Page 1

Choosing the Right Wand (or for those who like boring titles – Managing Account Passwords: Policies and Best Practices)

Harvard Townsend, IT Security Officer
[email protected]
October 31, 2007

Page 2

Whose responsibility is it?

“Security is not just the CIO’s problem; it is everyone’s problem. And everyone is responsible for the solution.”

Diana Oblinger and Brian Hawkins, EDUCAUSE

Page 3

TJX Inc. now understands…

Page 4

Agenda

- Authentication and authorization
- eID password
- What’s the big deal?
- Policies
- Why do we have to change it twice a year?
- Writing it down
- Tips for choosing a strong password
- Different passwords for different accounts
- So many passwords…

Page 5

Authentication & Authorization

- Authentication (AuthN) – verify who you are
- Authorization (AuthZ) – determine what you are allowed to do
- Your eID (or other username) and password provide authentication
- After authN, the system or application determines what you can access (authZ)

Page 6

Forms of Authentication (the slide places these on a Weak-to-Strong scale)

- 4-digit PIN
- Username/Password
- Challenge-Response
- Two-factor Authentication: two different methods required to authN; something you know plus something you have (e.g., bank card + PIN)
- Biometrics (e.g., thumbprint reader)
- Passphrase
- One-time passwords
- Digital signature

Page 7

eID Password

What’s the big deal?

- HRIS self-service
- E-mail
- KATS/iSIS
- K-State Online
- Oracle Calendar
- Access to licensed software, databases
- SGA elections
- University Computing Labs
- Student access to network in residence halls

Page 8

eID Password Policies

Why do you have to change it?

- It is standard best practice
- It could be worse!
- The longer you have the same password, the more likely someone will discover it:
  - Hacked computer - keylogger
  - Network sniffer
  - Someone helped you with a problem
  - Password stored in web browser
  - Faster computers = faster password cracking
  - Typed it into the wrong place on the screen
- Changing it limits the amount of time a hacker can wreak havoc in your life

http://www.k-state.edu/policies/ppm/3430.html#require

Page 9

eID Password Policies

- Do not share it… with anyone!
- Do not use it for non-university accounts, such as hotmail, amazon.com, bank
  - It is okay for departmental servers (not ideal, but acceptable risk)
- Can I write it down?

“Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.”

http://www.k-state.edu/policies/ppm/3430.html#require

Page 10

eID Password Policies

These apply to ALL K-State passwords, not just the eID

http://www.k-state.edu/policies/ppm/3430.html#require

Page 11

Hints for Choosing a Strong (eID) Password

- 7-8 characters in length
  - Limits your choices
  - Maximum length will increase in the future to give you more choices and allow passphrases
- General rule – hard to guess, easy to remember (strong, memorable)
- Let eProfile choose one for you (it is random, so you will likely write it down)

Page 12

Hints for Choosing a Strong (eID) Password

- Use “2” instead of “to/too”, “4” for “for”, “4t” for “Fort”, “L8” for “late”
- Capitalize letters where it makes sense
- Take a phrase and abbreviate it: 2Bor~2B! = “To be, or not to be”
- Watch custom license plates for ideas: im4KSU2 (and add punctuation, like “!”)

Page 13

Hints for Choosing a Strong (eID) Password

- Use a password strength meter:
  http://www.securitystats.com/tools/password.php
  http://www.microsoft.com/protect/yourself/password/checker.mspx
- Gotchas:
  - Avoid the space character
  - Beware of special characters that are not on foreign keyboards ($)
- What are your examples?

Page 14

Steps to create a strong, memorable password

http://www.microsoft.com/protect/yourself/password/create.mspx

1. Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old”

2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters), do so.

Page 15

Steps to create a strong, memorable password

3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word to create a new, nonsensical word. Using the example above, you'd get: “msaityo”

4. Add complexity: mix uppercase and lowercase letters and numbers. Swap some letters or intentionally misspell.

“My SoN Ayd3N is 3 yeeRs old”

Page 16

Steps to create a strong, memorable password

5. Substitute some special characters
   - Add punctuation (“!”, “;”, “()”, etc.)
   - Use symbols that look like letters: “$” for “S”, “3” for “E”, “1” for “i”, “@” for “a”
   - Combine words (remove spaces).

“MySoN 8N i$ 3yeeR$ old;” or “M$8ni3y0;”

6. Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)
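The six steps above, and the strength-meter and "gotcha" hints on slide 13, can be walked through in code. The following Python is an added example written for this transcript; it is not code from the slides, from K-State's eProfile, or from the strength meters the slides link to. The acronym step follows the slides exactly; the look-alike substitutions use the slides' own suggestions plus an assumed "0" for "o"; which positions get swapped or capitalized, the minimum length of 8 (the upper end of the slides' 7-8 range), and the "three character classes" rule are constructed assumptions chosen so the result is checkable.

```python
import math
import string

# Constructed example input: the slides' own sample sentence from step 1.
SAMPLE_SENTENCE = "My son Aiden is three years old"


# Step 3 from the slides: first letter of each word -> a nonsensical word.
def acronym(sentence: str) -> str:
    return "".join(word[0] for word in sentence.split()).lower()


# Steps 4 and 5: mix case and swap look-alike symbols. "$", "3", "1" and "@"
# are the slides' suggestions; "0" for "o" is an assumption added here. Which
# positions get swapped or capitalized is a constructed rule, not the slides'.
LOOKALIKES = {"s": "$", "e": "3", "i": "1", "a": "@", "o": "0"}


def add_complexity(word: str, punctuation: str = "!") -> str:
    out = []
    for idx, ch in enumerate(word):
        if ch in LOOKALIKES and idx % 2 == 1:
            out.append(LOOKALIKES[ch])      # swap every other eligible letter
        elif idx % 3 == 0:
            out.append(ch.upper())          # capitalize "where it makes sense"
        else:
            out.append(ch)
    return "".join(out) + punctuation       # step 5: add punctuation


# Step 6: check the result the way a simple strength meter does. Thresholds are
# assumptions; the slides supply the 7-8 character limit and the two gotchas
# (no space character, beware of "$" on some keyboards).
MIN_LENGTH = 8
KEYBOARD_RISKY = {"$"}


def check_strength(password: str, allow_spaces: bool = False) -> dict:
    problems, warnings = [], []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Step 2 says to keep spaces only where the system supports pass phrases.
    if " " in password and not allow_spaces:
        problems.append("contains a space")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    classes = sum([has_lower, has_upper, has_digit, has_punct])
    if classes < 3:
        problems.append("fewer than three character classes")
    risky = sorted(set(password) & KEYBOARD_RISKY)
    if risky:
        warnings.append("uses %s, which may be missing on some keyboards" % "".join(risky))
    # Rough strength estimate, as meters do: length * log2(size of the pool
    # of characters the password actually draws from).
    pool = (26 * has_lower + 26 * has_upper + 10 * has_digit
            + len(string.punctuation) * has_punct)
    if " " in password:
        pool += 1
    bits = len(password) * math.log2(pool) if pool else 0.0
    return {"bits": round(bits, 1), "classes": classes,
            "problems": problems, "warnings": warnings}


def build_password(sentence: str) -> str:
    """Steps 3-5 chained: sentence -> acronym -> complexity added."""
    return add_complexity(acronym(sentence))


if __name__ == "__main__":
    pw = build_password(SAMPLE_SENTENCE)
    print(acronym(SAMPLE_SENTENCE), "->", pw)
    print(check_strength(pw))
```

Running it reproduces the slides' "msaityo" for the sample sentence, turns it into an 8-character password drawing on all four character classes, and reports the "$" keyboard warning from slide 13 without failing the check; the bare acronym fails on both length and character classes, which is exactly why step 4 exists.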

Page 17

Acct/Password Categories

- Ideal = different password for each account
- Acceptable = different password for each type of account:
  1. eID and some other K-State accounts
  2. Financial accounts
  3. Online shopping (if the store keeps credit card info)
  4. All others

Page 18

Managing Your Passwords

- Try to remember them all?
- Have someone younger than you help you remember them all?
- Write them all down?
  - OK if kept in a private place, like purse/wallet
  - Write down a hint, not the actual password
- Web browser?
- Use a tool like Password Safe?

http://passwordsafe.sourceforge.net/

Page 19

Don’t Let Windows Store Your eID or Banking Passwords

Page 20

What’s on your mind?