Transcript Document

MAKING
GOOD
PASSWORDS
(AND HOW TO KEEP THEM SAFE)
BUT PASSWORD MANAGEMENT
IS HARD
WHY CAN’T WE USE
EASY PASSWORDS?
THIS IS A GRAPHICS CARD
It’s cheap and good at playing video games.
Just about every teenager has access to one.
It’s also very good at cracking your password.
“A $1000 computer can process 3.3 billion
passwords per second… a professional can
make thousands of dollars a day selling your
information on the black market.” (PCPro.com)
IT’S JUST A MATTER OF TIME
Dictionary Attacks:
• “GoBuffs!” a couple minutes
• “P@$$w0rd1” a couple hours
Brute Force:
• “fjR8n” in 24 seconds
• “%fjR8nQNUc5GPj9” would take over ten years
*Extra credit: at 15 characters or more, Windows can no
longer store the legacy LM hash of a password (LM only
handles up to 14 characters), which breaks the attacks
that target that weak hash.
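An added example (not part of the deck): the rule-based dictionary attack the slide describes, written in Python. It takes a short constructed wordlist, mangles every word with case changes, the deck’s own letter-substitution table and a few common suffixes, hashes each candidate with unsalted SHA-1 (the scheme behind the LinkedIn dump mentioned later in the deck) and compares it with the target hashes. Two of the slide’s example passwords fall out of the rules; the random 15-character one does not, and a keyspace calculation shows why. The wordlist, the suffix set and the 3.3 billion guesses per second rate are this example’s assumptions (the rate is the one the deck quotes).

```python
import hashlib
import itertools
import string

# Constructed wordlist (not from the deck): the kind of entries found in real
# cracking dictionaries, including a local slogan written the way fans write it.
WORDLIST = ["password", "letmein", "GoBuffs", "tacos"]

# The substitution table from the deck's own slide: A->@, E->3, S->$, I->!, O->0, K->|<, C->(
LEET = {"a": "@", "e": "3", "s": "$", "i": "!", "o": "0", "k": "|<", "c": "("}

# Suffixes attackers append when a policy demands a digit or symbol (assumed set).
SUFFIXES = ["", "1", "!", "1!", "123", "2013"]


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 of a candidate: the scheme behind the 2012 LinkedIn dump."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def case_variants(word: str):
    """lower, Capitalised, UPPER, plus the word exactly as written in the list."""
    return sorted({word.lower(), word.capitalize(), word.upper(), word})


def leet_variants(word: str):
    """Every way of applying or not applying the table to each substitutable
    letter: a word with n such letters yields 2**n variants."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, flip in zip(positions, mask):
            if flip:
                chars[pos] = LEET[word[pos].lower()]
        yield "".join(chars)


def candidates(word: str):
    """All mangled forms of one dictionary word: case x substitution x suffix."""
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                yield leeted + suffix


def dictionary_attack(target_hashes, wordlist=WORDLIST):
    """Return {hash: plaintext} for each target hash recovered from the wordlist."""
    remaining = set(target_hashes)
    recovered = {}
    for word in wordlist:
        for cand in candidates(word):
            if not remaining:
                return recovered
            digest = sha1_hex(cand)
            if digest in remaining:
                recovered[digest] = cand
                remaining.remove(digest)
    return recovered


def brute_force_keyspace(password: str) -> int:
    """Number of strings an exhaustive search must cover: the combined size of
    the character classes the password actually uses, raised to its length."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float = 3.3e9) -> float:
    """Worst-case brute-force time at the rate the deck quotes (3.3 billion/s)."""
    return brute_force_keyspace(password) / guesses_per_second


if __name__ == "__main__":
    # Constructed "leak": unsalted SHA-1 hashes of the deck's example passwords.
    leaked = [sha1_hex(p) for p in ("GoBuffs!", "P@$$w0rd1", "%fjR8nQNUc5GPj9")]
    hits = dictionary_attack(leaked)
    for digest in leaked:
        print(digest[:12], "->", hits.get(digest, "not produced by the rules"))
    for pw in ("fjR8n", "%fjR8nQNUc5GPj9"):
        secs = seconds_to_exhaust(pw)
        print(f"{pw!r}: {brute_force_keyspace(pw):.3g} guesses, "
              f"{secs:.3g} s ({secs / 31_557_600:.3g} years) at 3.3e9/s")
```

Run it and the two human-made passwords are recovered from a four-word list, while the random one is out of reach of both the rules and an exhaustive search (94^15 guesses, roughly 4 trillion years at 3.3 billion per second). The time for any given password depends entirely on the guess rate assumed: at the rate the deck quotes, “fjR8n” falls in well under a second rather than 24 seconds.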
HACKING IS BIG BUSINESS
2011 = $12.5 billion in reported losses
Some estimates put that number
closer to 10 times as much.
www.hotforsecurity.com
HOW DO HACKERS GET
YOUR PASSWORD?
Physical access to your office or computer
Social Engineering/Phishing (asking nicely)
Hacking commonly used sites
Malware Infections
Network based attacks
LOSING YOUR
PASSWORDS SINCE 1978
“SECURING YOUR PASSWORD
DOESN’T MEAN USING TAPE”
Under Keyboard
In a Rolodex
Top desk drawer
Under desk calendar
In the planter
Wallet/Purse/Gym Bag
NOW THAT YOU KNOW
WHERE PEOPLE HIDE THEIR
PASSWORDS
DON’T DO IT
SURE, LONG PASSWORDS ARE
SECURE BUT I CAN’T REMEMBER
THEM….
MAKING MEMORABLE PASSWORDS
REQUIRES THOUGHT
ABBREVIATE
I like taking the bus, but I ended
up 20 minutes late!
Becomes:
Ilttb,bIeu20ml!
(15 characters)
LETTER
SUBSTITUTION
Create a long word or phrase:
I Like To Eat Tacos
Remove spaces:
ILikeToEatTacos
Replace letters with symbols:
IL!k3T0e@tT@c0$
A FEW SUBSTITUTION
SUGGESTIONS
Letter   Becomes
A        @
E        3
S        $
I        !
O        0
K        |<
C        (
WORD JUMBLE
Take two words:
Bot & Kneecap
Scramble a few letters:
Bocat_&_Kneep
Add Complexity:
54
Bocat_&_Kne54ep
KEYBOARD PATTERNS
Use the Shift Key to Add Complexity
Becomes:
5^YghjkmnbVCX
Use with caution, easy ones are in dictionary attacks!
OK, SO I’VE GOT A GREAT
PASSWORD, I’LL JUST KEEP
USING THAT ONE RIGHT?
REUSED PASSWORDS
ARE DANGEROUS
LINKEDIN LOST 6.4 MILLION
USERS’ PASSWORDS
Hackers can use those passwords to commit
identity fraud including:
• Hack into corporate accounts
• Break into bank accounts
• Spam email accounts
• Gather more info for offline use (Credit Cards)
LinkedIn is now facing a $5 million class action
lawsuit over the loss.
PRO TIP: MAKING PASSWORDS
UNIQUE TO EACH SITE
Have a secure base password:
5^YghjkbVCX
Select two letters from the site or
program:
usbank.com (2nd & 4th in this case)
Add those letters to your password:
5^YghjsakbVCX
WAIT A MINUTE… THIS SITE
WANTS ME TO CHANGE IT NOW…
Today’s date:
1/11/13
Pick a couple characters of the date: 11
Shift the numbers (+3 in this case):
44
Add those numbers to your password
5^YghjsakbVCX
becomes 5^YghjsakbVCX44
Write down when you last changed the password.
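An added example (not from the deck): the two derivation steps above as Python code, using the deck’s base password, its splice point after “5^Yghj”, the 2nd and 4th letters of the site name and the +3 digit shift. The wrap-around past 9 back to 0 and the recover_base function are this example’s additions. recover_base shows the catch in the scheme: anyone holding one of these passwords together with the site it belongs to can strip the site letters and has the base for every other site, which is why the random, unrelated passwords a password manager generates are the safer tool.

```python
from typing import Optional

BASE_PASSWORD = "5^YghjkbVCX"   # the deck's base password
INSERT_AT = 6                    # the deck splices the site letters in after "5^Yghj"
SITE_POSITIONS = (2, 4)          # 1-based: 2nd and 4th character of the site name
DATE_SHIFT = 3                   # the deck adds 3 to each chosen date digit


def site_letters(site: str, positions=SITE_POSITIONS) -> str:
    """Pick the chosen 1-based positions from the site name: 'usbank.com' -> 'sa'."""
    return "".join(site[p - 1] for p in positions)


def site_password(site: str, base: str = BASE_PASSWORD, insert_at: int = INSERT_AT) -> str:
    """Splice the site letters into the base: '5^Yghj' + 'sa' + 'kbVCX'."""
    return base[:insert_at] + site_letters(site) + base[insert_at:]


def shift_digits(digits: str, shift: int = DATE_SHIFT) -> str:
    """Shift each digit by `shift`. The deck shows 11 -> 44; wrapping past 9
    back to 0 (so 8 -> 1) is this example's assumption, not stated in the deck."""
    return "".join(str((int(d) + shift) % 10) for d in digits)


def rotated_password(site: str, date_digits: str) -> str:
    """Per-site password plus the shifted date digits: '5^YghjsakbVCX' + '44'."""
    return site_password(site) + shift_digits(date_digits)


def recover_base(observed: str, site: str, insert_at: int = INSERT_AT) -> Optional[str]:
    """The attacker's side: given ONE leaked password and the site it was used on,
    check that the site letters sit at the splice point and remove them. What is
    left is the base password shared by every other site."""
    letters = site_letters(site)
    if observed[insert_at:insert_at + len(letters)] != letters:
        return None
    return observed[:insert_at] + observed[insert_at + len(letters):]


if __name__ == "__main__":
    bank = site_password("usbank.com")
    print("usbank.com   :", bank)                          # 5^YghjsakbVCX
    print("after rotation:", rotated_password("usbank.com", "11"))  # 5^YghjsakbVCX44
    # Constructed scenario: the bank password leaks, the attacker knows the site.
    base = recover_base(bank, "usbank.com")
    print("recovered base:", base)
    print("linkedin.com  :", site_password("linkedin.com", base=base))
```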
INSTANT, UNIQUE AND SECURE
PASSWORDS FOR ALL USES
A FEW TOOLS TO
HELP…
PASSWORD
GENERATORS
Many free ones, but be
careful! We suggest
changing the results before
using them.
http://www.pctools.com/guides/password/
PASSWORD MANAGERS
TWO FACTOR AUTHENTICATION
QUESTIONS?
Joe Kuster
IT Projects Manager
[email protected]
IDENTIKEY
Your “username” is the Identikey assigned
to you by the University.
Keep private
Commit to memory
Do not use Username or Password for any
other purpose!
HR IDENTIKEY REQUIREMENTS
15 characters or longer
Avoid repeating characters
No words that can be found in a dictionary (in any
language)
Not easily guessable (e.g., your birthday, age,
anniversary…)
All four character sets: capital, lowercase,
numeric and symbol (e.g., A, a, 1, !)