What is a Passphrase?
• ITS defines a passphrase as an easy-to-remember string of words, numbers and symbols
• A UI passphrase must be 15 characters or more
• SEE: APM 30.15 UI Password/Passphrase Policy (http://www.uihome.uidaho.edu/default.aspx?pid=97508)
Passphrase examples
• Passphrases should be long, yet memorable:
– “EveryGOODboydoesfine#”
– “Listen,Children!”
– “Mymom#isbetter.”
• Passphrases should not be common phrases or repeats like:
– “My voice is my password.”
– “Strawberry fields forever.”
– “Passwordpassword.”
Don’t Passphrases have a space?
• Passphrases are commonly used with a space
• Security vs. Usability requires balance
• UI passphrases or passwords may no longer have a space! *
• Banner users have additional restrictions on spaces and numerous special characters
What other characters can’t be used?
• Disallowed characters as of October 14* include:
o <space>
o {
o }
o \
o :
o =
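The rules on the preceding slides (15 characters or more, no spaces, none of the disallowed characters, and no common phrases or repeats) are easy to turn into a checker that can be run before a passphrase is submitted. The following is an added example written for this page; it is not ITS code, and the phrase blocklist in it is a constructed sample rather than any list ITS uses.

```python
import re

# Rules taken from the slides: minimum length 15, no spaces, and none of
# the characters listed as disallowed ({ } \ : =).
MIN_LENGTH = 15
DISALLOWED = frozenset(" {}\\:=")

# Constructed sample blocklist, stored in normalized form (lower-case, letters
# and digits only). A real deployment would load a much larger list.
COMMON_PHRASES = frozenset({
    "myvoiceismypassword",
    "strawberryfieldsforever",
})

# A block of three or more characters immediately followed by a copy of itself
# ("passwordpassword", "IdahoIdaho") is the "repeat" pattern the slides reject.
REPEATED_BLOCK = re.compile(r"(.{3,})\1")


def _normalize(text: str) -> str:
    """Lower-case and drop everything except letters and digits, so that
    'Strawberry fields forever.' and 'StrawberryFieldsForever' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_passphrase(candidate: str) -> list[str]:
    """Return the list of rule violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short ({len(candidate)} < {MIN_LENGTH})")
    bad = sorted(DISALLOWED & set(candidate))
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    norm = _normalize(candidate)
    if norm in COMMON_PHRASES:
        problems.append("common phrase")
    if REPEATED_BLOCK.search(norm):
        problems.append("repeated block")
    return problems


if __name__ == "__main__":
    for sample in ["EveryGOODboydoesfine#", "Listen,Children!", "Mymom#isbetter.",
                   "My voice is my password.", "Passwordpassword.", "IdahoIdahoGoGoG0"]:
        verdict = check_passphrase(sample)
        print(f"{sample!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The three "good" examples from the slides pass, the three "bad" ones each trip at least one rule, and the space in “My voice is my password.” is reported separately because it is now a disallowed character in its own right.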
How many users have a passphrase?
• 3,049 users have switched to passphrase
• 14,751 password changes since August
[Pie chart: Passphrase vs. Simple – Passphrase 21%]
Why a Passphrase?
• 400 instead of 90 day expiration (only when set on the ITS Support website)
• Easier to remember
• Whole words can be used
• More difficult to crack or guess
(easily available tools can crack short passwords)
Cracking vs. Guessing
• Cracking involves reversing the password hash captured off the wire or from the local disk
• Guessing, or brute-force methods, simply try many or common passwords against accounts
What is a “brute-force” attack?
• Hackers write programs to automatically attempt login to systems using common passwords
• A common ssh brute force attack will use a team of computers to perform the attack
But I don’t use ssh…
• UI accounts are exposed to the Internet on a number of fronts for the convenience of all users:
– SSH/SFTP (unix.uidaho.edu)
– https forms (mail.uidaho.edu / OWA)
• Both of these can be attacked from around the world
Do people really attack us?
• It is hard to tell the difference between user failed logins and break-in attempts
• 10,407 failures in last 7 days
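Telling a brute-force sweep apart from a user mistyping a password is hard from the raw failure count alone, but the two leave different shapes in the log: a sweep produces many failures from one source spread over many usernames (often names no one at the site holds), while a typo produces a few failures on a single account followed by a success. The script below is an added example, not an ITS tool; the sshd lines it parses are constructed samples in the standard OpenSSH auth-log format using documentation IP ranges, and the thresholds are assumptions to tune for a real site.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth-log lines; not real UI data.
SAMPLE_LOG = """\
Oct 14 03:12:01 unix sshd[4321]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Oct 14 03:12:02 unix sshd[4321]: Failed password for invalid user oracle from 198.51.100.23 port 51235 ssh2
Oct 14 03:12:03 unix sshd[4321]: Failed password for root from 198.51.100.23 port 51236 ssh2
Oct 14 03:12:04 unix sshd[4321]: Failed password for invalid user test from 198.51.100.23 port 51237 ssh2
Oct 14 03:12:05 unix sshd[4321]: Failed password for invalid user guest from 198.51.100.23 port 51238 ssh2
Oct 14 03:12:06 unix sshd[4321]: Failed password for invalid user postgres from 198.51.100.23 port 51239 ssh2
Oct 14 08:15:10 unix sshd[4400]: Failed password for jsmith from 203.0.113.7 port 40001 ssh2
Oct 14 08:15:20 unix sshd[4400]: Failed password for jsmith from 203.0.113.7 port 40002 ssh2
Oct 14 08:15:31 unix sshd[4400]: Accepted password for jsmith from 203.0.113.7 port 40003 ssh2
"""

# "invalid user" is present when the username does not exist on the host.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")


def summarize(log_text: str) -> dict:
    """Per source IP: failure count, distinct usernames tried, and whether a login later succeeded."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "succeeded": False})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            stats[m.group(2)]["succeeded"] = True
    return dict(stats)


def classify(stats: dict, min_failures: int = 5, min_users: int = 3) -> dict:
    """Assumed heuristic: many failures over many usernames looks like a sweep;
    a few failures on one account that then succeeds looks like a typo."""
    verdicts = {}
    for ip, s in stats.items():
        if s["failures"] >= min_failures and len(s["users"]) >= min_users:
            verdicts[ip] = "likely brute force"
        elif s["succeeded"] and len(s["users"]) == 1:
            verdicts[ip] = "likely user error"
        else:
            verdicts[ip] = "undetermined"
    return verdicts


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, verdict in classify(stats).items():
        print(f"{ip}: {stats[ip]['failures']} failures, "
              f"{len(stats[ip]['users'])} usernames -> {verdict}")
```

Run against a week of real auth logs, the "undetermined" bucket is where the manual review effort belongs; the other two buckets can usually be handled by rate limiting and a password-reset reminder respectively.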
Length vs. Complexity
• There are limited numbers of combinations to make up a short password
Password Examples
• 4-digit PIN is obvious:– 0000 to 9999 : 10,000 choices
• 10 * 10 * 10 * 10 = 10,000
Password complexity helps
• Basic alphabet (abcdefg…)– aaaa to zzzz ??
• 26 * 26 * 26 * 26 = 456,976
• UPPER, lower, numbers and symbols– AAAA to ++++ ???
• If only the 76 most common characters..
• 76 * 76 * 76 * 76 = 33,362,176
Password Length Helps More
• 76 ^ 4 = 33,362,176
• 76 ^ 8 = 1,113,034,787,454,976
• 76 ^ 15 = 163,006,110,274,334,700,000,000,000,000
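The arithmetic on the last three slides is just alphabet size raised to the length, but it is worth carrying one step further: the same numbers expressed as bits, the time an attacker would need at a fixed guess rate, and a comparison that the slides only imply, namely that a long passphrase from a small alphabet beats a short password from a large one. This is an added example written for this page, not material from the slides; the guess rate is a constructed assumption, not a measured figure, and the script computes 76^15 exactly rather than in rounded form.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400

# Constructed assumption: an offline cracker testing 10^10 hashes per second.
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity on a log scale: bits needed to index every string in the keyspace."""
    return length * math.log2(alphabet_size)


def worst_case_years(alphabet_size: int, length: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every string in the keyspace at a fixed guess rate (expected time is half this)."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def length_for_equivalent_strength(alphabet_size: int, target_bits: float) -> int:
    """Shortest length from `alphabet_size` symbols that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


# The cases from the slides plus one the slides do not show: 15 lowercase letters only.
CASES = [
    ("4-digit PIN", 10, 4),
    ("4 lowercase letters", 26, 4),
    ("4 chars from 76 symbols", 76, 4),
    ("8 chars from 76 symbols", 76, 8),
    ("15 chars from 76 symbols", 76, 15),
    ("15 lowercase letters only", 26, 15),
]


def main() -> None:
    print(f"{'case':28} {'keyspace':>32} {'bits':>6} {'years (worst case)':>20}")
    for label, alphabet, length in CASES:
        print(f"{label:28} {keyspace(alphabet, length):>32,} "
              f"{entropy_bits(alphabet, length):>6.1f} "
              f"{worst_case_years(alphabet, length):>20.3g}")
    bits8 = entropy_bits(76, 8)
    print(f"\nLowercase-only length matching an 8-char/76-symbol password: "
          f"{length_for_equivalent_strength(26, bits8)} characters")


if __name__ == "__main__":
    main()
```

The last line of the table is the point of the "Length helps more" slide in numbers: 15 lowercase letters give roughly 70 bits, well above the roughly 50 bits of 8 characters drawn from the full 76-symbol set, and 11 lowercase letters already match the 8-character complex password.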
Functional Account Passphrases
• Accounts shared and used by applications and processes “Behind the Scenes”
• Must have a passphrase of 30 characters or longer, up to the maximum the system allows
Password Safety Still Applies!
• Passphrase shall not be written down or stored in your office
• Passphrase shall not be stored within an application’s “Remember Password” function
• UI password or passphrase shall not be the same as any non-UI accounts
Password Safety
• Passphrase shall not be shared with anyone – must be kept confidential
• ITS will never ask for your password!
• Any time you can “see” your password, sound the alarm!
How DO I store a Passphrase?
• Passwords can only be stored with adequate encryption, for example, programs like:
– Keepass (http://keepass.info)
– eWallet (http://www.iliumsoft.com/site/ew/ewallet.php)
– Apple Keychain (Applications / Utilities / Keychain)
How do I generate a Passphrase?
• Many password tools like Keepass also have generators for long passwords
• Apple Keychain also has a passphrase generator
How do I generate a Passphrase?
• Poems and song lyrics are popular
• Make sure to alter them to be unique
• “IdahoIdahoGoGoG0” is too simple
Thank You
Questions?