2009 mit 019
TRANSCRIPT
-
8/3/2019 2009 Mit 019
1/17
G.G.K.P.Gunawardana
2009/MIT/019
University of Colombo School of Computing
Masters of Information Technology
-
8/3/2019 2009 Mit 019
2/17
Concerns when selecting a User name Should be Easily identify the user
Should be unique (Users may have common
Surnames ) Shouldnt be complex easy to remember
Best practice is dont use special characters
Most of the companies use employee number
as user name (Ex. HSBC) Some organizations uses first name and first
letter of the surname
Larger organizations uses fist name .
surname.
-
8/3/2019 2009 Mit 019
3/17
Why we need password policy
General words people use as a passwords
Words based on common dictionary Names based on common names Names based on user/account name Short passwords (under 6 characters) Consequent keys of the keyboard
-
8/3/2019 2009 Mit 019
4/17
Unfortunately, the characteristics people have selected also
makes their password vulnerable to attack for
attackers and putting their Identity and Privacyat risk
They are not alone be victims, but others
Lets carefully analyze few more characteristics
and practices that make a password vulnerableto attack
-
8/3/2019 2009 Mit 019
5/17
Words based on common dictionary Including dictionary words that have been altered: Reversed (e.g., terces) Mixed case (e.g., SeCreT)
Character/Symbol replacement (e.g., $ecret) Words with vowels removed (e.g., scrt) based on common names based on user/account identifier short (under 6 characters)
based on keyboard patterns (e.g., qwerty) composed of single symbol type (e.g., all characters) resemble license plate values are difficult for you to remember
-
8/3/2019 2009 Mit 019
6/17
recycling passwords recording (writing down) passwords use of previously recorded passwords
(combination of above practices) use of password on two or more
systems/contexts
Especially risky when passwords arereused in low-trust systems (e.g., onlinegaming) since increased exposure
-
8/3/2019 2009 Mit 019
7/17
contain at least one of each of the following: digit (0..9) letter (a..Z) punctuation symbol (e.g., !) control character (e.g., ^s, Ctrl-s) are based on a verse (e.g., passphrase) from
an obscure work where the password isformed from the characters in the verse
e.g., ypyiyp derived from the title of thismodule
sometimes referred to as a virtual password are easily remembered by you but very
difficult (preferably impossible) for others toguess
-
8/3/2019 2009 Mit 019
8/17
never recycle passwords never record a password anywhere exceptions include use of encrypted password vaults use a different password for each system/context be aware Trojan horse programs can masquerade as login
prompts so always reset the system as appropriate to obtain atrusted login prompt
check for keyboard buffer devices/software that interceptkeystrokes (including password capture)
change password occasionally change your password immediately if you suspect it has been
stolen
passwords should be protected in a manner that is consistentwith the damage that could be caused by their compromise.
monitor for possible eavesdroppers during entry of password do not use the "Remember Password" feature of applications
(e.g., Microsoft Internet Explorer). inquire about proactive password checking measures with your
system administration
-
8/3/2019 2009 Mit 019
9/17
Dictionary attacks The guessing [often automated] of a
password by repeated trial and error.
Social engineering Social engineering is the process of
using social skills to convince people to
reveal access credentials or othervaluable information to the attacker.
-
8/3/2019 2009 Mit 019
10/17
Most hackers utilize widely availablepassword cracking dictionaries to
uncover weak passwords
Ex: Brute force type of attacks
Ways to reduce Your risk:
Create and use strong passwords
-
8/3/2019 2009 Mit 019
11/17
What is a password? A password is information associated with
an entity that confirms the entitys identity. Why are passwords needed? Passwords are used for authentication Authentication can be thought of as the act
of linking yourself to your electronic identitywithin the system you are connecting to
Your password is used to verify to thesystem that you are the legitimate owner ofthe user/account identifier
Commonly referred to as logging in
-
8/3/2019 2009 Mit 019
12/17
Passwords/Identity/Privacy Attackers who obtain your password can
authenticate themselves on various
systems and in turn
Access your personal information(invade Your Privacy)
Impersonate you by acting on your behalf(steal Your Identity)
-
8/3/2019 2009 Mit 019
13/17
Protection of Your Identity and Privacy in theinformation age hinges on sound passwordknowledge and practice
Those who do not use strong passwords andpassword practices are often their own worstenemy
If you feel you have too many passwords toremember then consider using a password
vault (e.g., Password Safe) The risks are real, they affect you either
directly or indirectly and they can bediminished by using strong passwords and
password practices
-
8/3/2019 2009 Mit 019
14/17
Many computer users today have to keep track ofdozens of passwords: for network accounts, onlineservices, premium web sites.
With Password Safe, a free Windows 9x/2000 utilityfrom Counterpane Labs, users can keep their
passwords securely encrypted on their computers. Asingle Safe Combination--just one thing to remember--unlocks them all.
Password Safe features a simple, intuitive interfacethat lets users set up their password database inminutes.
Best of all, Password Safe is completely free: nolicense requirements, shareware fees, or other stringsattached.
You can learn more about this product by visiting
http://www.counterpane.com/passsafe.html
-
8/3/2019 2009 Mit 019
15/17
What is the role of passwords inauthentication?
to identify the user to verify you are the legitimate owner of
the user/account identifier
to provide security none of the above
-
8/3/2019 2009 Mit 019
16/17
This is a tool helpful to those who havemany passwords to remember.
ePassword Keeper Password Safe
Sphinx
TK8 Safe
-
8/3/2019 2009 Mit 019
17/17
http://web.mit.edu/net-security/www/pw.html http://www.umich.edu/~policies/pw-security.html http://www-
cgi.cs.cmu.edu/~help/security/pass_sec.html http://www.alw.nih.gov/Security/Docs/passwd.html http://www.ucsc.edu/banner/01ePwdSecurity.html#Pa
ssword%20Guidelines http://ithelp.indstate.edu/info/secure-
passwords.html#general http://www.lbl.gov/ITSD/Security/guidelines/password.
html#choose http://tigger.cc.uic.edu/~mbird/password.html http://psynch.com/docs/best_practices.html http://www.p-synch.com/docs/strength.html