PASSWORD SECURITY
Panggi Libersa Jasri Akadol
Scientist at Veritrans Indonesia
Slide 2
Objective
• Agree that strong passwords and password practices contribute to protection of identity and privacy
• Discriminate passwords as weak or strong
• Recognize the role of passwords in authentication
• Recognize the relationship between authentication and both identity and privacy
Slide 3
Numbers
Slide 4
• 61% of consumers reuse passwords among multiple websites.
• 54% of consumers only have five passwords or less.
• 44% of consumers change their passwords only once a year or less.
• 89% of consumers feel secure with their current password management and use habits.
• 21% of consumers have had an online account compromised.
source: http://www.csid.com/wp-content/uploads/2012/09/CS_PasswordSurvey_FullReport_FINAL.pdf
Slide 5
Three fifths of internet users reuse passwords on multiple websites.
• Reuse: 61%
• Do not reuse: 39%
Slide 6
More than half of internet users have five passwords or less.
• 1 - 5: 54%
• 6 - 10: 28%
• 11 - 15: 7%
• 16 - 20: 5%
• 20+: 6%
Slide 7
Strength is the top concern in password creation
• Strength & Security: 73
• Easy to remember: 57
• Site Requirements: 33
• Easy to enter: 12
• None of these: 1
Slide 8
44% of internet users change their passwords only once a year or less.
• Once a week: 5%
• Once a month: 20%
• Once every 6 months: 31%
• Once a year: 12%
• Less than once a year: 24%
• Never: 8%
Slide 9
1 in 5 people has had an online account compromised
• Had malware steal passwords from computer: 8
• Been tricked by phishing sites to reveal passwords: 6
• Had an online account compromised: 21
• Had personal info stolen as result of company breach: 12
• None of above: 65
Slide 10
Passwords in the Context of Your Identity and Privacy
Slide 11
What is a password?
“A password is information associated with an entity that confirms the entity’s identity.”
Why are passwords needed?
• Passwords are used for authentication
• Authentication can be thought of as the act of linking yourself to your electronic identity within the system you are connecting to
• Your password is used to verify to the system that you are the legitimate owner of the user/account identifier
• Commonly referred to as “logging in”
Slide 12
Passwords/Identity/Privacy
• Attackers who obtain your password can authenticate themselves on various systems and in turn …
• Access your personal information (invade Your Privacy)
• Impersonate you by acting on your behalf (steal Your Identity)
Slide 13
Your Password
Identity
Privacy
Slide 14
QUIZ
Which of the following best describes the reason your password is easy to remember:
A. based on common dictionary words
B. based on common names
C. based on user/account name
D. is short (under 6 characters)
Slide 15
Unfortunately, the characteristic you have selected also makes your password vulnerable to attack, thus putting your Identity and Privacy at risk.
You are not alone.
Slide 16
CHARACTERISTICS OF WEAK PASSWORDS
• based on common dictionary words
  • Including dictionary words that have been altered:
    • Reversed (e.g., “terces”)
    • Mixed case (e.g., SeCreT)
    • Words with vowels removed (e.g., “scrt”)
• based on common names
• based on user/account identifier
• short (under 6 characters)
• based on keyboard patterns (e.g., “qwerty”)
• composed of single symbol type (e.g., all numbers)
• are difficult for you to remember
Slide 17
WEAK PASSWORD PRACTICES
• recycling passwords
• recording (writing down) passwords
• use of previously recorded passwords (combination of above practices)
• use of password on two or more systems/contexts
  • Especially risky when passwords are reused in low-trust systems (e.g., online gaming) because of the increased exposure
Slide 18
CHARACTERISTICS OF STRONG PASSWORDS
• contain at least one of each of the following:
  • digit (0..9)
  • letter (a..Z)
  • punctuation symbol (e.g., !)
• are based on a verse (e.g., passphrase)
• are easily remembered by you but very difficult (preferably impossible) for others to guess
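The weak and strong characteristics from slides 16 and 18, turned into a checker. This is an added example, not part of the original deck; the word list, name list and keyboard rows are small constructed stand-ins, and `weakness_reasons` is a hypothetical name.

```python
import string

# Constructed sample data (assumptions; a real check would load full lists).
WORDS = {"secret", "password", "dragon"}      # stand-in dictionary
NAMES = {"kirk", "alice"}                      # stand-in list of common names
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
VOWELS = set("aeiou")


def strip_vowels(word):
    return "".join(c for c in word if c not in VOWELS)


def weakness_reasons(password, username=""):
    """Return the weak-password characteristics from the slides that apply."""
    reasons = []
    low = password.lower()                     # folds "mixed case" alterations
    if len(password) < 6:
        reasons.append("short")
    # Dictionary word as-is, reversed, or with vowels removed.
    variants = WORDS | {w[::-1] for w in WORDS} | {strip_vowels(w) for w in WORDS}
    if low in variants:
        reasons.append("dictionary word")
    if low in NAMES:
        reasons.append("common name")
    if username and username.lower() in low:
        reasons.append("based on username")
    # Keyboard pattern: 4+ characters running along one row, in either direction.
    if len(low) >= 4 and any(low in r or low in r[::-1] for r in KEYBOARD_ROWS):
        reasons.append("keyboard pattern")
    classes = {
        "digit": any(c in string.digits for c in password),
        "letter": any(c in string.ascii_letters for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    if sum(classes.values()) == 1:
        reasons.append("single symbol type")
    # Slide 18: a strong password contains at least one of each class.
    reasons += ["missing " + name for name, ok in classes.items() if not ok]
    return reasons


if __name__ == "__main__":
    # The slides' own examples plus one constructed passphrase.
    for pw in ("terces", "SeCreT", "scrt", "qwerty", "My cat ate 3 fish!"):
        print(repr(pw), weakness_reasons(pw) or "no weak characteristic found")
```

An empty result only means none of the listed characteristics matched; it does not measure how hard the password is for others to guess.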
Slide 19
STRONG PASSWORD PRACTICES
• never recycle passwords
• never record (write down) a password anywhere
• use a different password for each system/context
• check for keyboard buffer devices/software that intercept keystrokes (including password capture)
• change password occasionally
• change your password immediately if you suspect it has been “stolen”
Slide 20
DEMO
Slide 21
Self test
Slide 22
QUESTION 1
Strong passwords and password practices contribute to protection of identity and privacy.
A. TRUE
B. FALSE
Slide 23
CORRECT!
Strong passwords and password practices do contribute to protection of identity and privacy
Slide 24
QUESTION 2
Which pair contains both a weak and a strong password?
A. cs101ra, ME11111
B. WYSIWYG, passwd
C. ig*hh4, f9%Wfh
D. kirk, on$7mur
CONSUMER
• DO use long passwords with a mix of letters, numbers and symbols. They are hardest to crack. Create passwords that are 10 characters or longer that include uppercase letters, lowercase letters, symbols and numbers.
• DO use a unique password for each account and vary the email addresses you use for accounts.
• DO NOT store your account information in an unsecured document on your computer or network.
• DO NOT share your password — even with friends and family
Slide 28
BUSINESS
• DO educate employees about the potential consequences for poor password habits, as well as proper password creation and management techniques.
• DO consider compulsory education for passwords and understand the risk-to-cost ratio for implementing these protocols.
• DO monitor employee credentials for compromise, and offer identity monitoring packages to employees and/or customers.
• DO research and implement two-factor authentication techniques for online accounts.
• DO have a plan in place in case of a company breach.