password management: creating and managing passwords to be as secure as possible


Upload: jayde-pipes

Post on 14-Dec-2015


TRANSCRIPT

Slide 1: PASSWORD MANAGEMENT: Creating and managing passwords to be as secure as possible

Slide 2: TABLE OF CONTENTS
1. The scale of consumer cyber crime
2. What is a password, and facts about password security and its importance
3. Tiered password system: review and categorize your existing passwords
4. Writing secure passwords
   - Characteristics of strong and weak passwords
   - Tips and techniques
   - Testing the strength of a password
5. Password management techniques
6. Additional tips to secure your identity

Slide 3
(no transcript text)

Slide 4
(no transcript text)

Slide 5: TABLE OF CONTENTS (agenda repeated; section 2 begins)

Slide 6: WHAT'S A PASSWORD?
A password is a string of characters that gives you access to a computer or an online account.

Slide 7: COMMON THREATS AGAINST YOUR PASSWORD
Password cracking is the process of breaking passwords in order to gain unauthorized access to a computer or account.
- Guessing: a method of gaining access to an account by attempting to authenticate using computers, dictionaries, or large word lists.
  - Brute force uses every possible combination of characters to retrieve a password.
  - A dictionary attack uses every word in a dictionary of common words to identify the password.
- Social engineering/phishing: deceiving users into revealing their username and password (easier than technical hacking), usually by pretending to be an IT help desk agent or a legitimate organization such as a bank.
DO NOT EVER SHARE YOUR PASSWORDS, sensitive data, or confidential banking details on sites accessed through links in emails.

Slide 8: TABLE OF CONTENTS (agenda repeated; section 3 begins)

Slide 9: HOW MANY PASSWORDS DO YOU HAVE?
- Banking and business services
- Personal emails
- Social media and news
- Work-related accounts

Slide 10: DON'T FORGET YOUR COMPUTER AND PHONE LOGINS!

Slide 11: TIERED PASSWORD SYSTEMS
Tiered password systems involve having different levels of passwords for different types of websites, where the complexity of the password depends on what the consequences would be if that password were compromised or obtained.
- Low security: signing up for a forum or newsletter, or downloading a trial version of a program.
- Medium security: social networking sites, webmail and instant messaging services.
- High security: anything where your personal finances are involved, such as banking and credit card accounts. If these are compromised it could drastically and adversely affect your life. This may also include your computer login credentials.
Keep in mind that this categorization should be based on how critical each type of website is to you. What goes in which category will vary from person to person.

Slide 12: HANDS-ON PART 1: REVIEW AND CATEGORIZE YOUR PASSWORDS
1. Categorize your passwords into 3 categories: high, medium, or low. Categorization should be based on how critical each type of website is to you. Take 5 minutes to categorize some of your online accounts.
2. Your high security passwords are the most important. Keep in mind: you should change any password that is weak. If you have used any of your passwords for more than one site, you should change it.

Slide 13: TABLE OF CONTENTS (agenda repeated; section 4 begins)

Slide 14: COMMON MISTAKES IN CREATING PASSWORDS

Slide 15: RISK EVALUATION OF COMMON MISTAKES
Mistake: Using a common password
Example: 123456789, password, qwerty
Risk evaluation: Too risky. These are most criminals' first guesses, so don't use them.

Mistake: Using a password that is based on personal data
Example: Gladiator, Bobby, Jenny, Scruffy
Risk evaluation: Too risky: anyone who knows you can easily guess this information. Basing a password on your social security number, nicknames, family members' names, or the names of your favorite books, movies or football team are all bad ideas.

Mistake: Using a short password
Example: John12, Jim2345
Risk evaluation: The shorter a password, the more opportunities for observing, guessing, and cracking it.

Mistake: Using the same password everywhere
Example: Using one password on every site or online service.
Risk evaluation: Too risky: it's a single point of failure. If this password is compromised, or someone finds it, the rest of your accounts, including your sensitive information, are at risk.

Mistake: Writing your passwords down
Example: Writing your password down on a post-it note stuck to your monitor.
Risk evaluation: Very high risk, especially in corporate environments. Anyone who physically gets the piece of paper or sticky note that contains your password can log into your account.

Slide 16
(no transcript text)

Slide 17: WHAT MAKES A PASSWORD SAFE?
Strong passwords:
- are a minimum of 8 characters in length; it's highly recommended that they are 12 characters or more.
- contain special characters such as @#$%^& and/or numbers.
- use a variation of upper and lower case letters.
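As an added worked example (not part of the original deck), the Python script below applies the rules from slides 11 through 17 to a constructed password inventory: it flags the common-mistake categories from the risk table (common password, personal data, too short), the length and character-class requirements, and any password reused on more than one site, and it marks a high-tier account that fails any rule. The word lists, site names and personal-term list are constructed for the demonstration; the sample passwords are the deck's own examples. It goes one step beyond the slides by treating reuse per site, so every account sharing a password is reported, not just the first.

```python
"""Audit a tiered password inventory against the deck's rules (added example)."""
from collections import defaultdict

# Constructed sample lists. A real audit would use a large breached-password
# list and a proper dictionary; these are just enough to exercise the rules.
COMMON_PASSWORDS = {"123456789", "password", "qwerty", "123456", "letmein"}
DICTIONARY_WORDS = {"gladiator", "force", "password", "summer", "welcome"}
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def strength_issues(password, personal_terms=()):
    """Return the list of rule violations for one password (empty means it passes).

    personal_terms: names, pet names, birth details etc. that the deck says
    must not appear in a password (constructed per user).
    """
    issues = []
    lowered = password.lower()
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    elif len(password) < 12:
        issues.append("shorter than the recommended 12 characters")
    if not any(c.isdigit() or c in SYMBOLS for c in password):
        issues.append("no digits or special characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        issues.append("no mix of upper and lower case letters")
    if lowered in COMMON_PASSWORDS:
        issues.append("is a common password")
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and word in lowered:
            issues.append(f"contains dictionary word '{word}'")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            issues.append(f"contains personal information '{term}'")
    return issues


def audit(inventory, personal_terms=()):
    """inventory: list of (site, tier, password). Returns {site: [findings]}.

    A password shared by several sites is reported on each of them, because
    the deck treats a shared password as a single point of failure for all.
    """
    sites_by_password = defaultdict(list)
    for site, _tier, password in inventory:
        sites_by_password[password].append(site)

    findings = {}
    for site, tier, password in inventory:
        issues = strength_issues(password, personal_terms)
        others = [s for s in sites_by_password[password] if s != site]
        if others:
            issues.append("reused on " + ", ".join(others))
        if tier == "high" and issues:
            issues.append("high-tier account: change this password now")
        findings[site] = issues
    return findings


# Constructed inventory built from the deck's own example passwords.
SAMPLE_INVENTORY = [
    ("bank", "high", "#mtfbwy!AmZ"),     # Mozilla-method password, reused on a bank
    ("amazon", "medium", "#mtfbwy!AmZ"),
    ("forum", "low", "Gladiator"),       # personal-data / dictionary example
    ("email", "medium", "John12"),       # short-password example
    ("work", "high", "!20Mtfbwy13!"),    # passphrase example from slide 22
]
SAMPLE_PERSONAL_TERMS = ("John", "Bobby", "Scruffy")

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_INVENTORY, SAMPLE_PERSONAL_TERMS).items():
        print(f"{site}: {'OK' if not issues else '; '.join(issues)}")
```

Running it shows the deck's point about the Mozilla method: #mtfbwy!AmZ passes every per-password rule except the 12-character recommendation, but because it is shared between the bank and Amazon, the bank entry is flagged for immediate change, while !20Mtfbwy13! used on a single high-tier account reports no findings.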
Slide 18: WHAT MAKES A PASSWORD SAFE? (CONT.)
- It must not contain easily guessed information such as your birth date, phone number, spouse's name, pet's name, kids' names, login name, etc.
- It shouldn't contain words found in the dictionary.

Slide 19
(no transcript text)

Slide 20: HOW TO MAKE A STRONG PASSWORD
"Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months." ~ Clifford Stoll
The stronger your password, the more protected your account or computer is from being compromised or hacked. You should make sure you have a unique and strong password for each of your accounts.

Slide 21: MOZILLA'S SAFE PASSWORD METHODOLOGY
1. Pick a familiar phrase or quote, for example "May the force be with you", and then abbreviate it by taking the first letter of each word, so it becomes mtfbwy.
2. Add some special characters on either side of the word to make it extra strong (like #mtfbwy!).
3. Then associate it with the website by adding a few characters from the website name into the original password as either a suffix or prefix. So the new password for Amazon could become #mtfbwy!AmZ, #mtfbwy!FbK for Facebook, and so on.
* While this technique lets us reuse the phrase-generated part of the password on a number of different websites, it would still be a bad idea to use it on a site like a bank account which contains high-value information. Sites like that deserve their own password selection phrase.

Slide 22: USING A PASSPHRASE TO WRITE A SECURE PASSWORD
While generating a password you should follow two rules: length and complexity. Let's start with the following sentence: "May the force be with you." Let's turn this phrase into a password.
1. Take the first letter from each word: Mtfbwy.
2. Now increase its strength by adding symbols and numbers: !20Mtfbwy13! The 20 and 13 refer to the year, 2013. Secondly, I put a ! symbol on each end of the password.
Try using the name of your online account in the password: !20Mtfbwy13!Gmail (for Gmail), fb!20Mtfbwy13! (for Facebook).
That's one password-developing strategy. Let's keep adding complexity, while also attempting to keep things possible to memorize.
* You actually should not use a common phrase.

Slide 23: HAYSTACKING YOUR PASSWORD: A SIMPLE AND POWERFUL WAY OF SECURING YOUR PASSWORD
Password Haystack is a methodology of making your password extremely difficult to brute force by padding the password with a pattern like (//////) before and/or after your password.
Here's how it works:
1. Come up with a password, but try to make it a mix of uppercase and lowercase letters, numbers and symbols.
2. Come up with a pattern/scheme you can remember, such as the first letter of each word from an excerpt of your favorite song, or a set of symbols like (../////).
3. Use this pattern and repeat it several times (padding your password).
Let's have an example of this:
Password: !20Mtfbwy13!
By applying this approach, the password becomes a haystacked password: ../////!20Mtfbwy13!../////

Slide 24: HANDS-ON PART 2: TESTING YOUR PASSWORDS
Use these tools to test the strength of a password. As a precaution, you probably shouldn't use these services to test your actual password. Instead, simply use them to learn what works and what doesn't work. Just play with the strength checkers by constructing fake passwords and testing them.
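The following Python script is an added example, not part of the original deck or of Mozilla's or GRC's material. It takes the deck's three strings from slides 22 and 23 (Mtfbwy, !20Mtfbwy13! and the haystacked form) and computes the size of the space an exhaustive brute-force search over the character classes in use would have to cover, expressed in bits, to show how much of the "length and complexity" rule is carried by length alone. The character-class sizes (26, 26, 10 and the 32 printable ASCII symbols excluding the space), the function names and the general haystack() padding routine are this example's own assumptions. One caveat the slide leaves out: the count assumes the attacker does not know the padding pattern; predictable padding adds far less than these figures suggest, which is one reason the deck says the strength checkers are for learning what works rather than for certifying a real password.

```python
"""Brute-force search space for the deck's passphrase and haystack examples (added example)."""
import math
import string

# Character classes and their sizes. Characters outside these classes
# (space, non-ASCII) contribute nothing to the alphabet estimate.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols, space excluded
}


def classes_used(password):
    """Names of the character classes that appear at least once in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def alphabet_size(password):
    """Size of the alphabet an exhaustive search over the used classes must try."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def search_space(password):
    """Number of candidates in an exhaustive search of that alphabet at this length."""
    return alphabet_size(password) ** len(password)


def bits(password):
    """Search space as a bit count (log2), rounded to one decimal."""
    return round(math.log2(search_space(password)), 1)


def haystack(password, pattern, repeat=1):
    """Pad the password on both sides with `pattern` repeated `repeat` times.

    Generalises slide 23, which pads once with ../////. Note that the padding
    only raises the search-space figure if the attacker does not know the scheme.
    """
    pad = pattern * repeat
    return pad + password + pad


# The deck's own strings from slides 22 and 23.
ABBREVIATED = "Mtfbwy"             # first letters of "May the force be with you"
STRENGTHENED = "!20Mtfbwy13!"      # symbols and the year 2013 added
HAYSTACKED = haystack(STRENGTHENED, "../////")   # ../////!20Mtfbwy13!../////

if __name__ == "__main__":
    for label, pw in [("abbreviated", ABBREVIATED),
                      ("strengthened", STRENGTHENED),
                      ("haystacked", HAYSTACKED)]:
        print(f"{label:13} {pw!r:30} alphabet={alphabet_size(pw):3} "
              f"length={len(pw):3} bits={bits(pw)}")
```

The abbreviated phrase uses only letters (alphabet 52, 6 characters); adding symbols and digits raises the alphabet to 94 and the length to 12; the haystacked form adds no new character class at all, yet its extra 14 characters multiply the search space by 94**14, which is exactly the effect slide 23 relies on.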
Tools:
- http://rumkin.com/tools/password/passchk.php
- https://www.microsoft.com/security/pc-security/password-checker.aspx
- http://www.grc.com/haystack.htm
- http://howsecureismypassword.net/

Slide 25: TABLE OF CONTENTS (agenda repeated; section 5 begins)

Slide 26: PASSWORD OVERLOAD: HOW CAN ANYONE REMEMBER THEM ALL?
Many people use a few passwords for all of their major accounts. The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them.

Slide 27: PASSWORD SECURITY
If one of your accounts is hacked, it's likely that your other accounts that used the same password will quickly follow. More than 60% of people use the same password across multiple sites.

Slide 28: PASSWORD MANAGEMENT TECHNIQUES (WAYS TO STORE YOUR PASSWORDS)
- Human memory is the safest database for storing all your passwords.
- Writing passwords down on a piece of paper.
- Storing passwords on a computer in a Word document or Excel file.
- A password manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web. You should not rely totally on any type of password manager. Your single master password must be unique and complex.

Slide 29: HUMAN MEMORY
Strength: safest database for storing all your passwords.
Weakness: easy to forget.

Slide 30: WRITING PASSWORDS DOWN ON A PIECE OF PAPER
Strength: ease of access.
Weaknesses:
- You can lose the paper.
- Paper could be easily stolen or viewed by other people.

Slide 31: STORING PASSWORDS ON A COMPUTER IN A WORD DOCUMENT OR EXCEL FILE
Strength: ease of access.
Weaknesses:
- Data is not encrypted; anyone who has access to the computer that the file is saved on can easily read your passwords.
- If your computer breaks, you could permanently lose the file.

Slide 32: PASSWORD MANAGER IS SOFTWARE
A password manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web.
- You should not rely totally on any type of password manager.
- Your single master password must be unique and complex.

Slide 33: SO WHICH ONE IS THE BEST?
Password management tools are really good solutions for reducing the likelihood that passwords will be compromised, but don't rely on a single source. Why? Because any computer or system is vulnerable to attack. Relying on a password management tool creates a single point of potential failure.
But before you turn to a password-management service based in the cloud or on your PC, it's best to review the quality of the service, said Tim Armstrong, malware researcher at Kaspersky Lab. He pointed out that you've got to ensure against data leakage or insecure database practices. "Users must be extra careful in choosing a provider," Armstrong said. "Make sure they're a valid and reputable vendor."
Grant Brunner wrote a fascinating article at ExtremeTech, "Staying safe online: Using a password manager just isn't enough." In it, he wrote: "using a password manager for all of your accounts is a very sensible idea, but don't be lulled into a false sense of security. You're not immune from cracking or downtime." Broadly speaking, password managers such as LastPass are like any software: vulnerable to security breaches. For example, LastPass experienced a security breach in 2011, but users with strong master passwords were not affected.
Disadvantage: if you forget the master password, all your other passwords in the database are lost forever, and there is no way of recovering them. Don't forget that password!

Slide 34: KEEPASS
KeePass is a popular open-source, cross-platform, desktop-based password manager. It is available for Windows, Linux and Mac OS X as well as mobile operating systems like iOS and Android. It stores all your passwords in a single database (a single file) that is protected and locked with one master key. The KeePass database is mainly one single file which can be easily transferred to (or stored on) any computer. Go to the KeePass download page to get your copy.
KeePass is a local program, but you can make it cloud-based by syncing the database file using Dropbox, or another service like it. Check out Justin Pot's article, "Achieve Encrypted Cross-Platform Password Syncing With KeePass & Dropbox".
Make sure you always hit save after making a new entry to the database!

Slide 35: MOZILLA FIREFOX'S PASSWORD MANAGER

Slide 36: DO NOT PUT ALL YOUR EGGS IN ONE BASKET.
- You should never record or write your password down on a post-it note.
- Never share your password with anyone, even your colleagues.
- You have to be very careful when using your passwords on public PCs, like those in schools, universities, libraries, etc. Why? Because there's a chance these machines are infected with keyloggers (keystroke logging methods) or password-stealing trojan horses.
- Do not use any password-saving features such as Google Chrome's Auto Fill feature or Microsoft's Auto Complete feature, especially on public PCs.
- Do not fill in any form on the Web with your personal information unless you know you can trust it. Nowadays, the Internet is full of fraudulent websites, so you have to be aware of phishing attempts.
- Use a trusted and secure browser such as Mozilla Firefox. Firefox patches hundreds of security issues and makes significant improvements just to protect you from malware, phishing attempts and other security threats, and to keep you safe as you browse the Web.

Slide 37: PWNEDLIST
This free tool helps users figure out if their account credentials have been hacked. If you go to the website of the service, you will see up-to-date statistics of the number of leaked credentials, passwords and email addresses. PwnedList keeps monitoring (or crawling) the Web in order to find stolen data posted by hackers on public sites and then indexes all the login information it finds.

Slide 38: POINTS TO REMEMBER
- ALWAYS use a mix of uppercase and lowercase letters along with numbers and special characters.
- Have a different strong password for each site, account, computer, etc., and DO NOT have any personal information like your name or birth details in your password.
- DO NOT share any of your passwords or your sensitive data with anyone, even your colleagues or the helpdesk agent in your company.
- In addition, use your passwords carefully, especially on public PCs. Don't be a victim of shoulder surfing.
- The last recommendation that we strongly encourage is for you to start evaluating your passwords, building your tiered password system, alternating your ways of creating passwords, and storing them using password managers.

Slide 39: HANDS-ON PART 3: MANAGING YOUR PASSWORDS
1. Decide which method you plan to use to store each password.
2. Download and practice using KeePass.
3. Check your primary emails on PwnedList.com.

Slide 40: TABLE OF CONTENTS (agenda repeated; section 6 begins)

Slide 41: ADDITIONAL TIPS TO SECURE YOUR IDENTITY
- An open Wi-Fi connection can be easily hacked using free packet sniffer software.
- Always enable HTTPS (also called secure HTTP) settings in all online services that support it; this includes Twitter, Google, Facebook and more.
- Spoofed websites.

Slide 42
(no transcript text)

Slide 43
(no transcript text)

Slide 44: INTERNET CRIME PREVENTION TIPS FROM THE INTERNET CRIME COMPLAINT CENTER (IC3). IC3 IS A PARTNERSHIP BETWEEN THE FEDERAL BUREAU OF INVESTIGATION AND THE NATIONAL WHITE COLLAR CRIME CENTER.
Internet crime schemes that steal millions of dollars each year from victims continue to plague the Internet through various methods.
Following are preventative measures that will assist you in being informed prior to entering into transactions over the Internet:
- Auction Fraud
- Counterfeit Cashier's Check
- Credit Card Fraud
- Debt Elimination
- DHL/UPS
- Employment/Business Opportunities
- Escrow Services Fraud
- Identity Theft
- Internet Extortion
- Investment Fraud
- Lotteries
- Nigerian Letter or "419"
- Phishing/Spoofing
- Ponzi/Pyramid
- Reshipping
- Spam
- Third Party Receiver of Funds

Slide 45: ONLINE CRIME PREVENTION. IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
Auction Fraud
- Before you bid, contact the seller with any questions you have.
- Review the seller's feedback.
- Be cautious when dealing with individuals outside of your own country.
- Ensure you understand refund, return, and warranty policies.
- Determine the shipping charges before you buy.
- Be wary if the seller only accepts wire transfers or cash.
- If an escrow service is used, ensure it is legitimate.
- Consider insuring your item.
- Be cautious of unsolicited offers.
Counterfeit Cashier's Check
- Inspect the cashier's check.
- Ensure the amount of the check matches in figures and words.
- Check to see that the account number is not shiny in appearance.
- Be watchful that the drawer's signature is not traced.
- Official checks are generally perforated on at least one side.
- Inspect the check for additions, deletions, or other alterations.
- Contact the financial institution on which the check was drawn to ensure legitimacy.
- Obtain the bank's telephone number from a reliable source, not from the check itself.
- Be cautious when dealing with individuals outside of your own country.

Slide 46: ONLINE CRIME PREVENTION (CONT.)
Credit Card Fraud
- Ensure a site is secure and reputable before providing your credit card number online.
- Don't trust a site just because it claims to be secure.
- If purchasing merchandise, ensure it is from a reputable source.
- Promptly reconcile credit card statements to avoid unauthorized charges.
- Do your research to ensure the legitimacy of the individual or company.
- Beware of providing credit card information when requested through unsolicited emails.
Debt Elimination
- Know who you are doing business with; do your research.
- Obtain the name, address, and telephone number of the individual or company.
- Research the individual or company to ensure they are authentic.
- Contact the Better Business Bureau to determine the legitimacy of the company.
- Be cautious when dealing with individuals outside of your own country.
- Ensure you understand all terms and conditions of any agreement.
- Be wary of businesses that operate from P.O. boxes or maildrops.
- Ask for names of other customers of the individual or company and contact them.
- If it sounds too good to be true, it probably is.

Slide 47: ONLINE CRIME PREVENTION (CONT.)
DHL/UPS
- Beware of individuals using the DHL or UPS logo in any email communication.
- Be suspicious when payment is requested by money transfer before the goods will be delivered.
- Remember that DHL and UPS do not generally get involved in directly collecting payment from customers.
- Fees associated with DHL or UPS transactions are only for shipping costs and never for other costs associated with online transactions.
- Contact DHL or UPS to confirm the authenticity of email communications received.
Employment/Business Opportunities
- Be wary of inflated claims of product effectiveness.
- Be cautious of exaggerated claims of possible earnings or profits.
- Beware when money is required up front for instructions or products.
- Be leery when the job posting claims "no experience necessary".
- Do not give your social security number when first interacting with your prospective employer.
- Be cautious when dealing with individuals outside of your own country.
- Be wary when replying to unsolicited emails for work-at-home employment.
- Research the company to ensure they are authentic.
- Contact the Better Business Bureau to determine the legitimacy of the company.

Slide 48: ONLINE CRIME PREVENTION (CONT.)
Escrow Services Fraud
- Always type in the website address yourself rather than clicking on a link provided.
- A legitimate website will be unique and will not duplicate the work of other companies.
- Be cautious when a site requests payment to an "agent", instead of a corporate entity.
- Be leery of escrow sites that only accept wire transfers or e-currency.
- Be watchful of spelling errors, grammar problems, or inconsistent information.
- Beware of sites that have escrow fees that are unreasonably low.
Identity Theft
- Ensure websites are secure prior to submitting your credit card number.
- Do your homework to ensure the business or website is legitimate.
- Attempt to obtain a physical address, rather than a P.O. box or maildrop.
- Never throw away credit card or bank statements in usable form.
- Be aware of missed bills, which could indicate your account has been taken over.
- Be cautious of scams requiring you to provide your personal information.
- Never give your credit card number over the phone unless you make the call.
- Monitor your credit statements monthly for any fraudulent activity.
- Report unauthorized transactions to your bank or credit card company as soon as possible.
- Review a copy of your credit report at least once a year.

Slide 49: ONLINE CRIME PREVENTION (CONT.)
Internet Extortion
- Security needs to be multi-layered so that numerous obstacles will be in the way of the intruder.
- Ensure security is installed at every possible entry point.
- Identify all machines connected to the Internet and assess the defense that's engaged.
- Identify whether your servers are utilizing any ports that have been known to represent insecurities.
- Ensure you are utilizing the most up-to-date patches for your software.
Investment Fraud
- If the "opportunity" appears too good to be true, it probably is.
- Beware of promises to make fast profits.
- Do not invest in anything unless you understand the deal.
- Don't assume a company is legitimate based on the "appearance" of the website.
- Be leery when responding to investment offers received through unsolicited email.
- Be wary of investments that offer high returns at little or no risk.
- Independently verify the terms of any investment that you intend to make.
- Research the parties involved and the nature of the investment.
- Be cautious when dealing with individuals outside of your own country.
- Contact the Better Business Bureau to determine the legitimacy of the company.

Slide 50: ONLINE CRIME PREVENTION (CONT.)
Lotteries
- If the lottery winnings appear too good to be true, they probably are.
- Be cautious when dealing with individuals outside of your own country.
- Be leery if you do not remember entering a lottery or contest.
- Be cautious if you receive a telephone call stating you are the winner in a lottery.
- Beware of lotteries that charge a fee prior to delivery of your prize.
- Be wary of demands to send additional money to be eligible for future winnings.
- It is a violation of federal law to play a foreign lottery via mail or phone.
Nigerian Letter or "419"
- If the "opportunity" appears too good to be true, it probably is.
- Do not reply to emails asking for personal banking information.
- Be wary of individuals representing themselves as foreign government officials.
- Be cautious when dealing with individuals outside of your own country.
- Beware when asked to assist in placing large sums of money in overseas bank accounts.
- Do not believe the promise of large sums of money for your cooperation.
- Guard your account information carefully.
- Be cautious when additional fees are requested to further the transaction.

Slide 51: ONLINE CRIME PREVENTION (CONT.)
Phishing/Spoofing
- Be suspicious of any unsolicited email requesting personal information.
- Avoid filling out forms in email messages that ask for personal information.
- Always compare the link in the email to the link that you are actually directed to.
- Log on to the official website, instead of "linking" to it from an unsolicited email.
- Contact the actual business that supposedly sent the email to verify if the email is genuine.
Ponzi/Pyramid
- If the "opportunity" appears too good to be true, it probably is.
- Beware of promises to make fast profits.
- Exercise diligence in selecting investments.
- Be vigilant in researching with whom you choose to invest.
- Make sure you fully understand the investment prior to investing.
- Be wary when you are required to bring in subsequent investors.
- Independently verify the legitimacy of any investment.
- Beware of references given by the promoter.

Slide 52: ONLINE CRIME PREVENTION (CONT.)
Reshipping
- Be cautious if you are asked to ship packages to an "overseas home office."
- Be cautious when dealing with individuals outside of your own country.
- Be leery if the individual states that his country will not allow direct business shipments from the United States.
- Be wary if the "ship to" address is yours but the name on the package is not.
- Never provide your personal information to strangers in a chatroom.
- Don't accept packages that you didn't order. If you receive packages that you didn't order, either refuse them upon delivery or contact the company where the package is from.
Spam
- Don't open spam. Delete it unread.
- Never respond to spam, as this will confirm to the sender that it is a "live" email address.
- Have a primary and secondary email address: one for people you know and one for all other purposes.
- Avoid giving out your email address unless you know how it will be used.
- Never purchase anything advertised through an unsolicited email.
Third Party Receiver of Funds
- Do not agree to accept and wire payments for auctions that you did not post.
- Be leery if the individual states that his country makes receiving these types of funds difficult.
- Be cautious when the job posting claims "no experience necessary".
- Be cautious when dealing with individuals outside of your own country.

Slide 53: REFERENCES
- Al-Marhoon, M. (n.d.). Password Management Guide. MakeUseOf. Retrieved April 10, 2013, from http://www.makeuseof.com/pages/the-password-management-guide-fulltext
- http://www.slideshare.net/NortonOnline/2012-norton-cybercrime-report-14207489
- http://www.ic3.gov/media/annualreports.aspx