Choosing the Right Wand
(or for those who like boring titles – Managing Account Passwords: Policies and Best Practices)
Harvard Townsend, IT Security Officer
harv@ksu.edu
October 31, 2007
Revised January 11, 2008
Whose responsibility is it?
“Security is not just the CIO’s problem; it is everyone’s problem. And everyone is responsible for the solution.”
– Diane Oblinger and Brian Hawkins, EDUCAUSE
TJX Inc. now understands…
Agenda
- Authentication and authorization
- eID password
  - What’s the big deal?
  - Threats to passwords
  - Policies
  - Why do we have to change it twice a year?
  - Writing it down
  - Tips for choosing a strong password
  - Managing multiple accounts/passwords
  - Cautions about Windows storing passwords
Authentication & Authorization
- Authentication (AuthN) – verify who you are
- Authorization (AuthZ) – determine what you are allowed to do
- Your eID (or other username) and password provide authentication
- After authN, the system or application determines what you can access (authZ)
Forms of Authentication (from weak to strong)
- 4-digit PIN
- Username/Password
- Challenge-Response
- Two-factor Authentication
  - Two different methods required to authN
  - Something you know plus something you have (e.g., bank card + PIN)
  - Biometrics (e.g., thumbprint reader)
- Passphrase
- One-time passwords
- Digital signature
eID Password – What’s the big deal?
- HRIS self-service
- E-mail
- KATS/iSIS
- K-State Online
- Oracle Calendar
- K-State Single-Sign-On environment
- Access to licensed software, databases
- SGA elections
- University Computing Labs
- Student access to network in residence halls
Threats to Passwords
- Keyloggers – a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords
- “Sniffing” the network – someone intercepting network traffic; wireless networks particularly vulnerable
- Malware that gives the hacker full control of a computer and access to anything on it
- Internet cafés – a favorite target for hackers to use keyloggers or other forms of malware
- Hackers stealing passwords from a compromised server
- Password “cracking” – a hacker being able to guess your password
  - Programs to do this are readily available on the Internet
  - Faster computers make this easier
Threats to Passwords (continued)
- Phishing – tricking you into providing account information
- “Shoulder surfing” – someone looking over your shoulder as you type
- Web browsers storing your password – makes it easy for someone else using your computer to see your password(s)
- Typing your password into the wrong place on the screen
- Sharing your password with a “friend”
- Giving your password to someone who is helping you with a computer problem
eID Password Policies
http://www.k-state.edu/policies/ppm/3430.html#require
Why do you have to change it?
- It is standard best practice
- It could be worse! (most standards specify a change every 30-90 days)
- The longer you have the same password, the more likely someone will discover it (because of the threats just discussed)
- Changing it limits the amount of time a hacker can wreak havoc in your life
eID Password Policies (continued)
- Do not share it… with anyone!
- Do not use it for non-university accounts
  - Such as hotmail, amazon.com, bank
  - It is okay for departmental servers (not ideal, but acceptable risk)
- Can I write it down? “Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.”
eID Password Policies (continued)
- These apply to ALL K-State passwords, not just the eID
- Enable the password on your screen saver
- Lock your computer screen when you leave it unattended
Hints for Choosing a Strong (eID) Password
- 7-8 characters in length
  - Limits your choices
  - Maximum length will increase in the future to give you more choices and allow passphrases
- General rule – hard to guess, easy to remember (strong, memorable)
- Let eProfile (eid.ksu.edu) choose one for you (not ideal since it is random, so you will likely write it down)
Hints for Choosing a Strong (eID) Password (continued)
- Use character/word substitutions
  - “2” instead of “to/too”
  - “4” for “for”
  - “4t” for “Fort”
  - “L8” for “late” (r8, g8, b8, d8, etc.)
  - “r” for “are”
  - “u” for “you”
  - “$” for “S”
  - “1” (one) for “l” (el) or “i” (eye)
  - “!” for “1”, “l”, or “i”
Hints for Choosing a Strong (eID) Password (continued)
- Capitalize letters where it makes sense to get an upper/lower case mix
- Take a phrase and abbreviate it:
  - 2Bor~2b! = “To be, or not to be”
- Watch custom license plates for ideas
  - im4KSU2 (and add punctuation, like “!”)
Hints for Choosing a Strong (eID) Password (continued)
- Use a password strength meter:
  - http://www.securitystats.com/tools/password.php
  - http://www.microsoft.com/protect/yourself/password/checker.mspx
- Gotchas:
  - Avoid the space character
  - Beware of special characters that are not on foreign keyboards ($)
- What are your tips and tricks?
Steps to create a strong, memorable password
http://www.microsoft.com/protect/yourself/password/create.mspx
1. Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old”
2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters), do so.
3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word to create a new, nonsensical word. Using the example above, you'd get: “msaityo”
4. Add complexity
   - Mix uppercase and lowercase letters and numbers.
   - Swap some letters or intentionally misspell: “My SoN Ayd3N is 3 yeeRs old”
5. Substitute some special characters
   - Add punctuation (“!”, “;”, “()”, etc.)
   - Use symbols that look like letters: “$” for “S”, “3” for “E”, “1” for “i”, “@” for “a”
   - Combine words (remove spaces): “MySoN 8N i$ 3yeeR$ old;” or “M$8ni3y0;”
6. Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)
Acct/Password Categories
- Ideal = different password for each acct
- Acceptable = different password for each type of account
  1. eID and some other K-State accounts
  2. Financial accounts
  3. Online shopping (if stores credit card info)
  4. All others
Managing Your Passwords
- Try to remember them all?
- Have someone younger than you help you remember them all?
- Write them all down?
  - OK if kept in a private place, like purse/wallet
  - Write down a hint, not the actual password
- Web browser?
- Use a tool like Password Safe? http://passwordsafe.sourceforge.net/
Don’t Let Windows Store Your eID or Banking Passwords
Windows Passwords
- Windows stores encrypted passwords in several formats:
  - LAN Manager (“LANMAN”)
  - NTLMv1
  - NTLMv2
- LANMAN is particularly insecure
  - Stored in two 7-character pieces that can be cracked independently
  - Converts all characters to upper case
  - No “salt” used, so the “hash” is the same for a given string of characters – easy to build a table of hash values for a list of possible passwords for comparison
  - Thus prone to brute force password attacks
  - Once a hacker cracks LANMAN, they crack NTLM by trying all upper/lower case combinations
Windows Passwords (continued)
- Windows 2000 and newer do not use LANMAN, but store it by default for backwards compatibility
- Samba uses LANMAN – it’s holding us back… but not for long
- Windows does NOT store the LANMAN form if the password is > 14 characters long
- Best practice – make Windows Administrator account passwords > 14 characters
- Or use Windows Vista since it doesn’t store the LANMAN hash
Windows Passwords (continued)
- Disable storing the “LANMAN hash” on Windows computers, if possible
  - This may break some applications (like Samba)
  - It is done with a “group policy” object called “NoLMHash” (note – changing this switch does not remove LM hashes already stored)
  - Or edit the Registry
  - See: http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&
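To put numbers on the weaknesses the three Windows Passwords slides list, here is an added Python example that is not part of the presentation: it reproduces LANMAN's preprocessing (upper-casing, NUL padding, the two 7-byte halves, and no LM hash at all beyond 14 characters) and compares the resulting search space with that of a case-sensitive 14-character password. The DES step of the real hash is left out, the input is assumed to be ASCII, and the alphabet sizes (95 printable ASCII, 69 after case folding) are this example's assumptions.

```python
import math

LM_MAX_LEN = 14  # LANMAN hashes at most 14 characters...
LM_HALF = 7      # ...as two independent 7-character halves

def lm_preprocess(password: str):
    """Mimic what LANMAN does before hashing: upper-case, pad with NULs to
    14 bytes, split into two 7-byte halves. Returns None when Windows would
    not store an LM hash at all (password longer than 14 characters).
    Assumes ASCII input; the real algorithm uses the OEM code page."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().encode("ascii", "replace").ljust(LM_MAX_LEN, b"\x00")
    return padded[:LM_HALF], padded[LM_HALF:]

def lm_collides(a: str, b: str) -> bool:
    """No salt: passwords with identical LM input get identical stored hashes,
    so any two that differ only in letter case are indistinguishable."""
    pa, pb = lm_preprocess(a), lm_preprocess(b)
    return pa is not None and pa == pb

def case_variants_after_lm(password: str) -> int:
    """Once the (all upper-case) LM halves are known, the case-sensitive NTLM
    password is one of only 2**letters case combinations, as the slide says."""
    return 2 ** sum(ch.isalpha() for ch in password)

def lm_search_bits(alphabet_size: int = 69) -> float:
    """Work to exhaust the LM space: each 7-character half is searched on its
    own over the case-folded alphabet (95 printable ASCII minus the 26
    lower-case letters = 69, an assumed figure), and the two halves add up
    rather than multiply."""
    return math.log2(2 * alphabet_size ** LM_HALF)

def full_search_bits(length: int = LM_MAX_LEN, alphabet_size: int = 95) -> float:
    """Work to exhaust a case-sensitive, unsplit 14-character password space."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(lm_preprocess("Password1"))             # (b'PASSWOR', b'D1\x00\x00\x00\x00\x00')
    print(lm_collides("Password1", "pASSWORD1"))  # True
    print(case_variants_after_lm("Password1"))    # 256
    print(f"LM ~2^{lm_search_bits():.1f} vs full ~2^{full_search_bits():.1f} tries")
```

The NoLMHash switch the last slide refers to is the registry value NoLMHash (DWORD = 1) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, described in the KB article linked above; as the slide notes, it only stops the LM hash from being stored at the next password change.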
What’s on your mind?