Computer Password Safety. Secure Computing Series. Course Information. Course Author: Lynne Presley Course Data: George Floyd, Information Technology Lynne Presley, Training & Staff Development (Other data sources cited in text) Course Issued: May 30, 2007 Course Credit: 30 minutes
Computer Password Safety Secure Computing Series
Course Information
Course Author: Lynne Presley
Course Data: George Floyd, Information Technology; Lynne Presley, Training & Staff Development (Other data sources cited in text)
Course Issued: May 30, 2007
Course Credit: 30 minutes
Oracle course code: COMPI06048
Course Objectives
After completing this course, students will:
- understand the function of passwords
- know what password-cracking software is
- understand the difference between weak and strong passwords
- know how to use a phrase to remember a password
- identify steps to protect passwords
Introduction
Just what is a password? It's a secret authentication that controls access to a resource. Passwords are not new technology – they have been used throughout history.
"Hail Caesar! You may not enter the coliseum without the correct password . . ."
Historical Password Use
Did you know that the U.S. Marine Corps used a special code for some passwords in WWII? They recruited native Navajo speakers, who enlisted and were trained to use unrelated and truncated Navajo verbs and nouns to communicate and authenticate information among Marine units. The coded messages and passwords baffled the enemy and helped to win the war. These courageous and patriotic Marines were called "Code Talkers."
(Photo caption: PFC Carl Gorman, Navajo Code Talker from Arizona, in action on Saipan during WWII.)
Network Protection
Why does our agency care about passwords? It's simple – they protect the integrity of our computers and network. Any network is only as strong as the weakest link – and passwords are our agency's first defense against unauthorized access.
Dangers of Intrusion
The integrity of our network depends on strong passwords. If someone gains unauthorized access, we risk losing our entire network to contamination of data, vandalism, theft, and other negative acts. Intrusion can also affect users on a personal level - see the chart on the next slide for examples of what can happen to you if your password is stolen.
Anatomy of an Intrusion
Intruder tries to log onto computer
- No password set
- Finds written password
- Guesses password
- Uses password cracking software
- Tricks user into divulging password
Password discovered
- Snoops
- Blackmails
- Steals data, identity, and ideas
- Vandalizes & destroys
Access to Network
Our agency is working to strengthen passwords throughout the network. Users are expected to create strong, secure passwords. As network systems and servers are upgraded, strong password creation will be enforced and access to the network may be denied if a password is weak. However, if you'll follow the suggestions in this course, you'll be ready to create strong passwords.
Step I: Create a Strong Password
It helps to "think like a thief" to foil intrusion attempts. Thieves use software programs that attempt to "crack" passwords. These programs usually include multi-language alphabets and dictionaries.
The programs methodically try all words in the dictionaries and combinations of words, as well as commonly-used abbreviations and acronyms. The programs also will check dates (days, years, and months). You'll have to take precautions to make your password strong enough to withstand "cracking."
Step I: Create a Strong Password
Additionally, thieves may try to use personal knowledge of you to guess your password. Do not choose easy and obvious passwords, such as your name, address, nickname, car model, license plate number, the name of your pet, or any other words, numbers or dates easily identifiable with you.
TIP: Reversing common words in a password will not make the password stronger. The password "mary" is weak and easily guessed. Reversing the password to "yram" (mary spelled backwards) does not make the password stronger – cracking software will try reversed spelling of all common words.
Step I: Create a Strong Password
Keeping all this in mind, when it's time to create a password, remember to include the following:
Use a minimum of 8 random characters
Example: J'OIz#1@cor
These characters are random, and cannot be looked up in any dictionary.
Step I: Create a Strong Password
Why is it preferable to create passwords with at least 8 random characters?
The more characters there are = the longer it takes to crack
Examine the chart on the next slide to see how fast an average personal computer can crack passwords that are created using mixed upper and lower case letters, numbers and symbols. (Chart data provided by lockdown.com.uk). As you can see, if your password contains at least 8 characters including letters, numbers, mixed cases, and symbols, the average thief will most likely go away and try to steal another, weaker password!
The chart below assumes that the password was created using mixed upper and lower case alphabet, numbers and symbols.
Step I: Create a Strong Password
Use at least one case change
Example: J'OIz#1@cor
The letters J, O and I are in uppercase, as opposed to the other lowercase letters.
Step I: Create a Strong Password
Include at least one number
Example: J'OIz#1@cor
The number 1 is used, in combination with the other letters, punctuation and symbols.
Step I: Create a Strong Password
Include punctuation and special characters
Example: J'OIz#1@cor
The apostrophe punctuation mark is used, as well as two different characters (# and @).
Step I: Create a Strong Password
Do not choose a password that's the same or similar to your user name
Example:
User Name: fred.brown
Password: J'OIz#1@cor
If the thief does not know your user name, certain systems require that the user name be cracked, too. Making sure your password is different from your user name makes the theft more difficult. The example shown above meets this criterion, since it does not contain the user's name.
Step I: Create a Strong Password
TIP: You can create a strong password that's easy to remember but hard to crack by using the first letters of words in a phrase, song, or book that's familiar to you, mixed with symbols. For instance, "J'me Overstreet is number one at corrections" produced the password we've been using as an example below. (There is a detailed breakdown of how the password was produced on the next slide.)
Example: J'OIz#1@cor
Step I: Create a Strong Password
Phrase: "J'me Overstreet is number one at corrections"
Password breakdown:
- J'O (stands for J'me Overstreet)
- Iz (capital I and Z stands for is)
- #1 (stands for number one)
- @cor (stands for at corrections)
Password: J'OIz#1@cor
Step I: Test Your Knowledge
Is this password strong or weak?
Example: aaaBBB111!!!
The password is weak. It contains only two letters in alphabetical sequence, and only one (repeated) number and punctuation mark. It wouldn't take long to crack this password, because it's not random.
A truly random password means each letter, number, and symbol has an equal probability of appearing. Creating truly random sequences is difficult, but is something we should strive for. Think of it as exercise for your brain!
Step I: Test Your Knowledge
Can you guess the number one mistake many people make when creating a password?
Answer: They choose the word "password" for a password. This mistake is so prevalent that it's the first word thieves will try when trying to crack a password. Other commonly used and cracked passwords are "admin", "123", "temp", and "letmein".
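The Step I rules can also be checked mechanically. The following is an added example, not part of the original course: the names `check_password` and `COMMON_WORDS`, the reading of "similar to your user name" as "contains a part of it", and the use of a run of three identical characters as a sign of a non-random password are assumptions made for illustration.

```python
import re

# Commonly used passwords named in the course, plus its weak example "mary".
COMMON_WORDS = {"password", "admin", "123", "temp", "letmein", "mary"}

def _normalize(text):
    """Lower-case and keep only letters and digits, for comparisons."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def check_password(password, user_name, words=COMMON_WORDS):
    """Return the list of course rules the password breaks (empty = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no case change")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no punctuation or special character")

    # Rule: not the same as or similar to the user name. "Similar" is read
    # here (an assumption) as containing any part of the user name that is
    # 3+ characters long, e.g. "fred" or "brown" from "fred.brown".
    flat = _normalize(password)
    parts = [p for p in re.split(r"[^a-z0-9]+", user_name.lower()) if len(p) >= 3]
    if any(p in flat for p in parts):
        problems.append("contains the user name")

    # Cracking software tries dictionary words and their reversed spelling,
    # so "yram" is rejected for the same reason as "mary".
    if any(w in flat or w[::-1] in flat for w in words):
        problems.append("common word or its reverse")

    # Assumption: a run of 3+ identical characters marks a non-random
    # password such as the course's "aaaBBB111!!!" example.
    if re.search(r"(.)\1\1", password):
        problems.append("repeated characters")
    return problems

if __name__ == "__main__":
    for candidate in ("J'OIz#1@cor", "aaaBBB111!!!", "yram", "password"):
        print(candidate, "->", check_password(candidate, "fred.brown") or "passes")
```

A check like this belongs at the point where a password is set, so a weak choice is rejected before it is ever stored.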
Step I: Practice Creating Passwords
The PC Tools Password Generator allows you to create random passwords that are strong and difficult to crack. If your computer has Internet access, click on the link below to try this free tool. (If you receive a pop-up "Security Alert" window, click "OK" to continue.)
https://www.pctools.com/guides/password/
Step II: Protect Your Password
Creating a strong password is only the first step. Now you must protect it.
Don't put it on a yellow sticky note on your monitor or anywhere around your computer, keyboard or desk. Don't write it on your desk blotter or calendar, either. Memorize it!
Step II: Protect Your Password
Don't tell anyone else your password. When you do this, you are giving your identity and network authorization away.
From the "Believe it or Not" department: During a poll at Waterloo Station in London conducted during the Info Security 2003 Europe conference, 90% of polled office workers divulged their passwords to the poll-taker in exchange for a cheap pen.
Step II: Protect Your Password
Be wary of people standing around your computer. Do not allow them to shoulder surf (to look over your shoulder and watch while you type in your password).
Step II: Protect Your Password
Change your password every 90 days. Without fail. Do it!
Step II: Protect Your Password
Never e-mail your password to anyone, and never store your password or list of passwords in a file on your computer. To do so increases the risk of having them intercepted and stolen.
Conclusion
Remember that cyber thieves don't follow the rules. They will go to great lengths to break into our computers, because they only have to find one opening to exploit our entire network. Therefore, everyone in our agency who uses a computer has an obligation to create strong, secure passwords.