Title: Choosing the Right Wand (or, for those who like boring titles, Managing Account Passwords: Policies and Best Practices)
Harvard Townsend, IT Security Officer, harv@ksu.edu
October 31, 2007; revised January 11, 2008
Slide 2: Whose responsibility is it?
- "Security is not just the CIO's problem; it is everyone's problem. And everyone is responsible for the solution."
- Diana Oblinger and Brian Hawkins, EDUCAUSE
Slide 3: TJX Inc. now understands
Slide 4: Agenda
- Authentication and authorization
- eID password
  - What's the big deal?
  - Threats to passwords
  - Policies
  - Why do we have to change it twice a year?
  - Writing it down
- Tips for choosing a strong password
- Managing multiple accounts/passwords
- Cautions about Windows storing passwords
Slide 5: Authentication vs. Authorization
- Authentication (AuthN): verify who you are
- Authorization (AuthZ): determine what you are allowed to do
- Your eID (or other username) and password provide authentication
- After authN, the system or application determines what you can access (authZ)
Slide 6: Forms of Authentication
- 4-digit PIN
- Username/password
- Challenge-response
- Two-factor authentication
  - Two different methods required to authN
  - Something you know plus something you have (e.g., bank card and PIN)
- Biometrics (e.g., thumbprint reader)
- Passphrase
- One-time passwords
- Digital signature
Slide 7: eID Password
- What's the big deal?
  - HRIS self-service
  - E-mail
  - KATS/iSIS
  - K-State Online
  - Oracle Calendar
  - K-State Single-Sign-On environment
  - Access to licensed software, databases
  - SGA elections
  - University Computing Labs
  - Student access to network in residence halls
Slide 8: Threats to Passwords
- Keyloggers: a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords
- Sniffing the network: someone intercepting network traffic; wireless networks are particularly vulnerable
- Malware that gives the hacker full control of a computer and access to anything on it
- Internet cafés: a favorite target for hackers to use keyloggers or other forms of malware
- Hackers stealing passwords from a compromised server
- Password cracking: a hacker being able to guess your password
  - Programs to do this are readily available on the Internet
  - Faster computers make this easier
Slide 9: Threats to Passwords
- Phishing: tricking you into providing account information
- Shoulder surfing: someone looking over your shoulder as you type
- Web browsers storing your password: easy for someone else using your computer to see your password(s)
- Typing your password into the wrong place on the screen
- Sharing your password with a friend
- Giving your password to someone who is helping you with a computer problem
Slide 10: eID Password Policies
http://www.k-state.edu/policies/ppm/3430.html#require
- Why do you have to change it?
  - It is standard best practice
  - It could be worse! (most standards specify a change every 30-90 days)
  - The longer you have the same password, the more likely someone will discover it (because of the threats just discussed)
  - Changing it limits the amount of time a hacker can wreak havoc in your life
Slide 11: eID Password Policies
http://www.k-state.edu/policies/ppm/3430.html#require
- Do not share it with anyone!
- Do not use it for non-university accounts
  - Such as Hotmail, amazon.com, bank
  - It is okay for departmental servers (not ideal, but acceptable risk)
- Can I write it down? "Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority."
Slide 12: eID Password Policies
http://www.k-state.edu/policies/ppm/3430.html#require
- These apply to ALL K-State passwords, not just the eID
- Enable the password on your screen saver
- Lock your computer screen when you leave it unattended
Slide 13: Hints for Choosing a Strong (eID) Password
- 7-8 characters in length
  - Limits your choices
  - Maximum length will increase in the future to give you more choices and allow passphrases
- General rule: hard to guess, easy to remember (strong, memorable)
- Let eProfile (eid.ksu.edu) choose one for you (not ideal, since it is random, so you will likely write it down)
Slide 14: Hints for Choosing a Strong (eID) Password
- Use character/word substitutions
  - 2 instead of to/too
  - 4 for for
  - 4t for Fort
  - L8 for late (r8, g8, b8, d8, etc.)
  - r for are
  - u for you
  - $ for S
  - 1 (one) for l (el) or i (eye)
  - ! for 1, l, or i
Slide 15: Hints for Choosing a Strong (eID) Password
- Capitalize letters where it makes sense to get an upper/lower case mix
- Take a phrase and abbreviate it
  - 2Bor2b! (To be, or not to be)
- Watch custom license plates for ideas
  - im4KSU2 (and add punctuation, like !)
Slide 16: Hints for Choosing a Strong (eID) Password
- Use a password strength meter
  - http://www.securitystats.com/tools/password.php
  - http://www.microsoft.com/protect/yourself/password/checker.mspx
- Gotchas
  - Avoid the space character
  - Beware of special characters that are not on foreign keyboards ()
- What are your tips and tricks?
Slide 17: Steps to create a strong, memorable password
- http://www.microsoft.com/protect/yourself/password/create.mspx
- Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as "My son Aiden is three years old".
- Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters), do so.
Slide 18: Steps to create a strong, memorable password
- If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word to create a new, nonsensical word. Using the example above, you'd get "msaityo".
- Add complexity
  - Mix uppercase and lowercase letters and numbers.
  - Swap some letters or intentionally misspell.
  - "My SoN Ayd3N is 3 yeeRs old"
Slide 19: Steps to create a strong, memorable password
- Substitute some special characters
  - Add punctuation (!, , (), etc.)
  - Use symbols that look like letters
    - $ for S, 3 for E, 1 for i, @ for a
  - Combine words (remove spaces).
    - "MySoN 8N i$ 3yeeR$ old" or "M$8ni3y0"
- Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)
Slide 20: Account/Password Categories
- Ideal: a different password for each account
- Acceptable: a different password for each type of account
  - eID and some other K-State accounts
  - Financial accounts
  - Online shopping (if the store keeps your credit card info)
  - All others
Slide 21: Managing Your Passwords
- Try to remember them all?
- Have someone younger than you help you remember them all?
- Write them all down?
  - OK if kept in a private place, like a purse/wallet
  - Write down a hint, not the actual password
- Web browser?
- Use a tool like Password Safe? http://passwordsafe.sourceforge.net/
Slide 22: Don't Let Windows Store Your eID or Banking Passwords
Slide 23: Windows Passwords
- Windows stores encrypted (hashed) passwords in several formats
  - LAN Manager (LANMAN)
  - NTLMv1
  - NTLMv2
- LANMAN is particularly insecure
  - Stored in two 7-character pieces that can be cracked independently
  - Converts all characters to upper case
  - No salt used, so the hash is the same for a given string of characters: easy to build a table of hash values for a list of possible passwords for comparison
  - Thus prone to brute-force password attacks
  - Once a hacker cracks LANMAN, they crack NTLM by trying all upper/lower case combinations
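To make slide 23's three complaints about LANMAN concrete, here is an added Python model; it is not code from the deck. It does not compute real LM hashes (those use DES, which the standard library does not provide; SHA-256 stands in for the one-way step, which is an assumption), but it reproduces LM's structure: upper-casing, padding to 14 bytes, hashing two independent 7-byte halves, and no salt. With that structure a table precomputed once from a word list recovers halves of stored passwords, and a random per-account salt makes the same table useless. The word list and the 69-symbol alphabet estimate are constructed for the example.

```python
import hashlib
import math
import os

LM_LEN = 14            # LM truncates or NUL-pads every password to 14 bytes
HALF = LM_LEN // 2     # ...and hashes the two 7-byte halves separately
EMPTY_HALF = b"\0" * HALF


def _oneway(block: bytes) -> str:
    """Stand-in for LM's DES step (assumption). Any fixed, unsalted one-way
    function exhibits the same structural problem."""
    return hashlib.sha256(block).hexdigest()


def lm_prepare(password: str) -> bytes:
    """Upper-case, truncate to 14 bytes and NUL-pad, as LM does."""
    raw = password.upper().encode("latin-1", errors="replace")
    return raw[:LM_LEN].ljust(LM_LEN, b"\0")


def lm_like(password: str) -> tuple[str, str]:
    """Two independent half-hashes. 'Password' and 'PASSWORD' give the same
    result, and a 7-character password leaves the second half equal to the
    hash of seven NUL bytes, which gives the length away."""
    p = lm_prepare(password)
    return _oneway(p[:HALF]), _oneway(p[HALF:])


def build_table(wordlist) -> dict[str, bytes]:
    """Precompute hash -> 7-byte chunk once. Because there is no salt, the same
    table matches every account on every machine."""
    table = {}
    for word in wordlist:
        p = lm_prepare(word)
        for chunk in (p[:HALF], p[HALF:]):
            table[_oneway(chunk)] = chunk
    return table


def recover(stored: tuple[str, str], table: dict[str, bytes]) -> tuple:
    """Look each half up on its own: one half can be recovered even when the
    other is not in the table (slide 23: 'cracked independently')."""
    found = []
    for h in stored:
        chunk = table.get(h)
        found.append(None if chunk is None else chunk.rstrip(b"\0").decode("latin-1"))
    return tuple(found)


def salted_hash(password: str, salt: bytes) -> str:
    """What a salt changes: the same password hashes differently per account,
    so a table built in advance matches nothing and every guess has to be
    re-hashed for each salt."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def search_space_bits() -> tuple[float, float]:
    """Work to exhaust one LM half (69 symbols after upper-casing: 26 letters,
    10 digits, 33 symbols) versus a 14-character password over 95 printable
    ASCII characters. Alphabet sizes are approximations assumed for illustration."""
    return math.log2(69 ** HALF), math.log2(95 ** LM_LEN)


# Constructed word list standing in for the "list of possible passwords" on slide 23.
WORDLIST = ["password", "letmein", "welcome", "wildcat", "qwerty", "summer2007"]

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("case folded:", lm_like("Password") == lm_like("PASSWORD"))
    print("recovered from 'Password':", recover(lm_like("Password"), table))
    print("recovered from 'wildcat!':", recover(lm_like("wildcat!"), table))
    salt = os.urandom(8)
    print("salted hash found in table:", salted_hash("password", salt) in table)
    half_bits, full_bits = search_space_bits()
    print(f"one LM half: 2^{half_bits:.0f}; 14-char mixed-case password: 2^{full_bits:.0f}")
```

The `wildcat!` case is the one to notice: the word list never contained that password, yet the first seven characters come straight out of the table, and the constant second-half hash of any 7-character password tells an attacker there is nothing left to guess. The salted variant shows why later hash formats sidestep the precomputed-table problem entirely.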
Slide 24: Windows Passwords
- Windows 2000 and newer do not use LANMAN, but store it by default for backwards compatibility
- Samba uses LANMAN: it's holding us back, but not for long
- Windows does NOT store the LANMAN form if the password is longer than 14 characters
- Best practice: make Windows Administrator account passwords longer than 14 characters
- Or use Windows Vista, since it doesn't store the LANMAN hash
Slide 25: Windows Passwords
- Disable storing the LANMAN hash on Windows computers, if possible
  - This may break some applications (like Samba)
  - Is done with a group policy object called NoLMHash (note: changing this switch does not remove LM hashes already stored)
  - Or edit the Registry
  - See http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656
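An added Python check for the NoLMHash setting that slide 25 describes; it is not code from the deck or from the Microsoft article. It assumes the documented registry location, `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` with a DWORD value `NoLMHash` (1 = do not store the LM hash; Windows 2000 used a subkey of that name instead of a value). The `winreg` module exists only on Windows, so the registry read is guarded and the interpretation is a separate function that runs anywhere.

```python
from typing import Optional

try:
    import winreg          # Windows only
except ImportError:        # elsewhere only interpret() is usable
    winreg = None

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
NOLMHASH = "NoLMHash"


def interpret(value: Optional[int], subkey_present: bool = False) -> dict:
    """Turn what was found in the registry into a verdict.
    value is the NoLMHash DWORD, or None when the value does not exist;
    subkey_present covers the Windows 2000 form (a subkey rather than a value)."""
    if value == 1:
        return {"lm_hash_stored": False, "reason": "NoLMHash DWORD is set to 1"}
    if subkey_present:
        return {"lm_hash_stored": False,
                "reason": "NoLMHash subkey exists (Windows 2000 form)"}
    reason = "NoLMHash is not configured" if value is None else f"NoLMHash is set to {value}"
    # Slide 24: with LM storage on, only passwords longer than 14 characters escape it.
    return {"lm_hash_stored": True,
            "reason": reason + "; LM hashes are kept for passwords of 14 characters or fewer"}


def read_registry() -> dict:
    """Read the live setting on a Windows host (read access is enough)."""
    if winreg is None:
        raise RuntimeError("winreg is unavailable: this check only runs on Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as lsa:
        try:
            value, _kind = winreg.QueryValueEx(lsa, NOLMHASH)
        except OSError:                      # the value does not exist
            value = None
        try:
            winreg.CloseKey(winreg.OpenKey(lsa, NOLMHASH))
            subkey_present = True
        except OSError:                      # no Windows 2000 style subkey
            subkey_present = False
    return interpret(value, subkey_present)


def disable_lm_storage() -> None:
    """Set NoLMHash = 1 (requires administrator rights). As slide 25 notes, this
    only stops new LM hashes from being written; hashes already on disk remain
    until each account's password is next changed."""
    if winreg is None:
        raise RuntimeError("winreg is unavailable: this change only applies to Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY, 0, winreg.KEY_SET_VALUE) as lsa:
        winreg.SetValueEx(lsa, NOLMHASH, 0, winreg.REG_DWORD, 1)


if __name__ == "__main__":
    try:
        print(read_registry())
    except RuntimeError as err:
        print(err)
```

The group policy route the slide mentions writes this same value (the setting is listed under Security Options as "Network security: Do not store LAN Manager hash value on next password change"), so the check above reports the effective state whichever way it was configured; pair it with a forced password change if the goal is to get existing LM hashes off the machine.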
Slide 26: What's on your mind?