Choosing the Right Wand or for those who like boring titles Managing Account Passwords: Policies and - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Choosing the Right Wand (or, for those who like boring titles, Managing Account Passwords: Policies and Best Practices)
Harvard Townsend, IT Security Officer, harv@ksu.edu
October 31, 2007; Revised January 11, 2008
2
Whose responsibility is it?
  • "Security is not just the CIO's problem; it is everyone's problem. And everyone is responsible for the solution."
  • Diane Oblinger
  • Brian Hawkins
  • EDUCAUSE

3
TJX Inc. now understands
4
Agenda
  • Authentication and authorization
  • eID password
  • What's the big deal?
  • Threats to passwords
  • Policies
  • Why do we have to change it twice a year?
  • Writing it down
  • Tips for choosing a strong password
  • Managing multiple accounts/passwords
  • Cautions about Windows storing passwords

5
Authentication and Authorization
  • Authentication (AuthN): verify who you are
  • Authorization (AuthZ): determine what you are allowed to do
  • Your eID (or other username) and password provide authentication
  • After AuthN, the system or application determines what you can access (AuthZ)

6
Forms of Authentication
  • 4-digit PIN
  • Username/Password
  • Challenge-Response
  • Two-factor Authentication
      • Two different methods required to AuthN
      • Something you know plus something you have (e.g., bank card and PIN)
  • Biometrics (e.g., thumbprint reader)
  • Passphrase
  • One-time passwords
  • Digital signature

7
eID Password
  • What's the big deal?
      • HRIS self-service
      • E-mail
      • KATS/iSIS
      • K-State Online
      • Oracle Calendar
      • K-State Single-Sign-On environment
      • Access to licensed software, databases
      • SGA elections
      • University Computing Labs
      • Student access to network in residence halls

8
Threats to Passwords
  • Keyloggers: a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords
  • Sniffing the network: someone intercepting network traffic; wireless networks are particularly vulnerable
  • Malware that gives the hacker full control of a computer and access to anything on it
  • Internet cafés: a favorite target for hackers to use keyloggers or other forms of malware
  • Hackers stealing passwords from a compromised server
  • Password cracking: a hacker being able to guess your password
      • Programs to do this are readily available on the Internet
      • Faster computers make this easier

9
Threats to Passwords
  • Phishing: tricking you into providing account information
  • Shoulder surfing: someone looking over your shoulder as you type
  • Web browsers storing your password: it is easy for someone else using your computer to see your password(s)
  • Typing your password into the wrong place on the screen
  • Sharing your password with a friend
  • Giving your password to someone who is helping you with a computer problem

10
eID Password Policies
(http://www.k-state.edu/policies/ppm/3430.html) require:
  • Why do you have to change it?
      • It is standard best practice
      • It could be worse! (most standards specify a change every 30-90 days)
      • The longer you have the same password, the more likely someone will discover it (because of the threats just discussed)
      • Changing it limits the amount of time a hacker can wreak havoc in your life

11
eID Password Policies
(http://www.k-state.edu/policies/ppm/3430.html) require:
  • Do not share it with anyone!
  • Do not use it for non-university accounts
      • Such as hotmail, amazon.com, bank
      • It is okay for departmental servers (not ideal, but acceptable risk)
  • Can I write it down? Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.

12
eID Password Policies
(http://www.k-state.edu/policies/ppm/3430.html) require:
  • These apply to ALL K-State passwords, not just
    the eID
  • Enable the password on your screen saver
  • Lock your computer screen when you leave it
    unattended

13
Hints for Choosing a Strong (eID) Password
  • 7-8 characters in length
      • Limits your choices
      • Maximum length will increase in the future to give you more choices and allow passphrases
  • General rule: hard to guess, easy to remember (strong, memorable)
  • Let eProfile (eid.ksu.edu) choose one for you (not ideal since it is random, so you will likely write it down)

14
Hints for Choosing a Strong (eID) Password
  • Use character/word substitutions
      • 2 instead of to/too
      • 4 for for
      • 4t for Fort
      • L8 for late (r8, g8, b8, d8, etc.)
      • r for are
      • u for you
      • $ for S
      • 1 (one) for l (el) or i (eye)
      • ! for 1, l, or i

15
Hints for Choosing a Strong (eID) Password
  • Capitalize letters where it makes sense to get an upper/lower case mix
  • Take a phrase and abbreviate it
      • 2Bor2b! (To be, or not to be)
  • Watch custom license plates for ideas
      • im4KSU2 (and add punctuation, like !)

16
Hints for Choosing a Strong (eID) Password
  • Use a password strength meter
      • http://www.securitystats.com/tools/password.php
      • http://www.microsoft.com/protect/yourself/password/checker.mspx
  • Gotchas
      • Avoid the space character
      • Beware of special characters that are not on foreign keyboards
  • What are your tips and tricks?

17
Steps to create a strong, memorable password
  • http://www.microsoft.com/protect/yourself/password/create.mspx
  • Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as "My son Aiden is three years old".
  • Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters), do so.

18
Steps to create a strong, memorable password
  • If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word to create a new, nonsensical word. Using the example above, you'd get "msaityo".
  • Add complexity
      • Mix uppercase and lowercase letters and numbers.
      • Swap some letters or intentionally misspell.
      • "My SoN Ayd3N is 3 yeeRs old"

19
Steps to create a strong, memorable password
  • Substitute some special characters
      • Add punctuation (!, (), etc.)
      • Use symbols that look like letters
          • $ for S, 3 for E, 1 for i, @ for a
      • Combine words (remove spaces).
      • "MySoN 8N i$ 3yeeR$ old" or "M$8ni3y0"
  • Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)

20
Acct/Password Categories
  • Ideal: a different password for each account
  • Acceptable: a different password for each type of account
      • eID and some other K-State accounts
      • Financial accounts
      • Online shopping (if the store keeps credit card info)
      • All others

21
Managing Your Passwords
  • Try to remember them all?
  • Have someone younger than you help you remember them all?
  • Write them all down?
      • OK if kept in a private place, like a purse/wallet
      • Write down a hint, not the actual password
  • Web browser?
  • Use a tool like Password Safe? http://passwordsafe.sourceforge.net/

22
Don't Let Windows Store Your eID or Banking Passwords
23
Windows Passwords
  • Windows stores encrypted passwords in several formats
      • LAN Manager (LANMAN)
      • NTLMv1
      • NTLMv2
  • LANMAN is particularly insecure
      • Stored in two 7-character pieces that can be cracked independently
      • Converts all characters to upper case
      • No salt is used, so the hash is the same for a given string of characters; this makes it easy to build a table of hash values for a list of possible passwords for comparison
      • Thus prone to brute-force password attacks
  • Once a hacker cracks LANMAN, they crack NTLM by trying all upper/lower case combinations

24
Windows Passwords
  • Windows 2000 and newer do not use LANMAN, but store it by default for backwards compatibility
  • Samba uses LANMAN; it's holding us back, but not for long
  • Windows does NOT store the LANMAN form if the password is longer than 14 characters
  • Best practice: make Windows Administrator account passwords longer than 14 characters
  • Or use Windows Vista, since it doesn't store the LANMAN hash
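To see why slides 23 and 24 recommend Administrator passwords longer than 14 characters, here is an added Python model (not part of the presentation) of the LANMAN hash's structure: upper-casing, two independent 7-character halves, no salt, and nothing stored beyond 14 characters. The real algorithm's DES step is replaced by sha256 purely so the example runs with the standard library (an assumption, not the real primitive); all password strings are constructed.

```python
import hashlib

# Stand-in for the per-half one-way step of the real LM hash. Real LM encrypts
# a constant with DES keyed by each 7-byte half; sha256 is used here only so
# the example runs with the standard library. The structure, not the
# primitive, is what makes LM weak.
def _half(chunk: bytes) -> str:
    return hashlib.sha256(chunk).hexdigest()[:16]


def lm_style_hash(password: str):
    """Model of how the LAN Manager hash is formed:
    - longer than 14 characters -> no LM hash is stored at all (returns None)
    - upper-cased, so the letter case of the password carries no information
    - padded to 14 bytes and split into two 7-byte halves hashed independently
    - no salt, so equal inputs always produce equal outputs
    """
    if len(password) > 14:
        return None
    padded = password.upper().encode("ascii", "ignore").ljust(14, b"\x00")
    return _half(padded[:7]) + _half(padded[7:])


def guesses_whole(length: int, alphabet: int = 62) -> int:
    """Worst-case guesses against a hash of the whole mixed-case alphanumeric password."""
    return alphabet ** length


def guesses_lm_style(length: int) -> int:
    """Same password attacked through LM: upper-casing collapses 62 symbols to 36,
    and the two halves are searched separately, so their costs add, not multiply."""
    first = 36 ** min(length, 7)
    second = 36 ** max(length - 7, 0)
    return first + second


def case_variants(upper_pw: str) -> int:
    """Once LM reveals the upper-cased text, recovering the case for NTLM costs at most 2^letters."""
    return 2 ** sum(c.isalpha() for c in upper_pw)


if __name__ == "__main__":
    print(lm_style_hash("Password1") == lm_style_hash("PASSWORD1"))   # True: case is lost
    print(lm_style_hash("a" * 15))                                     # None: no LM hash stored
    print(f"{guesses_whole(14):.2e} vs {guesses_lm_style(14):.2e}")
```

For a 14-character mixed-case alphanumeric password the whole-hash search is about 1.2e25 guesses, while the LM-style search is about 1.6e11; that gap is the reason for the 14-character rule and for disabling LM storage.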

25
Windows Passwords
  • Disable storing the LANMAN hash on Windows computers, if possible
      • This may break some applications (like Samba)
      • This is done with a group policy object called NoLMHash (note: changing this switch does not remove LM hashes already stored)
      • Or edit the Registry
  • See http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656

26
What's on your mind?