So Many Passwords… IT Security Roundtable January 15, 2010 Harvard Townsend Chief Information Security Officer [email protected]

SIRT Roundtable PasswordMgmtJan10

Nov 19, 2015

Transcript
  • So Many Passwords
    IT Security Roundtable
    January 15, 2010

    Harvard Townsend, Chief Information Security Officer, [email protected]

  • Agenda
    - So many passwords, so few brain cells
    - Threats to passwords
    - Which ones are important?
    - eID password (importance, rules, policy)
    - Definitions (password, passphrase, etc.)
    - Choosing a good password
    - Misc. cautions/tips/tricks
    - Q&A

  • My accounts/passwords:
    - K-State: eID, my office computer, my laptop, several servers, Bluecoat PacketShaper, PGP encryption, TrueCrypt encryption, Trend Micro OfficeScan servers, Trend Micro support portal, Zimbra customer care portal, Zimbra security shared account, LISTSERV, State of KS employee self-service, HealthQuest health screening, IT Tuesday news authoring, IT Security Threats blog, network usage graphs
    - Shopping: PayPal, amazon.com, expedia.com, iTunes, REI
    - Financial: checking account, two savings accounts, ATM PIN, retirement accounts, credit cards, health insurance, flexible health spending account, auto loan, home mortgage
    - Other personal: cell phone, cell phone provider, Internet provider, cable TV, Netflix, Pandora, Skype, Facebook, Gmail, Yahoo!, Flickr, K-Tag, mission work, charitable organizations, Manhattan Mercury, State Dept (travel advisories), several airline frequent flier accounts, UFM, trails.com, job applications, etc.

  • What's a feller to do?
    - Same password everywhere? PLEASE, NO!!!
      - If one is compromised, all are compromised
      - Different systems have different password rules
      - Violates K-State policy about eID passwords
    - Rely on your memory?
      - Value is inversely proportional to your age!
      - You'll often click on "Forgot Your Password?" links!
    - Write 'em down?
      - Risky, but not out of the question if you keep the note in a safe place (NOT your desk pencil drawer)
      - The bigger issue is the quantity of passwords you have to remember
      - Generally considered a bad idea

  • What's a feller to do?
    - Let your browser store them all?
      - OK for some passwords, but not others
      - Too risky for accounts with access to sensitive information
      - Easy for someone to view the stored passwords, unless you use Firefox and password-protect viewing of stored passwords (and don't forget THAT password!)
      - DON'T do it with your eID password, financial accounts, or anything with access to personal identity info (like SSN)
      - Never do this on a shared, lab, or public computer
    - IE stores browser (AutoComplete) passwords in the Registry; free tools to recover them are readily available. Delete them in IE8 with Tools -> Internet Options -> General -> Browsing history -> Delete, and check the Passwords box.
    - Firefox has a built-in tool to view and delete them (Tools -> Options -> Security -> Saved Passwords); be sure to set a Master Password to protect the stored passwords. Without one, the saved passwords are decryptable by anyone who can read your profile directory.

  • What's a feller to do?
    - Use the same password for similar categories of accounts
      - A reasonable compromise (a breach of any one account still exposes the rest of its category, so keep the sensitive categories small)
      - Have at least four categories:
        1. Financial
        2. eID and other important K-State accounts
        3. Shopping accounts that store your credit card info
        4. Innocuous accounts with no sensitive information
      - #1 and #2 should be long, complex, and changed regularly
      - #3 not as long, less complex, changed less often
      - #4 can be short, simple, never changed
      - Differing password rules may pose a challenge

  • What's a feller to do?
    - Use a password management tool
      - Software that organizes and stores (encrypted) passwords
      - Effective way to manage many passwords
      - Relies on a single master password to protect all the other passwords
      - Can be a challenge if you use multiple computers, since the password database is usually stored locally; tools are available that work across computers, but that means your passwords are stored on the company's server(s). Do you trust them? Example: lastpass.com
      - Windows example: Password Safe (passwordsafe.sourceforge.net)
      - Mac example: Password Gorilla (www.fpx.de/fp/Software/Gorilla/); also available for Windows and Linux; can read Password Safe databases

  • Password Safe Demo
    - Windows only
    - Available for free at passwordsafe.sourceforge.net
    - Mature product, lots of nice features
    - Has a sophisticated password generator
    - Allows you to jump to a web site and auto-enter the username/password used for that site
    - Demo

  • Other Strategies?
    How do you manage your passwords?

  • Threats to Passwords
    - Keyloggers: a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords or other account information
    - Sniffing the network: someone intercepting network traffic; wireless networks are particularly vulnerable
    - Malware that gives the hacker full control of a computer and access to anything on it
      - Torpig malware infected 27 K-State computers in the last year; it watches Internet traffic and intercepts bank account info and usernames/passwords
    - Hackers stealing passwords from a compromised server
    - Password cracking: a hacker guessing your password, usually with the help of a computer program
      - Programs to do this are readily available on the Internet
      - Faster computers make this easier

    At 3,000,000 guesses per second, a computer needs about 56 days to work through all 76^7 (roughly 1.5 x 10^13) combinations of a 7-character password drawn from 76 possible characters; on average the right password turns up about halfway through, after roughly 28 days. That rate is a 2010 desktop figure: GPU-based crackers against fast hashes run orders of magnitude faster, and each additional character multiplies the work by 76.

  • Threats to Passwords
    - Internet cafés: a favorite place for hackers to use keyloggers or other forms of malware to intercept account info and passwords
    - Phishing: tricking you into providing account information
      - 431 K-Staters replied to phishing scams with their eID passwords in 2009
      - 377 of those were used by criminals to log in to Webmail and send spam
      - Consider what can be accessed with your eID
    - Spear phishing: phishing that targets a specific population, like sending an email to K-Staters to steal eID passwords
    - Shoulder surfing: someone looking over your shoulder as you type
    - Web browsers storing your password: easy for someone else using your computer to see or use your password(s)
    - Typing your password into the wrong place on the screen

  • Threats to Passwords
    - Sharing your password with a friend or family member
    - Giving your password to someone who is helping you with a computer problem
    - Disgruntled system administrator or others with privileged access to servers

    Bottom line: the threats are real and happening at K-State. Take password security seriously!

  • Which passwords matter?
    Pay particular attention to these passwords; make them complex, long, and change them regularly. Anything that provides access to sensitive information:
    - Bank account
    - Credit/debit card account
    - Personal Identity Information (name + SSN, for example)
    - Shopping account that stores credit card data; normally the credit card number is masked, but an intruder could change the shipping address and spend lots of money
    - Administrator or root accounts on servers
    - K-State eID

  • eID Password
    What's the big deal with eIDs? It gains access to:
    - HRIS self-service
    - Email
    - iSIS
    - K-State Online
    - eProfile (eid.ksu.edu) with emergency contact info
    - Oracle Calendar
    - K-State Single-Sign-On environment
    - Licensed software and databases
    - SGA elections
    - University Computing Labs
    - Student access to the network in residence halls

  • eID Password
    What's the big deal?
    - 431 people at K-State replied to phishing scams in 2009, giving away their eID password
    - 377 of them were used by criminals to log in to K-State Webmail (often from Nigeria) and send hundreds of thousands of spam messages
    - Compromised accounts are locked so the hacker can't use them, which means the legitimate owner can't use them either
    - K-State is seen as a source of spam and put on spam blocklists, resulting in all email from K-State being blocked by the likes of Hotmail, Gmail, Yahoo!, Comcast, Road Runner, Cox, AT&T, etc. Thus one person's mistake can affect the entire campus
    - Contributes to spam, the scourge of the Internet
    - Recently, hackers haven't used stolen passwords right away, sometimes waiting 3-4 months before using them. Thus if in the meantime the password is changed by the legitimate owner, the hacker can't use the account. This is a good case for regular password changes.

  • eID Password Policies
    Why do you have to change it?
    - The longer you have the same password, the more likely someone will discover it (because of the threats just discussed)
    - eID passwords stolen in spear phishing scams were not used until 3-4 months later!
    - Changing it limits the amount of time a hacker can wreak havoc in your life
    - Changing your password regularly is standard best practice
    - It could be worse! (most standards specify a change every 30-90 days)
    - Pending state security policy requires a change every 30/60/90 days depending on the sensitivity of the account

    http://www.k-state.edu/policies/ppm/3430.html#require

  • eID Password Policies
    - Do not share it with anyone!
    - NEVER give your password in an email!!!!
    - Do not use it for non-university accounts such as Hotmail, amazon.com, or your bank
      - It is okay for departmental servers (an acceptable risk)
    - Can I write it down? "Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority."

    http://www.k-state.edu/policies/ppm/3430.html#require

  • eID password rules
    - 7-30 characters in length (longer is better)
    - Must contain at least 5 different characters
    - Must contain 3 of the 4 following:
      - Uppercase letters
      - Lowercase letters
      - Numbers
      - Special characters (!, @, #, &, etc.)
    - Can't be based on your eID or real name
    - Cannot contain a recognizable word, phrase, acronym, or K-State related name
    - Can't be one of the 4 million+ words in the hacker dictionary
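    The rules on this slide, and the "28 days" brute-force arithmetic from the threats note earlier, as an added worked example (this is not K-State's eProfile code; the rule interpretation, the SPECIALS set and the tiny DEMO_DICTIONARY standing in for the 4-million-word hacker dictionary are the example's own assumptions):

```python
"""Checker for the eID password rules above, plus the brute-force arithmetic
behind the "28 days" figure.  Added example, not K-State's eProfile code."""
import math

# Assumed set of "special" characters; the slide only lists a few examples.
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?`~|\\")

# Constructed miniature dictionary standing in for the 4-million-word list;
# a real check loads the full wordlist from disk.
DEMO_DICTIONARY = {"password", "wildcat", "kstate", "manhattan", "letmein", "purple"}


def char_classes(pw):
    """Which of the four eID character classes appear in pw."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        elif c in SPECIALS:
            classes.add("special")
    return classes


def check_eid_password(pw, eid="", real_name="", dictionary=DEMO_DICTIONARY):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if not 7 <= len(pw) <= 30:
        problems.append("length must be 7-30 characters")
    if len(set(pw)) < 5:
        problems.append("must contain at least 5 different characters")
    if len(char_classes(pw)) < 3:
        problems.append("must use 3 of the 4 classes: upper, lower, digit, special")
    low = pw.lower()
    # "Not based on eID or real name": reject if any name part of 3+ letters is embedded.
    for part in (eid + " " + real_name).lower().split():
        if len(part) >= 3 and part in low:
            problems.append(f"must not be based on eID or real name ({part!r})")
    # "No recognizable word": reject if any dictionary word of 4+ letters is embedded.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in low:
            problems.append(f"contains dictionary word {word!r}")
    return problems


def brute_force_seconds(alphabet_size, length, guesses_per_second):
    """Seconds to try every password of exactly `length` characters drawn from
    `alphabet_size` symbols; on average the right one is found halfway through."""
    return alphabet_size ** length / guesses_per_second


def entropy_bits(alphabet_size, length):
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)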

  • eID Password Policies
    - These policies apply to ALL K-State passwords, not just the eID
    - Enable the password on your screen saver
    - Lock your computer screen when you leave it unattended

    http://www.k-state.edu/policies/ppm/3430.html#require

  • Authentication & Authorization
    - Authentication (AuthN): verify who you are
    - Authorization (AuthZ): determine what you are allowed to do
    - Your eID (or other username) and password provide authentication
    - After authN, the system or application determines what you can access (authZ)

    Authentication is the process of verifying a person's identity, while authorization is the process of verifying that a known person has the authority to perform a certain operation. They are often treated as if they were the same thing, but they're not.

    Authentication, therefore, must precede authorization. For example, when you show proper identification to a bank teller, you are authenticated by the teller, and you are then authorized to access information about your own bank accounts. You would not be authorized to access accounts that are not your own.

    The authorization process is used to decide whether person, program or device X is allowed to have access to data, functionality or service Y.

  • Forms of Authentication
    - 4-digit PIN (aka Passcode)
    - Username/Password
    - Challenge-Response (aka security question)
    - Two-factor Authentication
      - Two different methods required to authN
      - Something you know plus something you have (e.g., PIN + bank card)
    - Biometrics (e.g., thumbprint reader)
    - Passphrase
    - One-time passwords
    - Digital signature

    4-digit PINs are very insecure since they are very easy to guess: there are only 10,000 possibilities, and a computer can run through all of them VERY quickly.

    A password (or PIN) that is all numeric is sometimes called a passcode.

    Username/password is generally a weak form of authN. Why? It is easy to find someone's username, so an attacker already has half the information; it is easy to mimic (compared to your fingerprint or retina scan); it can be shared (unlike your fingerprint); a computer can guess it; humans make them too simple; sometimes they are left off an account entirely.

    Challenge-response: present a challenge that only the authentic owner of the account should know, and require a correct response before continuing; like online banking that makes you establish a set of questions/answers, such as your mother's maiden name. Passwords are actually a form of challenge-response.

    Password + additional challenge-response questions is often presented as 2-factor authN; CapFed prompts you for a challenge question if you access your online account from a different location. Strictly speaking, both are "something you know", so this is a second step rather than a second factor.

    Usually, 2-factor involves something you know (a password) and something you have (like a SmartCard or a USB token).

    A SmartCard is a credit-card-sized card with a chip that holds your authN credentials: a password, or more commonly a private key that never leaves the chip and is unlocked with a PIN. Sometimes used by itself; really just a different form factor from a USB token. Both hold login credentials.

    Biometrics recognize the person (i.e., authenticate) based on a physical characteristic, like a thumbprint, retinal scan, voice recognition, even DNA; it is possible to spoof them. Sometimes used by itself (i.e., not part of 2-factor).

    A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security (should be 20-30 chars). A good rule of thumb is to purposely misspell at least one or preferably a few words in the passphrase, mix in words from different languages, and/or add symbols to the words.

    One-time passwords are good for 60 seconds or so. Sometimes used in addition to your regular account password; common for sysadmins.

    A digital signature can be used for authentication; it uses the private key of your public/private key pair. The key can be stored on your computer, on a SmartCard (unlocked with a PIN), or on a USB token.

    Key point: username/password is a weak form of authentication, which means we have to be all the more careful about how we manage our passwords.

  • Passphrase
    - A passphrase is a password consisting of a sequence of words or other text. It's similar to a password in that it controls access to a computer or system, but it's generally longer for added security (should be 20-30 chars). A good rule of thumb is to purposely misspell at least one or preferably a few words in the passphrase, mix in words from different languages, and/or add symbols to the words.
    - Advantage is in its length (more secure) and ease of remembering, since you can use a familiar phrase or sentence (but not a well-known quote, lyric or title: published phrases are in cracking wordlists too)
    - eID password can now be a passphrase, using words and spaces, but the same complexity rules apply (must use digits, mixed case, special characters, etc.)
    - Can be frustrating, since it is harder to type a long passphrase error-free when you can't see what you're typing. Using a password manager like Password Safe or Gorilla lets you submit a long password without typing it.

  • Challenge-Response (aka security questions)
    - Present a challenge (i.e., a question) that only the authentic owner of the account should know, then require a correct response before continuing
    - Common examples: your mother's maiden name, your first pet, or the city you were born in
    - Online banking often makes you establish a set of questions/answers, then poses one (in addition to your password) when you log in from a different location
    - Also used for resetting an account password
    - Treat these like a password: put effort into choosing effective questions and answers, ones not easily discovered via a Google search of your name. The answer does not have to be true; a made-up answer kept in your password manager is stronger than a fact anyone can look up.
    - Sarah Palin's Yahoo email was broken into during the 2008 campaign by guessing her three security questions.
    - For more information: itnews.itac.k-state.edu/2008/12/palin-email-password-security/

  • Beware of keeping yourself logged in via the browser
    - Anyone using the computer has access to the account
    - This is slightly different from having the browser/OS save your passwords, but the end result is the same: anyone using the computer has access to your account.

  • Other password news
    - SIRT subcommittee is developing recommendations for updating password policy:
      - Implement account lock-out (lock the account after X failed logins)
      - Add a password strength meter where eID passwords are changed
      - Prepare for a higher minimum length
    - NEVER give out your password in an email!!!!
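    The account lock-out the subcommittee is considering has a trade-off the earlier slides already hint at: whoever can cause failed logins can lock the legitimate owner out. The following is an added example (not K-State's implementation; the thresholds are assumed) of a lock-out that counts failures over a sliding window and expires the lock on its own, so a burst of guesses is stopped without a permanent denial of service. The clock is injectable so the behaviour can be exercised without waiting.

```python
"""Failed-login lock-out with a sliding window and an expiring lock.
Added example, not K-State's implementation; thresholds are assumptions."""
import time
from collections import defaultdict, deque


class LockoutPolicy:
    def __init__(self, max_failures=5, window=600, lock_seconds=900, clock=time.time):
        self.max_failures = max_failures   # failures within `window` that trigger a lock
        self.window = window               # seconds over which failures are counted
        self.lock_seconds = lock_seconds   # lock expires by itself, limiting the DoS
        self.clock = clock                 # injectable for testing
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: clear state, allow attempts
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user):
        """Register a failed login; returns True if this failure locked the account."""
        now = self.clock()
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            q.clear()
            return True
        return False

    def record_success(self, user):
        self._failures[user].clear()


def attempt_login(policy, user, password_ok):
    """Gate a login through the policy.  The lock is checked before the
    password so a locked account is refused even with the right password."""
    if policy.is_locked(user):
        return "locked"
    if password_ok:
        policy.record_success(user)
        return "ok"
    policy.record_failure(user)
    return "denied"
```

    A real deployment would also throttle by source address and return the same response time whether the account is locked or the password is merely wrong, so that the lock-out itself does not leak which eIDs exist.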

  • Hints for Choosing a Strong (eID) Password
    - General rule: hard to guess, easy to remember (strong, memorable)
    - You could let eProfile (eid.ksu.edu) choose one for you (not ideal, since it is random, so it is hard to remember and you will likely write it down)
    - Better to come up with a system that makes sense to you and accommodates regular changes without a lot of effort
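    This slide and the Password Safe demo both mention letting software pick a password. The following is an added example (not eProfile's or Password Safe's generator) of how such a generator should be built: a cryptographic RNG (Python's secrets, never the random module), one character forced from each required class so a "3 of 4 classes" rule always holds, a CSPRNG shuffle so the forced characters do not sit in predictable positions, and a word-based passphrase variant that answers the "hard to remember" objection. The SPECIAL set and the miniature DEMO_WORDS list are constructed for the example.

```python
"""Password and passphrase generation with a cryptographic RNG.  Added
example, not the generator in eProfile or Password Safe."""
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%&*+-=?_"   # assumed set, chosen to avoid keys missing on some keyboards


def random_password(length=14, classes=(UPPER, LOWER, DIGITS, SPECIAL)):
    """Random password guaranteed to contain at least one character of every class.

    One character is drawn from each class, the rest from the union of all
    classes, then the list is shuffled with a CSPRNG so the forced characters
    do not land in predictable positions (random.shuffle uses a non-crypto PRNG)."""
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    pool = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(classes))]
    for i in range(len(chars) - 1, 0, -1):       # Fisher-Yates with secrets.randbelow
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


# Constructed miniature wordlist; a real generator uses thousands of words
# (a 7776-word diceware list gives about 12.9 bits per word).
DEMO_WORDS = ("apple bridge candle delta ember falcon garden harbor island "
              "jungle kettle lantern maple nickel orbit pepper quartz ribbon "
              "saddle timber").split()


def random_passphrase(words=5, wordlist=DEMO_WORDS, sep=" ", complexity=False):
    """Random words joined by `sep`.  With complexity=True, capitalize one
    random word and append a digit+symbol token so the result also satisfies
    a "3 of 4 character classes" rule like the eID one."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    if complexity:
        i = secrets.randbelow(words)
        chosen[i] = chosen[i].capitalize()
        chosen.append(secrets.choice(DIGITS) + secrets.choice(SPECIAL))
    return sep.join(chosen)
```

    Because the output is random it belongs in a password manager rather than in memory, which is exactly the combination the earlier slides recommend; the passphrase form is the one to use where it has to be typed.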

  • Hints for Choosing a Strong (eID) Password
    - Use character/word substitutions:
      - 2 instead of to/too
      - 4 for for
      - 4t for Fort
      - L8 for late (r8, g8, b8, d8, etc.)
      - r for are
      - u for you
      - $ for S
      - 1 (one) for l (el) or i (eye)
      - ! for 1, l, or i
    - Caveat: these substitutions are well known, and password-cracking tools apply them automatically as "rules" to every dictionary word, so a substituted word by itself (p@$$w0rd, for example) is not strong. Combine substitutions with length and with a phrase that is not in any dictionary.

    Note: mention that the maximum length will increase, probably next summer.

  • Hints for Choosing a Strong (eID) Password
    - Capitalize letters where it makes sense, to get an upper/lower case mix
    - Take a phrase and abbreviate it: 2Bor~2b! = "To be, or not to be"
    - Watch custom license plates for ideas: im4KSU2 (and add punctuation, like !)
    - Use the method, not these literal examples: once an example is published, including in this talk, it ends up in cracking wordlists

  • Hints for Choosing a Strong (eID) Password
    - Use a password strength meter:
      - www.passwordmeter.com
      - www.microsoft.com/protect/yourself/password/checker.mspx
      - Test a candidate built by the same method rather than the password you will actually use; anything typed into a third-party site may be logged
    - Gotcha: beware of special characters that are not on foreign keyboards (e.g., $)
    - What are your tips and tricks?

  • The gospel according to Microsoft
    http://www.microsoft.com/protect/yourself/password/create.mspx
    - Think of a sentence that you can remember as the basis of your strong password or passphrase. Use a memorable sentence, such as "My son Aiden is three years old".
    - Check whether the computer or online system supports the passphrase directly. If you can use a passphrase (with spaces between the words), do so.

  • If the computer or online system does not support passphrases, convert it to a password
    - Take the first letter of each word to create a new, nonsensical word. Using the example above, you'd get: msaityo
    - Add complexity: mix uppercase and lowercase letters and numbers. Swap some letters or intentionally misspell: My SoN Ayd3N is 3 yeeRs old

  • Substitute some special characters
    - Add punctuation (!, ;, (), etc.)
    - Use symbols that look like letters: $ for S, 3 for E, 1 for i, @ for a
    - Combine words (remove spaces): MySoN 8N i$ 3yeeR$ old; or M$8ni3y0;
    - Test your new password with the Password Strength Checker and/or eProfile (eid.ksu.edu)

  • What's on your mind?
