
So Many Passwords

IT Security Roundtable
January 15, 2010

Harvard Townsend
Chief Information Security Officer
harv@ksu.edu

Agenda

So many passwords, so few brain cells
Threats to passwords
Which ones are important?
eID password (importance, rules, policy)
Definitions (password, passphrase, etc.)
Choosing a good password
Misc. cautions/tips/tricks
Q&A

My accts/passwords:

K-State (eID, my office computer, my laptop, several servers, Bluecoat PacketShaper, PGP encryption, TrueCrypt encryption, Trend Micro OfficeScan servers, Trend Micro support portal, Zimbra customer care portal, Zimbra security shared account, LISTSERV, State of KS employee self-service, HealthQuest health screening, IT Tuesday news authoring, IT Security Threats blog, network usage graphs)
Shopping (PayPal, amazon.com, expedia.com, iTunes, REI)
Financial (checking acct, two savings accounts, ATM PIN, retirement accts, credit cards, health insurance, flexible health spending acct, auto loan, home mortgage)
Other personal (cell phone, cell phone provider, Internet provider, cable TV, Netflix, Pandora, Skype, Facebook, Gmail, Yahoo!, Flickr, K-Tag, mission work, charitable organizations, Manhattan Mercury, State Dept (travel advisories), several airline frequent flier accts, UFM, trails.com, job applications, etc.)

What's a feller to do?

Same password everywhere? PLEASE, NO!!!
  If one is compromised, all are compromised
  Different systems have different pw rules
  Violates K-State policy about eID passwords

Rely on your memory?
  Value is inversely proportional to your age!
  You'll often click on "Forgot Your Password?" links!

Write 'em down?
  Risky, but not out of the question if you keep the note in a safe place (NOT your desk pencil drawer)
  Bigger issue is the quantity of passwords you have to remember
  Generally considered a bad idea

What's a feller to do?

Let your browser store them all?
  OK for some passwords, but not others
    Too risky for accounts with access to sensitive information
    Easy for someone to view the stored passwords, unless you use Firefox and password-protect viewing stored passwords (and don't forget THAT password!)
    DON'T do it with your eID password, financial accounts, or anything with access to personal identity info (like SSN)
    Never do this on a shared, lab, or public computer
  IE stores browser (AutoComplete) passwords in the Registry
    Free tools readily available to recover them
    Delete in IE8 with Tools->Internet Options->General->Browsing history->Delete, check the Passwords box
  Firefox has a built-in tool to view them and delete them (Tools->Options->Security->Saved Passwords); be sure to use a Master Password to protect the stored passwords

What's a feller to do?

Use the same password for similar categories of accounts
  Reasonable solution
  Have at least four categories:
    1. Financial
    2. eID and other important K-State accts
    3. Shopping accts that store your credit card info
    4. Innocuous accts w/ no sensitive information
  #1 and #2 should be long, complex, and changed regularly
  #3 not as long, less complex, changed less often
  #4 can be short, simple, never changed
  Differing password rules may pose a challenge

What's a feller to do?

Use a password management tool
  Software that organizes and stores (encrypted) passwords
  Effective way to manage many passwords
  Relies on a single master password to protect all the other passwords
  Can be a challenge if you use multiple computers, since the password database is usually stored locally; there are tools available that work on multiple computers, but that means your passwords are stored on the company's server(s). Do you trust them? Example is lastpass.com
  Windows example: Password Safe (passwordsafe.sourceforge.net)
  Mac example: Password Gorilla (www.fpx.de/fp/Software/Gorilla/)
    Also available for Windows and Linux
    Can read Password Safe database

Password Safe Demo

Windows only
Available for free at passwordsafe.sourceforge.net
Mature product, lots of nice features
Has a sophisticated password generator
Allows you to jump to a web site and auto-enter the username/pw used for that site.
Demo

Other Strategies?

How do you manage your passwords?

Threats to Passwords

Keyloggers - a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords or other account information
Sniffing the network - someone intercepting network traffic; wireless networks particularly vulnerable
Malware that gives the hacker full control of a computer and access to anything on it
  Torpig malware infected 27 K-State computers in the last year; it watches Internet traffic and intercepts bank acct info, username/pw
Hackers stealing passwords from a compromised server
Password cracking - a hacker being able to guess your password, usually with the help of a computer program
  Programs to do this are readily available on the Internet
  Faster computers make this easier

Threats to Passwords

Internet cafés - a favorite target for hackers to use keyloggers or other forms of malware to intercept acct info and passwords
Phishing - tricking you into providing account information
  431 K-Staters replied to phishing scams with their eID passwords in 2009
  377 were used by criminals to login to Webmail and send spam
  Consider what can be accessed with your eID
Spear phishing - phishing that targets a specific population, like sending an email to K-Staters to steal eID passwords
Shoulder surfing - someone looking over your shoulder as you type
Web browsers storing your password - easy for someone else using your computer to see or use your password(s)
Typing your password into the wrong place on the screen

Threats to Passwords

Sharing your password with a friend or family member
Giving your password to someone who is helping you with a computer problem
Disgruntled system administrator or others with privileged access to servers
Bottom line - the threats are real and happening at K-State. Take password security seriously!

Which passwords matter?

Pay particular attention to these passwords; make them complex, long, and change them regularly
Anything that provides access to sensitive information:
  Bank account
  Credit/debit card account
  Personal Identity Information (name + SSN, for example)
  Shopping account that stores credit card data; normally the credit card # is masked, but a person could change the shipping address and spend lots of money
K-State eID
Administrator or root accounts on servers

eID Password

What's the big deal with eIDs? Gains access to:
  HRIS self-service
  Email
  iSIS
  K-State Online
  eProfile (eid.ksu.edu) w/ emergency contact info
  Oracle Calendar
  K-State Single-Sign-On environment
  Access to licensed software, databases
  SGA elections
  University Computing Labs
  Student access to network in residence halls

eID Password

What's the big deal?
  431 people at K-State replied to phishing scams in 2009, giving away their eID password
  377 of them were used by criminals to login to K-State Webmail (often from Nigeria) and send hundreds of thousands of spam messages
  Compromised accounts are locked so the hacker can't use it, which means the legitimate owner can't use it either
  K-State seen as a source of spam and put on spam blocklists, resulting in all email from K-State being blocked by the likes of Hotmail, Gmail, Yahoo!, Comcast, Road Runner, Cox, AT&T, etc. Thus one person's mistake can affect the entire campus
  Contributes to spam, the scourge of the Internet
  Recently, hackers haven't used stolen passwords right away, sometimes waiting 3-4 months before using them. Thus if in the meantime the password is changed by the legitimate owner, the hacker can't use the account. This is a good case for regular password changes.

eID Password Policies

http://www.k-state.edu/policies/ppm/3430.html#require

Why do you have to change it?
  The longer you have the same password the more likely someone will discover it (because of the threats just discussed)
    eID passwords stolen in spear phishing scams not used until 3-4 months later!
  Changing it limits the amount of time a hacker can wreak havoc in your life
  Changing your password regularly is standard best practice
  It could be worse! (most standards specify a change every 30-90 days)
    Pending state security policy requires change every 30/60/90 days depending on sensitivity of account

eID Password Policies

http://www.k-state.edu/policies/ppm/3430.html#require

Do not share it with anyone!
  NEVER give your password in an email!!!!
Do not use it for non-university accounts
  Such as hotmail, amazon.com, bank
  Is okay for departmental servers (is an acceptable risk)
Can I write it down?
  "Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority."

eID password rules

7-30 characters in length (longer is better)
Must contain at least 5 different chars
Must contain 3 of the 4 following:
  Uppercase letters
  Lowercase letters
  Numbers
  Special characters (!, @, #, &, etc.)
Can't be based on eID or real name
Cannot contain recognizable word, phrase, acronym, or K-State related name
Can't be one of 4 million+ words in hacker dictionary
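The rules on this slide as an added Python checker (an example written for this page, not K-State's eProfile code). The short word list is constructed here and stands in for the 4 million+ word hacker dictionary, and treating "based on eID or real name" as any 3+ letter piece of the eID or name appearing inside the password is an assumption of the example.

```python
import re

# Constructed stand-in for the "4 million+ word hacker dictionary";
# a real deployment would load a full cracking wordlist instead.
DICTIONARY = ("password", "wildcat", "manhattan", "purple", "summer", "kstate")


def check_eid_password(password, eid="", real_name=""):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if not 7 <= len(password) <= 30:
        problems.append("length must be 7-30 characters")
    if len(set(password)) < 5:
        problems.append("must contain at least 5 different characters")
    classes = (
        any(c.isupper() for c in password),   # uppercase letters
        any(c.islower() for c in password),   # lowercase letters
        any(c.isdigit() for c in password),   # numbers
        any(not c.isalnum() for c in password),  # special characters
    )
    if sum(classes) < 3:
        problems.append("must use 3 of 4: uppercase, lowercase, digits, special")
    lowered = password.lower()
    # "Based on eID or real name" (assumed meaning): any 3+ letter token taken
    # from the eID or the real name appears inside the password.
    for token in re.findall(r"[a-z]{3,}", (eid + " " + real_name).lower()):
        if token in lowered:
            problems.append(f"must not be based on eID or real name ({token!r})")
            break
    # "Recognizable word": a dictionary entry appears as a substring, so
    # "Password1!" fails even though it satisfies the character-class rule.
    for word in DICTIONARY:
        if word in lowered:
            problems.append(f"must not contain a recognizable word ({word!r})")
            break
    return problems


def is_acceptable(password, eid="", real_name=""):
    """True when the password violates none of the rules."""
    return not check_eid_password(password, eid, real_name)
```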

eID Password Policies

http://www.k-state.edu/policies/ppm/3430.html#require

These policies apply to ALL K-State passwords, not just the eID
Enable the password on your screen saver
Lock your computer screen when you leave it unattended

Authentication & Authorization

Authentication (AuthN) - verify who you are
Authorization (AuthZ) - determine what you are allowed to do
Your eID (or other username) and password provide authentication
After authN, the system or application determines what you can access (authZ)

Forms of Authentication

Weak
  4-digit PIN (aka Passcode)
  Username/Password
  Challenge-Response (aka security question)
  Two-factor Authentication
    Two different methods required to authN
    Something you know plus something you have (e.g., PIN + bank card)
  Biometrics (e.g., thumbprint reader)
  Passphrase
  One-time passwords
  Digital signature
Strong

Passphrase

A passphrase is a password consisting of a sequence of words or other text. It's similar to a password in that it controls access to a computer or system, but it's generally longer for added security (should be 20-30 chars). A good rule of thumb is to purposely misspell at least one or preferably a few words in the passphrase, mix words up from different languages, and/or add symbols to the words.
Advantage is in its length (more secure) and ease of remembering, since you can use a familiar phrase or sentence
eID password can now be a passphrase, using words and spaces, but the same complexity rules apply (must use digits, mixed case, special characters, etc.)
Can be frustrating since it is harder to type a long passphrase error-free when you can't see what you're typing. Using a password manager like Password Safe or Gorilla allows you to submit a long password without typing it.

Challenge-Response (aka security questions)

Present a challenge (i.e., a question) that only the authentic owner of the account should know, then require a correct response before continuing
  Common example is asking your mother's maiden name, or your first pet, or the city you were born in
  Online banking often makes you establish a set of question/answers, then poses one (in addition to your password) when you login from a different location
  Also used for resetting an account password
Treat these like a password - put effort into choosing effective questions and answers, ones not easily discovered via a Google search of your name
  Sarah Palin's Yahoo email was broken into during the 2008 campaign by guessing her three security questions. For more information: itnews.itac.k-state.edu/2008/12/palin-email-password-security/

Beware of keeping yourself logged in via the browser

Anyone using the computer has access to the account
  This is slightly different from having the browser/OS save your passwords, but the same end result - anyone using the computer has access to your account.

Other password news

SIRT subcommittee developing recommendations for updating password policy
  Implement account lock-out (lock account after X failed logins)
  Add a password strength meter where eID passwords are changed
  Prepare for higher minimum length
NEVER give out your password in an email!!!!
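The account lock-out the subcommittee is recommending, as an added Python example (not K-State's implementation): an in-memory policy that locks an eID after X consecutive failed logins for a fixed period and answers "locked" regardless of the password while the lock holds. The defaults of 5 failures and 15 minutes, and the injectable clock, are assumptions made for the example.

```python
import time
from collections import defaultdict


class LockoutPolicy:
    """Lock an account after max_failures consecutive failed logins."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures        # the "X" on the slide (assumed 5)
        self.lockout_seconds = lockout_seconds  # assumed 15 minutes
        self.clock = clock                      # injectable so tests can fake time
        self.failures = defaultdict(int)        # eid -> consecutive failures
        self.locked_until = {}                  # eid -> time the lock expires

    def is_locked(self, eid):
        until = self.locked_until.get(eid)
        if until is None:
            return False
        if self.clock() >= until:               # lock expired: clear the state
            del self.locked_until[eid]
            self.failures[eid] = 0
            return False
        return True

    def attempt(self, eid, password_ok):
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(eid):
            # Same answer whether or not the password was right, so a locked
            # account cannot be used as an oracle to confirm a guess.
            return "locked"
        if password_ok:
            self.failures[eid] = 0              # a success resets the counter
            return "ok"
        self.failures[eid] += 1
        if self.failures[eid] >= self.max_failures:
            self.locked_until[eid] = self.clock() + self.lockout_seconds
            return "locked"
        return "denied"
```

Because anyone who knows an eID can trigger the lock on purpose, the lock is temporary rather than permanent, and both lock events and attempts against a locked account are worth logging.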

Hints for Choosing a Strong (eID) Password

General rule - hard to guess, easy to remember (strong, memorable)
You could let eProfile (eid.ksu.edu) choose one for you (not ideal since it is random, so it is hard to remember and you will likely write it down)
Better to come up with a system that makes sense to you and accommodates regular changes without a lot of effort

Hints for Choosing a Strong (eID) Password

Use character/word substitutions
  2 instead of to/too
  4 for for
  4t for Fort
  L8 for late (r8, g8, b8, d8, etc.)
  r for are
  u for you
  $ for S
  1 (one) for l (el) or i (eye)
  ! for 1, l, or i

Hints for Choosing a Strong (eID) Password

Capitalize letters where it makes sense to get upper/lower case mix
Take a phrase and abbreviate it:
  2Bor~2b! = To be, or not to be
Watch custom license plates for ideas
  im4KSU2 (and add punctuation, like !)

Hints for Choosing a Strong (eID) Password

Use a password strength meter:
  www.passwordmeter.com
  www.microsoft.com/protect/yourself/password/checker.mspx
Gotchas:
  Beware of special characters that are not on foreign keyboards (e.g., $)
What are your tips and tricks?

The gospel according to Microsoft

http://www.microsoft.com/protect/yourself/password/create.mspx

1. Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as "My son Aiden is three years old"
2. Check if the computer or online system supports the passphrase directly. If you can use a pass phrase (with spaces between characters), do so.

The gospel according to Microsoft

3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word to create a new, nonsensical word. Using the example above, you'd get: msaityo
4. Add complexity
   Mix uppercase and lowercase letters and numbers.
   Swap some letters or intentionally misspell.
   My SoN Ayd3N is 3 yeeRs old

The gospel according to Microsoft

5. Substitute some special characters
   Add punctuation (!, ;, (), etc.)
   Use symbols that look like letters ($ for S, 3 for E, 1 for i, @ for a)
   Combine words (remove spaces).
   MySoN 8N i$ 3yeeR$ old; or M$8ni3y0;
6. Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)

What's on your mind?
