1 / 23

User Management: Passwords

User Management: Passwords. cs3353. Passwords. Policy: “Choose a password you can’t remember and don’t write it down”. Passwords. Of the 200 most common passwords, at least one was used at every site tested [Grampp & Morris]. Passwords.

Download Presentation

User Management: Passwords

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. User Management: Passwords cs3353

  2. Passwords Policy: “Choose a password you can’t remember and don’t write it down”

  3. Passwords • Of the 200 most common passwords, at least one was used at every site tested [Grampp & Morris].

  4. Passwords • Users will spare no creativity when it comes to working against the password policy

  5. Making a Secure Password • User practice (in general): • Users don’t like long passwords • Users don’t like to type complex character strings • Users don’t like to change their passwords often

  6. Making Secure Passwords • User behavior requires the SA to create a set of enforceable guidelines for password creation.

  7. Making a Secure Password • Use a combination of characters that includes: • Digits • Punctuation marks • Alphabet letters • Possibly other special characters?

  8. Making a Secure Password • Passwords to exclude: • Proper nouns • Dictionary words from any language • Consecutive letters or digits

  9. Making a Secure Password • Require passwords to be changed occasionally: • Example: Once per year • Set the rules on minimum and maximum password lengths: • minimum is 6-10 characters (is 6 is too short?) • maximum is 16-32 characters • Some password applications have limits on password length

  10. Making a Secure Password • The longer and more complex the password, the harder it is to crack. • Long complex passwords are difficult to remember and difficult to type.

  11. Password Experiment • A: Control group – choose any password you like. • B: Passphrase group – use a passphrase • C: Random P-word group – random characters are used.

  12. Password Experiment • The successful cracking rate was: • A = 30% • B = 10% • C = 10%

  13. Password Experiment • Forgetting your password • Groups A and B had the same rate • Group C had a significantly higher rate, and were more likely to record their password somewhere.

  14. Making a Secure Password • There are websites that rate password strength, but be careful how you use such a site.

  15. Making a Secure Password • Methods • Formula: • Prefix • Infix • Postfix • Catch-phrase • Use the first letter of each word in an easy to remember catch-phrase.

  16. Making a Secure Password • Formula Example • Prefix: • Infix: • Postfix: Bank password example: per$wgh29_BoO per=personal $ and_ are the field separators wgh = Warren G. Harding, 29th president of US BoO = Bank of Oklahoma

  17. Making a Secure Password • Catch phrase: • Admiral Nelson defeats French at Trafalgar. • Becomes the password: Ad.NlsnD3fF@T

  18. Multi-Factor Authentication • What you know • What you have • What you are

  19. What The User Knows • Passwords • PIN • Avatar

  20. What the User Has • Payment Card (Debit, Credit, Charge, ATM, Gift) • Smart card • Proximity badge • RFID • Mobile phone • Apple pay

  21. What the User Is • Biometric characteristics • Fingerprint • Retinal scan • Facial ID

  22. Kerberos • Uses an Authentication server • Kerberos is configured to use two authentication levels: what you have and what you know • Issues a time sensitive token that eventually expires, requiring re-authentication.

  23. Kerberos: token • The token is used to access all systems within the Kerberos domain until a timeout condition occurs or the token expires.

More Related