Effective Password Management
Neil Kownacki
Passwords we use today
- PINs, smartphone unlock codes, computer accounts, websites
- Passwords protect against unauthorized access and against privilege escalation (e.g. gaining superuser privileges on UNIX)
Password based attacks
- Social engineering: simple, can involve a single phone call and minimal technical skill
  - Hence the continual reminders that IT services will never ask for your password
- Brute forcing: trying large numbers of password combinations; very slow, since the number of combinations grows exponentially with password length
Password based attacks (continued)
- Dictionary attacks: guess from a list of real words
  - People generally use words as passwords so they are easier to remember
  - Attackers have learned to add the substitutions users make, such as 3 for E and 0 for O
- Rainbow tables: precomputed tables of hash values used to recover passwords from stolen password hashes. A cryptographic hash cannot be reversed directly, so the attacker hashes candidates in advance and looks the stolen hash up; this only works when the stored hashes are unsalted
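The dictionary attack with character substitutions, and the precomputed-table lookup that rainbow tables are built on, as an added example not taken from the slides. The four-word list, the substitution rules and the "leaked" hashes are constructed for the demonstration; a Python dict stands in for a rainbow table (a real one stores hash chains to save memory, but the principle is the same: all hashing is done before any hash is stolen). The final salted hash shows why a per-user random salt defeats the precomputed table.

```python
import hashlib
import itertools
import os

# Constructed, tiny wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "sunshine", "dragon"]

# Substitutions attackers have learned users make ("mangling rules").
SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def mangle(word):
    """Yield the word itself plus every combination of SUBS applied to its letters."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in SUBS]
    for count in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, count):
            chars = list(word)
            for i in chosen:
                chars[i] = SUBS[chars[i].lower()]
            yield "".join(chars)


def sha256_hex(text):
    """Unsalted SHA-256, as a careless application might store passwords."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_table(words):
    """Precompute hash -> candidate for every mangled word.

    A plain dict stands in for a rainbow table: the work is done once,
    ahead of time, and reused against every stolen hash.
    """
    table = {}
    for word in words:
        for candidate in mangle(word):
            table[sha256_hex(candidate)] = candidate
    return table


def crack(table, stolen_hash):
    """Instant lookup: no hashing at attack time at all."""
    return table.get(stolen_hash)


def salted_sha256_hex(text, salt):
    """Per-user random salt: the precomputed table no longer applies."""
    return hashlib.sha256(salt + text.encode("utf-8")).hexdigest()


def demo():
    """Crack a constructed unsalted hash, then fail against the salted one."""
    table = build_table(WORDLIST)
    unsalted = sha256_hex("p@$$w0rd")                      # constructed "leak"
    salted = salted_sha256_hex("p@$$w0rd", os.urandom(16))  # same password, salted
    return crack(table, unsalted), crack(table, salted)
```

Note that the substitutions multiply the table size only by a constant factor per word (16 variants for "password"), which is why leetspeak adds little real strength; the salt, by contrast, forces the attacker to redo the whole precomputation per user.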
Strong vs. Weak Passwords
- Strong: long, randomly generated, with varied capitalization, numbers and symbols where permitted
- Should be changed frequently (caveat: current NIST SP 800-63B guidance is to change a password when there is evidence of compromise rather than on a fixed schedule)
- Alternative technique: a "passphrase", several words strung together, which is long but still memorable
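Generating the two kinds of strong password described above, and putting numbers on "strong", as an added example that is not from the slides. The eight-word list is constructed (a real Diceware-style list has 7776 words), and the guess rate of 10^10 per second is an assumed figure for an offline attack on a fast unsalted hash. Entropy is computed as picks times log2 of the number of options, which holds only because `secrets` chooses uniformly.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample; a real Diceware-style list has 7776 words.
WORDS = ["correct", "horse", "battery", "staple", "orbit", "pencil", "velvet", "canyon"]


def random_password(length=16, alphabet=ALPHABET):
    """Uniform random password from the OS CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words=WORDS, count=5, sep="-"):
    """Random passphrase: words picked independently, so repeats are allowed."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform picks from `choices` options."""
    return picks * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit a uniformly random secret: half the space on average."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(rate=1e10):
    """Expected seconds to crack three password styles at `rate` guesses per second."""
    return {
        "dictionary word (20k-word list)": expected_crack_seconds(entropy_bits(20_000, 1), rate),
        "random 16 chars, 94 symbols": expected_crack_seconds(entropy_bits(94, 16), rate),
        "5 words from 7776-word list": expected_crack_seconds(entropy_bits(7776, 5), rate),
    }
```

At the assumed rate a single dictionary word falls in microseconds, five random Diceware words (about 65 bits) take decades, and 16 random printable characters (about 105 bits) are out of reach; the passphrase gives most of the benefit while remaining something a person can remember.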
Remembering Passwords
- The human brain is conditioned to work well with repetitive "chunks"; random sequences are difficult to remember
- A 2000 study (Anderson et al., 2000) found that most users given a randomly generated password kept it written down
Keeping Track of Passwords
- The "remember password" function in browsers is dangerous: anyone who can use the unlocked browser profile can use or read the stored passwords
- Keeping written records is also insecure
Keeping Track of Passwords (continued)
- KeePass: free, open source; stores passwords in a database encrypted with AES and locked with a master key
- Other password managers: Robopass, LastPass, SplashID, 1Password
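What "locked with a master key" means in practice, as an added example that is not KeePass's own code or file format. The vault header layout (salt, iteration count, verifier) is hypothetical; the master password is stretched with PBKDF2-HMAC-SHA256 from the Python standard library, and a keyed verifier lets the manager tell a wrong master password from a right one without storing the key. A real manager then uses the derived key to AES-encrypt the entries, which is omitted here because the standard library has no AES.

```python
import hashlib
import hmac
import os

# Work factor: each master-password guess costs this many HMAC computations.
# Several hundred thousand is a reasonable floor for PBKDF2-HMAC-SHA256 today.
ITERATIONS = 200_000


def derive_key(master_password, salt, iterations=ITERATIONS):
    """Slow, salted derivation of the 256-bit vault key from the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def create_vault(master_password):
    """Hypothetical vault header: random salt, iteration count and a key verifier."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(vault, master_password):
    """Re-derive the key and check it in constant time; return the key or None."""
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    expected = hmac.new(key, b"vault-verifier", "sha256").digest()
    if hmac.compare_digest(expected, vault["verifier"]):
        return key
    return None


def dictionary_attack(vault, wordlist):
    """An attacker with the vault file must pay the full KDF cost per guess."""
    for word in wordlist:
        if unlock(vault, word) is not None:
            return word
    return None
```

The salt stops a precomputed table from being reused across vaults, and the iteration count turns a cheap hash into a deliberately expensive one; together they mean the strength of the master password is the only thing the attacker can exploit, so it should be the one passphrase the user memorises.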
Alternatives to the current system
- PassFaces
- Pair based authentication
- These alternatives render dictionary and brute-force attacks on text passwords useless
- They are vulnerable to shoulder surfing
- They must be implemented server side
Sources
- Anderson, R., Blackwell, A., Grant, A., & Yan, J. (2000, September). The Memorability and Security of Passwords: Some Empirical Results. Retrieved from
- Capek, J., & Hub, M. (2011). Security Evaluation of Passwords Used on Internet. Journal of Algorithms & Computational Technology, 5(3).
- Komando, K. 5 Tips for Top-Notch Password Security. Retrieved from notch-password-security.aspx?fbid=8dPSEFEz49c
- Lemos, R. (2002). Passwords: the Weakest Link? Retrieved from
- Morris, R., & Thompson, K. (1979). Password Security: A Case History. Retrieved from
- Sreelatha, M. M., Shashi, M. M., Anirudh, M. M., Sultan Ahamer, M. D., & Kumar, V. (2011). Authentication Schemes for Session Passwords using Color and Images. International Journal of Multimedia & Its Applications, 3(3). doi: /ijnsa