Online Self Defense - Passwords

Posted on 08-May-2015


Passwords are the main authentication method used for internet sites and applications. But passwords get stolen and have many weaknesses. Here are tips you can use at home and at work to protect your information.

Transcript of Online Self Defense - Passwords

Online Self-Defense:

Passwords

bcaplin1@fairview.org

bc@bjb.org @bcaplin

http://about.me/barrycaplin

http://securityandcoffee.blogspot.com

Barry Caplin, Chief Information Security Official, Fairview Health Services

Passwords: Why Are They A Problem?

• Hard to remember
• Hard to enter
• Need too many
• Inconsistent Rules
• Changes

How Passwords Work

• Site saves encrypted pw
• At login – enter pw – it’s encrypted and compared to stored value
• Some sites:
- Don’t encrypt well
- Don’t encrypt at all!
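As an added illustration of the slide above (not from the original talk), here is what a site that “encrypts well” does differently from one that doesn’t, in Python: the weak scheme is a single fast unsalted hash, while the stronger one stores a random per-user salt and runs a deliberately slow key derivation (PBKDF2 here; the iteration count is an assumption for illustration) and compares in constant time at login.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme (what "don't encrypt well" looks like): one fast hash, no salt.
# Every user with the same password gets the same stored value, and a stolen
# file can be attacked with precomputed tables or very fast guessing.
def store_weak(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Stronger scheme: random per-user salt plus a slow key-derivation function,
# so each guess against a stolen file costs real time.
# Iteration count is illustrative (an assumption, not from the talk).
PBKDF2_ITERATIONS = 200_000

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)

def store_strong(password: str, salt: Optional[bytes] = None) -> dict:
    # A fresh 16-byte salt per user; salt and hash are saved together.
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}

def verify_strong(password: str, record: dict) -> bool:
    # Re-derive with the stored salt and compare in constant time, so the
    # comparison itself does not leak how many bytes matched.
    candidate = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    pw = "correct horse battery staple"
    print("weak, user A:  ", store_weak(pw))
    print("weak, user B:  ", store_weak(pw))      # identical: reuse is visible
    a, b = store_strong(pw), store_strong(pw)
    print("strong, user A:", a["hash"])
    print("strong, user B:", b["hash"])           # differ thanks to the salt
    print("login ok:", verify_strong(pw, a),
          "wrong pw:", verify_strong("hunter2", a))
```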

And Passwords Get Stolen

It was a busy year

And Bad Choices Are Made

How Passwords Get Stolen

• Phishing or…
• Site attacked – many methods
• Encrypted pw file downloaded (should be more difficult!)
• Over time, attackers crack the file
• What does that get them?

• Avg. web user has:
- 25 separate accounts but
- 6.5 unique passwords
Password reuse – not good

• So…

Passwords

Password Self-Defense

Tips for Home:

1. Choose good (long) passwords

2. Don’t reuse passwords

3. Use a Password Vault

4. Only enter on secure sites

Password Self-Defense

5. Care with “secret” questions

6. Care with linking accounts

7. Login notifications

8. 2-step authentication

9. Use separate email addresses

Password Self-Defense

Tips for the Office:

1. No one will ask for your password

2. Choose a good (long) password

3. Follow the policy

4. Don’t use a work password on a non-work system

Handouts

• Password Self-Defense tips and resources

Password Self-Defense

Tips

1. Don’t reuse passwords

The average online user needs passwords for 25 different websites and services, but uses only 6.5 different passwords. If one site gets compromised it can expose your password for another (perhaps more important) site.

2. Only enter on secure sites

Look for https:// in the address bar and a lock symbol to assure your passwords are kept confidential when traveling across the Internet.

3. Login notifications

Some sites will tell you when you last logged in, or alert you if it looks like your account was logged in to from another country. Some sites also let you block such logins.

4. Choose good (long) passwords

Length is more important than complexity! Choose passwords of 16-20 characters or longer where the site allows it. If you use 20 or more characters, you can use all letters (upper and lower case).

Tips

5. Vault it

Password vaults are a great way to store all your passwords. Make sure you choose a good long master password and don’t forget it! Some great password vaults include: LastPass, 1Password, PasswordSafe and KeePass.

6. Care with “secret” questions

Many sites use “secret” questions to help identify you if you forget your password. Choose questions and answers that people can’t just look up on Facebook! Your place of birth, high school mascot, and other common information are not good choices. Or… you could provide fake answers to common questions. Just be sure you know what answers you give!

7. Care with linking accounts

Don’t just log into every site using your Facebook or Twitter logins (when available). If either of those accounts gets compromised, you could lose a lot more than just the one (or two) accounts.

Tips

8. Write down your passwords

What??? You were always told not to do that! Well, your best option is using a password vault, but you can write down your passwords. Here are the “rules”: don’t write down what they’re for; keep them with your money (you already know how to protect that!); and, for extra credit, insert “fake” characters into the password. These are extra characters that you know aren’t really part of the password but someone else would not.

9. 2-step authentication

Google (Google Authenticator), eBay, PayPal, Dropbox, Facebook and other sites now allow 2-factor or 2-step authentication. It’s a bit more complicated to set up but definitely worth it. See the individual sites for info.

10. Use separate email addresses

If you use the same email account to associate with all your online accounts, then a hacker can own you online by compromising that email account. For instance, most online sites will send a confirmation email to your associated address if a change is made or to process a password change. If you can use different email addresses, then having one compromised won’t affect all your other online accounts.