Harvard Townsend IT Security Officer harv@ksu October 31, 2007 Revised January 11, 2008
description
Transcript of Harvard Townsend IT Security Officer harv@ksu October 31, 2007 Revised January 11, 2008
Choosing the Right Wand(or for those who like boring titles – Managing Account Passwords: Policies and Best Practices)
Harvard TownsendIT Security [email protected] 31, 2007Revised January 11, 2008
Whose responsibility is it?
“Security is not just the CIO’s problem; it is everyone’s problem. And everyone is responsible for the solution.”
Diane Oblinger
Brian Hawkins
EDUCAUSE
2
TJX Inc. now understands…
3
Agenda Authentication and authorization eID password
What’s the big deal? Threats to passwords Policies Why do we have to change it twice a year? Writing it down
Tips for choosing a strong password Managing multiple accounts/passwords Cautions about Windows storing
passwords 4
Authentication & Authorization
Authentication (AuthN) – verify who you are
Authorization (AuthZ)– determine what you are allowed to do
Your eID (or other username) and password provide authentication
After authN, the system or application determines what you can access (authZ)
5
Forms of Authentication 4-digit PIN Username/Password Challenge-Response Two-factor Authentication
Two different methods required to authN Something you know plus something you
have (e.g., bank card + PIN) Biometrics (e.g., thumbprint reader) Passphrase One-time passwords Digital signature
Strong
Weak
6
eID Password
What’s the big deal? HRIS self-service E-mail KATS/iSIS K-State Online Oracle Calendar K-State Single-Sign-On environment Access to licensed software, databases SGA elections University Computing Labs Student access to network in residence halls
7
Threats to Passwords
Keyloggers – a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords
“Sniffing” the network – someone intercepting network traffic; wireless networks particularly vulnerable
Malware that gives the hacker full control of a computer and access to anything on it
Internet cafés – a favorite target for hackers to use keyloggers or other forms of malware
Hackers stealing passwords from a compromised server Password “cracking” - a hacker being able to guess your
password Programs to do this are readily available on the Internet Faster computers make this easier
8
Threats to Passwords
Phishing – tricking you into providing account information“Shoulder surfing” – someone looking over your shoulder as you type
Web browsers storing your password – is easy for someone else using your computer to see your password(s)
Typing your password into the wrong place on the screen
Sharing your password with a “friend” Giving your password to someone who is
helping you with a computer problem 9
eID Password Policies
Why do you have to change it? Is standard best practice It could be worse! (most standards
specify a change every 30-90 days) The longer you have the same password
the more likely someone will discover it (because of the threats just discussed)
Changing it limits the amount of time a hacker can wreak havoc in your life
http://www.k-state.edu/policies/ppm/3430.html#require
10
eID Password Policies
Do not share it… with anyone! Do not use it for non-university accounts
Such as hotmail, amazon.com, bank Is okay for departmental servers (not ideal, but
acceptable risk) Can I write it down?
“Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.”
http://www.k-state.edu/policies/ppm/3430.html#require
11
eID Password Policies
These apply to ALL K-State passwords, not just the eID
Enable the password on your screen saver
Lock your computer screen when you leave it unattended
http://www.k-state.edu/policies/ppm/3430.html#require
12
Hints for Choosing a Strong (eID) Password
7-8 characters in length Limits your choices Maximum length will increase in the future to
give you more choices and allow passphrases
General rule – hard to guess, easy to remember (strong, memorable)
Let eProfile (eid.ksu.edu) choose one for you (not ideal since is random, so you will likely write it down)
13
Hints for Choosing a Strong (eID) Password Use character/word substitutions
“2” instead of “to/too” “4” for “for” “4t” for “Fort” “L8” for “late” (r8, g8, b8, d8, etc.) “r” for “are” “u” for “you” “$” for “S” “1” (one) for “l” (el) or “i” (eye) “!” for “1”, “l”, or “i”
14
Hints for Choosing a Strong (eID) Password Capitalize letters where it makes
sense to get upper/lower case mix Take a phrase and abbreviate it:
2Bor~2b! = “To be, or not to be” Watch custom license plates for ideas
im4KSU2 (and add punctuation, like “!”)
15
Hints for Choosing a Strong (eID) Password
Use a password strength meter:http://www.securitystats.com/tools/password.phphttp://www.microsoft.com/protect/yourself/password/checker.mspx
Gotchas: Avoid space character Beware of special characters that are not on
foreign keyboards ($) What are your tips and tricks?
16
Steps to create a strong, memorable password
http://www.microsoft.com/protect/yourself/password/create.mspx
1. Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old”
2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters), do so.
17
Steps to create a strong, memorable password
3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each to create a new, nonsensical word. Using the example above, you'd get: “msaityo”
4. Add complexity Mix uppercase and lowercase letters and numbers. Swap some letters or intentionally misspell.
“My SoN Ayd3N is 3 yeeRs old”
18
Steps to create a strong, memorable password
5. Substitute some special characters Add punctuation (“!”, “;”, “()”, etc.) Use symbols that look like letters
“$” for “S”, “3” for “E”, “1” for “i”, “@” for “a” Combine words (remove spaces).
“MySoN 8N i$ 3yeeR$ old;” or “M$8ni3y0;”
6. Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)
19
Acct/Password Categories
Ideal = different password for each acct Acceptable = different password for
each type of account1. eID and some other K-State accounts
2. Financial accounts
3. Online shopping (if stores credit card info)
4. All others
20
Managing Your Passwords
Try to remember them all? Have someone younger than you help
you remember them all? Write them all down?
OK if keep in private place, like purse/wallet Write down a hint, not actual password
Web browser? Use a tool like Password Safe?
http://passwordsafe.sourceforge.net/ 21
Don’t Let Windows Store Your eID or Banking Passwords
22
Windows Passwords Windows stores encrypted passwords in several
formats: LAN Manager (“LANMAN”) NTLMv1 NTLMv2
LANMAN is particularly insecure Stored in two 7-character pieces that can be cracked
independently Converts all characters to upper case No “salt” used so the “hash” is the same for a given
string of characters – easy to build a table of hash values for a list of possible passwords for comparison
Thus prone to brute force password attacks Once hacker cracks LANMAN, cracks NTLM by
trying all upper/lower case combinations 23
Windows Passwords
Windows 2000 and newer do not use LANMAN, but store it by default for backwards compatibility
Samba uses LANMAN – it’s holding us back… but not for long
Windows does NOT store the LANMAN form if the password > 14 characters long
Best practice – make Windows Administrator account passwords > 14 characters
Or use Windows Vista since it doesn’t store the LANMAN hash
24
Windows Passwords
Disable storing the “LANMAN hash” on Windows computers, if possible
This may break some applications (like Samba) Is done with a “group policy” object called
“NoLMHash” (note – changing this switch does not remove LM hashes already stored)
Or edit the Registry
See:http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&
25
What’s on your mind?
26