Intended Audience:
- All persons concerned about ways to protect their identity and privacy.

Objectives: upon successful completion of this presentation you should, without error, be able to ...
- Agree that strong passwords and password practices contribute to protection of identity and privacy
- Discriminate passwords as weak or strong
- Recognize the role of passwords in authentication
- Recognize the relationship between authentication and both identity and privacy.

There may be other characteristics of your password and its use that put your identity at risk.

Let's take a quick look at a few characteristics and practices that make a password vulnerable to attack ...

• Weak Passwords
  - based on common dictionary words
    * Including dictionary words that have been altered:
    * Reversed (e.g., "terces")
    * Mixed case (e.g., SeCreT)
    * Character/Symbol replacement (e.g., "$ecret")
    * Words with vowels removed (e.g., "scrt")
  - based on common names
  - based on user/account identifier
  - short (under 6 characters)
  - based on keyboard patterns (e.g., "qwerty")
  - composed of single symbol type (e.g., all characters)
  - resemble license plate values
  - are difficult for you to remember
• Weak Password practices
  - recycling passwords
  - recording (writing down) passwords
  - use of previously recorded passwords (combination of above practices)
  - use of password on two or more systems/contexts
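
The weak-password characteristics listed above that a program can test, written as a small proactive password checker. This is an added example, not part of the original presentation; the word list, the symbol-swap table and the function names are assumptions made for illustration, and the license-plate and memorability items are not checked.

```python
import re

# Constructed sample list (assumption); a real checker loads full word and name lists.
WORDS = {"secret", "password", "dragon", "monkey", "michael"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Common symbol-for-letter swaps, undone before the dictionary lookup.
UNSWAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "!": "i"})


def dictionary_forms(words):
    """Each word plus its vowel-stripped form ('secret' and 'scrt')."""
    stripped = {re.sub(r"[aeiou]", "", w) for w in words}
    return {f for f in set(words) | stripped if len(f) >= 3}


def weaknesses(password, user_id="", words=WORDS):
    """Return the weak-password characteristics from the list that apply."""
    found = []
    lowered = password.lower()         # undoes mixed case (SeCreT)
    plain = lowered.translate(UNSWAP)  # undoes symbol replacement ($ecret)
    # Also try both spellings reversed (terces).
    if {lowered, plain, lowered[::-1], plain[::-1]} & dictionary_forms(words):
        found.append("dictionary word or common name, possibly altered")
    uid = user_id.lower()
    if uid and (uid in lowered or uid[::-1] in lowered):
        found.append("based on user/account identifier")
    if len(password) < 6:
        found.append("short (under 6 characters)")
    if len(lowered) >= 4 and any(lowered in r or lowered in r[::-1] for r in KEYBOARD_ROWS):
        found.append("keyboard pattern")
    kinds = {"digit" if c.isdigit() else "letter" if c.isalpha() else "symbol"
             for c in password}
    if len(kinds) == 1:
        found.append("single symbol type")
    return found


if __name__ == "__main__":
    for pw in ("terces", "SeCreT", "$ecret", "scrt", "qwerty", "Tr7!kz#Qm2"):
        print(f"{pw!r}: {weaknesses(pw) or 'no listed weakness found'}")
```
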
Now let's explore the characteristics of strong passwords and password practices ...

• Strong Passwords
  - contain at least … of the following:
    * digit (0..9)
    * letter (a..Z)
    * punctuation symbol (e.g., !)
    * control character (e.g., ^s, Ctrl-s)
  - are based on a verse (e.g., passphrase) from an obscure work where the password is formed from the characters in the verse
    * e.g., "ypyiyp" derived from the title of this module
    * sometimes referred to as a …
  - are easily remembered by you but very difficult (preferably impossible) for others to guess
• Strong Password Practices
  - never recycle passwords
  - never record a password anywhere
    * exceptions include use of encrypted password "vaults"
  - use a different password for each system/context
  - be aware that Trojan horse programs can masquerade as login prompts, so always reset the system as appropriate to obtain a trusted login prompt
  - check for keyboard buffer devices/software that intercept keystrokes (including password capture)
  - change password occasionally
  - change your password immediately if you suspect it has been "stolen"
  - "passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise." [9]
  - monitor for possible eavesdroppers during entry of password
  - do not use the "Remember Password" feature of applications (e.g., Microsoft® Internet Explorer®).
  - inquire about proactive password checking measures with your system administration
Now let's explore two common password attacks and ways to reduce the risk of being attacked ...

• Most successful attacks are based on:
  - Dictionary attacks
    * "The guessing [often automated] of a password by repeated trial and error." [1]
  - Social engineering
    * "Social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker." [2]
Now let's explore passwords in the context of Your Identity and Privacy ...

• What is a password?
  - "A password is information associated with an entity that confirms the entity's identity." [1]
• Why are passwords needed?
  - Passwords are used for authentication
    * Authentication can be thought of as the act of linking yourself to your electronic identity within the system you are connecting to
    * Your password is used to verify to the system that you are the legitimate owner of the user/account identifier
    * Commonly referred to as "logging in"
• Protection of Your Identity and Privacy in the information age hinges on sound password knowledge and practice
• Those who do not use strong passwords and password practices are often their own worst enemy
• The risks are real, they affect you either directly or indirectly and they can be diminished by using strong passwords and password practices

Your Password
Your Identity
Your Privacy