User Management: Passwords cs3353
Passwords Policy: “Choose a password you can’t remember and don’t write it down”
Passwords • Of the 200 most common passwords, at least one was used at every site tested [Grampp & Morris].
Passwords • Users will spare no creativity when it comes to working against the password policy
Making a Secure Password • User practice (in general): • Users don’t like long passwords • Users don’t like to type complex character strings • Users don’t like to change their passwords often
Making Secure Passwords • Because of this behavior, the system administrator (SA) must create a set of enforceable guidelines for password creation.
Making a Secure Password • Use a combination of characters that includes: • Digits • Punctuation marks • Alphabet letters • Possibly other special characters?
Making a Secure Password • Passwords to exclude: • Proper nouns • Dictionary words from any language • Consecutive letters or digits
Making a Secure Password • Require passwords to be changed occasionally: • Example: Once per year • Set the rules on minimum and maximum password lengths: • minimum is 6-10 characters (is 6 too short?) • maximum is 16-32 characters • Some password applications impose their own limits on password length, so check what the application accepts before setting a maximum
Making a Secure Password • The longer and more complex the password, the harder it is to crack. • Long complex passwords are difficult to remember and difficult to type.
Password Experiment • A: Control group – choose any password you like. • B: Passphrase group – use a passphrase • C: Random password group – random characters are used.
Password Experiment • The successful cracking rate was: • A = 30% • B = 10% • C = 10%
Password Experiment • Forgetting your password • Groups A and B had the same rate • Group C had a significantly higher rate, and were more likely to record their password somewhere.
Making a Secure Password • There are websites that rate password strength, but be careful how you use such a site: never enter a password you actually use, since the site then knows it; rate a password built by the same method instead.
Making a Secure Password • Methods • Formula: • Prefix • Infix • Postfix • Catch-phrase • Use the first letter of each word in an easy to remember catch-phrase.
Making a Secure Password • Formula example (bank password): per$wgh29_BoO • Prefix: per = personal • Infix: wgh29 = Warren G. Harding, 29th president of the US • Postfix: BoO = Bank of Oklahoma • $ and _ are the field separators
Making a Secure Password • Catch phrase: • Admiral Nelson defeats French at Trafalgar. • Becomes the password: Ad.NlsnD3fF@T
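The following is an added example, not code from the cs3353 slides: a checker that enforces the rules listed under "Making a Secure Password" (character classes, no dictionary words or proper nouns, no consecutive letters or digits, length limits, not on a common-password list) and runs it over the slides' own formula and catch-phrase passwords. The thresholds, the tiny word lists and the common-password list are assumptions chosen for illustration; a real deployment would load full lists from files.

```python
# Added example (not from the cs3353 slides): a checker for the password rules
# listed above, applied to the slides' own sample passwords. The thresholds,
# word lists and common-password list are assumptions chosen for illustration.
import re
import string

# Constructed stand-ins for the lists a real deployment would load from files:
# a cracking dictionary, a proper-noun list, and a common-password list.
DICTIONARY_WORDS = {"password", "admiral", "defeats", "trafalgar", "bank", "letmein", "welcome"}
PROPER_NOUNS = {"warren", "harding", "nelson", "oklahoma"}
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1", "abc123"}

MIN_LEN = 10   # slides suggest 6-10; 6 is too short against offline cracking (assumption: 10)
MAX_LEN = 64   # only needed because some backends truncate; bcrypt stops at 72 bytes

def has_run(pw, n=3):
    """True if pw contains n consecutive letters or digits that are sequential
    (abc, 987) or identical (aaa, 111)."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        codes = [ord(c) for c in chunk.lower()]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False

def check_password(pw):
    """Return the list of rule violations; an empty list means pw satisfies the policy."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    present = {
        "letters": any(c.isalpha() for c in pw),
        "digits": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    # Dictionary words and proper nouns: compare each alphabetic run, case-insensitively.
    for token in re.findall(r"[A-Za-z]+", pw):
        if token.lower() in DICTIONARY_WORDS or token.lower() in PROPER_NOUNS:
            problems.append(f"contains the dictionary word or proper noun '{token}'")
    if has_run(pw):
        problems.append("contains consecutive letters or digits")
    return problems

if __name__ == "__main__":
    for candidate in ["per$wgh29_BoO", "Ad.NlsnD3fF@T", "Trafalgar1805!", "password", "abc123XYZ!!"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Both slide examples pass every rule, while "Trafalgar1805!" fails only because the catch-phrase was used whole rather than abbreviated: the checker catches exactly the mistake the catch-phrase method is meant to avoid.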
Multi-Factor Authentication • What you know • What you have • What you are
What The User Knows • Passwords • PIN • Avatar
What the User Has • Payment Card (Debit, Credit, Charge, ATM, Gift) • Smart card • Proximity badge • RFID • Mobile phone • Apple Pay
What the User Is • Biometric characteristics • Fingerprint • Retinal scan • Facial ID
Kerberos • Uses an Authentication Server (AS) • Kerberos combines two of the factors above: the user proves what they know (a key derived from their password) to the AS, which then issues a ticket, something the user has, for later requests • The ticket is time sensitive and eventually expires, requiring re-authentication.
Kerberos: ticket • The ticket (called a token on the previous slide) is used to access systems within the Kerberos realm until a timeout occurs or the ticket expires. • Caveat: whoever holds the ticket can use it until then, so its lifetime bounds how long a stolen ticket stays useful.
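The following is an added example and is not the slides' material or real Kerberos: a simplified model of an authentication server that checks what the user knows (a password-derived key) and issues a time-limited ticket, plus a service that accepts that ticket without contacting the server until it expires. Real Kerberos encrypts the ticket under the service's long-term key and carries a session key; this toy seals the ticket fields with an HMAC under a key the AS shares with the service instead. The names, salt, lifetime and sample secrets are assumptions.

```python
# Added example (not from the slides and not real Kerberos): a simplified
# authentication server that issues time-limited tickets, and a service that
# accepts them until they expire. Real Kerberos encrypts the ticket under the
# service's long-term key and carries a session key; here the AS instead seals
# the ticket fields with an HMAC under a key it shares with the service, and
# user keys are PBKDF2-derived from the password (the "what you know" factor).
# Names, lifetimes and the salt are assumptions.
import hashlib
import hmac
import json

REALM_SALT = b"cs3353-realm"          # assumption: a fixed per-realm salt
TICKET_LIFETIME = 8 * 3600            # assumption: 8-hour tickets

def derive_user_key(password):
    """Turn the password the user knows into the key the AS holds for them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM_SALT, 50_000)

def seal(body, key):
    """Canonical JSON of the ticket fields, tagged with HMAC-SHA256 under key."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()

class AuthServer:
    def __init__(self, user_keys, service_keys):
        self.user_keys = user_keys          # {user: password-derived key}
        self.service_keys = service_keys    # {service: key shared with that service}

    def issue_ticket(self, user, password, service, now):
        """Authenticate the user by what they know; return a ticket or None."""
        expected = self.user_keys.get(user)
        if expected is None or not hmac.compare_digest(expected, derive_user_key(password)):
            return None
        body = {"user": user, "service": service, "issued": now, "expires": now + TICKET_LIFETIME}
        return {"body": body, "tag": seal(body, self.service_keys[service])}

class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, ticket, now):
        """Validate a presented ticket without contacting the AS. Returns (ok, reason)."""
        body = ticket["body"]
        if body.get("service") != self.name:
            return False, "ticket issued for a different service"
        if not hmac.compare_digest(seal(body, self.key), ticket["tag"]):
            return False, "bad tag: ticket forged or modified"
        if now >= body["expires"]:
            return False, "ticket expired: user must re-authenticate"
        return True, f"access granted to {body['user']}"

def demo():
    """Walk through issuance, use, tampering and expiry; returns the outcomes."""
    svc_key = b"shared-secret-between-as-and-fileserver"   # constructed sample secret
    ads = AuthServer({"alice": derive_user_key("correct horse")}, {"files": svc_key})
    files = Service("files", svc_key)
    t0 = 1_700_000_000
    results = {}
    results["wrong_password"] = ads.issue_ticket("alice", "wrong", "files", t0) is None
    ticket = ads.issue_ticket("alice", "correct horse", "files", t0)
    results["fresh"] = files.accept(ticket, t0 + 60)[0]
    forged = {"body": dict(ticket["body"], user="mallory"), "tag": ticket["tag"]}
    results["forged"] = files.accept(forged, t0 + 60)[0]
    results["expired"] = files.accept(ticket, t0 + TICKET_LIFETIME)[0]
    return results

if __name__ == "__main__":
    print(demo())
```

The service never sees the password and never calls back to the AS; it trusts the ticket's tag and clock fields alone, which is why clock skew and ticket theft are the operational concerns of this design.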