The Simplest Security A Guide to better Password Practices – DSO

The Simplest Security
A Guide to better Password
Practices
Provided By: Utah Education Network – DSO
Terms of Use

Use of this presentation is granted to education and nonprofit entities for education in security topics as described herein. The following limitations and restrictions apply:
• The content of this presentation remains unchanged from its original published format, except for updates to the content for accuracy or current tactics/trends.
• Any changes made to the presentation are understood to not be the original work of the author, and noted in the presentation as such.
• Credit to the author is retained as-is in the original presentation format.
• Use by “for profit” or “commercial” entities must be granted permission by the author, and is subject to further restrictions.
A Refresher – Password Usage

Passwords are Annoying
• Need passwords for everything
• Difficult to come up with one we can remember
• Procrastinate changing them
• Oh the PAIN!
A Refresher – Password Usage

Passwords are often the First and ONLY defense against intrusion
• They protect Personal and Company information

Passwords are simple and cheap

Define “Password”
Password Cracking

Cracking is the process of figuring out or breaking passwords in order to gain unauthorized access.

Most Passwords can be cracked easily
• It’s Much easier than you think
• Dictionary Cracking
• Brute Force Cracking
Password Cracking

Literally Hundreds of tools to crack passwords

Social Engineering of Passwords
• The “Post-it™” Note
• “Under the Keyboard”
• Over the Phone
• What ABOUT You?
Password Cracking

Other technological ways of getting passwords
• Cleartext vs. Encrypted Passwords
• Network Sniffers

It is Possible and even Likely that someone knows at least one of your passwords right now.
Choosing Good Passwords
What NOT to use

The Don’ts
• No Dictionary words
  • nimda (Backwards ‘admin’)
  • Difficult to figure out but NO Match for Crackers or Brute Force Guessers.
• No Proper Nouns
• No Foreign Words
  • Foreign Dictionaries Exist too. Even Japanese.
Choosing Good Passwords
No Personal Information

It is easy for hackers to social engineer personal information about you.
• The Dumpster Dive for personal info.

Don’t include personal information in your passwords.
• Birthdates, Anniversary, Phone Numbers
• Pet Names, Nicknames, Name of Family Members
Choosing Good Passwords
Length, Width and Depth

Length
• Probability dictates that the longer the password is, the more difficult it will be to crack. Simply put, Longer is Better.
• Recommendations:
  • Between 6 to 8 Characters in Length
  • Greater length is better if the OS can support it.
  • Shorter passwords should be avoided
Choosing Good Passwords
Length, Width and Depth

Width
• Width is the variation of characters used in a password.
• Don’t just consider the Alphabet. There are also Numbers and Special Characters.
• Case Sensitive Passwords, ALT Characters, Spaces should also be considered.
Choosing Good Passwords
Length, Width and Depth

Width
• As a General Rule the following character sets should all be included in every password
  • Uppercase letters such as A, B, C
  • Lowercase letters such as a, b, c
  • Numerals such as 1, 2, 3
  • Special Characters such as %, $, #, !, *
  • ALT Characters such as Є, ψ, Ω, β
    • May not be supported by some OS’s
Choosing Good Passwords
Length, Width and Depth

Depth
• Depth refers to choosing a password with a challenging meaning.
• A Good Password is easy to remember but Hard to guess
• Stop thinking in terms of PassWORDS, and start thinking in terms of Phrases.
• Mnemonic Phrases allow the creation of complex passwords without the need to write them down.
Choosing Good Passwords
Length, Width and Depth

Depth
• Examples of Mnemonic phrases include a phrase spelled phonetically:
  • Such as: ‘ImuKat!’ (instead of ‘I’m a cat!’)
  • Or: ‘qbfjold*’ (quick brown fox jumped over the lazy dog)
• You may want to choose a phrase of personal meaning (Not Personal Info)
• Substitutions of characters are useful, like using “3” for the letter “E”
  • Such as: M@gaZyn3 (Magazine)
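The Don’ts, Length, Width and Depth rules from the preceding slides, put into one checker as an added Python example (not part of the original presentation). The six-word DICTIONARY and the 8-character floor are constructed assumptions; a real checker would load full English and foreign-language wordlists.

```python
import math
import string

# Constructed mini wordlist standing in for the dictionaries crackers use (assumption:
# a real checker would load full English and foreign-language lists).
DICTIONARY = ("admin", "dragon", "magazine", "password", "secret", "welcome")

# The four character classes the deck says every password should draw from.
CHARSETS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numerals": set(string.digits),
    "special": set(string.punctuation),
}


def check_password(pw, personal_info=(), min_len=8):
    """Return the rules a password breaks; an empty list means it passes all of them."""
    findings = []
    low = pw.lower()
    # Length: the deck recommends 6-8 characters; min_len=8 is the top of that range (assumption).
    if len(pw) < min_len:
        findings.append(f"too short ({len(pw)} < {min_len})")
    # Width: uppercase, lowercase, numerals and special characters should all be present.
    for name, chars in CHARSETS.items():
        if not any(c in chars for c in pw):
            findings.append(f"missing {name}")
    # Don'ts: no dictionary words, forwards or backwards ('nimda' is 'admin' reversed).
    for word in DICTIONARY:
        if word in low or word[::-1] in low:
            findings.append(f"contains dictionary word '{word}'")
    # Don'ts: no personal information (birthdates, pet names, phone numbers ...).
    for item in personal_info:
        if item.lower() in low:
            findings.append(f"contains personal info '{item}'")
    return findings


def brute_force_bits(pw):
    """Length x width as search-space bits: log2(alphabet_size ** length).
    The alphabet is the sum of the standard classes actually used; ALT (non-ASCII)
    characters are not counted because their alphabet depends on the OS."""
    alphabet = sum(len(chars) for chars in CHARSETS.values() if any(c in chars for c in pw))
    if not pw or alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)
```

`check_password("M@gaZyn3")` returns an empty list, while `check_password("nimda")` reports the reversed dictionary word along with the missing length and classes.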
Extra Protection

All of the good Password Crackers include Foreign words, backwards words, etc.

But the easiest way to get a Password is to steal it!
• It’s easier to never give it away
Extra Protection

In some cases, a Good password is enough to keep intruders out.

In other cases, it’s just a start. The use of further protection is necessary.
• Encryption
  • Means Garbling the password to protect from sniffers or other onlookers.
• One Time Passwords
  • Means just what it says: using a password that is only good once.
Extra Protection

Users should avoid the use of the same password on multiple systems.
• Doing this creates a single point of failure.

Users should not share passwords with Anyone.
• If someone else needs access, they should get their own account to the system.
• System Admins should Never ask you for your password.
• NEVER Share a password to anyone over the phone. Not even with a “System Administrator”
Extra Protection

Exercise extreme caution when writing down or storing passwords.
• Dumpster Diving, Shoulder Surfing.

Choose passwords that are easy to remember so that they don’t need to be written down.
Changing and Storing Passwords

To ensure effectiveness, passwords should be changed on a regular basis.
• Changing Passwords is Generally Simple. Ask your systems admin if you need help.
• Change Passwords as CLOSE to the Account as possible
• Don’t let anyone watch while you type in your password
• If possible, the password should be changed over a secure connection like a Secure Shell (SSH)
Changing and Storing Passwords

How often do you change passwords (General Rule)
• Financial or SIS Accounts – 1-2 Months
• Network Passwords – 2-3 Months
• Just use Good Judgment “Don’t Be Lazy”
  • All Passwords should Never be over 4 Months old.

Changing a password is relatively quick and painless compared to the irritating and expensive process of Hacked Systems Recovery, or Identity Theft.
Tips for Organizations And Network Admins

Strong Password Policies
• Require the Best Practices in Password Management
• Educate users on how easy it is for someone to get their password.
  • Social Engineering
  • Online Attacks, etc.
  • New Users should be taught Good password practices
• The Password Policy should be integrated into the overall Security policy of the organization.
Tips for Organizations And Network Admins

• Implement safeguards to ensure systems are using Strong Passwords. (PAM)
• Set Password Expiration Dates according to account type and access to services.
• Keep Password history to prevent reuse, Lock accounts with 3-5 Bad attempts
• Fewer people with access is better
• Remove accounts for people who have left.
• ALWAYS Change the default passwords to systems you install.
References

The Simplest Security: A Guide To Better Password Practices
by Sarah Granger
http://www.securityfocus.com/infocus/1537
Compiled and Updated by Troy Jessup
Utah Education Network – Departmental Security Office
http://www.uen.org/security
Armstrong, Del and Simonson, John: “Password Guessing” and “Password Sniffing,” An Intro to Computer Security, School of
Engineering & Applied Sciences, University of Rochester, Oct. 25, 1996.
http://www.seas.rochester.edu:8080/CNG/docs/Security/security.html
Belgers, Walter: “UNIX Password Security,” JANET-CERT, Dec. 6, 1993.
http://www.ja.net/CERT/Belgers/UNIX-password-security.html
Cliff, A.: “Password Crackers - Ensuring the Security of Your Password”, Security Focus, Feb. 19, 2001.
http://www.securityfocus.com/infocus/1192
Cons, Lionel: CERN Security Handbook (Practical computer security for CERN users), Version 1.2, 12 December 1996.
http://consult.cern.ch/writeups/security/security_3.html#SEC7
Donovan, Craig: “Strong Passwords,” SANS Institute, June 2, 2000. http://www.sans.org/infosecFAQ/policy/password.htm
Garfinkel, Simson and Spafford, Gene: Practical UNIX Security, O’Reilly & Associates, Inc. Sebastopol, CA, 1991 & 1996.
MacGregor, Tina: “Password Auditing and Password Filtering to Improve Network Security”, SANS Institute, May 13, 2001.
http://rr.sans.org/authentic/improve.php
“Password Security: A Guide for Students, Faculty, and Staff of the University of Michigan,” University of Michigan, Information
Technology Division, Reference R1192, Revised April 1997.
http://www.umich.edu/~policies/pw-security.html
Russell, Deborah and Gangemi Sr., G.T.: Computer Security Basics, O’Reilly & Associates, Inc. Sebastopol, CA, 1991.
Thomas, Stephen: “Popular Myths on Password Authentication,” 2600, Summer 2001
http://www.2600.com
Visser, Joe: “On NT Password Security,” Open Solution Providers, 1997.
http://www.osp.nl/infobase/ntpass.html
PLEASE DO NOT REMOVE THESE REFERENCES FROM THE PRESENTATION