd-like screen you see when starting an image installation. It runs a script of commands that drives the initial imaging steps.
Windows Capture Tools and Sysprep
Of course, before you can store your images, you will need to Sysprep and capture them first. You may capture your images using:
· ImageX
· Image Capture Wizard
System Preparation Tool
Known as Sysprep or Sysprep.exe
Sysprep prepares the host VM or physical machine for capture and mass redeployment. I recommend using a VM for more productive sysprepping (I use Microsoft Hyper-V; it's free and built into Windows 10 Pro and above).
During a sysprep, the host machine is stripped of unnecessary system files and junk files for capture.
(Note: you capture your VM before the reference VM turns on again. Once your VM boots after a sysprep, everything is cleaned up, including apps and files, and it boots anew.)
WARNING! PLEASE DON'T RUN SYSPREP ON YOUR MACHINE, BECAUSE IT WILL ERASE YOUR DATA! Only run Sysprep when you have already made a snapshot or checkpoint of your VM so you can come back to it. During my first introduction to Sysprep, I clicked on it and sysprepped my own machine. Bummer! LOL!
The Sysprep executable is found in C:\Windows\System32\Sysprep.
To learn more about Sysprep, watch our Sysprep video or read our Sysprep Blog
How to create, capture, and deploy images over PXE aka ethernet connection
How to create, capture, and deploy images using a bootable flash
Windows Log-In Using Biometrics and Pictures
Windows Biometrics and Picture as a Log-in tool briefly explained
Logging in to your Windows machine using a biometric is called Windows Hello.
TYPES OF BIOMETRICS FOR WINDOWS LOGIN:
Fingerprint: needs a fingerprint reader
Facial recognition: needs an infrared camera
Iris scan: needs an infrared camera
In addition to these log-in methods, you will need to set up a PIN as a secondary log-in method in case the Windows Hello log-in fails to be recognized. PINs, though, can only be used on that physical computer, unlike Windows Hello, which can be used to log in to domains in addition to the computer log-in authentication. It is important to use a strong PIN so that if anyone tries to access your physical machine, it is difficult to break into.
Picture password, on the other hand, is a log-in feature that lets you draw shapes and gestures on the log-in screen to authenticate.
Windows 10 Upgrade Checklist
Read this checklist before attempting to upgrade or install Windows 10 Operating System.
This article has a linked article and video showing you how to download the free and safe Windows 10 ISO file from the Microsoft site.
Complete Windows 10 Upgrade Checklist
Read this checklist before attempting a machine upgrade to prevent errors, crashes, and data loss.
Windows 10 Tips and Tricks
· Backup your important files and documents
· List your settings, policies, configurations, etc.
· You can also install a more recent BIOS version to prevent BIOS incompatibility. Verify that you meet the minimum hardware requirements.
· Verify that your current apps and software are compatible with Windows 10. Use the Application Compatibility Toolkit (ACT) or the Compatibility Wizard if you're not sure whether the currently installed software is compatible with Windows 10.
· Know ahead of time whether you need Windows 10 drivers for your current machine.
· Don't forget to disable antivirus software and anti-malware agents before the upgrade.
Ensure you meet the minimum hardware requirements before attempting the upgrade.
Many people use Windows 10 on their computers nowadays, and many of them have doubts and concerns about a broad range of aspects. If you have any questions or doubts, you can rely on Binaryxx Technology Workshop to meet your needs efficiently. We offer you highly useful Windows 10 Tips and Tricks that help you solve many of the issues you are experiencing.
When it comes to upgrading your computer, you need to be fully prepared to eliminate unwanted issues including data loss. How to stay protected against these errors? We offer you Complete Windows 10 Upgrade Checklist to perform the machine upgrade in a fast and efficient manner.
Since we provide authentic information, you can follow our guidelines to successfully complete the upgrade. Binaryxx Technology Workshop does not confuse our readers with unclear or complex information. Everything is offered with clarity and precision to meet the varying objectives of different people.
Minimum Requirements for Windows 10 Installation or Upgrade
Read on to learn the minimum Windows 10 installation or upgrade system requirements. This article explains what you need to know as simply and briefly as possible.
· Minimum 16GB disk space for 32-bit
· Minimum 20GB disk space for 64-bit
· Minimum DirectX 9 or above
· Minimum 1GB memory for 32-bit
· Minimum 2GB memory for 64-bit
· Minimum 1GHz or faster processor
Minimum Requirements for Windows 10 Installation
Do you need the Windows 10 ISO file? Learn how to download a free and safe ISO file from the Microsoft site.
Windows 10 System Requirements
As a trustworthy knowledge sharing online platform, Binaryxx Technology Workshop offers the most updated information for our readers. What are the minimum requirements for Windows 10 installation? If you want to get the best answer to this question, you can rely on us. We provide clear, concise, and accurate information on this topic.
Many people still do not know the Windows 10 system requirements. Are you one of them? You can read the information provided below to clarify all your doubts and get the best answers to all your questions. We also provide information on how to download the Windows 10 ISO file.
Binaryxx Technology Workshop never confuses you when you depend on us to find a solution to a problem. We offer exactly what you need. You can subscribe to our newsletter to receive notifications on the latest articles immediately. We also offer YouTube tutorials to help you understand things faster.
What are Usernames and Domains? How to Join Machines to the Domain?
Learn the requirements and limitations of creating domain usernames. Understand the meaning of the domain, how it works in a nutshell, and how computers can join the domain remotely and locally.
This article will teach you how to join an Active Directory domain using a newly provisioned user account.
Usernames must consist of 10-20 characters. They cannot contain the following symbols: / \ @ < > + [ ] = ? | ; : , (no slashes, pipes, colons or commas).
When creating usernames, keep the naming convention and style in mind so you can accommodate users in your network who have the same names.
Like computers, user accounts also have SIDs. But instead of the numerical SID, a human-readable username is used.
It is important that users have very strong passwords.
Passwords: how to create strong passwords and what to keep in mind while designing them. Read More
In the corporate network, user computers are joined to the domain.
What are domains? They are connected databases, or connected networks of databases.
By default, the domain is set to WORKGROUP, which means the machine isn't connected to any specific corporate or institutional domain yet. You join your domain by specifying its address, for example binaryxx.com.
When entering the domain, ensure you have the correct computer name. Your computer must recognize a familiar network or the domain's corporate network. It is best to plug into the corporate wired Ethernet connection when joining the domain to avoid errors. If an Ethernet (wired) connection is not available, connect to the corporate Wi-Fi.
But if you are working remotely, connect to the corporate VPN first. Once your computer recognizes a connection to the corporate network of that domain, you can click OK to join the domain. You will then be prompted for authorized credentials to be able to join, so ensure your user account has been assigned the proper permissions.
ℹ️ HACK: Depending on your Windows Server domain controller and Active Directory settings, you can join a PC to the domain using the credentials of a newly created user of that domain within 10-14 days of the username being created.
Check out the article Creating Usernames and Assigning Permissions
Device Guard
What is Device Guard? How does it work, and how can it block threats from both software and hardware layers?
Device Guard: a feature to lock down Windows 10. It is controlled by configured policies that control and prohibit applications not defined in them. It can be applied to, and works on, Hyper-V and Sandbox because Hyper-V is configured to run on virtualized layers.
Examples of threats Device Guard can detect and block:
Malicious code: Device Guard compares code against the configured policies. If the detected code is not recognized, Device Guard blocks it. In the same way, allowed software can be started while unknown software that tries to run is blocked.
Boot threats and attacks: If your system has the UEFI feature known as Secure Boot, Device Guard will block any changes to the boot settings. So, if Device Guard and Secure Boot are enabled and you change the boot settings (boot entries, legacy setting, boot order, etc.), you will not be able to load your operating system when you turn on your machine, and you will be notified on a block screen.
Kernel attacks: Device Guard works with virtualization-based security in a way that secures Hyper-V and in turn secures the kernel as well as the OS. There is a Virtualization Based Security (VBS) setting that can be enabled to secure kernel mode. When it is enabled, system files are protected, so bad drivers and suspicious files will not be loaded.
Device Guard works in kernel mode (KMCI) and user mode (UMCI), meaning Device Guard secures Windows on both the hardware and software layers.
ABBREVIATION MEANINGS:
KMCI: Kernel Mode Code Integrity
UMCI: User Mode Code Integrity
Note: Using Device Guard could be a challenge if your environment uses line-of-business apps. Read More
What is a Windows Update?
Briefly explains the types of Windows updates. This article tells how to get and delay updates, and how to configure devices with different update channels: Long Term Servicing Channel (LTSC), Annual Channel (Targeted), and Windows Insider.
You may download Windows updates from the Microsoft website or from a WSUS server (Windows Server Update Services). Microsoft releases new updates every Tuesday, a.k.a. "Patch Tuesday."
Types of Windows Updates:
Security Updates:
Critical updates:
Driver updates:
SP or Service Packs:
Updates can also add brand new, never-before-seen functionality and features; for example, the addition of Sandbox in the most recent Windows 10 version, 2004.
Since Microsoft updates can break some functionality, it is best to test updates first on virtual or test machines, or to defer the weekly updates. You also have other "servicing options", such as the LTSB (Long Term Servicing Branch) or annual channel, which is the last group to receive Windows updates. There is also a Semi-Annual Channel and a Semi-Annual Channel (Targeted). If you want to be first in line to receive Windows updates (especially if you work on patches), set your machine to the Windows Insider servicing option.
Other Types of User Profiles: Mandatory Profiles vs. Super Mandatory Profiles
Explains how other types of Windows user profiles, such as "mandatory" and "super mandatory," can benefit your organization and users more than implementing the standard user profiles. This article explains how to recognize such profiles, how to create them, and their best use cases.
MANDATORY PROFILES: need administrator permissions to be managed and modified. Recommended for users who can share the same profile to log in to shared but consistently used machines.
For example:
Scientists who log in to the computer(s) connected to a temperature-controlled device: instead of logging in with their own credentials or a guest account, they can log in using the mandatory profile. That way, all scientists have the same profile. Mandatory profiles are stored in NTUSER.MAN.
To create this type of profile, change the roaming user profile's NTUSER extension from .dat to .man.
This tweak doesn't work on local user profiles, only on roaming profiles.
Also, any new desktop settings set by users under this mandatory profile will be deleted after logging off.
SUPER MANDATORY PROFILES: a temporary profile when there is no mandatory profile. The super mandatory profile's path has a .man extension, so if you see a path with this extension, the profile is super mandatory. Not to be confused with mandatory profiles, where .man is the extension of the profile file itself.
SUPER MANDATORY vs MANDATORY
Super mandatory: the profile path ends in .man
Mandatory: the profile file has the .man extension
New Windows 10 Security Features: Credential Guard and Device Guard
Device Guard works on both the user and kernel levels, protecting from both hardware and software threats.
Device Guard can be configured through SCCM, by Group Policy, and by executing from PowerShell.
Credential Guard is a Secure Boot option that PowerShell, cmd, or GPO can push to your device fleet. It secures hardware by verifying the firmware.
Device Guard is a Windows 10 feature consisting of policies that administrators set to restrict prohibited apps based on those configured policies.
Credential Guard is a Secure Boot configuration that also needs to be enabled in the BIOS first, before policies can be defined by the administrators. Once Secure Boot is enabled in the BIOS, the administrators can then implement Device Guard and define policies using PowerShell, command prompt, and Group Policy (GPO).
Device Guard secures the hardware by verifying the firmware codes and signatures.
Read more about Device Guard and Credential Guard
What is Windows 2004?
Windows 2004 is a name derived from the year 2020 and the month of April (04). Windows 2004 is Microsoft's most recent Windows 10 version release, adopting its nomenclature from its release date. This article briefly explains the minimum requirements to upgrade and the new features in this release.
What is New in Windows 10 Version 2004
Do you want to know what is new with Windows 10 Version 2004 and 20H2? Keep on reading:
Windows 10 version 2004, also known as the Windows 2020 version, was released in the spring of 2020, following version 1909.
Major update releases that include anticipated features and functionality are also referred to as anniversary updates.
Minimum requirements for Windows 2004 installation
Tips on understanding Windows versions nomenclature:
The first two digits are the release year and the last two digits are the Windows Insider release month.
Example:
1607: released in 2016; initial update (also known as the Windows Insider update) in month 07, July
1709: released in 2017; initial update in month 09, September
1803: released in 2018; initial update in month 03, March
1809: released in 2018; initial update in month 09, September
1903: released in 2019; initial update in month 03, March
1909: released in 2019; initial update in month 09, September
2004: released in 2020; initial update in month 04, April
Microsoft releases two major Windows 10 updates each year that include major features and functionality and carry the version number. The weekly Tuesday updates are the regular Windows Updates.
Windows Terms You Should Know as a Computer Administrator
Explained in abridged and simple terms:
What not to do when naming domain usernames.
What is a "Domain Join"?
How to join a device to the domain locally or remotely.
Are you a computer administrator? Here are the most important Windows Terms You Should Know as a Computer Administrator.
Compatibility Wizard: another platform that tests application compatibility on different OS versions
Disk partitioning: the lettered drives in your computer; logical volumes
System partition: contains the files needed to boot the OS, and contains the MBR and the boot sector of the active partition. Often the first physical drive
Boot partition: contains the Windows 10 OS files, located in the C:\Windows folder
Active partition: usually the C: drive; the partition used to start your computer
Locale settings: used to configure the format for time, date, and currencies
Distribution server: used when installing Windows 10 from the network
Microsoft Reserved Partition (MSR): boot loader files sit here (don't delete this partition). You'll see this on UEFI systems
Workgroup: connecting non-domain networks, also known as a peer-to-peer connection. More commonly used in small companies or homes
Domains: see also domain controller, a Windows server where machine names are stored in Active Directory. Used by medium to large companies
Media errors: caused by faulty DVDs or CDs; your installation disk may be scratched
Hardware Compatibility List (HCL): list of recognized Windows 10 compatible hardware
Plug and Play (PnP): connected accessories and peripherals that work automatically when connected to the computer
Dynamic Link Libraries (DLL): an application DLL contains functions and information that can be used by another module; migration DLLs are used for OS upgrades
Application Compatibility Toolkit (ACT): tells you whether your software applications are compatible with Windows 10
TCP/IP network resources: enable internet and computer communications
DHCP: the client configured when Windows 10 is installed with typical or default settings. Provides IP configuration; if DHCP is unavailable, the machine is still assigned an auto-configured IP address but will not be able to communicate with DHCP-addressed machines and servers
Click here to read more terms computer administrators must know
What is a Password? (Technical)
Analyzed from an in-depth technical point of view. It talks about encrypted, hashed, and salted-hashed passwords, password security and password cracking.
An in-depth explanation of passwords
Note: The article below was inspired by and taken collectively from my college cyber security classes, so I do not own or claim the non-general ideas written below. I only intend to share crucial technical information that is not widely known, to raise awareness of the importance of having highly secure passwords, to explain what they are in technical terms, and to explain how they could easily be stolen through the internet and through social engineering.
Why Are They Important?
Passwords are cheap to deploy, but they also act as the first line of defense in a security arsenal. They are also often the weakest link.
Examples of what they protect:
ATMs and bank accounts
Nuclear power and other critical infrastructure systems
Company proprietary information and systems
Email accounts (Gmail, Yahoo, Microsoft Outlook, etc.)
Student information (e.g. MyUni & Blackboard)
Password Authentication
Passwords have been used for centuries, e.g. by guards and sentries.
Passwords = secret authentication code used for access.
αυθεντικός = real or genuine, from 'authentes' = author
Answers the question: how do you prove to someone that you are who you claim to be?
Authentication methods:
– What you know (Passwords, Secret keys)
– Where you are (IP Addresses)
– What you are (Biometrics)
– What you have (Secure tokens)
How Can Passwords Be Stored?
Filing system: clear text
Dedicated authentication server: clear text
Encrypted: password + encryption = bf4ee8HjaQkbw
Hashed: password + hash function = aad3b435b51404eeaad3b435b51404ee
Salted hash: (username + salt + password) + hash function = e3ed2cb1f5e0162199be16b12419c012
How Are Passwords Stored? – Hashing
Passwords are usually stored as hashes (not plain text). The plain text is converted into a message digest through a hashing algorithm (e.g. MD5, SHA).
• A hash function H must have some properties:
– One-way: given H(password), it is hard to find password. No known algorithm does better than trial and error.
– Collision-resistant: given H(password1), it is hard to find password2 such that H(password1) = H(password2).
– It should even be hard to find any pair p1, p2 such that H(p1) = H(p2).
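As an added example (not from the original slides), the storage table above and the hash-function properties just listed, worked through in Python: an unsalted SHA-256 digest beside a salted, iterated PBKDF2 record built from username + salt + password, with a constant-time verify. The user names and the password are constructed sample values; the 100,000-iteration work factor is an assumption chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for the salted scheme. Iterating the hash is the modern form of the
# "run DES 25 times" slowdown: every guess an attacker makes costs this many rounds.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """'Password + hash function' from the table: one digest per password, the same for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(username: str, password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """'(Username + salt + password) + hash function', stored as (salt_hex, digest_hex).

    The salt sits in the clear beside the digest, as it would in a shadow file. It is
    not a secret; its job is to make equal passwords hash differently per user, so a
    precomputed table of digests is useless and two users with one password look unrelated.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", (username + password).encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify(username: str, password: str, record: Tuple[str, str]) -> bool:
    """Recompute the digest with the stored salt and compare it in constant time."""
    salt_hex, stored_digest = record
    digest = hashlib.pbkdf2_hmac("sha256", (username + password).encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), stored_digest)


def compare_schemes(password: str) -> dict:
    """Two users, one password: the unsalted store exposes the match, the salted store does not."""
    alice = make_record("alice", password)
    bob = make_record("bob", password)
    return {
        # unsalted_hash has no per-user input, so alice's and bob's stored digests are identical
        "unsalted_digests_equal": unsalted_hash(password) == unsalted_hash(password),
        "salted_digests_equal": alice[1] == bob[1],
        "alice_verifies": verify("alice", password, alice),
        "wrong_case_rejected": verify("alice", password.swapcase(), alice),
    }


if __name__ == "__main__":
    for name, value in compare_schemes("Summer2020!").items():  # constructed sample password
        print(f"{name}: {value}")
```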
How Are Passwords Stored? – Early UNIX Systems
In early UNIX systems, passwords used a modified DES (an encryption algorithm) as if it were a hash function: it encrypts a NULL string using the password as the key (and truncates passwords to 8 characters!).
This caused an artificial slowdown: DES was run 25 times.
The password file was stored as /etc/passwd, which was world-readable (anyone who accessed the machine could copy the password file to crack at their leisure) and which contained the user IDs and group IDs used by many system programs.
– Modern UNIXes can be instructed to use the MD5 hash function.
How Are Passwords Stored? – Newer UNIX Systems
Password hashes are stored in the /etc/shadow file (or similar), which is only readable by the system administrator (root).
Less sensitive information is still in /etc/passwd.
Expiration dates for passwords were added.
Early "shadow" implementations on Linux called the login program, which had a buffer overflow!
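As an added example (not part of the original slides), a Python audit of shadow-style records that shows the points above: the hash-id prefix of each entry, locked and legacy DES entries, and the password expiration fields, plus a check of the file mode that distinguishes the old world-readable password file from a root-only shadow file. The sample lines are constructed; the salts and hash strings are placeholders, not real hashes, and the reference date 2020-06-01 is an assumption.

```python
import stat
from datetime import date
from typing import Dict, Tuple

EPOCH = date(1970, 1, 1)  # shadow(5) stores its dates as days since this day

# crypt(5)-style hash identifiers. A field with no "$id$" prefix and exactly
# 13 characters is the traditional DES crypt(3) the text describes.
HASH_IDS = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt", "2b": "bcrypt"}


def classify_hash(field: str) -> str:
    """Name the hashing scheme behind a shadow password field."""
    if field == "":
        return "empty (no password required)"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$"):
        hash_id = field.split("$")[1]
        return HASH_IDS.get(hash_id, f"unknown id {hash_id}")
    if len(field) == 13:
        return "des-crypt (legacy, 8-char truncation)"
    return "unrecognised"


def parse_shadow_line(line: str) -> dict:
    """Split one shadow(5) record into named fields; empty numeric fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError(f"malformed shadow record: {line!r}")
    name, pw_hash, *ageing = fields[:8]
    lastchg, min_days, max_days, warn, inactive, expire = [int(n) if n else None for n in ageing]
    return {"name": name, "hash": pw_hash, "lastchg": lastchg, "min": min_days,
            "max": max_days, "warn": warn, "inactive": inactive, "expire": expire}


def password_status(entry: dict, today: date) -> str:
    """Apply the ageing fields the way login does, relative to a given day."""
    days = (today - EPOCH).days
    if entry["expire"] is not None and days >= entry["expire"]:
        return "account expired"
    if entry["lastchg"] == 0:
        return "must change at next login"
    if entry["lastchg"] is None or entry["max"] is None:
        return "no expiry"
    expires_on = entry["lastchg"] + entry["max"]
    if days > expires_on:
        if entry["inactive"] is not None and days > expires_on + entry["inactive"]:
            return "locked (inactivity period passed)"
        return "password expired"
    remaining = expires_on - days
    if entry["warn"] is not None and remaining <= entry["warn"]:
        return f"expires in {remaining} days"
    return "ok"


def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set, e.g. a 0o644 file like the old /etc/passwd."""
    return bool(mode & stat.S_IROTH)


def audit_shadow(text: str, today_iso: str) -> Dict[str, Tuple[str, str]]:
    """Map each user to (hash scheme, ageing status) as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    report = {}
    for line in text.splitlines():
        if line.strip():
            entry = parse_shadow_line(line)
            report[entry["name"]] = (classify_hash(entry["hash"]), password_status(entry, today))
    return report


# Constructed sample records: the salts and hash strings are placeholders, not real hashes.
# Day 18330 is 2020-03-09; the audit date used below, 2020-06-01, is day 18414.
SAMPLE_SHADOW = """\
root:$6$constsalt$constructedhash:18000:0:99999:7:::
alice:$y$j9T$constsalt$constructedhash:18330:0:90:7:14::
bob:!$6$constsalt$constructedhash:18000:0:99999:7:::
carol:$6$constsalt$constructedhash:18250:0:90:7:14::
dave:$6$constsalt$constructedhash:0:0:99999:7:::
legacy:abCONSTRUCTED:15000:0:99999:7:::
daemon:*:17000:0:99999:7:::
temp:$6$constsalt$constructedhash:18300:0:99999:7::18400:
"""

if __name__ == "__main__":
    for user, (scheme, status) in audit_shadow(SAMPLE_SHADOW, "2020-06-01").items():
        print(f"{user:8} {scheme:36} {status}")
```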
Passwords' Impact on Security
Simple hacking tools are available to anyone who looks for them on the Internet. Tools such as L0phtCrack allow admittance into almost anyone's account if a simple eight-character password is used.
People are frightened when they learn that using only an eight-character password with standard numbers and letters will allow anyone to figure out their password in less than two minutes once they download a publicly available tool like L0phtCrack.