1 choosing the right wand (or for those who like boring titles – managing account passwords:...
TRANSCRIPT
1
Choosing the Right Wand(or for those who like boring titles – Managing Account Passwords: Policies and Best Practices)
Harvard TownsendIT Security [email protected] 31, 2007
Whose responsibility is it?
“Security is not just the CIO’s problem; it is everyone’s problem. And everyone is responsible for the solution.”
Diane Oblinger
Brian Hawkins
EDUCAUSE
TJX Inc. now understands…
Agenda
Authentication and authorization eID password
What’s the big deal? Policies Why do we have to change it twice a year? Writing it down
Tips for choosing a strong password Different passwords for different accts So many passwords…
Authentication & Authorization
Authentication (AuthN) – verify who you are
Authorization (AuthZ)– determine what you are allowed to do
Your eID (or other username) and password provide authentication
After authN, the system or application determines what you can access (authZ)
Forms of Authentication 4-digit PIN Username/Password Challenge-Response Two-factor Authentication
Two different methods required to authN Something you know plus something you
have (e.g., bank card + PIN) Biometrics (e.g., thumbprint reader) Passphrase One-time passwords Digital signature
Strong
Weak
eID Password
What’s the big deal? HRIS self-service E-mail KATS/iSIS K-State Online Oracle Calendar Access to licensed software, databases SGA elections University Computing Labs Student access to network in residence halls
eID Password Policies
Why do you have to change it? Is standard best practice It could be worse! The longer you have the same password the
more likely someone will discover it Hacked computer - keylogger Network sniffer Someone helped you with a problem Password stored in web browser Faster computers = faster password cracking Typed it into the wrong place on the screen
Changing it limits the amount of time a hacker can wreak havoc in your life
http://www.k-state.edu/policies/ppm/3430.html#require
eID Password Policies
Do not share it… with anyone! Do not use it for non-university accounts
Such as hotmail, amazon.com, bank Is okay for departmental servers (not ideal, but
acceptable risk) Can I write it down?
“Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.”
http://www.k-state.edu/policies/ppm/3430.html#require
eID Password Policies
These apply to ALL K-State passwords, not just the eID
http://www.k-state.edu/policies/ppm/3430.html#require
Hints for Choosing a Strong (eID) Password
7-8 characters in length Limits your choices Maximum length will increase in the
future to give you more choices and allow passphrases
General rule – hard to guess, easy to remember (strong, memorable)
Let eProfile choose one for you (is random, so will likely write it down)
Hints for Choosing a Strong (eID) Password
Use “2” instead of “to/too”, “4” for “for”“4t” for “Fort”, “L8” for “late”
Capitalize letters where it makes sense
Take a phrase and abbreviate it: 2Bor~2B! = “To be, or not to be”
Watch custom license plates for ideas im4KSU2 (and add punctuation, like “!”)
Hints for Choosing a Strong (eID) Password
Use a password strength meter:http://www.securitystats.com/tools/password.phphttp://www.microsoft.com/protect/yourself/password/checker.mspx
Gotchas: Avoid space character Beware of special characters that are not on
foreign keyboards ($) What are your examples?
Steps to create a strong, memorable password
http://www.microsoft.com/protect/yourself/password/create.mspx
1. Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old”
2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters), do so.
Steps to create a strong, memorable password
3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each to create a new, nonsensical word. Using the example above, you'd get: “msaityo”
4. Add complexity Mix uppercase and lowercase letters and numbers. Swap some letters or intentionally misspell.
“My SoN Ayd3N is 3 yeeRs old”
Steps to create a strong, memorable password
5. Substitute some special characters Add punctuation (“!”, “;”, “()”, etc.) Use symbols that look like letters
“$” for “S”, “3” for “E”, “1” for “i”, “@” for “a” Combine words (remove spaces).
“MySoN 8N i$ 3yeeR$ old;” or “M$8ni3y0;”
6. Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)
Acct/Password Categories
Ideal = different password for each acct Acceptable = different password for
each type of account1. eID and some other K-State accounts
2. Financial accounts
3. Online shopping (if stores credit card info)
4. All others
Managing Your Passwords
Try to remember them all? Have someone younger than you help
you remember them all? Write them all down?
OK if keep in private place, like purse/wallet Write down a hint, not actual password
Web browser? Use a tool like Password Safe?
http://passwordsafe.sourceforge.net/
Don’t Let Windows Store Your eID or Banking Passwords
What’s on your mind?