Choosing the Right Wand or for those who like boring titles Managing Account Passwords: Policies and - PowerPoint PPT Presentation



Slides: 27
Provided by: Harv183


Transcript and Presenter's Notes


Choosing the Right Wand (or, for those who like
boring titles, Managing Account Passwords:
Policies and Best Practices)
Harvard Townsend, IT Security Officer
October 31, 2007; Revised January 11, 2008
Whose responsibility is it?
  • "Security is not just the CIO's problem; it is
    everyone's problem. And everyone is responsible
    for the solution."
  • Diane Oblinger
  • Brian Hawkins

TJX Inc. now understands
  • Authentication and authorization
  • eID password
  • What's the big deal?
  • Threats to passwords
  • Policies
  • Why do we have to change it twice a year?
  • Writing it down
  • Tips for choosing a strong password
  • Managing multiple accounts/passwords
  • Cautions about Windows storing passwords

Authentication and Authorization
  • Authentication (AuthN): verify who you are
  • Authorization (AuthZ): determine what you are
    allowed to do
  • Your eID (or other username) and password provide
  • After authN, the system or application determines
    what you can access (authZ)

Forms of Authentication
  • 4-digit PIN
  • Username/Password
  • Challenge-Response
  • Two-factor Authentication
    • Two different methods required to authN
    • Something you know plus something you have (e.g.,
      bank card and PIN)
  • Biometrics (e.g., thumbprint reader)
  • Passphrase
  • One-time passwords
  • Digital signature

eID Password
  • What's the big deal?
  • HRIS self-service
  • E-mail
  • K-State Online
  • Oracle Calendar
  • K-State Single-Sign-On environment
  • Access to licensed software, databases
  • SGA elections
  • University Computing Labs
  • Student access to network in residence halls

Threats to Passwords
  • Keyloggers: a program that records every
    keystroke and sends it to the hacker; it can be
    configured to watch for passwords
  • Sniffing the network: someone intercepting
    network traffic, wireless networks particularly
  • Malware that gives the hacker full control of a
    computer and access to anything on it
  • Internet cafés: a favorite target for hackers to
    use keyloggers or other forms of malware
  • Hackers stealing passwords from a compromised
  • Password cracking: a hacker being able to
    guess your password
    • Programs to do this are readily available on the
    • Faster computers make this easier

Threats to Passwords
  • Phishing: tricking you into providing account
    information
  • Shoulder surfing: someone looking over your
    shoulder as you type
  • Web browsers storing your password: easy for
    someone else using your computer to see your
  • Typing your password into the wrong place on the
  • Sharing your password with a friend
  • Giving your password to someone who is helping
    you with a computer problem

eID Password Policies
  • Why do you have to change it?
    • It is standard best practice
    • It could be worse! (most standards specify a
      change every 30-90 days)
    • The longer you have the same password, the more
      likely someone will discover it (because of the
      threats just discussed)
    • Changing it limits the amount of time a hacker
      can wreak havoc in your life

eID Password Policies
  • Do not share it with anyone!
  • Do not use it for non-university accounts
    • Such as Hotmail, bank
    • It is okay for departmental servers (not ideal, but
      an acceptable risk)
  • Can I write it down? Passwords that are written
    down or stored electronically must not be
    accessible to anyone other than the owner and/or
    issuing authority.

eID Password Policies
  • These apply to ALL K-State passwords, not just
    the eID
  • Enable the password on your screen saver
  • Lock your computer screen when you leave it

Hints for Choosing a Strong (eID) Password
  • 7-8 characters in length
    • Limits your choices
    • Maximum length will increase in the future to
      give you more choices and allow passphrases
  • General rule: hard to guess, easy to remember
    (strong, memorable)
  • Let eProfile choose one for you
    (not ideal since it is random, so you will likely
    write it down)

Hints for Choosing a Strong (eID) Password
  • Use character/word substitutions
    • 2 instead of to/too
    • 4 for for
    • 4t for Fort
    • L8 for late (r8, g8, b8, d8, etc.)
    • r for are
    • u for you
    • $ for S
    • 1 (one) for l (el) or i (eye)
    • ! for 1, l, or i

Hints for Choosing a Strong (eID) Password
  • Capitalize letters where it makes sense to get an
    upper/lower case mix
  • Take a phrase and abbreviate it
    • 2Bor2b! (To be, or not to be)
  • Watch custom license plates for ideas
    • im4KSU2 (and add punctuation, like !)

Hints for Choosing a Strong (eID) Password
  • Use a password strength meter: http://
  • Gotchas
    • Avoid the space character
    • Beware of special characters that are not on
      foreign keyboards
  • What are your tips and tricks?

Steps to create a strong, memorable password
  • http://
  • Think of a sentence that you can remember as the
    basis of your strong password or pass phrase. Use
    a memorable sentence, such as "My son Aiden is
    three years old".
  • Check if the computer or online system supports
    the pass phrase directly. If you can use a pass
    phrase (with spaces between characters), do so.

Steps to create a strong, memorable password
  • If the computer or online system does not support
    pass phrases, convert it to a password. Take the
    first letter of each word to create a new, nonsensical
    word. Using the example above, you'd get
  • Add complexity
    • Mix uppercase and lowercase letters and numbers.
    • Swap some letters or intentionally misspell.
    • My SoN Ayd3N is 3 yeeRs old

Steps to create a strong, memorable password
  • Substitute some special characters
    • Add punctuation (!, , (), etc.)
    • Use symbols that look like letters
    • $ for S, 3 for E, 1 for i, @ for a
    • Combine words (remove spaces).
    • MySoN 8N i$ 3yeeR$ old or M$8ni3y0
  • Test your new password with Password Strength
    Checker and/or eProfile

Acct/Password Categories
  • Ideal: a different password for each account
  • Acceptable: a different password for each type of
    • eID and some other K-State accounts
    • Financial accounts
    • Online shopping (if the store keeps your credit card info)
    • All others

Managing Your Passwords
  • Try to remember them all?
  • Have someone younger than you help you remember
    them all?
  • Write them all down?
    • OK if kept in a private place, like a purse/wallet
    • Write down a hint, not the actual password
  • Web browser?
  • Use a tool like Password Safe? http://passwordsa

Don't Let Windows Store Your eID or Banking

Windows Passwords
  • Windows stores encrypted passwords in several
    • LAN Manager (LANMAN)
    • NTLMv1
    • NTLMv2
  • LANMAN is particularly insecure
    • Stored in two 7-character pieces that can be
      cracked independently
    • Converts all characters to upper case
    • No salt used, so the hash is the same for a
      given string of characters: easy to build a
      table of hash values for a list of possible
      passwords for comparison
    • Thus prone to brute force password attacks
    • Once the hacker cracks LANMAN, they crack NTLM by
      trying all upper/lower case combinations

Windows Passwords
  • Windows 2000 and newer do not use LANMAN, but
    store it by default for backwards compatibility
  • Samba uses LANMAN; it's holding us back, but not
    for long
  • Windows does NOT store the LANMAN form if the
    password is more than 14 characters long
  • Best practice: make Windows Administrator
    account passwords more than 14 characters
  • Or use Windows Vista, since it doesn't store the
    LANMAN hash
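Added example (not the presentation's code) that models why the LANMAN weaknesses on the two slides above matter: SHA-256 stands in for the DES step of the real LM hash, the small charset and the sample password Cab1Abc0 are constructed, and the 14-character cut-off is the one the slide gives.

```python
import hashlib
import itertools

# Toy model of the LAN Manager hash (added example, not from the slides). It keeps
# the weaknesses listed above: upper-casing, 14-character NUL padding, two halves
# hashed independently, no salt. The real LM hash DES-encrypts a fixed string with
# each 7-byte half as the key; SHA-256 stands in for that DES step here.

def lm_style_hash(password):
    """Two independent halves, or None where Windows stores no LM hash (15+ chars)."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\0")   # case discarded, short input NUL-padded
    return tuple(hashlib.sha256(padded[i:i + 7].encode("latin-1")).hexdigest()[:16]
                 for i in (0, 7))

# Seven NUL bytes hash to one fixed value, so the second half of every password of
# 7 or fewer characters is the same constant and immediately reveals it is short.
EMPTY_HALF = lm_style_hash("")[1]

def build_half_table(charset, max_len):
    """Hash every candidate half once; with no salt the table works against every account."""
    table = {}
    for n in range(max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            table[lm_style_hash(candidate)[0]] = candidate
    return table

def crack_lm(halves, table):
    """Each half is looked up on its own: two 7-character searches, never one of 14."""
    return tuple(table.get(h) for h in halves)

def nt_style_hash(password):
    """Stand-in for the case-preserving NT hash (the real one is MD4 over UTF-16LE)."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

def recover_case(upper_word, target_nt_hash):
    """With the upper-cased password known, only 2**len(word) case variants remain for NTLM."""
    for funcs in itertools.product((str.lower, str.upper), repeat=len(upper_word)):
        candidate = "".join(f(c) for f, c in zip(funcs, upper_word))
        if nt_style_hash(candidate) == target_nt_hash:
            return candidate
    return None

if __name__ == "__main__":
    table = build_half_table("ABC01", 7)               # constructed small charset
    print(crack_lm(lm_style_hash("Cab1Abc0"), table))  # ('CAB1ABC', '0')
```

The second half of a short password matching EMPTY_HALF, and a 15-character password yielding no LM hash at all, are the two checks behind the slide's "more than 14 characters" advice.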

Windows Passwords
  • Disable storing the LANMAN hash on Windows
    computers, if possible
    • This may break some applications (like Samba)
    • This is done with a group policy setting called
      NoLMHash (note: changing this switch does not
      remove LM hashes already stored)
    • Or edit the Registry
  • See http://

What's on your mind?