Powerpoint Available - Kansas State University

So Many Passwords…
IT Security Roundtable
January 15, 2010
Harvard Townsend
Chief Information Security Officer
harv@ksu.edu
Agenda
- So many passwords, so few brain cells…
- Threats to passwords
- Which ones are important?
- eID password (importance, rules, policy)
- Definitions (password, passphrase, etc.)
- Choosing a good password
- Misc. cautions/tips/tricks
- Q&A
My accts/passwords:
- K-State (eID, my office computer, my laptop, several servers, Bluecoat PacketShaper, PGP encryption, TrueCrypt encryption, Trend Micro OfficeScan servers, Trend Micro support portal, Zimbra customer care portal, Zimbra “security” shared account, LISTSERV, State of KS employee self-service, HealthQuest health screening, IT Tuesday news authoring, IT Security Threats blog, network usage graphs)
- Shopping (PayPal, amazon.com, expedia.com, iTunes, REI)
- Financial (checking acct, two savings accounts, ATM PIN, retirement accts, credit cards, health insurance, flexible health spending acct, auto loan, home mortgage)
- Other personal (cell phone, cell phone provider, Internet provider, cable TV, Netflix, Pandora, Skype, Facebook, Gmail, Yahoo!, Flickr, K-Tag, mission work, charitable organizations, Manhattan Mercury, State Dept (travel advisories), several airline frequent flier accts, UFM, trails.com, job applications, etc.)
What’s a feller to do?
- Same password everywhere?
  - PLEASE, NO!!!
  - If one is compromised, all are compromised
  - Different systems have different pw rules
  - Violates K-State policy about eID passwords
- Rely on your memory?
  - Value is inversely proportional to your age!
  - You’ll often click on “Forgot Your Password?” links!
- Write ‘em down?
  - Risky, but not out of the question if you keep the note in a safe place (NOT your desk pencil drawer)
  - Bigger issue is the quantity of passwords you have to remember
  - Generally considered a bad idea
What’s a feller to do?
- Let your browser store them all?
  - OK for some passwords, but not others
  - Too risky for accounts with access to sensitive information
  - Easy for someone to view the stored passwords, unless you use Firefox and password-protect viewing stored passwords… and don’t forget THAT password!
  - DON’T do it with your eID password, financial accounts, anything with access to personal identity info (like SSN)
  - Never do this on a shared, lab, or public computer
  - IE stores browser (“AutoComplete”) passwords in the Registry
    - Free tools readily available to recover them.
    - Delete in IE8 with Tools->Internet Options->General->Browsing history->Delete, check the “Passwords” box
  - Firefox has a built-in tool to view them and delete them (Tools->Options->Security->Saved Passwords); be sure to use a “Master Password” to protect the stored passwords
What’s a feller to do?
- Use the same password for similar categories of accounts
  - Reasonable solution
  - Have at least four categories:
    1. Financial
    2. eID and other important K-State accts
    3. Shopping accts that store your credit card info
    4. Innocuous accts w/ no sensitive information
  - #1 and #2 should be long, complex, and changed regularly
  - #3 not as long, less complex, changed less often
  - #4 can be short, simple, never changed
  - Differing password rules may pose a challenge
What’s a feller to do?
- Use a password management tool
  - Software that organizes and stores (encrypted) passwords
  - Effective way to manage many passwords
  - Relies on a single master password to protect all the other passwords
  - Can be a challenge if you use multiple computers since the password database is usually stored locally; there are tools available that work on multiple computers, but that means your passwords are stored on the company’s server(s). Do you trust them? Example is lastpass.com
  - Windows example: Password Safe (passwordsafe.sourceforge.net)
  - Mac example: Password Gorilla (www.fpx.de/fp/Software/Gorilla/)
    - Also available for Windows and Linux
    - Can read Password Safe database
Password Safe Demo
- Windows only
- Available for free at passwordsafe.sourceforge.net
- Mature product, lots of nice features
- Has a sophisticated password generator
- Allows you to jump to a web site and auto-enter the username/pw used for that site.
- Demo…
Other Strategies?
- How do you manage your passwords?
Threats to Passwords
- Keyloggers – a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords or other account information
- “Sniffing” the network – someone intercepting network traffic; wireless networks particularly vulnerable
- Malware that gives the hacker full control of a computer and access to anything on it
  - “Torpig” malware infected 27 K-State computers in the last year – watches Internet traffic and intercepts bank acct info, username/pw
- Hackers stealing passwords from a compromised server
- Password “cracking” - a hacker being able to guess your password, usually with the help of a computer program
  - Programs to do this are readily available on the Internet
  - Faster computers make this easier
Threats to Passwords
- Internet cafés – a favorite target for hackers to use keyloggers or other forms of malware to intercept acct info and passwords
- Phishing – tricking you into providing account information
  - 431 K-Staters replied to phishing scams with their eID passwords in 2009
  - 377 were used by criminals to login to Webmail and send spam
  - Consider what can be accessed with your eID…
- “Spear phishing” – phishing that targets a specific population, like sending an email to K-Staters to steal eID passwords
- “Shoulder surfing” – someone looking over your shoulder as you type
- Web browsers storing your password – it is easy for someone else using your computer to see or use your password(s)
- Typing your password into the wrong place on the screen
Threats to Passwords
- Sharing your password with a friend or family member
- Giving your password to someone who is helping you with a computer problem
- Disgruntled system administrator or others with privileged access to servers
- Bottom line – the threats are real and happening at K-State. Take password security seriously!
Which passwords matter?
Pay particular attention to these passwords; make them complex, long, and change them regularly
- Anything that provides access to sensitive information:
  - Bank account
  - Credit/debit card account
  - Personal Identity Information (name + SSN, for example)
  - Shopping account that stores credit card data; normally the credit card # is masked, but a person could change the shipping address and spend lots of money
  - Administrator or root accounts on servers
  - K-State eID
eID Password
- What’s the big deal with eIDs? Gains access to:
  - HRIS self-service
  - Email
  - iSIS
  - K-State Online
  - eProfile (eid.ksu.edu) w/ emergency contact info
  - Oracle Calendar
  - K-State Single-Sign-On environment
  - Access to licensed software, databases
  - SGA elections
  - University Computing Labs
  - Student access to network in residence halls
eID Password
- What’s the big deal?
  - 431 people at K-State replied to phishing scams in 2009, giving away their eID password
  - 377 of them were used by criminals to login to K-State Webmail (often from Nigeria) and send hundreds of thousands of spam messages
  - Compromised accounts are locked so the hacker can’t use them, which means the legitimate owner can’t use them either
  - K-State seen as a source of spam and put on spam blocklists, resulting in all email from K-State being blocked by the likes of Hotmail, Gmail, Yahoo!, Comcast, Road Runner, Cox, AT&T, etc. Thus one person’s mistake can affect the entire campus
  - Contributes to spam, the scourge of the Internet
  - Recently, hackers haven’t used stolen passwords right away, sometimes waiting 3-4 months before using them. Thus if in the meantime the password is changed by the legitimate owner, the hacker can’t use the account. This is a good case for regular password changes.
eID Password Policies
http://www.k-state.edu/policies/ppm/3430.html#require
- Why do you have to change it?
  - The longer you have the same password the more likely someone will discover it (because of the threats just discussed)
    - eID passwords stolen in spear phishing scams not used until 3-4 months later!
  - Changing it limits the amount of time a hacker can wreak havoc in your life
  - Changing your password regularly is standard best practice
  - It could be worse! (most standards specify a change every 30-90 days)
    - Pending state security policy requires change every 30/60/90 days depending on sensitivity of account
eID Password Policies
http://www.k-state.edu/policies/ppm/3430.html#require
- Do not share it… with anyone!
  - NEVER give your password in an email!!!!
- Do not use it for non-university accounts
  - Such as hotmail, amazon.com, bank
  - Is okay for departmental servers (is an acceptable risk)
- Can I write it down?
  - “Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.”
eID password rules
- 7-30 characters in length (longer is better)
- Must contain at least 5 different chars
- Must contain 3 of the 4 following:
  - Uppercase letters
  - Lowercase letters
  - Numbers
  - Special characters (!, @, #, &, etc.)
- Can’t be based on eID or real name
- Cannot contain recognizable word, phrase, acronym, or K-State related name
- Can’t be one of 4 million+ words in hacker dictionary
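As an added illustration (not part of the original slides, and not K-State's eProfile code), here is a Python checker that applies the eID rules above to a candidate password. The dictionary and K-State name lists are small constructed samples standing in for the 4 million+ word hacker dictionary, and the eID/name values are made up.

```python
# Added example: enforce the eID password rules listed above. The word lists
# are constructed samples; the real hacker dictionary has 4 million+ entries.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "purple", "summer"}
KSTATE_NAMES = {"kstate", "ksu", "wildcat", "willie", "manhattan"}
# Spaces count as special characters so word-and-space passphrases can pass.
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")


def check_eid_password(password, eid, real_name):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if not 7 <= len(password) <= 30:
        problems.append("length must be 7-30 characters")
    if len(set(password)) < 5:
        problems.append("must contain at least 5 different characters")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(classes) < 3:
        problems.append("must use 3 of 4: upper, lower, digits, special")
    lowered = password.lower()
    # "Based on eID or real name": the eID or any part of the name appears
    # inside the password, case-insensitively. Tokens shorter than 3 letters
    # are skipped so a two-letter name does not flag nearly every password.
    for token in [eid] + real_name.split():
        token = token.lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"based on eID or real name ({token!r})")
    # Recognizable words and K-State names. This is a plain substring test, so
    # a substitution such as "wildc@t" slips through; a fuller checker would
    # undo common substitutions before looking the word up.
    for word in sorted(DICTIONARY_WORDS | KSTATE_NAMES):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains recognizable word {word!r}")
    return problems


if __name__ == "__main__":
    # The slide's own example "2Bor~2b!" passes every rule; the others do not.
    for candidate in ["2Bor~2b!", "wildcat1", "Jane2010!"]:
        print(candidate, check_eid_password(candidate, "jdoe", "Jane Doe"))
```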
eID Password Policies
http://www.k-state.edu/policies/ppm/3430.html#require
- These policies apply to ALL K-State passwords, not just the eID
- Enable the password on your screen saver
- Lock your computer screen when you leave it unattended
Authentication & Authorization
- Authentication (AuthN) – verify who you are
- Authorization (AuthZ) – determine what you are allowed to do
- Your eID (or other username) and password provide authentication
- After authN, the system or application determines what you can access (authZ)
Forms of Authentication
- Weak
  - 4-digit PIN (aka Passcode)
  - Username/Password
  - Challenge-Response (aka “security question”)
- Strong
  - Two-factor Authentication
    - Two different methods required to authN
    - Something you know plus something you have (e.g., PIN + bank card)
  - Biometrics (e.g., thumbprint reader)
  - Passphrase
  - One-time passwords
  - Digital signature
Passphrase
- A passphrase is a password consisting of a sequence of words or other text. It’s similar to a password in that it controls access to a computer or system, but it’s generally longer for added security (should be 20-30 chars). A good rule of thumb is to purposely misspell at least one or preferably a few words in the passphrase, mix words up from different languages, and/or add symbols to the words.
- Advantage is in its length (more secure) and ease of remembering since you can use a familiar phrase or sentence
- eID password can now be a passphrase, using words and spaces, but the same complexity rules apply (must use digits, mixed case, special characters, etc.)
- Can be frustrating since it is harder to type a long passphrase error-free when you can’t see what you’re typing. Using a password manager like Password Safe or Gorilla allows you to submit a long password without typing it.
Challenge-Response (aka “security questions”)
- Present a challenge (i.e., a question) that only the authentic owner of the account should know, then require a correct response before continuing
  - Common example is asking your mother’s maiden name, or your first pet, or the city you were born in
  - Online banking often makes you establish a set of question/answers, then poses one (in addition to your password) when you login from a different location
  - Also used for resetting an account password
  - Treat these like a password – put effort into choosing effective questions and answers, ones not easily discovered via a Google search of your name
  - Sarah Palin’s Yahoo email was broken into during the 2008 campaign by guessing her three security questions. For more information: itnews.itac.k-state.edu/2008/12/palin-email-password-security/
Beware of keeping yourself logged in via the browser
- Anyone using the computer has access to the account
- This is slightly different from having the browser/OS save your passwords, but the same end result – anyone using the computer has access to your account.
Other password news
- SIRT subcommittee developing recommendations for updating password policy
  - Implement account lock-out (lock account after X failed logins)
  - Add a password strength meter where eID passwords are changed
  - Prepare for higher minimum length
- NEVER give out your password in an email!!!!
Hints for Choosing a Strong (eID) Password
- General rule – hard to guess, easy to remember (strong, memorable)
- You could let eProfile (eid.ksu.edu) choose one for you (not ideal since it is random, so it is hard to remember and you will likely write it down)
- Better to come up with a system that makes sense to you and accommodates regular changes without a lot of effort
Hints for Choosing a Strong (eID) Password
- Use character/word substitutions
  - “2” instead of “to/too”
  - “4” for “for”
  - “4t” for “Fort”
  - “L8” for “late” (r8, g8, b8, d8, etc.)
  - “r” for “are”
  - “u” for “you”
  - “$” for “S”
  - “1” (one) for “l” (el) or “i” (eye)
  - “!” for “1”, “l”, or “i”
Hints for Choosing a Strong (eID) Password
- Capitalize letters where it makes sense to get an upper/lower case mix
- Take a phrase and abbreviate it:
  - 2Bor~2b! = “To be, or not to be”
- Watch custom license plates for ideas
  - im4KSU2 (and add punctuation, like “!”)
Hints for Choosing a Strong (eID) Password
- Use a password strength meter:
  - www.passwordmeter.com
  - www.microsoft.com/protect/yourself/password/checker.mspx
- Gotchas:
  - Beware of special characters that are not on foreign keyboards (e.g., $)
- What are your tips and tricks?
The gospel according to Microsoft
http://www.microsoft.com/protect/yourself/password/create.mspx
1. Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old”
2. Check if the computer or online system supports the passphrase directly. If you can use a pass phrase (with spaces between characters), do so.
3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word to create a new, nonsensical word. Using the example above, you'd get: “msaityo”
4. Add complexity
   - Mix uppercase and lowercase letters and numbers.
   - Swap some letters or intentionally misspell.
   - “My SoN Ayd3N is 3 yeeRs old”
5. Substitute some special characters
   - Add punctuation (“!”, “;”, “()”, etc.)
   - Use symbols that look like letters
     - “$” for “S”, “3” for “E”, “1” for “i”, “@” for “a”
   - Combine words (remove spaces).
   - “MySoN 8N i$ 3yeeR$ old;” or “M$8ni3y0;”
6. Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)
What’s on your mind?