Choosing the Right Wand(or for those who like boring titles – Managing Account Passwords: Policies and Best Practices)

Harvard TownsendIT Security Officerharv@ksu.eduOctober 31, 2007Revised January 11, 2008

Whose responsibility is it?

“Security is not just the CIO’s problem; it is everyone’s problem. And everyone is responsible for the solution.”

Diane Oblinger

Brian Hawkins

EDUCAUSE

2

TJX Inc. now understands…

3

Agenda Authentication and authorization eID password

What’s the big deal? Threats to passwords Policies Why do we have to change it twice a year? Writing it down

Tips for choosing a strong password Managing multiple accounts/passwords Cautions about Windows storing

passwords 4

Authentication & Authorization

Authentication (AuthN) – verify who you are

Authorization (AuthZ)– determine what you are allowed to do

Your eID (or other username) and password provide authentication

After authN, the system or application determines what you can access (authZ)

5

Forms of Authentication 4-digit PIN Username/Password Challenge-Response Two-factor Authentication

Two different methods required to authN Something you know plus something you

have (e.g., bank card + PIN) Biometrics (e.g., thumbprint reader) Passphrase One-time passwords Digital signature

Strong

Weak

6

eID Password

What’s the big deal? HRIS self-service E-mail KATS/iSIS K-State Online Oracle Calendar K-State Single-Sign-On environment Access to licensed software, databases SGA elections University Computing Labs Student access to network in residence halls

7

Threats to Passwords

Keyloggers – a program that records every keystroke and sends it to the hacker; can be configured to watch for passwords

“Sniffing” the network – someone intercepting network traffic; wireless networks particularly vulnerable

Malware that gives the hacker full control of a computer and access to anything on it

Internet cafés – a favorite target for hackers to use keyloggers or other forms of malware

Hackers stealing passwords from a compromised server Password “cracking” - a hacker being able to guess your

password Programs to do this are readily available on the Internet Faster computers make this easier

8

Threats to Passwords

Phishing – tricking you into providing account information“Shoulder surfing” – someone looking over your shoulder as you type

Web browsers storing your password – is easy for someone else using your computer to see your password(s)

Typing your password into the wrong place on the screen

Sharing your password with a “friend” Giving your password to someone who is

helping you with a computer problem 9

eID Password Policies

Why do you have to change it? Is standard best practice It could be worse! (most standards

specify a change every 30-90 days) The longer you have the same password

the more likely someone will discover it (because of the threats just discussed)

Changing it limits the amount of time a hacker can wreak havoc in your life

http://www.k-state.edu/policies/ppm/3430.html#require

10

eID Password Policies

Do not share it… with anyone! Do not use it for non-university accounts

Such as hotmail, amazon.com, bank Is okay for departmental servers (not ideal, but

acceptable risk) Can I write it down?

“Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.”

http://www.k-state.edu/policies/ppm/3430.html#require

11

eID Password Policies

These apply to ALL K-State passwords, not just the eID

Enable the password on your screen saver

Lock your computer screen when you leave it unattended

http://www.k-state.edu/policies/ppm/3430.html#require

12

Hints for Choosing a Strong (eID) Password

7-8 characters in length Limits your choices Maximum length will increase in the future to

give you more choices and allow passphrases

General rule – hard to guess, easy to remember (strong, memorable)

Let eProfile (eid.ksu.edu) choose one for you (not ideal since is random, so you will likely write it down)

13

Hints for Choosing a Strong (eID) Password Use character/word substitutions

“2” instead of “to/too” “4” for “for” “4t” for “Fort” “L8” for “late” (r8, g8, b8, d8, etc.) “r” for “are” “u” for “you” “$” for “S” “1” (one) for “l” (el) or “i” (eye) “!” for “1”, “l”, or “i”

14

Hints for Choosing a Strong (eID) Password Capitalize letters where it makes

sense to get upper/lower case mix Take a phrase and abbreviate it:

2Bor~2b! = “To be, or not to be” Watch custom license plates for ideas

im4KSU2 (and add punctuation, like “!”)

15

Hints for Choosing a Strong (eID) Password

Use a password strength meter:http://www.securitystats.com/tools/password.phphttp://www.microsoft.com/protect/yourself/password/checker.mspx

Gotchas: Avoid space character Beware of special characters that are not on

foreign keyboards ($) What are your tips and tricks?

16

Steps to create a strong, memorable password

http://www.microsoft.com/protect/yourself/password/create.mspx

1. Think of a sentence that you can remember as the basis of your strong password or pass phrase. Use a memorable sentence, such as “My son Aiden is three years old”

2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters), do so.

17

Steps to create a strong, memorable password

3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each to create a new, nonsensical word. Using the example above, you'd get: “msaityo”

4. Add complexity Mix uppercase and lowercase letters and numbers. Swap some letters or intentionally misspell.

“My SoN Ayd3N is 3 yeeRs old”

18

Steps to create a strong, memorable password

5. Substitute some special characters Add punctuation (“!”, “;”, “()”, etc.) Use symbols that look like letters

“$” for “S”, “3” for “E”, “1” for “i”, “@” for “a” Combine words (remove spaces).

“MySoN 8N i$ 3yeeR$ old;” or “M$8ni3y0;”

6. Test your new password with Password Strength Checker and/or eProfile (eid.ksu.edu)

19

Acct/Password Categories

Ideal = different password for each acct Acceptable = different password for

each type of account1. eID and some other K-State accounts

2. Financial accounts

3. Online shopping (if stores credit card info)

4. All others

20

Managing Your Passwords

Try to remember them all? Have someone younger than you help

you remember them all? Write them all down?

OK if keep in private place, like purse/wallet Write down a hint, not actual password

Web browser? Use a tool like Password Safe?

http://passwordsafe.sourceforge.net/ 21

Don’t Let Windows Store Your eID or Banking Passwords

22

Windows Passwords Windows stores encrypted passwords in several

formats: LAN Manager (“LANMAN”) NTLMv1 NTLMv2

LANMAN is particularly insecure Stored in two 7-character pieces that can be cracked

independently Converts all characters to upper case No “salt” used so the “hash” is the same for a given

string of characters – easy to build a table of hash values for a list of possible passwords for comparison

Thus prone to brute force password attacks Once hacker cracks LANMAN, cracks NTLM by

trying all upper/lower case combinations 23

Windows Passwords

Windows 2000 and newer do not use LANMAN, but store it by default for backwards compatibility

Samba uses LANMAN – it’s holding us back… but not for long

Windows does NOT store the LANMAN form if the password > 14 characters long

Best practice – make Windows Administrator account passwords > 14 characters

Or use Windows Vista since it doesn’t store the LANMAN hash

24

Windows Passwords

Disable storing the “LANMAN hash” on Windows computers, if possible

This may break some applications (like Samba) Is done with a “group policy” object called

“NoLMHash” (note – changing this switch does not remove LM hashes already stored)

Or edit the Registry

See:http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&

25

What’s on your mind?

26