Password Security

- How secure are your passwords?
- Why do we need passwords, or do we need them?
- Should they be simple or complex?
- When should we assign passwords?
- How can we create effective passwords?
- Should we use password generators?
- Do we need to change passwords, and how often?
What is a weak password?

A weak password:
- Contains fewer than six characters
- Is a word found in a dictionary (English or foreign)
- Is a common usage word, such as:
  - Passwords containing the user ID in any form
  - Names of family, pets, friends, or co-workers
  - Birthdays and personal information, such as addresses and phone numbers
  - Any of the above spelled backward
  - Any of the above preceded or followed by a digit (secret1, 1secret) or the same letter (ssecret, secrett)
What is a strong password?

A strong password:
- Contains digits, symbols, and uppercase and lowercase characters (for example: a-z, A-Z, 0-9, punctuation)
- Is at least eight characters long
- Isn't a word in any language, slang, or dialect
- Isn't based on personal information, names of family, etc.
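The weak/strong rules on the two slides above can be checked mechanically. The Python below is an added example, not part of the presentation: it reduces a candidate password to its "padded" forms (one leading/trailing digit or doubled letter stripped, plus the reversed spelling), then tests those forms against a dictionary, the user ID and any personal terms. The five-word dictionary and the user ID "jdoe" are constructed sample inputs; a real check would load a full word list.

```python
import string

# Constructed sample word list; a real deployment would use a full dictionary
# (English and foreign) as the slide requires.
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "dragon", "monkey"}


def padded_forms(pw):
    """The password plus the forms obtained by stripping one leading or trailing
    digit, or one doubled first/last letter, so that secret1, 1secret, ssecret
    and secrett all reduce to 'secret'."""
    forms = {pw}
    if len(pw) > 1:
        if pw[0].isdigit() or pw[0] == pw[1]:
            forms.add(pw[1:])
        if pw[-1].isdigit() or pw[-1] == pw[-2]:
            forms.add(pw[:-1])
    return forms


def weaknesses(password, user_id="", personal_terms=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of weak-password rules from the slide that `password`
    violates; an empty list means none of the listed weaknesses apply."""
    found = []
    if len(password) < 6:
        found.append("fewer than six characters")
    forms = set()
    for form in padded_forms(password.lower()):
        forms.add(form)
        forms.add(form[::-1])          # "any of the above spelled backward"
    if forms & {w.lower() for w in dictionary}:
        found.append("dictionary word")
    if user_id and any(user_id.lower() in f for f in forms):
        found.append("contains the user ID")
    if any(t.lower() in f for t in personal_terms for f in forms):
        found.append("based on personal information")
    return found


def is_strong(password, user_id="", personal_terms=()):
    """Strong per the slide: >= 8 characters, all four character classes,
    and none of the weaknesses above."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return (len(password) >= 8 and all(classes)
            and not weaknesses(password, user_id, personal_terms))


if __name__ == "__main__":
    for pw in ("secret1", "terces", "JDOE2024", "Fluffy99", "Wn8!kq#Lz2"):
        print(pw, weaknesses(pw, "jdoe", personal_terms=("Fluffy",)),
              "strong" if is_strong(pw, "jdoe", ("Fluffy",)) else "weak")
```

The dictionary test is an exact match on the reduced forms, which is what the slide describes; a production checker would also look for dictionary words embedded inside longer strings.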
Examples

Note: Do not use these as your password; they're just examples!

Good one-time use password (> 16 characters)
Example: a file-level protected Excel 2003 workbook
  "ThisIsMy1timePasswordx2791"
  A concatenated sentence plus extension: [Shift]1 [Shift]2 [Shift]3

Good normal use password (> 8 characters)
Example: application login password
  #win8hir05 (the # is [Shift]3)
  Use a pattern that you can remember without writing it down
Loss of Information

The time to crack/hack passwords with respect to the password length and its complexity. The search speed is assumed to be 100,000 passwords per second (a very decent speed).

Password length / charset | 26 (no case, letters only) | 36 (no case, letters & digits) | 52 (case sensitive) | 96 (all printable)
4  | 0          | 0           | 1 min      | 13 min
5  | 0          | 10 min      | 1 hr       | 22 hr
6  | 50 minutes | 6 hrs       | 2.2 days   | 3 months
7  | 22 hrs     | 9 days      | 4 months   | 23 yrs
8  | 24 days    | 10.5 months | 17 yrs     | 2,287 yrs
9  | 21 months  | 32.6 yrs    | 881 yrs    | 219,000 yrs
10 | 45 yrs     | 1,159 yrs   | 45,838 yrs | 21 million yrs
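Every cell of the table is the same formula: charset_size ** length guesses divided by the guess rate. The Python below is an added example, not from the presentation; it recomputes the table from that formula and also expresses each search space in bits. The 30-day month and 365.25-day year used for rounding are this example's own assumptions, so a few cells differ slightly from the slide's rounded figures, and the final line shows how the picture changes at a higher guess rate than the slide's 100,000 per second.

```python
import math

GUESSES_PER_SECOND = 100_000          # the slide's assumed search speed
CHARSETS = {26: "letters only, no case", 36: "letters & digits, no case",
            52: "case sensitive", 96: "all printable"}
LENGTHS = range(4, 11)

# Rounding units; 30-day months and 365.25-day years are assumptions of this example.
UNITS = (("yrs", 365.25 * 86400), ("months", 30 * 86400), ("days", 86400),
         ("hrs", 3600), ("min", 60))


def seconds_to_exhaust(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: every combination of `length` symbols drawn from a
    `charset_size` alphabet is tried at `rate` guesses per second."""
    return charset_size ** length / rate


def entropy_bits(charset_size, length):
    """Search-space size in bits, the usual way to compare password policies."""
    return length * math.log2(charset_size)


def humanize(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} sec"


def crack_time_table(rate=GUESSES_PER_SECOND):
    """{length: {charset_size: human-readable worst-case time}}."""
    return {n: {c: humanize(seconds_to_exhaust(c, n, rate)) for c in CHARSETS}
            for n in LENGTHS}


if __name__ == "__main__":
    print("len  " + "".join(f"{c:>16}" for c in CHARSETS))
    for n, row in crack_time_table().items():
        print(f"{n:<5}" + "".join(f"{row[c]:>16}" for c in CHARSETS))
    print("bits for 8 printable chars:", round(entropy_bits(96, 8), 1))
    # The slide's rate is modest; rerun the 8-char/96-symbol cell at 10^10 guesses/s
    # to see why length matters more than the rate assumption.
    print("len 8, 96 chars at 1e10 guesses/s:",
          humanize(seconds_to_exhaust(96, 8, rate=10_000_000_000)))
```

Because the table is worst case (the whole space searched), the expected time to hit a password chosen uniformly at random is half of each cell; passwords built from words and patterns are found far sooner than either figure.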
Password do's and don'ts

DO:
- Keep your user ID and password to yourself
- Use antivirus software (both at home and at work)
- Screen-lock or log off your computer desktop when you are away from the computer
- Report security incidents immediately

DON'T:
- Reveal your password to anyone over the phone, , or IM
- Share your password with your boss, family members, or a co-worker while you're on vacation
- Reveal a password on questionnaires or security forms
- Use the "Remember Password" feature of applications on any public computer (conference room, airport, Internet café, etc.)
The password policy

Highlights:
- Minimum password length is 8 characters
- Complexity is strongly recommended
- All user passwords ( , login, etc.) must be changed at least every 90 days; no exceptions!
- A password can't be reused for at least two years
- After 10 consecutive login failures, the account must be locked for a minimum of 30 minutes and the Account Administrator for the system must be notified
- Support staff must be able to verify the identity of the requestor before resetting the password
- Temporary passwords must be changed at the next login
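The stateful parts of this policy (90-day age, two-year reuse window, lockout after 10 failures with administrator notification, verified resets and forced change of temporary passwords) are what an account store has to enforce on every login. The Python below is an added example and not code from the presentation or any real product: a minimal account model that applies those rules. The salted PBKDF2 hashing, the `admin_notified` flag standing in for a real notification, and the sample user "jdoe" with password "Correct#Horse9" are all this example's own assumptions.

```python
import hashlib
import os
from datetime import datetime, timedelta

# Policy parameters taken from the slide.
MAX_PASSWORD_AGE = timedelta(days=90)
REUSE_WINDOW = timedelta(days=2 * 365)
LOCKOUT_THRESHOLD = 10
LOCKOUT_DURATION = timedelta(minutes=30)
PBKDF2_ROUNDS = 50_000   # assumption: a slow salted hash; bcrypt/argon2 would be the usual choice


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user_id):
        self.user_id = user_id
        self.history = []            # (salt, digest, set_at) tuples, newest last
        self.failures = 0            # consecutive failed logins
        self.locked_until = None
        self.must_change = False     # True after a temporary password is issued
        self.admin_notified = False  # stand-in for paging the Account Administrator


def _used_since(account, password, since):
    """True if `password` equals any password set at or after `since`."""
    return any(_hash(password, salt) == digest
               for salt, digest, set_at in account.history if set_at >= since)


def set_password(account, new_password, now, temporary=False):
    """Record a new password; refused if it was used inside the reuse window."""
    if _used_since(account, new_password, now - REUSE_WINDOW):
        return False
    salt = os.urandom(16)
    account.history.append((salt, _hash(new_password, salt), now))
    account.must_change = temporary
    return True


def reset_password(account, temp_password, now, requester_verified):
    """Support-staff reset: the requester's identity must be verified first,
    and the temporary password must be changed at the next login."""
    if not requester_verified:
        return False
    return set_password(account, temp_password, now, temporary=True)


def login(account, password, now):
    """Returns one of: locked, invalid, change_required, expired, ok."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"
    if not account.history:
        return "invalid"
    salt, digest, set_at = account.history[-1]
    if _hash(password, salt) != digest:
        account.failures += 1
        if account.failures >= LOCKOUT_THRESHOLD:
            account.locked_until = now + LOCKOUT_DURATION
            account.admin_notified = True
            account.failures = 0     # the next run of failures is counted afresh
            return "locked"
        return "invalid"
    account.failures = 0
    account.locked_until = None
    if account.must_change:
        return "change_required"
    if now - set_at > MAX_PASSWORD_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    acct = Account("jdoe")
    t0 = datetime(2024, 1, 1, 9, 0)
    set_password(acct, "Correct#Horse9", t0)
    print([login(acct, "wrong", t0 + timedelta(seconds=i)) for i in range(10)])
    print(login(acct, "Correct#Horse9", t0 + timedelta(minutes=5)))   # still locked
    print(login(acct, "Correct#Horse9", t0 + timedelta(days=91)))     # expired
```

A successful login clears the failure counter and the lock, which matches the slide's wording of "consecutive" failures; the counter is also reset when the lock fires so that a single stray failure after the 30 minutes does not immediately re-lock the account.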
How Passwords Are Stolen: Keylogger or Keystroke Logger

A keylogger, sometimes called a keystroke logger, key logger, or system monitor, is a hardware device or small program that monitors each keystroke a user types on a specific computer's keyboard. As a hardware device, a keylogger is a small battery-sized plug that serves as a connector between the user's keyboard and computer.
How Passwords Are Stolen: Keylogger or Keystroke Logger (cont'd)

Because the device resembles an ordinary keyboard plug, it is relatively easy for someone who wants to monitor a user's behavior to physically hide such a device "in plain sight." (It also helps that most workstation keyboards plug into the back of the computer.) As the user types, the device collects each keystroke and saves it as text in its own miniature hard drive. At a later point in time, the person who installed the keylogger must return and physically remove the device in order to access the information the device has gathered.
How Passwords Are Stolen: Keylogger or Keystroke Logger (cont'd)

A keylogger program does not require physical access to the user's computer. It can be downloaded on purpose by someone who wants to monitor activity on a particular computer, or it can be downloaded unwittingly as spyware and executed as part of a rootkit or remote administration tool (RAT) Trojan horse. A keylogger program typically consists of two files that get installed in the same directory: a dynamic link library (DLL) file (which does all the recording) and an executable file (.EXE) that installs the DLL file and triggers it to work.
How Passwords Are Stolen: Keylogger or Keystroke Logger (cont'd)

The keylogger program records each keystroke the user types and periodically uploads the information over the Internet to whoever installed the program. Although keylogger programs are promoted for benign purposes like allowing parents to monitor their children's whereabouts on the Internet, most privacy advocates agree that the potential for abuse is so great that legislation should be enacted to clearly make the unauthorized use of keyloggers a criminal offense.
How Passwords Are Stolen: Keylogger or Keystroke Logger (cont'd)

Prevention: Any time you are using a public computer, check that there are no unfamiliar devices plugged in between the computer and the keyboard. There are detection programs for software keyloggers, which are often installed as part of some malware or rootkit; these are dangerous and the hardest to detect.
How Passwords Are Stolen: Browser Stored Passwords

All of the Internet browsers currently in use on most computers today have the facility to store USER NAMES and PASSWORDS. This is one way that passwords are often stolen from public computers if we are careless about answering the typical question, "Do you want to save your password?" Also make sure, any time you are using a public computer, that only known plugs or attachments sit between the computer and the keyboard.
How Passwords Are Stolen: Browser Stored Passwords (cont'd)

Because we frequently save passwords on our home computers, this is a very easy mistake to make on a public one. If you do save a password, it can be removed; the steps depend on which browser you are using. Running your browser from a flash drive is a good idea when traveling or using a public computer.
Password Resources

The Internet has many resources to help create good protective passwords and tools to check your existing ones for their strength or weakness.
- Microsoft On-line Safety is a very useful site with many recommendations on passwords and tools.
- Symantec: The Simplest Security: A Guide To Better Password Practices.
- TechRepublic is a good place for additional information.
Password Generators

There are both programs you can install locally and on-line Internet tools that can be used to generate or check passwords. IObit Password Generator and Infinite Password Generator are two locally installed programs that can be used to generate and maintain passwords. The links below are two online password generator websites: Online Password and Aranis.