PASSWORD MANAGEMENT: Creating and managing passwords to be as secure as possible.


1 PASSWORD MANAGEMENT: Creating and managing passwords to be as secure as possible

2 TABLE OF CONTENTS
1. The scale of consumer cyber crime
2. What is a password, and facts about password security and its importance
3. Tiered password system: review and categorize your existing passwords
4. Writing secure passwords
   - Characteristics of strong and weak passwords
   - Tips and techniques
   - Testing the strength of a password
5. Password management techniques
6. Additional tips to secure your identity



6 WHAT'S A PASSWORD?
- A password is a string of characters that gives you access to a computer or an online account.

7 COMMON THREATS AGAINST YOUR PASSWORD
Password cracking is the process of breaking passwords in order to gain unauthorized access to a computer or account.
Guessing: gaining access to an account by attempting to authenticate using computers, dictionaries, or large word lists.
- Brute force: tries every possible combination of characters to retrieve a password.
- Dictionary attack: tries every word in a dictionary of common words to identify the password.
Social engineering/phishing: deceiving users into revealing their username and password (easier than technical hacking).
- Usually by pretending to be an IT help desk agent or a legitimate organization such as a bank.
- DO NOT EVER SHARE YOUR PASSWORDS, sensitive data, or confidential banking details on sites accessed through links in emails.


9 HOW MANY PASSWORDS DO YOU HAVE?
- Banking and business services
- Personal emails
- Social media & news
- Work-related accounts

10 DON’T FORGET YOUR COMPUTER AND PHONE LOGINS!

11 TIERED PASSWORD SYSTEMS
Tiered password systems involve having different levels of passwords for different types of websites, where the complexity of the password depends on what the consequences would be if that password were compromised or obtained.
- Low security: for signing up for a forum or newsletter, or downloading a trial version of a program.
- Medium security: for social networking sites, webmail and instant messaging services.
- High security: for anything where your personal finances are involved, such as banking and credit card accounts. If these are compromised it could drastically and adversely affect your life. This may also include your computer login credentials.
Keep in mind that this categorization should be based on how critical each type of website is to you. What goes in which category will vary from person to person.

12 HANDS-ON PART 1: REVIEW AND CATEGORIZE YOUR PASSWORDS
1. Categorize your passwords into three categories: high, medium, or low. Categorization should be based on how critical each type of website is to you. Take 5 minutes to categorize some of your online accounts.
2. Your high security passwords are the most important. Keep in mind:
   - You should change any password that is weak.
   - If you have used any of your passwords on more than one site, you should change it.


14 COMMON MISTAKES IN CREATING PASSWORDS

15 RISK EVALUATION OF COMMON MISTAKES
Mistake: Using a common password
  Example: password, qwerty
  Risk evaluation: Too risky. These are most criminals' first guesses, so don't use them.
Mistake: Using a password that is based on personal data
  Example: Gladiator, "Bobby", "Jenny", "Scruffy"
  Risk evaluation: Too risky: anyone who knows you can easily guess this information. Basing a password on your social security number, nicknames, family members' names, or the names of your favorite books, movies or football team are all bad ideas.
Mistake: Using a short password
  Example: John12, Jim2345
  Risk evaluation: The shorter a password, the more opportunities for observing, guessing, and cracking it.
Mistake: Using the same password everywhere
  Example: Using one password on every site or online service.
  Risk evaluation: Too risky: it's a single point of failure. If this password is compromised, or someone finds it, the rest of your accounts, including your sensitive information, are at risk.
Mistake: Writing your passwords down
  Example: Writing your password down on a post-it note stuck to your monitor.
  Risk evaluation: Very high risk, especially in corporate environments. Anyone who physically gets the piece of paper or sticky note that contains your password can log into your account.


17 WHAT MAKES A PASSWORD SAFE?
- Strong passwords:
  - are a minimum of 8 characters in length; 12 characters or more is highly recommended.
  - contain special characters and/or numbers.
  - use a mix of upper and lower case letters.

18 WHAT MAKES A PASSWORD SAFE? (CONT.)
- It must not contain easily guessed information such as your birth date, phone number, spouse's name, pet's name, kid's name, login name, etc.
- It shouldn't contain words found in the dictionary.


20 HOW TO MAKE A STRONG PASSWORD
- "Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months." ~ Clifford Stoll
- The stronger your password, the more protected your account or computer is from being compromised or hacked. You should make sure you have a unique and strong password for each of your accounts.

21 MOZILLA'S SAFE PASSWORD METHODOLOGY
1. Pick a familiar phrase or quote, for example "May the force be with you", and abbreviate it by taking the first letter of each word, so it becomes "mtfbwy".
2. Add some special characters on either side of the word to make it extra strong (like #mtfbwy!).
3. Then associate it with the website by adding a few characters from the website name to the original password as either a suffix or a prefix. So the new password for Amazon could become #mtfbwy!AmZ, #mtfbwy!FbK for Facebook, and so on.
*While this technique lets us reuse the phrase-generated part of the password on a number of different websites, it would still be a bad idea to use it on a site like a bank account, which contains high-value information. Sites like that deserve their own password selection phrase.

22 USING A PASSPHRASE TO WRITE A SECURE PASSWORD
While generating a password you should follow two rules: length and complexity. Let's start with the following sentence: "May the force be with you", and turn this phrase into a password.
1. Take the first letter from each word: Mtfbwy.
2. Now increase its strength by adding symbols and numbers: !20Mtfbwy13!
   - The 20 and 13 refer to the year.
   - Secondly, I put a "!" symbol on each end of the password.
   - Try using the name of your online account in the password:
     - !20Mtfbwy13!Gmail (for Gmail)
     - fb!20Mtfbwy13! (for Facebook)
   - That's one password-developing strategy. Let's keep adding complexity, while also attempting to keep things possible to memorize.
*You actually should not use a common phrase.

23 HAYSTACKING YOUR PASSWORD: A SIMPLE AND POWERFUL WAY OF SECURING YOUR PASSWORD
- Password haystacking is a methodology of making your password extremely difficult to brute force by padding the password with a pattern like (//////) before and/or after it.
Here's how it works:
1. Come up with a password, but try to make it a mix of uppercase and lowercase letters, numbers and symbols.
2. Come up with a pattern/scheme you can remember, such as the first letter of each word from an excerpt of your favorite song, or a set of symbols like (...../////).
3. Use this pattern and repeat it several times (padding your password).
Let's have an example of this:
Password: !20Mtfbwy13!
By applying this approach, the password becomes a haystacked password: ...../////!20Mtfbwy13!...../////
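Added example, not part of the slides: a small Python script that implements the deck's own password rules (minimum length, character classes, no dictionary words or personal data), the phrase-abbreviation and haystack padding steps from slides 21 to 23, the weak-and-reused check from hands-on part 1, and the search space that slide 7's "every possible combination" brute-force attack would have to cover. The word list and the sample accounts are constructed stand-ins, not real data.

```python
import string

# Constructed stand-ins for a real dictionary word list; a real checker
# would load a full list and the user's own personal details.
COMMON_WORDS = sorted({"password", "qwerty", "gladiator", "force",
                       "john", "jim", "bobby", "jenny", "scruffy"})

# The character classes the slides ask for: upper, lower, digits, specials.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def char_classes(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def brute_force_space(password):
    """Candidates a brute-force attack must cover when it tries every
    combination of the classes present: alphabet_size ** length.
    Length dominates, which is why the slides push for 12+ characters.
    Caveat: this counts blind search only; a padding pattern the attacker
    already knows about does not add this much work."""
    alphabet = sum(len(CLASSES[name]) for name in char_classes(password))
    return alphabet ** len(password)


def strength_issues(password, personal_info=()):
    """Apply the slides' 'what makes a password safe' rules.
    Returns a list of rule violations; an empty list means it passes."""
    issues = []
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    elif len(password) < 12:
        issues.append("shorter than the recommended 12 characters")
    missing = set(CLASSES) - char_classes(password)
    if missing:
        issues.append("missing " + ", ".join(sorted(missing)))
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            issues.append(f"contains dictionary word {word!r}")
    for item in personal_info:
        if item.lower() in lowered:
            issues.append(f"contains personal data {item!r}")
    return issues


def abbreviate(phrase):
    """Step 1 of the phrase method: first letter of each word."""
    return "".join(word[0] for word in phrase.split())


def site_password(phrase, site_tag, prefix="#", suffix="!"):
    """Mozilla-style derivation: wrap the abbreviation in symbols, then add
    a few characters taken from the site name."""
    return f"{prefix}{abbreviate(phrase)}{suffix}{site_tag}"


def haystack(password, pattern="...../////", repeat=1):
    """Haystacking: pad the password with a memorable pattern on both sides."""
    pad = pattern * repeat
    return f"{pad}{password}{pad}"


def review_accounts(accounts, personal_info=()):
    """Hands-on part 1: flag weak passwords and passwords reused across
    sites. `accounts` is a list of (site, tier, password) tuples."""
    report = {"weak": [], "reused": []}
    sites_by_password = {}
    for site, tier, password in accounts:
        for issue in strength_issues(password, personal_info):
            report["weak"].append((site, tier, issue))
        sites_by_password.setdefault(password, []).append(site)
    for sites in sites_by_password.values():
        if len(sites) > 1:
            report["reused"].append(tuple(sites))
    return report


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    sample = [("bank", "high", "Scruffy1"),
              ("forum", "low", "Scruffy1"),
              ("gmail", "medium", haystack("!20Mtfbwy13!"))]
    findings = review_accounts(sample, personal_info=["Bobby"])
    for site, tier, issue in findings["weak"]:
        print(f"{site} ({tier}): {issue}")
    print("reused on:", findings["reused"])
    for pw in ("John12", "!20Mtfbwy13!", haystack("!20Mtfbwy13!")):
        print(f"{pw!r}: {brute_force_space(pw):.2e} brute-force candidates")
```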

24 HANDS-ON PART 2: TESTING YOUR PASSWORDS
Use these tools to test the strength of a password. As a precaution, you probably shouldn't use these services to test your actual password. Instead, simply use them to learn what works and what doesn't. Just play with the strength checkers by constructing fake passwords and testing them.
- https://www.microsoft.com/security/pc-security/password-checker.aspx


26 PASSWORD OVERLOAD: HOW CAN ANYONE REMEMBER THEM ALL?
- Many people use a few passwords for all of their major accounts.
- The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them.

27 PASSWORD SECURITY
If one of your accounts is hacked, it's likely that your other accounts that used the same password will quickly follow.
- More than 60% of people use the same password across multiple sites.

28 PASSWORD MANAGEMENT TECHNIQUES (WAYS TO STORE YOUR PASSWORDS)
- Human memory: the safest database for storing all your passwords.
- Writing passwords down on a piece of paper.
- Storing passwords on a computer in a Word document or Excel file.
- A password manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web.
  - You should not rely totally on any type of password manager.
  - Your single master password must be unique and complex.

29 HUMAN MEMORY
- Strength: safest database for storing all your passwords
- Weakness: easy to forget

30 WRITING PASSWORDS DOWN ON A PIECE OF PAPER
- Strength: ease of access
- Weaknesses:
  - You can lose the paper.
  - The paper could easily be stolen or viewed by other people.

31 STORING PASSWORDS ON A COMPUTER IN A WORD DOCUMENT OR EXCEL FILE
- Strength: ease of access
- Weaknesses:
  - The data is not encrypted: anyone who has access to the computer the file is saved on can easily read your passwords.
  - If your computer breaks, you could permanently lose the file.

32 PASSWORD MANAGER
- A password manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web.
- You should not rely totally on any type of password manager.
- Your single master password must be unique and complex.

33 SO WHICH ONE IS THE BEST?
- Password management tools are really good solutions for reducing the likelihood that passwords will be compromised, but don't rely on a single source. Why? Because any computer or system is vulnerable to attack. Relying on a password management tool creates a single point of potential failure.
- But before you turn to a password-management service based in the cloud or on your PC, it's best to review the quality of the service, said Tim Armstrong, malware researcher at Kaspersky Lab. He pointed out that you've got to ensure against data leakage or insecure database practices. "Users must be extra careful in choosing a provider," Armstrong said. "Make sure they're a valid and reputable vendor."
- Grant Brunner wrote a fascinating article at ExtremeTech, "Staying safe online: Using a password manager just isn't enough". In it, he wrote, "using a password manager for all of your accounts is a very sensible idea, but don't be lulled into a false sense of security. You're not immune from cracking or downtime." Broadly speaking, password managers such as LastPass are like any software: vulnerable to security breaches. For example, LastPass experienced a security breach in 2011, but users with strong master passwords were not affected.
- Disadvantage: if you forget the master password, all your other passwords in the database are lost forever, and there is no way of recovering them. Don't forget that password!

34 KEEPASS
- KeePass is a popular open-source, cross-platform, desktop-based password manager. It is available for Windows, Linux and Mac OS X as well as mobile operating systems like iOS and Android. It stores all your passwords in a single database (a single file) that is protected and locked with one master key. Because the KeePass database is one file, it can easily be transferred to (or stored on) any computer. Go to the KeePass download page to get your copy.
- KeePass is a local program, but you can make it cloud-based by syncing the database file using Dropbox or another service like it. Check out Justin Pot's article, "Achieve Encrypted Cross-Platform Password Syncing With KeePass & Dropbox".
- Make sure you always hit save after making a new entry to the database!

35 MOZILLA FIREFOX’S PASSWORD MANAGER

36 DO NOT PUT ALL YOUR EGGS IN ONE BASKET
- You should never record or write your password down on a post-it note.
- Never share your password with anyone, even your colleagues.
- You have to be very careful when using your passwords on public PCs, such as those in schools, universities and libraries. Why? Because there's a chance these machines are infected with keyloggers (keystroke logging software) or password-stealing trojan horses.
- Do not use any password-saving features such as Google Chrome's Auto Fill feature or Microsoft's Auto Complete feature, especially on public PCs.
- Do not fill in any form on the Web with your personal information unless you know you can trust it. Nowadays the Internet is full of fraudulent websites, so you have to be aware of phishing attempts.
- Use a trusted and secure browser such as Mozilla Firefox. Firefox ships hundreds of security patches and makes significant improvements to protect you from malware, phishing attempts and other security threats, and to keep you safe as you browse the Web.

37 PWNEDLIST
- This free tool helps users figure out if their account credentials have been compromised. If you go to the service's website, you will see up-to-date statistics of the number of leaked credentials, passwords and email addresses.
- PwnedList keeps monitoring (crawling) the Web in order to find stolen data posted by hackers on public sites, and then indexes all the login information it finds.

38 POINTS TO REMEMBER
- ALWAYS use a mix of uppercase and lowercase letters along with numbers and special characters.
- Have a different strong password for each site, account, computer, etc., and DO NOT put any personal information like your name or birth details in your password.
- DO NOT share any of your passwords or your sensitive data with anyone, even your colleagues or the helpdesk agent in your company. In addition, use your passwords carefully, especially on public PCs. Don't be a victim of shoulder surfing.
- Our last recommendation, which we strongly encourage, is for you to start evaluating your passwords, building your tiered password system, varying the ways you create passwords, and storing them using password managers.

39 HANDS-ON PART 3: MANAGING YOUR PASSWORDS
1. Decide which method you plan to use to store each password.
2. Download and practice using KeePass.
3. Check your primary email addresses on PwnedList.com.


41 ADDITIONAL TIPS TO SECURE YOUR IDENTITY
- An open Wi-Fi connection can easily be eavesdropped on using free packet sniffer software.
- Always enable "HTTPS" (also called secure HTTP) in all online services that support it; this includes Twitter, Google, Facebook and more.
- Spoofed websites


44 INTERNET CRIME PREVENTION TIPS FROM THE INTERNET CRIME COMPLAINT CENTER (IC3). IC3 IS A PARTNERSHIP BETWEEN THE FEDERAL BUREAU OF INVESTIGATION AND THE NATIONAL WHITE COLLAR CRIME CENTER.
- Internet crime schemes that steal millions of dollars each year from victims continue to plague the Internet through various methods. The following are preventative measures that will help you be informed before entering into transactions over the Internet:
- Auction Fraud
- Counterfeit Cashier's Check
- Credit Card Fraud
- Debt Elimination
- DHL/UPS
- Employment/Business Opportunities
- Escrow Services Fraud
- Identity Theft
- Internet Extortion
- Investment Fraud
- Lotteries
- Nigerian Letter or "419"
- Phishing/Spoofing
- Ponzi/Pyramid
- Reshipping
- Spam
- Third Party Receiver of Funds

45 ONLINE CRIME PREVENTION. IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
Auction Fraud
- Before you bid, contact the seller with any questions you have.
- Review the seller's feedback.
- Be cautious when dealing with individuals outside of your own country.
- Ensure you understand refund, return, and warranty policies.
- Determine the shipping charges before you buy.
- Be wary if the seller only accepts wire transfers or cash.
- If an escrow service is used, ensure it is legitimate.
- Consider insuring your item.
- Be cautious of unsolicited offers.
Counterfeit Cashier's Check
- Inspect the cashier's check.
- Ensure the amount of the check matches in figures and words.
- Check to see that the account number is not shiny in appearance.
- Be watchful that the drawer's signature is not traced.
- Official checks are generally perforated on at least one side.
- Inspect the check for additions, deletions, or other alterations.
- Contact the financial institution on which the check was drawn to ensure legitimacy.
- Obtain the bank's telephone number from a reliable source, not from the check itself.
- Be cautious when dealing with individuals outside of your own country.

46 ONLINE CRIME PREVENTION (CONT.) IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
Credit Card Fraud
- Ensure a site is secure and reputable before providing your credit card number online.
- Don't trust a site just because it claims to be secure.
- If purchasing merchandise, ensure it is from a reputable source.
- Promptly reconcile credit card statements to avoid unauthorized charges.
- Do your research to ensure the legitimacy of the individual or company.
- Beware of providing credit card information when requested through unsolicited emails.
Debt Elimination
- Know who you are doing business with: do your research.
- Obtain the name, address, and telephone number of the individual or company.
- Research the individual or company to ensure they are authentic.
- Contact the Better Business Bureau to determine the legitimacy of the company.
- Be cautious when dealing with individuals outside of your own country.
- Ensure you understand all terms and conditions of any agreement.
- Be wary of businesses that operate from P.O. boxes or maildrops.
- Ask for names of other customers of the individual or company and contact them.
- If it sounds too good to be true, it probably is.

47 ONLINE CRIME PREVENTION (CONT.) IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
DHL/UPS
- Beware of individuals using the DHL or UPS logo in any communication.
- Be suspicious when payment is requested by money transfer before the goods will be delivered.
- Remember that DHL and UPS do not generally get involved in directly collecting payment from customers.
- Fees associated with DHL or UPS transactions are only for shipping costs and never for other costs associated with online transactions.
- Contact DHL or UPS to confirm the authenticity of communications received.
Employment/Business Opportunities
- Be wary of inflated claims of product effectiveness.
- Be cautious of exaggerated claims of possible earnings or profits.
- Beware when money is required up front for instructions or products.
- Be leery when the job posting claims "no experience necessary".
- Do not give your social security number when first interacting with your prospective employer.
- Be cautious when dealing with individuals outside of your own country.
- Be wary when replying to unsolicited emails for work-at-home employment.
- Research the company to ensure they are authentic.
- Contact the Better Business Bureau to determine the legitimacy of the company.

48 ONLINE CRIME PREVENTION (CONT.) IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
Escrow Services Fraud
- Always type in the website address yourself rather than clicking on a link provided.
- A legitimate website will be unique and will not duplicate the work of other companies.
- Be cautious when a site requests payment to an "agent", instead of a corporate entity.
- Be leery of escrow sites that only accept wire transfers or e-currency.
- Be watchful of spelling errors, grammar problems, or inconsistent information.
- Beware of sites that have escrow fees that are unreasonably low.
Identity Theft
- Ensure websites are secure prior to submitting your credit card number.
- Do your homework to ensure the business or website is legitimate.
- Attempt to obtain a physical address, rather than a P.O. box or maildrop.
- Never throw away credit card or bank statements in usable form.
- Be aware of missed bills, which could indicate your account has been taken over.
- Be cautious of scams requiring you to provide your personal information.
- Never give your credit card number over the phone unless you make the call.
- Monitor your credit statements monthly for any fraudulent activity.
- Report unauthorized transactions to your bank or credit card company as soon as possible.
- Review a copy of your credit report at least once a year.

49 ONLINE CRIME PREVENTION (CONT.) IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
Internet Extortion
- Security needs to be multi-layered so that numerous obstacles will be in the way of the intruder.
- Ensure security is installed at every possible entry point.
- Identify all machines connected to the Internet and assess the defense that's engaged.
- Identify whether your servers are utilizing any ports that have been known to represent insecurities.
- Ensure you are utilizing the most up-to-date patches for your software.
Investment Fraud
- If the "opportunity" appears too good to be true, it probably is.
- Beware of promises to make fast profits.
- Do not invest in anything unless you understand the deal.
- Don't assume a company is legitimate based on the "appearance" of the website.
- Be leery when responding to investment offers received through unsolicited email.
- Be wary of investments that offer high returns at little or no risk.
- Independently verify the terms of any investment that you intend to make.
- Research the parties involved and the nature of the investment.
- Be cautious when dealing with individuals outside of your own country.
- Contact the Better Business Bureau to determine the legitimacy of the company.

50 ONLINE CRIME PREVENTION (CONT.) IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
Lotteries
- If the lottery winnings appear too good to be true, they probably are.
- Be cautious when dealing with individuals outside of your own country.
- Be leery if you do not remember entering a lottery or contest.
- Be cautious if you receive a telephone call stating you are the winner in a lottery.
- Beware of lotteries that charge a fee prior to delivery of your prize.
- Be wary of demands to send additional money to be eligible for future winnings.
- It is a violation of federal law to play a foreign lottery via mail or phone.
Nigerian Letter or "419"
- If the "opportunity" appears too good to be true, it probably is.
- Do not reply to emails asking for personal banking information.
- Be wary of individuals representing themselves as foreign government officials.
- Be cautious when dealing with individuals outside of your own country.
- Beware when asked to assist in placing large sums of money in overseas bank accounts.
- Do not believe the promise of large sums of money for your cooperation.
- Guard your account information carefully.
- Be cautious when additional fees are requested to further the transaction.

51 ONLINE CRIME PREVENTION (CONT.) IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
Phishing/Spoofing
- Be suspicious of any unsolicited email requesting personal information.
- Avoid filling out forms in email messages that ask for personal information.
- Always compare the link in the email to the link that you are actually directed to.
- Log on to the official website, instead of "linking" to it from an unsolicited email.
- Contact the actual business that supposedly sent the email to verify if the email is genuine.
Ponzi/Pyramid
- If the "opportunity" appears too good to be true, it probably is.
- Beware of promises to make fast profits.
- Exercise diligence in selecting investments.
- Be vigilant in researching with whom you choose to invest.
- Make sure you fully understand the investment prior to investing.
- Be wary when you are required to bring in subsequent investors.
- Independently verify the legitimacy of any investment.
- Beware of references given by the promoter.

52 ONLINE CRIME PREVENTION (CONT.) IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
Reshipping
- Be cautious if you are asked to ship packages to an "overseas home office."
- Be cautious when dealing with individuals outside of your own country.
- Be leery if the individual states that his country will not allow direct business shipments from the United States.
- Be wary if the "ship to" address is yours but the name on the package is not.
- Never provide your personal information to strangers in a chatroom.
- Don't accept packages that you didn't order.
- If you receive packages that you didn't order, either refuse them upon delivery or contact the company where the package is from.
Spam
- Don't open spam. Delete it unread.
- Never respond to spam, as this will confirm to the sender that it is a "live" email address.
- Have a primary and a secondary email address: one for people you know and one for all other purposes.
- Avoid giving out your email address unless you know how it will be used.
- Never purchase anything advertised through an unsolicited email.
Third Party Receiver of Funds
- Do not agree to accept and wire payments for auctions that you did not post.
- Be leery if the individual states that his country makes receiving these types of funds difficult.
- Be cautious when the job posting claims "no experience necessary".
- Be cautious when dealing with individuals outside of your own country.

53 REFERENCES
- Al-Marhoon, M. (n.d.). Password Management Guide. MakeUseOf. Retrieved April 10, 2013, from management-guide-fulltext
- cybercrime-report

