Choosing the Right Wand or for those who like boring titles Managing Account Passwords: Policies and - PowerPoint PPT Presentation

Loading...

PPT – Choosing the Right Wand or for those who like boring titles Managing Account Passwords: Policies and PowerPoint presentation | free to view - id: 22a0f-NTZjN



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Choosing the Right Wand or for those who like boring titles Managing Account Passwords: Policies and

Description:

K-State Single-Sign-On environment. Access to licensed software, databases. SGA elections ... Such as hotmail, amazon.com, bank ... – PowerPoint PPT presentation

Number of Views:103
Avg rating:3.0/5.0
Slides: 27
Provided by: Harv183
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Choosing the Right Wand or for those who like boring titles Managing Account Passwords: Policies and


1
Choosing the Right Wand(or for those who like
boring titles Managing Account Passwords
Policies and Best Practices)
Harvard Townsend IT Security Officer harv_at_ksu.edu
October 31, 2007 Revised January 11, 2008
2
Whose responsibility is it?
  • Security is not just the CIOs problem it is
    everyones problem. And everyone is responsible
    for the solution.
  • Diane Oblinger
  • Brian Hawkins
  • EDUCAUSE

3
TJX Inc. now understands
4
Agenda
  • Authentication and authorization
  • eID password
  • Whats the big deal?
  • Threats to passwords
  • Policies
  • Why do we have to change it twice a year?
  • Writing it down
  • Tips for choosing a strong password
  • Managing multiple accounts/passwords
  • Cautions about Windows storing passwords

5
Authentication Authorization
  • Authentication (AuthN) verify who you are
  • Authorization (AuthZ) determine what you are
    allowed to do
  • Your eID (or other username) and password provide
    authentication
  • After authN, the system or application determines
    what you can access (authZ)

6
Forms of Authentication
  • 4-digit PIN
  • Username/Password
  • Challenge-Response
  • Two-factor Authentication
  • Two different methods required to authN
  • Something you know plus something you have (e.g.,
    bank card PIN)
  • Biometrics (e.g., thumbprint reader)
  • Passphrase
  • One-time passwords
  • Digital signature

7
eID Password
  • Whats the big deal?
  • HRIS self-service
  • E-mail
  • KATS/iSIS
  • K-State Online
  • Oracle Calendar
  • K-State Single-Sign-On environment
  • Access to licensed software, databases
  • SGA elections
  • University Computing Labs
  • Student access to network in residence halls

8
Threats to Passwords
  • Keyloggers a program that records every
    keystroke and sends it to the hacker can be
    configured to watch for passwords
  • Sniffing the network someone intercepting
    network traffic wireless networks particularly
    vulnerable
  • Malware that gives the hacker full control of a
    computer and access to anything on it
  • Internet cafés a favorite target for hackers to
    use keyloggers or other forms of malware
  • Hackers stealing passwords from a compromised
    server
  • Password cracking - a hacker being able to
    guess your password
  • Programs to do this are readily available on the
    Internet
  • Faster computers make this easier

9
Threats to Passwords
  • Phishing tricking you into providing account
    informationShoulder surfing someone looking
    over your shoulder as you type
  • Web browsers storing your password is easy for
    someone else using your computer to see your
    password(s)
  • Typing your password into the wrong place on the
    screen
  • Sharing your password with a friend
  • Giving your password to someone who is helping
    you with a computer problem

10
eID Password Policies
http//www.k-state.edu/policies/ppm/3430.htmlrequ
ire
  • Why do you have to change it?
  • Is standard best practice
  • It could be worse! (most standards specify a
    change every 30-90 days)
  • The longer you have the same password the more
    likely someone will discover it (because of the
    threats just discussed)
  • Changing it limits the amount of time a hacker
    can wreak havoc in your life

11
eID Password Policies
http//www.k-state.edu/policies/ppm/3430.htmlrequ
ire
  • Do not share it with anyone!
  • Do not use it for non-university accounts
  • Such as hotmail, amazon.com, bank
  • Is okay for departmental servers (not ideal, but
    acceptable risk)
  • Can I write it down?Passwords that are written
    down or stored electronically must not be
    accessible to anyone other than the owner and/or
    issuing authority.

