Mitch Parks, GSEC/GCWN ITS Desktop Security Analyst

1 Passphrases and YOU
Mitch Parks, GSEC/GCWN, ITS Desktop Security Analyst, mitch@uidaho.edu

2 What is a Passphrase?
ITS defines a passphrase as an easy-to-remember string of words, numbers and symbols.
A UI passphrase must be 15 characters or more.
SEE: APM UI Password/Passphrase Policy

3 Passphrase examples
Passphrases should be long, yet memorable:
“EveryGOODboydoesfine#”
“Listen,Children!”
“Mymom#isbetter.”
Passphrases should not be common phrases or repeats like:
“My voice is my password.”
“Strawberry fields forever.”
“Passwordpassword.”

4 Don’t Passphrases have a space?
Passphrases are commonly written with spaces between the words.
Security vs. usability requires balance.
UI passphrases or passwords may no longer contain a space!
* Banner users have additional restrictions on spaces and on numerous special characters.
Note: While this is accurate starting 10/15/2009, it is subject to change as the myUIdaho project develops.

5 What other characters can’t be used?
Disallowed characters as of October 14* include: <space> { } \ : =
Note: this may only be a temporary change, pending the finalization of the myUIdaho project.
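The rules on slides 2 through 5 (15 characters or more, none of <space> { } \ : =, and no common phrases or repeats, including the “IdahoIdahoGoGoG0” case on slide 21) can be checked mechanically before a passphrase is accepted. The Python below is an added example written for this transcript, not an ITS or University of Idaho tool. The two-entry common-phrase list and the “three or more characters repeated back to back” rule are assumptions chosen to match the slides’ own examples; the 30-character minimum for functional accounts comes from slide 16.

```python
import re

MIN_USER_LEN = 15            # slide 2: a UI passphrase must be 15 characters or more
MIN_FUNCTIONAL_LEN = 30      # slide 16: functional accounts need 30+ characters
DISALLOWED = set(" {}\\:=")  # slide 5: <space> { } \ : = are disallowed

# Constructed denylist, normalised to lowercase letters and digits. Only the two
# phrases named on slide 3 are included; a real deployment would load a large list.
COMMON_PHRASES = {
    "myvoiceismypassword",
    "strawberryfieldsforever",
}

# A chunk of three or more characters immediately repeated, case-insensitively.
# Assumed rule, tuned to catch "Passwordpassword." and "IdahoIdaho...".
REPEAT_RE = re.compile(r"(.{3,})\1", re.IGNORECASE)


def normalise(text):
    """Lowercase and strip everything but letters and digits, so spacing and
    punctuation cannot disguise a well-known phrase."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_passphrase(passphrase, functional=False):
    """Return the list of policy violations; an empty list means the passphrase passes.

    Codes: too_short, disallowed_char, common_phrase, repetition.
    """
    problems = []
    minimum = MIN_FUNCTIONAL_LEN if functional else MIN_USER_LEN
    if len(passphrase) < minimum:
        problems.append("too_short")
    if set(passphrase) & DISALLOWED:
        problems.append("disallowed_char")
    if normalise(passphrase) in COMMON_PHRASES:
        problems.append("common_phrase")
    if REPEAT_RE.search(passphrase):
        problems.append("repetition")
    return problems


if __name__ == "__main__":
    # The good and bad examples from slides 3 and 21.
    for candidate in ["EveryGOODboydoesfine#", "Listen,Children!", "Mymom#isbetter.",
                      "My voice is my password.", "Strawberry fields forever.",
                      "Passwordpassword.", "IdahoIdahoGoGoG0"]:
        print(f"{candidate!r:30} -> {check_passphrase(candidate) or 'OK'}")
```

The check runs entirely on the submitted string; it does not log or store the passphrase, which matters because anything that echoes a candidate back (slide 18: “any time you can see your password, sound the alarm”) is itself a leak.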

6 How many users have a passphrase?
3,049 users have switched to a passphrase
14,751 password changes since August

7 Why a Passphrase?
400-day instead of 90-day expiration (only when set on the ITS Support website)
Easier to remember
Whole words can be used
More difficult to crack or guess (easily available tools can crack short passwords)

8 Cracking vs. Guessing
Cracking: the attacker obtains the password hash, captured off the wire or read from the local disk, and tries candidate passwords offline until one hashes to the same value. The hash is not reversed; it is matched, so the attacker is limited only by local computing power, not by login rate limits.
Guessing, or brute force: the attacker simply tries many or common passwords against live accounts over the network.

9 What is a “brute-force” attack?
Attackers write programs that automatically attempt logins to systems using common passwords.
A common SSH brute-force attack spreads the attempts across a team of computers, so no single source address stands out.

10 But I don’t use ssh…
UI accounts are exposed to the Internet on a number of fronts for the convenience of all users:
SSH/SFTP (unix.uidaho.edu)
https forms (mail.uidaho.edu / OWA)
Both of these can be attacked from anywhere in the world.

11 Do people really attack us?
It is hard to tell the difference between users’ failed logins and break-in attempts.
10,407 failures in the last 7 days
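Slide 11 says failed logins from genuine users are hard to tell from break-in attempts. One practical separation is to aggregate sshd failures by source address and by target account: a single address failing against many accounts, or one account failing from many addresses (the “team of computers” attack on slide 9), looks nothing like a user mistyping a password twice. The Python below is an added example, not part of the original presentation or any UI system. The log lines are constructed, using RFC 5737 documentation addresses, and the thresholds are assumptions to be tuned against real volume.

```python
import re
from collections import defaultdict

# OpenSSH syslog format for a failed password attempt; "invalid user" appears
# when the account does not exist at all.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log (not real data). 203.0.113.7 sprays accounts from one
# host, 198.51.100.x is a distributed attack on root, 192.0.2.44 is a user who
# mistypes twice and then logs in.
SAMPLE_LOG = """\
Oct 14 03:12:01 unix sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 14 03:12:02 unix sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Oct 14 03:12:03 unix sshd[2235]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 14 03:12:04 unix sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Oct 14 03:12:05 unix sshd[2239]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
Oct 14 03:20:11 unix sshd[2301]: Failed password for root from 198.51.100.5 port 33001 ssh2
Oct 14 03:20:12 unix sshd[2303]: Failed password for root from 198.51.100.6 port 33002 ssh2
Oct 14 03:20:13 unix sshd[2305]: Failed password for root from 198.51.100.7 port 33003 ssh2
Oct 14 03:20:14 unix sshd[2307]: Failed password for root from 198.51.100.8 port 33004 ssh2
Oct 14 08:15:10 unix sshd[2500]: Failed password for jdoe from 192.0.2.44 port 40000 ssh2
Oct 14 08:15:25 unix sshd[2502]: Failed password for jdoe from 192.0.2.44 port 40001 ssh2
Oct 14 08:15:40 unix sshd[2504]: Accepted password for jdoe from 192.0.2.44 port 40002 ssh2
"""


def parse_failures(log_text):
    """Yield (user, ip) for every failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def classify(log_text, max_failures_per_source=4, max_users_per_source=3,
             max_sources_per_user=3):
    """Split failures into noisy sources, targeted accounts, and probable user error.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    failures_by_ip = defaultdict(int)
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for user, ip in parse_failures(log_text):
        failures_by_ip[ip] += 1
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)

    # One host trying many accounts, or simply trying a lot: classic brute force.
    noisy_sources = sorted(
        ip for ip in failures_by_ip
        if failures_by_ip[ip] >= max_failures_per_source
        or len(users_by_ip[ip]) >= max_users_per_source
    )
    # One account tried from many hosts: the distributed attack from slide 9.
    targeted_users = sorted(
        user for user in ips_by_user
        if len(ips_by_user[user]) >= max_sources_per_user
    )
    # A few failures from one address on one untargeted account: most likely a typo.
    probably_user_error = sorted(
        ip for ip in failures_by_ip
        if ip not in noisy_sources
        and not (users_by_ip[ip] & set(targeted_users))
    )
    return {
        "noisy_sources": noisy_sources,
        "targeted_users": targeted_users,
        "probably_user_error": probably_user_error,
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_LOG).items():
        print(f"{key:20} {value}")
```

Per-source counting alone misses the distributed case, which is why the per-account view is kept as a second axis: four hosts each failing once against root is invisible to a per-IP threshold of four but obvious when the account is the key.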

12 Length vs. Complexity
There are only a limited number of combinations that can make up a short password.

13 Password Examples
A 4-digit PIN is the obvious case:
0000 to 9999 : 10,000 choices
10 * 10 * 10 * 10 = 10,000

14 Password complexity helps
Basic alphabet (abcdefg…): aaaa to zzzz
26 * 26 * 26 * 26 = 456,976
UPPER, lower, numbers and symbols: AAAA to ++++
Using only the 76 most common characters:
76 * 76 * 76 * 76 = 33,362,176

15 Password Length Helps More
76 ^ 4 = 33,362,176
76 ^ 8 = 1,113,034,787,454,976
76 ^ 15 ≈ 1.63 × 10^28 (a 29-digit number)
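The arithmetic from slides 12 to 15, carried through as an added example that is not part of the original slides: keyspace size as a power of the alphabet size, the same quantity in bits, and how long exhausting it would take at an assumed guess rate. The 10^9 guesses per second used below is an assumption for illustration only, not a measured figure; the comparison it enables (15 lowercase letters versus 8 characters from the full 76-symbol set) is the slide’s point that length beats complexity.

```python
import math

# Character-set sizes used on the slides.
PIN_DIGITS = 10
LOWERCASE = 26
COMMON_PRINTABLE = 76   # "the 76 most common characters" from slide 14


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Same quantity in bits: length * log2(alphabet_size), for a uniformly random choice."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Years to try every combination at a constant rate (expected time to hit is half this)."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def length_beats_complexity():
    """Slide 15's thesis: 15 lowercase letters outnumber 8 symbols from the 76-character set."""
    return keyspace(LOWERCASE, 15) > keyspace(COMMON_PRINTABLE, 8)


if __name__ == "__main__":
    RATE = 1_000_000_000  # assumed 10^9 guesses/second, illustration only
    for size, n in [(PIN_DIGITS, 4), (LOWERCASE, 4), (COMMON_PRINTABLE, 4),
                    (COMMON_PRINTABLE, 8), (LOWERCASE, 15), (COMMON_PRINTABLE, 15)]:
        print(f"{size:>2}^{n:<2} = {keyspace(size, n):>32,}  "
              f"{entropy_bits(size, n):5.1f} bits  "
              f"{years_to_exhaust(size, n, RATE):.3g} years")
```

These figures assume every combination is equally likely. A passphrase built from dictionary words has far less entropy than its character count suggests, which is why slides 3 and 21 insist on altering lyrics and avoiding common phrases: the attacker’s dictionary, not 76^15, is the real search space for a predictable phrase.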

16 Functional Account Passphrases
Accounts shared and used by applications and processes “behind the scenes”
Must have a 30+ character passphrase, or longer up to the maximum the system allows

17 Password Safety Still Applies!
A passphrase shall not be written down or stored in your office.
A passphrase shall not be stored within an application’s “Remember Password” function.
A UI password or passphrase shall not be the same as that of any non-UI account.

18 Password Safety
A passphrase shall not be shared with anyone; it must be kept confidential.
ITS will never ask for your password!
Any time you can “see” your password, sound the alarm!

19 How DO I store a Passphrase?
Passwords may only be stored with adequate encryption, for example in programs like:
KeePass
eWallet
Apple Keychain (Applications / Utilities / Keychain)

20 How do I generate a Passphrase?
Many password tools, KeePass among them, also have generators for long passwords.
Apple Keychain also has a passphrase generator.

21 How do I generate a Passphrase?
Poems and song lyrics are popular.
Make sure to alter them so they are unique to you; a well-known line is in every cracking dictionary.
“IdahoIdahoGoGoG0” is too simple

22 Thank You Questions?

