Public Works and Government Services Canada / Travaux publics et Services gouvernementaux Canada: Password Management for Multiple Accounts, Some Security and Usability Considerations


Slide 1: Password Management for Multiple Accounts
Public Works and Government Services Canada / Travaux publics et Services gouvernementaux Canada
Some Security and Usability Considerations
Mike Just
DIMACS Workshop on Usable Privacy and Security Software, 7 July 2004

Slide 2: Agenda
- Introduction
- Background: Password for One Account
- Passwords for Multiple Accounts
- Further Thoughts

Slide 3: Introduction
- Premise: passwords are too secure already
- Several conditions lead to an unusable or intolerable environment for users
- Password conditions
  - For a single password: password rules, length, ...
  - For multiple passwords across several accounts: distinctiveness requirement/recommendation
- How can usability be improved while retaining an acceptable level of risk?

Slide 4: Password for One Account
- Usability considerations
  - Password length, e.g. 4-8 characters
  - Password construction, e.g. 1 letter, 1 number, ...
  - Password entering, e.g. allowed attempts
  - Password management, e.g. update
- Attack considerations
  - Offline attacks
  - Online attacks

Slide 5: Password for One Account
- Offline attack
  - Encryption of password images
  - Distribution of password images, cf. Ford/Kaliski
- Online attacks
  - Password rules
  - Account lockout
  - Reverse Turing Tests (CAPTCHA)
- But you also have to consider social engineering (e.g. phishing) attacks, or other attacks directed at the user rather than at the account system

Slide 6: Password for One Account
- Enhance with "something you have"
  - One-time passwords
  - Hard tokens, e.g. SecurID, smart card
- In most cases, this requires a different "something you have" for each account
  - Typically issued and managed through the information provider
  - Compounds password usability issues across each account

Slide 7: Passwords for Multiple Accounts
- Consider a user with multiple accounts, each requiring password authentication
- Traditional wisdom dictates a distinct password for each account
- Is this necessary? Why or why not?

Slide 8: Passwords for Multiple Accounts
- This is often a recommendation, as opposed to a mandatory requirement
  - Different accounts managed by different authorities
- Distinct versus independent passwords
  - Difficult to enforce independent passwords; see above
  - Even with the same authority, password values are not typically compared
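The offline-attack point from slide 5 (protecting stored password images) and the remark on this slide that even a single authority does not typically compare password values can be illustrated together. The following Python is added example code, not from the presentation or from PWGSC. It assumes a verifier built with PBKDF2-SHA256 over a random per-account salt (the salt size and iteration count are values chosen for the example) and shows that two accounts holding the same password store unrelated images, so password reuse is only checkable at the moment the plaintext is in hand, and never across different authorities:

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example (not taken from the presentation):
# a per-account random salt and a deliberately slow key-derivation function.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000


def make_image(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive the stored 'password image' (verifier) for one account.

    The iteration count is what makes an offline dictionary attack on a stolen
    image expensive; the per-account salt is what makes two images of the same
    password look unrelated.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    image = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, image


def verify(password: str, salt: bytes, image: bytes) -> bool:
    """Login-time check: recompute the image from the entered password and
    compare it to the stored one in constant time."""
    _, candidate = make_image(password, salt)
    return hmac.compare_digest(candidate, image)


def reuse_visible_in_store(password_a: str, password_b: str) -> bool:
    """Can the authority tell that two accounts share a password by comparing
    only what it stores? With independent salts the images differ even for
    identical passwords, so this is always False."""
    _salt_a, image_a = make_image(password_a)
    _salt_b, image_b = make_image(password_b)
    return image_a == image_b


def reuse_visible_at_entry(entered_password: str, other_salt: bytes, other_image: bytes) -> bool:
    """The only moment reuse can be checked: while the plaintext is available
    (at login or at a password change) the authority can test it against another
    of its own accounts' images. A different authority never sees the plaintext."""
    return verify(entered_password, other_salt, other_image)


if __name__ == "__main__":
    salt, image = make_image("correct horse battery")
    print("login with the right password:", verify("correct horse battery", salt, image))
    print("reuse detectable from stored images:", reuse_visible_in_store("same", "same"))
    print("reuse detectable at entry time:", reuse_visible_at_entry("correct horse battery", salt, image))
```

Run it directly to see the three outcomes; the point to notice is that `reuse_visible_in_store` returns False even when both arguments are the same string, which is exactly why "password values are not typically compared" even within one authority.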

Slide 9: Passwords for Multiple Accounts
- When might the same password be used at different accounts?
- A risk management decision
- Some considerations
  1. Type of attack(s)
  2. Typical behaviour of account user
  3. Account security or risk
  4. Additional authentication factors

Slide 10: Passwords for Multiple Accounts – Type of Attack(s)
- Consider online attacks
  - Though social engineering attacks remain a concern
- Random versus targeted attacks
  - Random: an attack to compromise any account
  - Targeted: an attack to compromise a specific account
- Targeted attacks might be discouraged with a number of security measures
  - Account lockout after some number of login attempts
  - Login monitoring systems to detect persistent failed attempts against one account
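As an added example (not part of the presentation) of the two measures named on this slide, the following Python implements per-account lockout after a fixed number of consecutive failures, and a login monitor that separates the targeted pattern (many failures against one account) from the random pattern (a few failures each against many accounts, which per-account lockout on its own never notices). The log format, the user names, the source addresses and the thresholds are all constructed assumptions for the example:

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample authentication log. The line format is an assumption for
# this example; the addresses come from the documentation ranges
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24, not from real hosts.
SAMPLE_LOG = [
    "2004-07-07T09:00:01 FAIL user=alice src=203.0.113.5",
    "2004-07-07T09:00:03 FAIL user=alice src=203.0.113.5",
    "2004-07-07T09:00:05 FAIL user=alice src=203.0.113.5",
    "2004-07-07T09:00:07 FAIL user=alice src=203.0.113.5",
    "2004-07-07T09:00:09 FAIL user=alice src=203.0.113.5",
    "2004-07-07T09:00:11 FAIL user=alice src=203.0.113.5",
    "2004-07-07T09:01:00 FAIL user=bob src=198.51.100.7",
    "2004-07-07T09:01:02 FAIL user=carol src=198.51.100.7",
    "2004-07-07T09:01:04 FAIL user=dave src=198.51.100.7",
    "2004-07-07T09:01:06 FAIL user=erin src=198.51.100.7",
    "2004-07-07T09:02:00 FAIL user=bob src=192.0.2.9",
    "2004-07-07T09:02:20 OK user=bob src=192.0.2.9",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    ok: bool
    user: str
    src: str


def parse_line(line: str) -> LoginEvent:
    """Parse one log line of the assumed format into a LoginEvent."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return LoginEvent(m["ts"], m["result"] == "OK", m["user"], m["src"])


def apply_lockout(events: List[LoginEvent], max_attempts: int = 5) -> Tuple[Set[str], List[LoginEvent]]:
    """Account lockout: lock an account after max_attempts consecutive
    failures; a success resets the counter. Returns the locked accounts and
    the attempts that arrived after the lock, which a real system would
    refuse without evaluating the password at all."""
    consecutive_failures: Dict[str, int] = defaultdict(int)
    locked: Set[str] = set()
    refused: List[LoginEvent] = []
    for e in events:
        if e.user in locked:
            refused.append(e)
            continue
        if e.ok:
            consecutive_failures[e.user] = 0
        else:
            consecutive_failures[e.user] += 1
            if consecutive_failures[e.user] >= max_attempts:
                locked.add(e.user)
    return locked, refused


def classify_sources(events: List[LoginEvent], targeted_threshold: int = 5,
                     spray_accounts: int = 3) -> Dict[str, str]:
    """Login monitoring: per source address, many failures against a single
    account is the 'targeted' pattern; a few failures each against many
    accounts is the 'random' (any-account) pattern that per-account lockout
    never reaches; anything else is treated as benign."""
    failures: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e.ok:
            failures[e.src][e.user] += 1
    verdict: Dict[str, str] = {}
    for src, per_user in failures.items():
        if max(per_user.values()) >= targeted_threshold:
            verdict[src] = "targeted"
        elif len(per_user) >= spray_accounts:
            verdict[src] = "random"
        else:
            verdict[src] = "benign"
    return verdict


if __name__ == "__main__":
    evs = [parse_line(line) for line in SAMPLE_LOG]
    locked, refused = apply_lockout(evs)
    print("locked accounts:", sorted(locked), "refused attempts:", len(refused))
    for src, v in classify_sources(evs).items():
        print(f"{src}: {v}")
```

On the sample log, lockout catches only the source hammering `alice`; the source that tries four different accounts once each stays under every per-account counter and is visible only to the per-source monitor. That asymmetry is why the slide lists both measures rather than one.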

Slide 11: Passwords for Multiple Accounts – Type of Attack(s)
- Assuming that random attacks occur most often, the likelihood of extending the attack to other account systems (for the same compromised user) may be low
  - Is there much motivation to attack that same user at a different account system?
  - The attacker would have to know the location of other account systems where the same user is registered
  - The attacker would have to know the account names
- So, password re-use might be OK in some cases

Slide 12: Passwords for Multiple Accounts – User Behaviour
- A "separation" between multiple accounts based upon user behaviour
  1. Consistently accessing accounts from different locations
     - Often forced today, e.g. no personal account access from work
  2. Distinct account identifiers
     - Create account separation, but also confusion
  3. Physical and digital separation of account information regarding multiple accounts
     - Can reduce risk of multiple account compromise

Slide 13: Passwords for Multiple Accounts – Account Security or Risk
- Often cited reason for distinct passwords
  - Work account versus magazine subscription
- Don't create a "weak link" by using the password of a high-risk account at an account that may not have similar security protections
- Previous conditions may help reduce this risk

Slide 14: Passwords for Multiple Accounts – Additional Authentication Factors
- Multiple authentication factors should be independent
  - Compromise of one should not increase the likelihood of compromising the other
- Similarly, using the same password across multiple accounts, with different secondary authentication factors, introduces additional risk
  - Compromising the password at account A and the token for account B shouldn't allow compromise of either account
  - But if the passwords for A and B are the same...
- However, such additional risk may be tolerable

Slide 15: Passwords for Multiple Accounts – Summary
- Some potential for password re-use
- Attack type
  - Increase protection against targeted attacks
- User behaviour
  - Separate behavioural patterns and records
- Account security or risk
  - Ensure separation amongst different account risk groups
  - But, based on the factors above, this might be lessened somewhat
- Additional authentication factors
  - Reduce potential burden in case of additional factor

Slide 16: Further Thoughts
- What about the necessity of password updates?
  - Multiple passwords over time, as opposed to space
  - Memorize new, forget old
  - Are other protections sufficient, e.g. "Last login time:"?
- What about the necessity of strict password rules?
  - 1 uppercase, 1 special character, ...
  - Can risks of random or targeted online attacks be sufficiently mitigated?
  - Do additional factors allow for leniency?

Slide 17: Contact Information
Mike Just
Public Works and Government Services Canada (PWGSC)
+1–613–952–6031
Carleton University, School of Computer Science