Slide 1: 13: Unlucky for some? …or how to test your WLAN passwords to make sure that it’s the hacker who is “unlucky”
Ian Hughes, Wireless Security Consultant, ian.c.hughes@bt.com

Slide 2: The world around us is changing
The threats presented by “insecure” Wireless LAN (WLAN) systems change with time. How good are your WLAN passwords?
As computers become more powerful and the tools they use become faster, we must review the way in which we implement effective security.
The use of “simple” passwords is no longer acceptable, since these can be obtained, or recovered by brute-force tools. For a WLAN protected by a pre-shared key, an attacker who has captured the key exchange can run the guessing offline, at their own speed and with no lockout, so the strength of the password is the only thing holding them back.

Slide 3: Test your passwords
Answer the following 13 questions. At the end of the test you can review your answers and see where you could make improvements to your organisation’s Wireless LAN security.

Slide 4: Test your passwords
1. How long is your password?
- Fewer than 8 characters
- Between 8 and 14 characters
- Between 15 and 30 characters
- More than 30 characters

Slide 5: Test your passwords
2. What characters do you use in your password?
- All letters (all upper or all lower case), or all numbers only
- A mix of mostly letters, in mixed case, and some numbers
- A mix of mostly letters, some numbers and punctuation
- A mix of totally random characters (including !"£$%^&* etc.)

Slide 6: Test your passwords
3. Do you use a password reminder?
- No – I don’t need to
- Yes, it asks a question and the answer is my password
- Yes, it asks a question to remind me of my password, but the answer is not my password
- Yes, the “question” is my password

Slide 7: Test your passwords
4. Does your password contain personal information?
- Yes
- Yes, but only known to my colleagues and friends
- Yes, but only known to my close family members
- No

Slide 8: Test your passwords
5. If you entered your password in a Web search engine, how many results would you get?
- Zero
- Fewer than 10
- Fewer than 1000
- 1000 or more

Slide 9: Test your passwords
6. Can you remember your password without having to look it up?
- Yes, always
- Mostly; sometimes I forget it after a holiday or soon after changing it
- Sometimes; I need to remind myself a few times each week
- No, I’m always forgetting it

Slide 10: Test your passwords
7. Where do you keep a record of your password?
- Nowhere – I don’t need to
- In the company fire safe
- In a sealed envelope in my locked desk drawer
- In a sealed envelope in my manager’s locked desk drawer

Slide 11: Test your passwords
8. How many pieces of random information does your password contain?
- Just the one
- Two
- Three
- More than three

Slide 12: Test your passwords
9. When did you last change your password?
- More than six months ago
- Less than six months ago
- Less than three months ago
- Less than one month ago

Slide 13: Test your passwords
10. Can you type your password without making mistakes?
- Yes
- Mostly
- Occasionally
- No

Slide 14: Test your passwords
11. Who else knows your password?
- My manager
- A work colleague
- The system administrator
- No one

Slide 15: Test your passwords
12. Where else do you use your password?
- On other work-related systems
- On other non-company systems (personal email etc.)
- On my eBanking account
- Nowhere else – all of my passwords are unique

Slide 16: Test your passwords
13. How long does it take you to produce a new password when asked?
- Less than 30 seconds
- Between 30 seconds and one minute
- Between one and five minutes
- More than five minutes

Slide 17: So how well did you do?

Slide 18: Test your passwords - Answers
1. How long is your password?
- Passwords of fewer than 8 characters, especially if they are a dictionary word, are poor: the whole space can be searched with brute-force tools and techniques. SCORE = 0
- Passwords of 8 to 14 characters are better, but should still not be a single dictionary word. A pass-phrase should always be used where possible. SCORE = 1
- Passwords of 15 to 30 characters tend to be pass-phrases because of their length and can offer a good level of security – but see the later questions to make sure this is the case. SCORE = 3
- Passwords of more than 30 characters can be very secure, but their complexity makes them harder to remember, and that may compromise them in other ways (written down, recovery process used often). SCORE = 1

Slide 19: Test your passwords - Answers
2. What characters do you use in your password?
- Passwords containing only letters, or worse only numbers, are much more easily recovered by brute force – especially if they are dictionary words and contain only upper-case or only lower-case characters. SCORE = 0
- Passwords containing mixed-case letters with some numbers are better, but avoid the commonly known “number for letter” substitutions (e.g. I = 1, S = 5, O = 0, E = 3, A = 4) and upper-case letters only at the beginning of a word: cracking tools apply these patterns automatically as rules, so they add almost nothing. SCORE = 2
- Passwords containing mixed-case letters with some numbers and other characters (@£$%& etc.) are much stronger and far more resistant to currently available brute-force tools and techniques. SCORE = 3
- Passwords containing totally random characters are very strong, but far more difficult to remember. SCORE = 1

Slide 20: Test your passwords - Answers
3. Do you use a password reminder?
- Not using a password reminder, where other secure methods are available, is acceptable, but being unable to recover your password may be a greater problem. SCORE = 1
- Take care – is the question and answer pairing obvious, either to a stranger or to someone who knows something about you? Avoid personal information or anything relating to your job function or organisation. What does a Web search bring up in answer to your “question”? SCORE = 1
- If the reminder works for you but does not directly relate to the password itself, well done! SCORE = 3
- Not so much a reminder, more a major security flaw. SCORE = 0

Slide 21: Test your passwords - Answers
4. Does your password contain personal information?
- Personal information (favourite football team, pet names, children’s names, nicknames etc.) is a bad choice and can easily be predicted – not so much brute force as a good guess based on widely available knowledge. SCORE = 0
- Your colleagues and friends may pass this information on to others. Would you give them your bank card and PIN? SCORE = 0
- You may think that only close family members know this information – how sure are you? SCORE = 1
- A good password contains no clues or references to you as an individual, so it is much harder to predict or guess. SCORE = 3

Slide 22: Test your passwords - Answers
5. If you entered your password in a Web search engine, how many results would you get?
- Zero results shows that this is probably a good password, with a good degree of randomness (or maybe you need a better Web search engine?). SCORE = 3
- Fewer than 10 results shows a fair degree of randomness and/or unpredictability, but be careful that it is not something related to you or your company’s interests that may be guessed. SCORE = 2
- Fewer than 1000 results shows that randomness and unpredictability are reducing. Try making some simple changes to reduce the number of results found. SCORE = 1
- More than 1000? Not a good choice. SCORE = 0

Slide 23: Test your passwords - Answers
6. Can you remember your password without having to look it up?
- If you can always remember your password you may have an excellent memory, so challenge it a little more and make your password slightly more complicated. SCORE = 2
- Being able to remember your password most of the time shows that it is reasonably complex – or at least offers the best mix of security and memorability for you, the user. SCORE = 3
- If you need to remind yourself several times a week, the password recovery process (paper or online) may become a potential weakness. SCORE = 1
- Always forgetting? Try to generate strong but more memorable passwords. SCORE = 0

Slide 24: Test your passwords - Answers
7. Where do you keep a record of your password?
- Not keeping a password record, if suitable secure methods are available, risks your being unable to recover the password if it is forgotten. Whilst secure, this method has other risks. SCORE = 1
- Keeping a record in the company fire safe puts all credentials in one common location, and security then depends entirely on the physical access controls to the fire safe. SCORE = 0
- Keeping a sealed envelope in your own locked desk drawer distributes the risk, provided access to your drawer is restricted, and allows you to check the integrity of the envelope periodically – any evidence of tampering should trigger an immediate password change. SCORE = 3
- A sealed envelope in your manager’s drawer may be an issue if they have many staff: will they notice if yours is opened or goes missing? It also means many credentials can be compromised at once, as with the fire safe. SCORE = 1

Slide 25: Test your passwords - Answers
8. How many pieces of random information does your password contain?
- Just one element, or a common theme, can make the password much easier to break. SCORE = 1
- Using two separate elements greatly improves security – so long as they are unrelated. SCORE = 2
- Using three unrelated elements adds a high level of security, and should not be too complex for the password owner to remember. SCORE = 3
- Using more than three unrelated random elements continues to increase the security of your password, but memorability may become an issue – both for normal use and for any password recovery process. SCORE = 1

Slide 26: Test your passwords - Answers
9. When did you last change your password?
- Time is the enemy: if you have not changed your password for six months or more, an attacker has had that long to capture it and run brute-force tools against it, so the probability of it having been broken is much greater. SCORE = 0
- A password that has been in use for between three and six months must be considered weaker. Even for low-risk systems, such as personal email or chat rooms, six months is the absolute maximum period for any password before renewal. SCORE = 1
- Three months is a sensible limit for any “user” level password. Admin or “superuser” passwords should be changed more often to maintain adequate security. SCORE = 2
- Monthly changes to your passwords add considerably to the security of your systems and should be considered mandatory for Admin and “superuser” accounts. SCORE = 3
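The answers to questions 1, 2, 8 and 9 all come down to one calculation: how many guesses the attacker needs, and how much each guess costs. The following Python is an added worked example, not part of the presentation: it estimates the search space for the password types the quiz scores, shows that “number for letter” substitutions only multiply a dictionary word by 2 to the power of the substitutable letters, and computes the WPA2-PSK key derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) that an offline attacker must repeat for every guess once a handshake has been captured. The guess rate, the dictionary size and the sample SSID/passphrase are assumptions chosen for illustration; the SSID “IEEE” with passphrase “password” is the published 802.11i test vector.

```python
"""Added worked example (not from the slides): estimate brute-force effort for
the password types scored in questions 1, 2, 8 and 9, and show the per-guess
cost of a WPA2-PSK guess.

Assumptions (not stated on the page): the guess rate, the dictionary size,
and the sample SSID/passphrase at the bottom."""
import hashlib
import math

# Assumed attacker throughput against WPA2-PSK, in PBKDF2 guesses per second.
# Illustrative only; real rates depend on hardware and rise every year.
ASSUMED_GUESSES_PER_SECOND = 1_000_000

# Alphabet sizes for the character classes in question 2.
ALPHABETS = {
    "digits only": 10,
    "letters, one case": 26,
    "letters, mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + punctuation": 94,   # printable ASCII minus space
}

# Assumed size of the word list a passphrase attacker would use (question 8).
ASSUMED_DICTIONARY_SIZE = 8_000


def random_password_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size=ASSUMED_DICTIONARY_SIZE):
    """Entropy of `word_count` unrelated words chosen independently from a dictionary."""
    return word_count * math.log2(dictionary_size)


def leet_variants(word, substitutions=None):
    """Candidates a cracker's rule engine needs to cover every combination of the
    common number-for-letter substitutions in `word`. Each substitutable letter
    only doubles the count, so the gain over the plain word is just 2**k."""
    substitutions = substitutions or {"i": "1", "s": "5", "o": "0", "e": "3", "a": "4"}
    k = sum(1 for c in word.lower() if c in substitutions)
    return 2 ** k


def seconds_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try the whole space; on average an attacker needs half."""
    return 2.0 ** bits / guesses_per_second


def wpa2_pmk(ssid, passphrase):
    """WPA2-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds,
    256-bit output. This is the work an offline attacker repeats per guess once
    the four-way handshake has been captured."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def quiz_comparison():
    """Rows of (description, bits, seconds) for password types the quiz scores."""
    rows = [
        ("7 lower-case letters (Q1 score 0)", random_password_bits(7, ALPHABETS["letters, one case"])),
        ("8 mixed case + digits (Q1/Q2 score 1-2)", random_password_bits(8, ALPHABETS["mixed case + digits"])),
        ("15 chars, mixed case + digits + punctuation (Q2 score 3)",
         random_password_bits(15, ALPHABETS["mixed case + digits + punctuation"])),
        ("1 dictionary word (Q8 score 1)", passphrase_bits(1)),
        ("3 unrelated words (Q8 score 3)", passphrase_bits(3)),
    ]
    return [(desc, bits, seconds_to_exhaust(bits)) for desc, bits in rows]


if __name__ == "__main__":
    for desc, bits, secs in quiz_comparison():
        print(f"{desc:60s} {bits:6.1f} bits  {secs / 86400:18.1f} days")
    # "Pa55w0rd"-style substitutions add only 2**k candidates to the plain word.
    print("leet variants of 'password':", leet_variants("password"))
    # Constructed sample: the 802.11i test vector (SSID "IEEE", passphrase "password").
    print("PMK:", wpa2_pmk("IEEE", "password").hex())
```

At the assumed rate the 7-letter case is exhausted in a few hours and the single dictionary word in well under a second, while the 15-character mixed password and the three-word passphrase sit at roughly 98 and 39 bits respectively, which is why the quiz scores them 3. The time estimates scale directly with the guess rate, so re-run the comparison with a higher ASSUMED_GUESSES_PER_SECOND to see how a password that was safe a few years ago becomes reachable, which is the point of question 9.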

Slide 27: Test your passwords - Answers
10. Can you type your password without making mistakes?
- Being able to type your password quickly makes it less likely that someone will be able to observe, or “shoulder surf”, your password as you type it. SCORE = 3
- Occasionally mistyping your password is not a disaster, but take care not to slow down too much or people may observe you as you type it. SCORE = 2
- Your password may be overly complex; for all but the most sensitive systems a balance must be struck between usability and security. Repeated typing makes it easier for someone observing you to see your password. SCORE = 1
- Maybe you need to learn to type, or get a better password? It may be too complex, too long, or just not practical. SCORE = 0

Slide 28: Test your passwords - Answers
11. Who else knows your password?
- Your manager may need to access the systems you use, but should have their own log-on credentials to do so. SCORE = 0
- Never share your passwords with colleagues – they should have their own unique account and password if they need access to a system. Even in a job share, you should never share passwords. SCORE = 0
- The system administrator should be able to reset your password, but you should then change it to something only you know. Avoid shared “system” passwords where possible and administer systems with individual user accounts. SCORE = 1
- If you are the only person who knows your password, and it is stored only in a hashed or encrypted form on the system to which it provides access – well done! SCORE = 3

Slide 29: Test your passwords - Answers
12. Where else do you use your password?
- Using a common password across multiple separate systems, where each system requires authentication, means a compromise of any one of them exposes the others. SCORE = 1
- Using a work-related password on non-work systems should be avoided at all costs – especially if you also supply a work email address as your identity! SCORE = 0
- Sensitive accounts, such as eBanking, should always have their own unique and strong passwords. Never share passwords between systems with different security requirements. SCORE = 0
- Well done. By using unique passwords you limit the exposure between the various systems you use. Should one be compromised, only that system is at risk, and you only have to change the password on that one system. SCORE = 3

Slide 30: Test your passwords - Answers
13. How long does it take you to produce a new password when asked?
- Less than 30 seconds: you probably used the first thing that came into your head, or modified your old password somehow. How easily could this be guessed, or recovered with brute-force techniques? SCORE = 0
- 30 seconds to a minute: maybe you are a slow thinker, or maybe you did spend a little more time and effort and did not use the first thing that came into your head. SCORE = 2
- Between one and five minutes: probably an excellent idea if you are changing an Admin or “superuser” password. Spend a few minutes looking at some basic techniques to make your passwords stronger before choosing a new one. SCORE = 3
- More than five minutes may be excessive – especially if you have multiple passwords to change regularly. SCORE = 1

Slide 31: Test your passwords - Scores
What was your overall score?
- 30 or more: Well done. Review your answers to see if there are any further simple improvements that you can make.
- 24 - 29: A good result, but some key elements may need to be reassessed.
- 18 - 23: Some areas addressed, but others leave some exposure that leads to greater risk in the longer term.
- 10 - 17: A poor result – needs immediate attention to mitigate considerable risk exposure.
- 9 or less: A formal review of security techniques and methods is required urgently.
