Password Security

Transcript

1. PASSWORD SECURITY Panggi Libersa Jasri Akadol Scientist at Veritrans Indonesia

2. Objective Agree that strong passwords and password practices contribute to

   protection of identity and privacy ! Discriminate passwords as weak or strong ! Recognize the role of passwords in authentication ! Recognize the relationship between authentication and both identity and privacy

3. Numbers

4. 61% 54% 44% 89% 21% of consumers reuse passwords among

   multiple websites. of consumers only have five passwords or less. of consumers change their passwords only once a year or less. of consumers feel secure with their current password management and use habits. of consumers have had an online account compromised. source: http://www.csid.com/wp-content/uploads/2012/09/CS_PasswordSurvey_FullReport_FINAL.pdf

5. Three fifths of internet users reuse passwords on multiple websites.

   39% 61% Reuse Do not reuse

6. 6% 5% 7% 28% 54% 1 - 5 6 -

   10 11 - 15 16 - 20 20+ More than half of internet users have five passwords or less.

7. None of these Easy to enter Site Requirements Easy to

   remember Strength & Security 0 20 40 60 80 73 57 33 12 1 Strength is the top concern in password creation

8. 8% 24% 12% 31% 20% 5% Once a week Once

   a month Once every 6 months Once a year Less than once a year Never 44% of internet users change their passwords only once a year or less.

9. Had malware steal passwords from computer Been tricked by phising

   sites to reveal passwords Had an online account compromised Had personal info stolen as result of company breach None of above 0 18 35 53 70 65 12 21 6 8 1 in 5 people has had an online account compromised

10. Passwords in the Context of Your Identity and Privacy

11. What is a password? “A password is information associated with

    an entity that confirms the entity’s identity.” Why are passwords needed? • Passwords are used for authentication • Authentication can be thought of as the act of linking yourself to your electronic identity within the system you are connecting to • Your password is used to verify to the system that you are the legitimate owner of the user/account identifier • Commonly referred to as “logging in”

12. Passwords/Identity/Privacy • Attackers who obtain your password can authenticate themselves

    on various systems and in turn … • Access your personal information (invade Your Privacy) • Impersonate you by acting on your behalf (steal Your Identity)

13. YourPassword Identity Privacy

14. Which of the following best describes the reason your password

    is easy to remember: ! A.based on common dictionary words B.based on common names C.based on user/account name D.is short (under 6 characters) QUIZ

15. Unfortunately, the characteristic you have selected also makes your password

    vulnerable to attack thus putting your Identity and Privacy at risk you are not alone

16. • based on common dictionary words • Including dictionary words

    that have been altered: • Reversed (e.g., “terces”) • Mixed case (e.g., SeCreT) • Words with vowels removed (e.g., “scrt”) • based on common names • based on user/account identifier • short (under 6 characters) • based on keyboard patterns (e.g., “qwerty”) • composed of single symbol type (e.g., all numbers) • are difficult for you to remember CHARACTERISTICS OF WEAK PASSWORDS

17. WEAK PASSWORD PRACTICES • recycling passwords • recording (writing down)

    passwords • use of previously recorded passwords (combination of above practices) • use of password on two or more systems/contexts • Especially risky when passwords are reused in low-trust systems (e.g., online gaming) since increased exposure

18. • contain at least one of each of the following:

    • digit (0..9) • letter (a..Z) • punctuation symbol (e.g., !) • are based on a verse (e.g., passphrase) • are easily remembered by you but very difficult (preferably impossible) for others to guess CHARACTERISTICS OF STRONG PASSWORDS

19. STRONG PASSWORD PRACTICES • never recycle passwords • never record

    (write down) a password anywhere • use a different password for each system/context • check for keyboard buffer devices/ software that intercept keystrokes (including password capture) • change password occasionally • change your password immediately if you suspect it has been “stolen”

20. DEMO

21. Self test

22. QUESTION 1 Strong passwords and password practices contribute to protection

    of identity and privacy. A. TRUE B. FALSE

23. strong passwords and password practices do contribute to protection of

    identity and privacy CORRECT!

24. QUESTION 2 Which pair contains both a weak and a

    strong password? A. cs101ra, ME11111 B. WYSIWYG, passwd C. ig*hh4, f9%Wfh D. kirk, on$7mur

25. cs101ra, ME11111 (weak, common), (weak, license #) ! WYSIWYG, passwd

    (weak, common acronym), (weak, common) ! ig*hh4, f9%Wfh (strong), (strong) ! kirk, on$7mur (weak, common name), (strong) CORRECT!

26. Recommendations

27. CONSUMER • DO use long passwords with a mix of

    letters, numbers and symbols. They are hardest to crack. Create passwords that are 10 characters or longer that include uppercase letters, lowercase letters, symbols and numbers. • DO use a unique password for each account and vary the email addresses you use for accounts. • DO NOT store your account information in an unsecured document on your computer or network. • DO NOT share your password — even with friends and family

28. BUSINESS • DO educate employees about the potential consequences for

    poor password habits, as well as proper password creation and management techniques. • DO consider compulsory education for passwords and understand the risk-to-cost ratio for implementing these protocols. • DO monitor employee credentials for compromise, and offer identity monitoring packages to employees and/or customers. • DO research and implement two-factor authentication techniques for online accounts. • DO have a plan in place in case of a company breach.

29. Thanks!