12
eID Password Policies
http//www.k-state.edu/policies/ppm/3430.htmlrequ
ire
  • These apply to ALL K-State passwords, not just
    the eID
  • Enable the password on your screen saver
  • Lock your computer screen when you leave it
    unattended

13
Hints for Choosing a Strong (eID) Password
  • 7-8 characters in length
  • Limits your choices
  • Maximum length will increase in the future to
    give you more choices and allow passphrases
  • General rule hard to guess, easy to remember
    (strong, memorable)
  • Let eProfile (eid.ksu.edu) choose one for you
    (not ideal since is random, so you will likely
    write it down)

14
Hints for Choosing a Strong (eID) Password
  • Use character/word substitutions
  • 2 instead of to/too
  • 4 for for
  • 4t for Fort
  • L8 for late (r8, g8, b8, d8, etc.)
  • r for are
  • u for you
  • for S
  • 1 (one) for l (el) or i (eye)
  • ! for 1, l, or i

15
Hints for Choosing a Strong (eID) Password
  • Capitalize letters where it makes sense to get
    upper/lower case mix
  • Take a phrase and abbreviate it
  • 2Bor2b! To be, or not to be
  • Watch custom license plates for ideas
  • im4KSU2 (and add punctuation, like !)

16
Hints for Choosing a Strong (eID) Password
  • Use a password strength meterhttp//www.security
    stats.com/tools/password.phphttp//www.microsoft.
    com/protect/yourself/password/checker.mspx
  • Gotchas
  • Avoid space character
  • Beware of special characters that are not on
    foreign keyboards ()
  • What are your tips and tricks?

17
Steps to create a strong, memorable password
  • http//www.microsoft.com/protect/yourself/password
    /create.mspx
  • Think of a sentence that you can remember as the
    basis of your strong password or pass phrase. Use
    a memorable sentence, such as My son Aiden is
    three years old
  • Check if the computer or online system supports
    the pass phrase directly. If you can use a pass
    phrase (with spaces between characters), do so.

18
Steps to create a strong, memorable password
  • If the computer or online system does not support
    pass phrases, convert it to a password. Take the
    first letter of each to create a new, nonsensical
    word. Using the example above, you'd get
    msaityo
  • Add complexity
  • Mix uppercase and lowercase letters and numbers.
  • Swap some letters or intentionally misspell.
  • My SoN Ayd3N is 3 yeeRs old

19
Steps to create a strong, memorable password
  • Substitute some special characters
  • Add punctuation (!, , (), etc.)
  • Use symbols that look like letters
  • for S, 3 for E, 1 for i, _at_ for
    a
  • Combine words (remove spaces).
  • MySoN 8N i 3yeeR old or M8ni3y0
  • Test your new password with Password Strength
    Checker and/or eProfile (eid.ksu.edu)

20
Acct/Password Categories
  • Ideal different password for each acct
  • Acceptable different password for each type of
    account
  • eID and some other K-State accounts
  • Financial accounts
  • Online shopping (if stores credit card info)
  • All others

21
Managing Your Passwords
  • Try to remember them all? ?
  • Have someone younger than you help you remember
    them all? ?
  • Write them all down? ?
  • OK if keep in private place, like purse/wallet
  • Write down a hint, not actual password
  • Web browser? ?
  • Use a tool like Password Safe? ?http//passwordsa
    fe.sourceforge.net/

22
Dont Let Windows Store Your eID or Banking
Passwords
23
Windows Passwords
  • Windows stores encrypted passwords in several
    formats
  • LAN Manager (LANMAN)
  • NTLMv1
  • NTLMv2
  • LANMAN is particularly insecure
  • Stored in two 7-character pieces that can be
    cracked independently
  • Converts all characters to upper case
  • No salt used so the hash is the same for a
    given string of characters easy to build a
    table of hash values for a list of possible
    passwords for comparison
  • Thus prone to brute force password attacks
  • Once hacker cracks LANMAN, cracks NTLM by trying
    all upper/lower case combinations

24
Windows Passwords
  • Windows 2000 and newer do not use LANMAN, but
    store it by default for backwards compatibility
  • Samba uses LANMAN its holding us back but not
    for long
  • Windows does NOT store the LANMAN form if the
    password 14 characters long
  • Best practice make Windows Administrator
    account passwords 14 characters
  • Or use Windows Vista since it doesnt store the
    LANMAN hash

25
Windows Passwords
  • Disable storing the LANMAN hash on Windows
    computers, if possible
  • This may break some applications (like Samba)
  • Is done with a group policy object called
    NoLMHash (note changing this switch does not
    remove LM hashes already stored)
  • Or edit the Registry
  • See
  • http//support.microsoft.com/default.aspx?scidKB
    EN-USq299656

26
Whats on your mind?
About PowerShow.com