Choosing the Right Wand (or for those who like boring titles – Managing Account Passwords: Policies and Best Practices)

Harvard Townsend, IT Security Officer, harv@ksu.edu
October 31, 2007; revised January 11, 2008


Presentation Transcript


  1. Choosing the Right Wand (or for those who like boring titles – Managing Account Passwords: Policies and Best Practices)
  Harvard Townsend, IT Security Officer, harv@ksu.edu
  October 31, 2007; revised January 11, 2008

  2. Whose responsibility is it?
  “Security is not just the CIO’s problem; it is everyone’s problem. And everyone is responsible for the solution.”
  (Diana Oblinger and Brian Hawkins, EDUCAUSE)

  3. TJX Inc. now understands…

  4. Agenda
  • Authentication and authorization
  • eID password
    • What’s the big deal?
  • Threats to passwords
  • Policies
    • Why do we have to change it twice a year?
    • Writing it down
  • Tips for choosing a strong password
  • Managing multiple accounts/passwords
  • Cautions about Windows storing passwords

  5. Authentication & Authorization
  • Authentication (AuthN) – verifying who you are
  • Authorization (AuthZ) – determining what you are allowed to do
  • Your eID (or other username) and password provide authentication
  • After authentication, the system or application decides what you may access (authorization)

  6. Forms of Authentication (listed from weakest to strongest)
  • 4-digit PIN
  • Username/password
  • Challenge-response
  • Two-factor authentication
    • Two different methods required to authenticate
    • Something you know plus something you have (e.g., bank card + PIN)
  • Biometrics (e.g., thumbprint reader)
  • Passphrase
  • One-time passwords
  • Digital signature

  7. eID Password
  • What’s the big deal? Your eID password is the key to:
    • HRIS self-service
    • E-mail
    • KATS/iSIS
    • K-State Online
    • Oracle Calendar
    • K-State Single-Sign-On environment
    • Access to licensed software, databases
    • SGA elections
    • University Computing Labs
    • Student access to the network in residence halls

  8. Threats to Passwords
  • Keyloggers – a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords
  • “Sniffing” the network – someone intercepting network traffic; unencrypted wireless networks are particularly vulnerable
  • Malware that gives the hacker full control of a computer and access to anything on it
  • Internet cafés – a favorite place for hackers to plant keyloggers or other forms of malware
  • Hackers stealing passwords (or password hashes) from a compromised server
  • Password “cracking” – a hacker guessing your password, usually by trying huge lists of candidates against stolen hashes
    • Programs to do this are readily available on the Internet
    • Faster computers make this easier

  9. Threats to Passwords (continued)
  • Phishing – tricking you into providing account information
  • “Shoulder surfing” – someone looking over your shoulder as you type
  • Web browsers storing your password – makes it easy for someone else using your computer to see your password(s)
  • Typing your password into the wrong place on the screen
  • Sharing your password with a “friend”
  • Giving your password to someone who is helping you with a computer problem

  10. eID Password Policies
  http://www.k-state.edu/policies/ppm/3430.html#require
  • Why do you have to change it?
    • It is standard practice
    • It could be worse! (most standards specify a change every 30-90 days)
    • The longer you keep the same password, the more likely someone will discover it (because of the threats just discussed)
    • Changing it limits the amount of time a hacker can wreak havoc in your life

  11. eID Password Policies
  http://www.k-state.edu/policies/ppm/3430.html#require
  • Do not share it… with anyone!
  • Do not use it for non-university accounts
    • Such as Hotmail, amazon.com, your bank
    • It is okay for departmental servers (not ideal, but an acceptable risk)
  • Can I write it down? “Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.”

  12. eID Password Policies
  http://www.k-state.edu/policies/ppm/3430.html#require
  • These apply to ALL K-State passwords, not just the eID
  • Enable the password on your screen saver
  • Lock your computer screen when you leave it unattended

  13. Hints for Choosing a Strong (eID) Password
  • 7-8 characters in length
    • Limits your choices
    • The maximum length will increase in the future to give you more choices and allow passphrases
  • General rule – hard to guess, easy to remember (strong, memorable)
  • Let eProfile (eid.ksu.edu) choose one for you (not ideal: a random password is hard to remember, so you will likely write it down)

  14. Hints for Choosing a Strong (eID) Password
  • Use character/word substitutions
    • “2” instead of “to/too”
    • “4” for “for”
    • “4t” for “Fort”
    • “L8” for “late” (r8, g8, b8, d8, etc.)
    • “r” for “are”
    • “u” for “you”
    • “$” for “S”
    • “1” (one) for “l” (el) or “i” (eye)
    • “!” for “1”, “l”, or “i”

  15. Hints for Choosing a Strong (eID) Password
  • Capitalize letters where it makes sense to get an upper/lower case mix
  • Take a phrase and abbreviate it:
    • 2Bor~2b! = “To be, or not to be”
  • Watch custom license plates for ideas
    • im4KSU2 (and add punctuation, like “!”)

  16. Hints for Choosing a Strong (eID) Password
  • Use a password strength meter:
    • http://www.securitystats.com/tools/password.php
    • http://www.microsoft.com/protect/yourself/password/checker.mspx
  • Gotchas:
    • Avoid the space character
    • Beware of special characters that are not on foreign keyboards (e.g., “$”)
  • What are your tips and tricks?

  17. Steps to create a strong, memorable password
  http://www.microsoft.com/protect/yourself/password/create.mspx
  • Think of a sentence that you can remember as the basis of your strong password or passphrase. Use a memorable sentence, such as “My son Aiden is three years old”
  • Check whether the computer or online system supports the passphrase directly. If you can use a passphrase (with spaces between the words), do so.

  18. Steps to create a strong, memorable password (continued)
  • If the computer or online system does not support passphrases, convert it to a password. Take the first letter of each word to create a new, nonsensical word. Using the example above, you'd get: “msaityo”
  • Add complexity
    • Mix uppercase and lowercase letters and numbers
    • Swap some letters or intentionally misspell: “My SoN Ayd3N is 3 yeeRs old”

  19. Steps to create a strong, memorable password (continued)
  • Substitute some special characters
    • Add punctuation (“!”, “;”, “()”, etc.)
    • Use symbols that look like letters: “$” for “S”, “3” for “E”, “1” for “i”, “@” for “a”
    • Combine words (remove spaces): “MySoN 8N i$ 3yeeR$ old;” or “M$8ni3y0;”
  • Test your new password with the Password Strength Checker and/or eProfile (eid.ksu.edu)
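The steps on slides 14 through 19 can be turned into a small strength meter of the kind slide 16 points to. The Go program below is an added example for this transcript, not code from the slides, from eProfile, or from the meters linked above. Its word list is a constructed stand-in for the dictionaries cracking tools ship with, and its reversal table covers the look-alike substitutions suggested on slides 14 and 19. It derives the acronym from a sentence, counts character classes, and, because cracking tools apply those same substitutions in reverse, undoes them before comparing against common words, so a disguised dictionary word is not mistaken for a strong password:

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// commonWords is a constructed stand-in for the word lists cracking tools ship with.
var commonWords = []string{"password", "welcome", "letmein", "wildcat", "kstate", "monkey", "sunshine", "football", "qwerty"}

// reverseSubs undoes the look-alike substitutions the slides suggest ("$" for "S",
// "3" for "E", "1" for "i"/"l", "@" for "a"); crackers apply the same rules in reverse.
var reverseSubs = map[rune]string{
	'$': "s", '@': "a", '3': "e", '1': "il", '!': "il",
	'0': "o", '4': "a", '5': "s", '7': "t",
}

// acronymFromSentence is the slides' first step: "My son Aiden is three years old" -> "msaityo".
func acronymFromSentence(sentence string) string {
	var b strings.Builder
	for _, w := range strings.Fields(sentence) {
		for _, r := range w {
			if unicode.IsLetter(r) || unicode.IsDigit(r) {
				b.WriteRune(unicode.ToLower(r))
				break
			}
		}
	}
	return b.String()
}

// classCount reports how many of lower/upper/digit/symbol a password mixes.
func classCount(pw string) int {
	n := 0
	for _, isClass := range []func(rune) bool{unicode.IsLower, unicode.IsUpper, unicode.IsDigit,
		func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }} {
		if strings.IndexFunc(pw, isClass) >= 0 {
			n++
		}
	}
	return n
}

// deleetCandidates lists every case-folded spelling the password could have been
// derived from via reverseSubs, capped so a long symbol-heavy input stays cheap.
func deleetCandidates(pw string) []string {
	cands := []string{""}
	for _, r := range strings.ToLower(pw) {
		opts := string(r)
		if alt, ok := reverseSubs[r]; ok {
			opts += alt
		}
		var next []string
		for _, c := range cands {
			for _, o := range opts {
				if len(next) < 20000 {
					next = append(next, c+string(o))
				}
			}
		}
		cands = next
	}
	return cands
}

// dictionaryWord returns the common word a password collapses to once substitutions
// are reversed and surrounding punctuation/digits are trimmed, or "" if none.
func dictionaryWord(pw string) string {
	for _, c := range deleetCandidates(pw) {
		core := strings.TrimFunc(c, func(r rune) bool { return !unicode.IsLetter(r) })
		for _, w := range commonWords {
			if core == w {
				return w
			}
		}
	}
	return ""
}

// Assessment is the meter's verdict; Strong follows the slides' rule of thumb
// (7+ characters, 3+ character classes) plus the dictionary check.
type Assessment struct {
	Length, ClassCount int
	DictionaryWord     string // non-empty when the password is a disguised common word
	Strong             bool
}

func Assess(pw string) Assessment {
	a := Assessment{Length: len([]rune(pw)), ClassCount: classCount(pw), DictionaryWord: dictionaryWord(pw)}
	a.Strong = a.Length >= 7 && a.ClassCount >= 3 && a.DictionaryWord == ""
	return a
}

func main() {
	s := "My son Aiden is three years old"
	fmt.Printf("%q -> %q\n", s, acronymFromSentence(s))
	for _, pw := range []string{"msaityo", "P@$$w0rd", "M$8ni3y0;"} {
		fmt.Printf("%-10s %+v\n", pw, Assess(pw))
	}
}
```

Run it with `go run meter.go` (the file name is arbitrary). The bare acronym “msaityo” fails on character mix, the slide's finished “M$8ni3y0;” passes, and “P@$$w0rd” fails because it collapses back to “password”: the substitutions on slide 14 add nothing against a cracker that applies them in reverse, which is why the base sentence, not the symbol swapping, has to carry the strength.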

  20. Account/Password Categories
  • Ideal = a different password for each account
  • Acceptable = a different password for each type of account
    • eID and some other K-State accounts
    • Financial accounts
    • Online shopping (if the store keeps your credit card info)
    • All others

  21. Managing Your Passwords
  • Try to remember them all?
  • Have someone younger than you help you remember them all?
  • Write them all down?
    • OK if kept in a private place, like a purse/wallet
    • Write down a hint, not the actual password
  • Web browser?
  • Use a tool like Password Safe? http://passwordsafe.sourceforge.net/

  22. Don’t Let Windows Store Your eID or Banking Passwords

  23. Windows Passwords
  • Windows stores password hashes (not the passwords themselves) in two formats:
    • LAN Manager (“LANMAN” or LM) hash
    • NT hash, the one used by NTLMv1 and NTLMv2 network authentication
  • LANMAN is particularly insecure
    • The password is split into two 7-character pieces that are hashed, and can be cracked, independently
    • Converts all characters to upper case before hashing
    • No “salt” is used, so the “hash” is the same for a given string of characters – easy to build a table of hash values for a list of possible passwords for comparison
    • Thus prone to brute force password attacks
  • Once the hacker cracks the LANMAN hash, cracking the NT hash only requires trying the upper/lower case combinations of the recovered text

  24. Windows Passwords
  • Windows 2000 and newer authenticate with the NT hash, but store the LANMAN hash as well by default for backwards compatibility
  • Samba uses LANMAN – it’s holding us back… but not for long
  • Windows does NOT store the LANMAN form if the password is longer than 14 characters (the LM hash can only cover 14)
  • Best practice – make Windows Administrator account passwords longer than 14 characters
  • Or use Windows Vista, since it doesn’t store the LANMAN hash by default

  25. Windows Passwords
  • Disable storing the “LANMAN hash” on Windows computers, if possible
    • This may break some applications (like Samba)
    • Done with the group policy setting “Network security: Do not store LAN Manager hash value on next password change” (“NoLMHash”); note that changing this switch does not remove LM hashes already stored, each account’s LM hash only disappears at its next password change
    • Or edit the Registry: set the DWORD value NoLMHash to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  See: http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&
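To make the weaknesses on slides 23 to 25 concrete, here is a Go program, added for this transcript and not taken from the slides, that computes the LM hash exactly as described: upper-case, pad to 14 bytes, split into two 7-byte halves, DES-encrypt the fixed value “KGS!@#$%” under each half, no salt. It also models what the SAM holds for a password longer than 14 characters or with NoLMHash set (the well-known “empty” value AAD3B435B51404EE for each half), and brute-forces one half on its own to show why 14 characters are really two 7-character problems. Only the ASCII case is handled; the cracker is deliberately limited to upper-case letters and a short length so it runs in well under a second.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext ("KGS!@#$%") that LM hashing
// DES-encrypts under a key derived from each half of the password.
var lmMagic = []byte("KGS!@#$%")

// emptyLMHalf is the hash of an all-NUL half. Dump tools show it as the second
// half of any password of 7 characters or fewer, and twice when no LM hash is stored.
const emptyLMHalf = "AAD3B435B51404EE"

// expandKey spreads 7 password bytes (56 bits) over the 8 bytes of a DES key,
// leaving the low bit of each byte for parity, which DES ignores.
func expandKey(h []byte) []byte {
	k := []byte{
		h[0] >> 1,
		(h[0]&0x01)<<6 | h[1]>>2,
		(h[1]&0x03)<<5 | h[2]>>3,
		(h[2]&0x07)<<4 | h[3]>>4,
		(h[3]&0x0F)<<3 | h[4]>>5,
		(h[4]&0x1F)<<2 | h[5]>>6,
		(h[5]&0x3F)<<1 | h[6]>>7,
		h[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf hashes one 7-byte half: a single DES encryption of the magic value.
func lmHalf(half []byte) string {
	c, err := des.NewCipher(expandKey(half))
	if err != nil {
		panic(err) // only possible with a wrong key length, which expandKey prevents
	}
	out := make([]byte, 8)
	c.Encrypt(out, lmMagic)
	return strings.ToUpper(hex.EncodeToString(out))
}

// lmHash computes the LAN Manager hash for an ASCII password of up to 14
// characters: upper-case, NUL-pad to 14 bytes, split into two 7-byte halves and
// hash each one on its own. There is no salt, so equal passwords hash equally.
func lmHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copy drops anything past 14 bytes
	return lmHalf(buf[:7]) + lmHalf(buf[7:])
}

// storedLM models what ends up in the SAM: no LM hash for passwords longer than
// 14 characters, or when the NoLMHash policy is set; tools then display the
// empty value for both halves.
func storedLM(password string, noLMHash bool) string {
	if noLMHash || len(password) > 14 {
		return emptyLMHalf + emptyLMHalf
	}
	return lmHash(password)
}

// crackHalf brute-forces one half over upper-case letters up to maxLen characters.
// Each half is an independent 7-character search, which is the slides' point;
// a real cracker uses the full printable set, word lists or rainbow tables.
func crackHalf(targetHex string, maxLen int) string {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	var try func(prefix []byte) (string, bool)
	try = func(prefix []byte) (string, bool) {
		half := make([]byte, 7)
		copy(half, prefix)
		if lmHalf(half) == targetHex {
			return string(prefix), true
		}
		if len(prefix) == maxLen {
			return "", false
		}
		for i := 0; i < len(alphabet); i++ {
			next := append(append([]byte{}, prefix...), alphabet[i])
			if s, ok := try(next); ok {
				return s, true
			}
		}
		return "", false
	}
	s, _ := try(nil)
	return s
}

func main() {
	for _, pw := range []string{"password", "PassWord", "1234567", ""} {
		fmt.Printf("%-10q LM=%s\n", pw, lmHash(pw))
	}
	fmt.Println("21-char password stored as:", storedLM("correct horse battery", false))
	second := lmHash("password")[16:]
	fmt.Printf("second half %s cracks to %q\n", second, crackHalf(second, 2))
}
```

Run it with `go run lmhash.go` (file name arbitrary). “password”, “PassWord” and “PASSWORD” all produce the same hash, a 7-character password's second half is the empty value, and the second half of “password” falls to a 26-candidate search because it holds only the letter “D”. The registry change on slide 25 is not something this program performs; it only models the resulting empty value.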

  26. What’s on your mind?
