
So Many Passwords…

So Many Passwords…. IT Security Roundtable January 15, 2010 Harvard Townsend Chief Information Security Officer harv@ksu.edu. Agenda. So many passwords, so few brain cells… Threats to passwords Which ones are important? eID password (importance, rules, policy)




Presentation Transcript


  1. So Many Passwords…
     IT Security Roundtable, January 15, 2010
     Harvard Townsend, Chief Information Security Officer, harv@ksu.edu

  2. Agenda
     • So many passwords, so few brain cells…
     • Threats to passwords
     • Which ones are important?
     • eID password (importance, rules, policy)
     • Definitions (password, passphrase, etc.)
     • Choosing a good password
     • Misc. cautions/tips/tricks
     • Q&A

  3. My accts/passwords:
     • K-State (eID, my office computer, my laptop, several servers, Bluecoat PacketShaper, PGP encryption, TrueCrypt encryption, Trend Micro OfficeScan servers, Trend Micro support portal, Zimbra customer care portal, Zimbra “security” shared account, LISTSERV, State of KS employee self-service, HealthQuest health screening, IT Tuesday news authoring, IT Security Threats blog, network usage graphs)
     • Shopping (PayPal, amazon.com, expedia.com, iTunes, REI)
     • Financial (checking acct, two savings accounts, ATM PIN, retirement accts, credit cards, health insurance, flexible health spending acct, auto loan, home mortgage)
     • Other personal (cell phone, cell phone provider, Internet provider, cable TV, Netflix, Pandora, Skype, Facebook, Gmail, Yahoo!, Flickr, K-Tag, mission work, charitable organizations, Manhattan Mercury, State Dept (travel advisories), several airline frequent flier accts, UFM, trails.com, job applications, etc.)

  4. What’s a feller to do?
     • Same password everywhere?
        • PLEASE, NO!!!
        • If one is compromised, all are compromised
        • Different systems have different pw rules
        • Violates K-State policy about eID passwords
     • Rely on your memory?
        • Value is inversely proportional to your age!
        • You’ll often click on “Forgot Your Password?” links!
     • Write ‘em down?
        • Risky, but not out of the question if you keep the note in a safe place (NOT your desk pencil drawer)
        • Bigger issue is the quantity of passwords you have to remember
        • Generally considered a bad idea

  5. What’s a feller to do?
     • Let your browser store them all?
        • OK for some passwords, but not others
        • Too risky for accounts with access to sensitive information
        • Easy for someone to view the stored passwords, unless you…
           • Use Firefox and password-protect viewing stored passwords… and don’t forget THAT password!
        • DON’T do it with your eID password, financial accounts, or anything with access to personal identity info (like SSN)
        • Never do this on a shared, lab, or public computer
     • IE stores browser (“AutoComplete”) passwords in the Registry
        • Free tools are readily available to recover them.
        • Delete in IE8 with Tools->Internet Options->General->Browsing history->Delete, then check the “Passwords” box
     • Firefox has a built-in tool to view and delete them (Tools->Options->Security->Saved Passwords); be sure to use a “Master Password” to protect the stored passwords

  6. What’s a feller to do? Use the same password for similar categories of accounts
     • Reasonable solution
     • Have at least four categories:
        1. Financial
        2. eID and other important K-State accts
        3. Shopping accts that store your credit card info
        4. Innocuous accts w/ no sensitive information
     • #1 and #2 should be long, complex, and changed regularly
     • #3 not as long, less complex, changed less often
     • #4 can be short, simple, never changed
     • Differing password rules may pose a challenge

  7. What’s a feller to do?
     • Use a password management tool
        • Software that organizes and stores (encrypted) passwords
        • Effective way to manage many passwords
        • Relies on a single master password to protect all the other passwords
        • Can be a challenge if you use multiple computers, since the password database is usually stored locally; there are tools available that work on multiple computers, but that means your passwords are stored on the company’s server(s). Do you trust them? Example is lastpass.com
        • Windows example: Password Safe, passwordsafe.sourceforge.net
        • Mac example: Password Gorilla, www.fpx.de/fp/Software/Gorilla/
           • Also available for Windows and Linux
           • Can read Password Safe database

  8. Password Safe Demo
     • Windows only
     • Available for free at passwordsafe.sourceforge.net
     • Mature product, lots of nice features
     • Has a sophisticated password generator
     • Allows you to jump to a web site and auto-enter the username/pw used for that site.
     • Demo…

  9. Other Strategies?
     • How do you manage your passwords?

  10. Threats to Passwords
     • Keyloggers – a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords or other account information
     • “Sniffing” the network – someone intercepting network traffic; wireless networks particularly vulnerable
     • Malware that gives the hacker full control of a computer and access to anything on it
        • “Torpig” malware infected 27 K-State computers in the last year – watches Internet traffic and intercepts bank acct info, username/pw
     • Hackers stealing passwords from a compromised server
     • Password “cracking” – a hacker being able to guess your password, usually with the help of a computer program
        • Programs to do this are readily available on the Internet
        • Faster computers make this easier

  11. Threats to Passwords
     • Internet cafés – a favorite target for hackers to use keyloggers or other forms of malware to intercept acct info and passwords
     • Phishing – tricking you into providing account information
        • 431 K-Staters replied to phishing scams with their eID passwords in 2009
        • 377 were used by criminals to login to Webmail and send spam
        • Consider what can be accessed with your eID…
     • “Spear phishing” – phishing that targets a specific population, like sending an email to K-Staters to steal eID passwords
     • “Shoulder surfing” – someone looking over your shoulder as you type
     • Web browsers storing your password – it is easy for someone else using your computer to see or use your password(s)
     • Typing your password into the wrong place on the screen

  12. Threats to Passwords
     • Sharing your password with a friend or family member
     • Giving your password to someone who is helping you with a computer problem
     • Disgruntled system administrator or others with privileged access to servers
     Bottom line – the threats are real and happening at K-State. Take password security seriously!

  13. Which passwords matter? Pay particular attention to these passwords; make them complex, long, and change them regularly
     • Anything that provides access to sensitive information:
        • Bank account
        • Credit/debit card account
        • Personal Identity Information (name + SSN, for example)
     • Shopping account that stores credit card data; normally the credit card # is masked, but a person could change the shipping address and spend lots of money
     • Administrator or root accounts on servers
     • K-State eID

  14. eID Password
     • What’s the big deal with eIDs? Gains access to:
        • HRIS self-service
        • Email
        • iSIS
        • K-State Online
        • eProfile (eid.ksu.edu) w/ emergency contact info
        • Oracle Calendar
        • K-State Single-Sign-On environment
        • Access to licensed software, databases
        • SGA elections
        • University Computing Labs
        • Student access to network in residence halls

  15. eID Password
     • What’s the big deal?
        • 431 people at K-State replied to phishing scams in 2009, giving away their eID password
        • 377 of them were used by criminals to login to K-State Webmail (often from Nigeria) and send hundreds of thousands of spam messages
        • Compromised accounts are locked so the hacker can’t use them, which means the legitimate owner can’t use them either
        • K-State seen as a source of spam and put on spam blocklists, resulting in all email from K-State being blocked by the likes of Hotmail, Gmail, Yahoo!, Comcast, Road Runner, Cox, AT&T, etc. Thus one person’s mistake can affect the entire campus
        • Contributes to spam, the scourge of the Internet
        • Recently, hackers haven’t used stolen passwords right away, sometimes waiting 3-4 months before using them. Thus if in the meantime the password is changed by the legitimate owner, the hacker can’t use the account. This is a good case for regular password changes.

  16. eID Password Policies (http://www.k-state.edu/policies/ppm/3430.html#require) Why do you have to change it?
     • The longer you have the same password, the more likely someone will discover it (because of the threats just discussed)
     • eID passwords stolen in spear phishing scams not used until 3-4 months later!
     • Changing it limits the amount of time a hacker can wreak havoc in your life
     • Changing your password regularly is standard best practice
     • It could be worse! (most standards specify a change every 30-90 days)
     • Pending state security policy requires change every 30/60/90 days depending on sensitivity of account

  17. eID Password Policies (http://www.k-state.edu/policies/ppm/3430.html#require)
     • Do not share it… with anyone!
     • NEVER give your password in an email!!!!
     • Do not use it for non-university accounts
        • Such as hotmail, amazon.com, bank
        • Is okay for departmental servers (is an acceptable risk)
     • Can I write it down? “Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.”

  18. eID password rules
     • 7-30 characters in length (longer is better)
     • Must contain at least 5 different chars
     • Must contain 3 of the 4 following:
        • Uppercase letters
        • Lowercase letters
        • Numbers
        • Special characters (!, @, #, &, etc.)
     • Can’t be based on eID or real name
     • Cannot contain a recognizable word, phrase, acronym, or K-State related name
     • Can’t be one of 4 million+ words in the hacker dictionary

  19. eID Password Policies (http://www.k-state.edu/policies/ppm/3430.html#require)
     • These policies apply to ALL K-State passwords, not just the eID
     • Enable the password on your screen saver
     • Lock your computer screen when you leave it unattended

  20. Authentication & Authorization
     • Authentication (AuthN) – verify who you are
     • Authorization (AuthZ) – determine what you are allowed to do
     • Your eID (or other username) and password provide authentication
     • After authN, the system or application determines what you can access (authZ)

  21. Forms of Authentication (weak at the top, strong at the bottom)
     • 4-digit PIN (aka Passcode)
     • Username/Password
     • Challenge-Response (aka “security question”)
     • Two-factor Authentication
        • Two different methods required to authN
        • Something you know plus something you have (e.g., PIN + bank card)
     • Biometrics (e.g., thumbprint reader)
     • Passphrase
     • One-time passwords
     • Digital signature

  22. Passphrase
     • A passphrase is a password consisting of a sequence of words or other text. It’s similar to a password in that it controls access to a computer or system, but it’s generally longer for added security (should be 20-30 chars). A good rule of thumb is to purposely misspell at least one or preferably a few words in the passphrase, mix words up from different languages, and/or add symbols to the words.
     • Advantage is in its length (more secure) and ease of remembering, since you can use a familiar phrase or sentence
     • eID password can now be a passphrase, using words and spaces, but the same complexity rules apply (must use digits, mixed case, special characters, etc.)
     • Can be frustrating, since it is harder to type a long passphrase error-free when you can’t see what you’re typing. Using a password manager like Password Safe or Gorilla allows you to submit a long password without typing it.

  23. Challenge-Response (aka “security questions”)
     • Present a challenge (i.e., a question) that only the authentic owner of the account should know, then require a correct response before continuing
     • Common example is asking your mother’s maiden name, or your first pet, or the city you were born in
     • Online banking often makes you establish a set of questions/answers, then poses one (in addition to your password) when you login from a different location
     • Also used for resetting an account password
     • Treat these like a password – put effort into choosing effective questions and answers, ones not easily discovered via a Google search of your name
     • Sarah Palin’s Yahoo email was broken into during the 2008 campaign by guessing her three security questions.
     • For more information: itnews.itac.k-state.edu/2008/12/palin-email-password-security/

  24. Beware of keeping yourself logged in via the browser
     • Anyone using the computer has access to the account
     • This is slightly different from having the browser/OS save your passwords, but the same end result – anyone using the computer has access to your account.

  25. Other password news
     • SIRT subcommittee developing recommendations for updating password policy
        • Implement account lock-out (lock account after X failed logins)
        • Add a password strength meter where eID passwords are changed
        • Prepare for higher minimum length
     • NEVER give out your password in an email!!!!

  26. Hints for Choosing a Strong (eID) Password
     • General rule – hard to guess, easy to remember (strong, memorable)
     • You could let eProfile (eid.ksu.edu) choose one for you (not ideal, since it is random, so it is hard to remember and you will likely write it down)
     • Better to come up with a system that makes sense to you and accommodates regular changes without a lot of effort

  27. Hints for Choosing a Strong (eID) Password
     • Use character/word substitutions
        • “2” instead of “to/too”
        • “4” for “for”
        • “4t” for “Fort”
        • “L8” for “late” (r8, g8, b8, d8, etc.)
        • “r” for “are”
        • “u” for “you”
        • “$” for “S”
        • “1” (one) for “l” (el) or “i” (eye)
        • “!” for “1”, “l”, or “i”

  28. Hints for Choosing a Strong (eID) Password
     • Capitalize letters where it makes sense to get an upper/lower case mix
     • Take a phrase and abbreviate it:
        • 2Bor~2b! = “To be, or not to be”
     • Watch custom license plates for ideas
        • im4KSU2 (and add punctuation, like “!”)

  29. Hints for Choosing a Strong (eID) Password
     • Use a password strength meter: www.passwordmeter.com or www.microsoft.com/protect/yourself/password/checker.mspx
     • Gotchas:
        • Beware of special characters that are not on foreign keyboards (e.g., $)
     • What are your tips and tricks?

  30. The gospel according to Microsoft (http://www.microsoft.com/protect/yourself/password/create.mspx)
     • Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old”
     • Check if the computer or online system supports the passphrase directly. If you can use a pass phrase (with spaces between characters), do so.

  31. The gospel according to Microsoft
     • If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word to create a new, nonsensical word. Using the example above, you'd get: “msaityo”
     • Add complexity
        • Mix uppercase and lowercase letters and numbers.
        • Swap some letters or intentionally misspell. “My SoN Ayd3N is 3 yeeRs old”

  32. The gospel according to Microsoft
     • Substitute some special characters
        • Add punctuation (“!”, “;”, “()”, etc.)
        • Use symbols that look like letters
           • “$” for “S”, “3” for “E”, “1” for “i”, “@” for “a”
        • Combine words (remove spaces). “MySoN 8N i$ 3yeeR$ old;” or “M$8ni3y0;”
     • Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)
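As an added example (not from the slides or from K-State's systems), the Python below checks a candidate against the slide 18 eID rules and carries out the slide 31/32 sentence-to-password step, so you can see that the first-letters word “msaityo” alone fails the 3-of-4 rule while the substituted form passes. The word list is a tiny constructed stand-in for the real 4-million-word dictionary and the K-State-related-name rule; treating spaces as not counting toward the special-character class is an assumption.

```python
import string

# Constructed stand-in for the 4-million-word hacker dictionary and the
# "K-State related name" rule on slide 18; the real list is far larger.
FORBIDDEN_WORDS = {"password", "letmein", "qwerty", "summer",
                   "kstate", "ksu", "wildcat", "manhattan"}

def char_classes(pw):
    """Which of the four slide-18 character classes appear in pw."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        # Spaces are allowed in a passphrase (slide 22) but are not
        # counted as special characters here; that is an assumption.
        "special": any(c in string.punctuation for c in pw),
    }

def eid_rule_violations(pw, eid="", real_name=""):
    """Return the slide-18 rules that pw breaks; an empty list means it passes."""
    problems = []
    if not 7 <= len(pw) <= 30:
        problems.append("length must be 7-30 characters")
    if len(set(pw)) < 5:
        problems.append("must contain at least 5 different characters")
    if sum(char_classes(pw).values()) < 3:
        problems.append("must use 3 of 4: upper, lower, digits, special")
    low = pw.lower()
    # "Based on eID or real name": any 3+ character piece of either appears.
    for token in [eid.lower(), *real_name.lower().split()]:
        if len(token) >= 3 and token in low:
            problems.append(f"based on eID or real name ({token!r})")
    for word in sorted(FORBIDDEN_WORDS):
        if word in low:
            problems.append(f"contains dictionary/K-State word ({word!r})")
    return problems

# Slide-32 look-alike swaps, applied to lowercase letters here.
LOOKALIKES = {"s": "$", "e": "3", "i": "1", "a": "@"}

def sentence_to_password(sentence, substitute=False):
    """Slide 31: first letter of each word ("msaityo" for the Microsoft
    example); substitute=True also applies the slide-32 look-alike swaps."""
    pw = "".join(word[0].lower() for word in sentence.split())
    if substitute:
        pw = "".join(LOOKALIKES.get(c, c) for c in pw)
    return pw
```

Running `eid_rule_violations("im4KSU2!")` also shows why the license-plate idea from slide 28 needs care: “KSU” trips the K-State-related-name rule even though the other checks pass.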

  33. What’s on your mind?
