
Post on 20-Dec-2015


The Simplest Security

A Guide to better Password Practices

Provided By: Utah Education Network – DSO

Terms of Use

Use of this presentation is granted to education and non-profit entities for education in security topics as described herein. The following limitations and restrictions apply:

• The content of this presentation remains unchanged from its original published format, except for updates to the content for accuracy or current tactics/trends.
• Any changes made to the presentation are understood to not be the original work of the author, and are noted in the presentation as such.
• Credit to the author is retained as-is in the original presentation format.
• Use by “for profit” or “commercial” entities must be granted permission by the author, and is subject to further restrictions.

A Refresher – Password Usage

Passwords are Annoying
• Need passwords for everything
• Difficult to come up with one we can remember
• Procrastinate changing them
• Oh the PAIN!

A Refresher – Password Usage

Passwords are often the First and ONLY defense against intrusion
• They protect Personal and Company information

Passwords are simple and cheap

Define “Password”

Password Cracking

Cracking is the process of figuring out or breaking passwords in order to gain unauthorized access.

Most Passwords can be cracked easily
• It's much easier than you think

• Dictionary Cracking
• Brute Force Cracking

Password Cracking

Literally Hundreds of tools to crack passwords

Social Engineering of Passwords
• The “Post-it™” Note
• “Under the Keyboard”
• Over the Phone
• What ABOUT You?

Password Cracking

Other technological ways of getting passwords
• Cleartext vs. Encrypted Passwords
• Network Sniffers

It is Possible and even Likely that someone knows at least one of your passwords right now.

Choosing Good Passwords – What NOT to use

The Don'ts
• No Dictionary words
  • nimda (Backwards ‘admin’) – Difficult to figure out but NO Match for Crackers or Brute Force Guessers.
• No Proper Nouns
• No Foreign Words
  • Foreign Dictionaries Exist too. Even Japanese.

Choosing Good Passwords – No Personal Information

It is easy for hackers to social engineer personal information about you.
• The Dumpster Dive for personal info.

Don’t include personal information in your passwords.
• Birthdates, Anniversaries, Phone Numbers
• Pet Names, Nicknames, Names of Family Members

Choosing Good Passwords – Length, Width and Depth

Length
• Probability dictates that the longer the password is, the more difficult it will be to crack. Simply put, Longer is Better.
• Recommendations:
  • Between 6 to 8 Characters in Length
  • Greater length is better if the OS can support it.
  • Shorter passwords should be avoided.

Choosing Good Passwords – Length, Width and Depth

Width
• Width is the variation of characters used in a password.
• Don’t just consider the Alphabet. There are also Numbers and Special Characters.
• Case Sensitive Passwords, ALT Characters, and Spaces should also be considered.

Choosing Good Passwords – Length, Width and Depth

Width
• As a General Rule the following character sets should all be included in every password:
  • Uppercase letters such as A, B, C
  • Lowercase letters such as a, b, c
  • Numerals such as 1, 2, 3
  • Special Characters such as %, $, #, !, *
  • ALT Characters such as Є, ψ, Ω, β
    • May not be supported by some OS’s

Choosing Good Passwords – Length, Width and Depth

Depth
• Depth refers to choosing a password with a challenging meaning.
  • A Good Password is easy to remember but Hard to guess.
• Stop thinking in terms of PassWORDS, and start thinking in terms of Phrases.
• Mnemonic Phrases allow the creation of complex passwords without the need to write them down.

Choosing Good Passwords – Length, Width and Depth

Depth
• Examples of Mnemonic phrases include a phrase spelled phonetically:
  • Such as: ‘ImuKat!’ (instead of ‘I’m a cat!’)
  • Or: ‘qbfjold*’ (quick brown fox jumped over the lazy dog)
• You may want to choose a phrase of personal meaning (Not Personal Info)
• Substitution of Characters is useful, like using “3” for the letter “E”
  • Such as: M@gaZyn3 (Magazine)
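The Don'ts and the Length, Width and Depth rules from the preceding slides, as an added Python example that is not part of the original presentation: it estimates the brute-force search space from the character classes present and rejects dictionary words (plain, reversed like nimda, or with “3”-for-“E” style substitutions) as well as caller-supplied personal information. The word list and substitution table are constructed stand-ins, and the minimum length of 8 is an assumption taken from the top of the slide's 6-8 range.

```python
import math
import re

# Constructed stand-in for the word lists crackers load (English, foreign
# words, proper nouns); real lists run to millions of entries.
WORDLIST = {"admin", "password", "magazine", "cat", "summer", "tokyo", "mike"}

# Common substitutions ("3" for "E"); crackers try these too, so the
# dictionary check also runs on the de-substituted form.
UNLEET = str.maketrans({"@": "a", "3": "e", "0": "o", "1": "i",
                        "$": "s", "5": "s", "4": "a", "7": "t"})

# Character classes from the Width slides, with the size each adds to the
# alphabet a brute-forcer has to cover (33 printable ASCII specials).
CLASSES = {
    "uppercase": (r"[A-Z]", 26),
    "lowercase": (r"[a-z]", 26),
    "numerals": (r"[0-9]", 10),
    "special": (r"[^A-Za-z0-9\s]", 33),
}


def search_space_bits(password):
    """Length times width: log2 of the keyspace, counting only the classes
    actually present, which is the alphabet a brute-forcer would assume."""
    alphabet = sum(size for pat, size in CLASSES.values() if re.search(pat, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def dictionary_hit(password):
    """True if the password, its reverse (nimda -> admin), its de-substituted
    form, or any of those stripped of non-letters is in the word list."""
    low = password.lower()
    candidates = {low, low.translate(UNLEET)}
    candidates |= {re.sub(r"[^a-z]", "", c) for c in list(candidates)}
    candidates |= {c[::-1] for c in list(candidates)}
    return any(c in WORDLIST for c in candidates)


def check_password(password, personal_info=(), min_len=8):
    """Returns (search-space bits, list of rules the password breaks)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, (pat, _) in CLASSES.items():
        if not re.search(pat, password):
            problems.append(f"no {name} characters")
    if dictionary_hit(password):
        problems.append("dictionary word (plain, reversed or with substitutions)")
    for item in personal_info:   # birthdates, pet names, etc. supplied by the caller
        if item.lower() in password.lower():
            problems.append(f"contains personal info '{item}'")
    return round(search_space_bits(password), 1), problems
```

Note that the slide's own ‘ImuKat!’ example fails the numerals rule from the Width slide, which is why the checker reports each broken rule separately rather than a single pass/fail.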

Extra Protection

All of the good Password Crackers include Foreign words, backwards words, etc.

But the easiest way to get a Password is to steal it!
• It's easier to never give it away.

Extra Protection

In some cases, a Good password is enough to keep intruders out.

In other cases, it's just a start. The use of further protection is necessary.
• Encryption
  • Means Garbling the password to protect from sniffers or other onlookers.
• One Time Passwords
  • Means just what it says. Using a password that is only good once.

Extra Protection

Users should avoid the use of the same password on multiple systems.
• Doing this creates a single point of failure.

Users should not share passwords with Anyone.
• If someone else needs access, they should get their own account on the system.
• System Admins should Never ask you for your password.
• NEVER Share a password with anyone over the phone. Not even with a “System Administrator”.

Extra Protection

Exercise extreme caution when writing down or storing passwords.
• Dumpster Diving, Shoulder Surfing.

Choose passwords that are easy to remember so that they don’t need to be written down.

Changing and Storing Passwords

To ensure effectiveness, passwords should be changed on a regular basis.
• Changing Passwords is Generally Simple. Ask your systems admin if you need help.
• Change Passwords as CLOSE to the Account as possible.
• Don’t let anyone watch while you type in your password.
• If possible, the password should be changed over a secure connection like a Secure Shell (SSH).

Changing and Storing Passwords

How often do you change passwords? (General Rule)
• Financial or SIS Accounts – 1-2 Months
• Network Passwords – 2-3 Months
• Just use Good Judgment: “Don’t Be Lazy”
  • All Passwords should Never be over 4 Months old.

Changing a password is relatively quick and painless compared to the irritating and expensive process of Hacked Systems Recovery, or Identity Theft.

Tips for Organizations and Network Admins

Strong Password Policies
• Require the Best Practices in Password Management
• Educate users on how easy it is for someone to get their password.
  • Social Engineering
  • Online Attacks, etc.
• New Users should be taught Good password practices
• The Password Policy should be integrated into the overall Security policy of the organization.

Tips for Organizations and Network Admins

• Implement safeguards to ensure systems are using Strong Passwords (PAM).
• Set Password Expiration Dates according to account type and access to services.
• Keep Password history to prevent reuse.
• Lock accounts with 3-5 Bad attempts.
• Fewer people with access is better.
• Remove accounts for people who have left.
• ALWAYS Change the default passwords to systems you install.
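The expiration, history and lockout safeguards above, as an added Python example that is not part of the presentation: a minimal account model that locks after 5 bad attempts (the top of the slide's 3-5 range), expires passwords by account type using the intervals from the Changing Passwords slide (60, 90 and at most 120 days, taken here as the upper end of each range), and keeps a salted PBKDF2 history so a previous password cannot be reused. The history depth of 5 and the use of plain day numbers for dates are assumptions made for this example.

```python
import hashlib
import os

# Maximum password age by account type, upper end of the slides' ranges:
# financial/SIS 1-2 months, network 2-3 months, never over 4 months.
MAX_AGE_DAYS = {"financial": 60, "network": 90, "other": 120}
LOCKOUT_THRESHOLD = 5   # slides: lock accounts after 3-5 bad attempts
HISTORY_DEPTH = 5       # assumed depth; the slides only say "keep history"


def _hash(password, salt):
    # Slow salted hash so a leaked history is not trivially cracked offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, kind, password, today):
        # 'today' is a day number (days since an arbitrary epoch) for simplicity.
        self.kind, self.failed, self.locked = kind, 0, False
        self.history = []        # (salt, hash) of past passwords, newest last
        self.changed_on = today
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)    # fresh salt per password
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def expired(self, today):
        return today - self.changed_on > MAX_AGE_DAYS[self.kind]

    def login(self, password, today):
        """Returns 'ok', 'expired', 'bad' or 'locked'."""
        if self.locked:
            return "locked"
        salt, digest = self.history[-1]
        if _hash(password, salt) != digest:
            self.failed += 1
            if self.failed >= LOCKOUT_THRESHOLD:
                self.locked = True
                return "locked"
            return "bad"
        self.failed = 0          # a good login resets the bad-attempt counter
        return "expired" if self.expired(today) else "ok"

    def change_password(self, new_password, today):
        """Refuses any password still in the history window, then stores the new one."""
        if any(_hash(new_password, s) == d for s, d in self.history):
            return False
        self._store(new_password)
        self.changed_on = today
        return True
```

Current guidance (NIST SP 800-63B) drops scheduled expiration and composition rules in favour of length, screening against breached-password lists and rate limiting, so treat the slide's intervals as the baseline of their era rather than a present-day target.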

References

The Simplest Security: A Guide To Better Password Practices, by Sarah Granger. http://www.securityfocus.com/infocus/1537

Compiled and Updated by Troy Jessup, Utah Education Network – Departmental Security Office. http://www.uen.org/security

Armstrong, Del and Simonson, John: “Password Guessing” and “Password Sniffing,” An Intro to Computer Security, School of Engineering & Applied Sciences, University of Rochester, Oct. 25, 1996. http://www.seas.rochester.edu:8080/CNG/docs/Security/security.html

Belgers, Walter: “UNIX Password Security,” JANET-CERT, Dec. 6, 1993. http://www.ja.net/CERT/Belgers/UNIX-password-security.html

Cliff, A.: “Password Crackers - Ensuring the Security of Your Password,” Security Focus, Feb. 19, 2001. http://www.securityfocus.com/infocus/1192

Cons, Lionel: CERN Security Handbook (Practical computer security for CERN users), Version 1.2, 12 December 1996. http://consult.cern.ch/writeups/security/security_3.html#SEC7

Donovan, Craig: “Strong Passwords,” SANS Institute, June 2, 2000. http://www.sans.org/infosecFAQ/policy/password.htm

Garfinkel, Simson and Spafford, Gene: Practical UNIX Security, O’Reilly & Associates, Inc., Sebastopol, CA, 1991 & 1996.

MacGregor, Tina: “Password Auditing and Password Filtering to Improve Network Security,” SANS Institute, May 13, 2001. http://rr.sans.org/authentic/improve.php

“Password Security: A Guide for Students, Faculty, and Staff of the University of Michigan,” University of Michigan, Information Technology Division, Reference R1192, Revised April 1997. http://www.umich.edu/~policies/pw-security.html

Russell, Deborah and Gangemi Sr., G.T.: Computer Security Basics, O’Reilly & Associates, Inc., Sebastopol, CA, 1991.

Thomas, Stephen: “Popular Myths on Password Authentication,” 2600, Summer 2001. http://www.2600.com

Visser, Joe: “On NT Password Security,” Open Solution Providers, 1997. http://www.osp.nl/infobase/ntpass.html

PLEASE DO NOT REMOVE THESE REFERENCES FROM THE PRESENTATION