Passwords and Password PoliciesAn Important Part of IT Control – by Craig Piercy
Why Passwords?
Primary means for many systems for implementing authentication and authorization.
Authentication – verifying that you are who you say you are.
Authorization – allowing access to the parts of the system that you need and only those parts.
Could this be you?
Or This?
How well do you follow good Password procedures? Do you use a name for your password? Do you use a real, “dictionary” word? Do you use the same password for all or most
of your accounts? Is you password short (< 6 digits)? Do you still use the default or provided
password? Do you keep your password forever? Is you password “password,” “default”, “123”?If you answered “yes” to any of the above, then
you are failing an important part of good use of passwords.
Why do you do these things?
“weak” password – a password that is fairly easy to guess or “crack.”
“strong” password – a password that is difficult to guess or “crack.”
For most, there is a trade-off between having “strong” passwords and being able to remember them.
Passwords as Business Control “Just saw that UGA has now implemented
strong password requirement controls. The password policy found on MyID.uga.edu is a good example of a policy which contains controls that have been implemented and are required to be followed. The verbiage and layout are similar to what I have seen at the clients I audit” – Jason Lannen, KPMG
UGA’s Password Policy Why do you think it is important that
organizations require their associates to follow good password policies?
Characteristics of “strong” passwords DO NOT use a real word or name Long rather than short --- >=8 characters Use a mix of characters – text characters –
upper and lower case, numeric digits, punctuation
Use different passwords on different accounts
Change your password regularly. DO NOT write your passwords down.
(see TIES box on page 209 – Chapter 7)
A two step Method for Making Strong Passwords that you can remember. 1. Come up with a “key” that you can
remember easily.2. Come up with as set of simple rules
for converting your key into a password
Example - Key
1. Choose a key – my preference is a line of text – favorite song titles are good, could be a proverb, famous quotation, line from a poem, etc.
Example – “The leaves have fallen all around…”
Key – Rule 1
2. Make up some rules2.1 - Take initials of key phrase.
The leaves have fallen all around tlhfaa
Key – Rule 2
2. Make up some rules2.2 – Starting with second character
every other one upper case.
tlhfaa tLhFaA
Key – Rule 3
2. Make up some rules2.3 – Add one or more special
characters in-between the letters.
tLhFaA t$L$h$F$a$A
Notes: These are my rules. Make up your own! Make as many rules in your algorithm
that you can remember – rule of thumb 3 to 5 is probably good enough.
Make sure that your key is long enough to generate a long enough password.
Even though you have a stronger password, you still need to be aware of how you use it and when it might be compromised. What should you do if you think that your
password has been compromised?
What about multiple accounts?Some come up with a code for each account
and then concatenate onto their password. Example:
Account Account Code
Password
My laptop plap t$L$h$F$a$A_plap
UGA account Uga t$L$h$F$a$A_uga
Gmail account Gm t$L$h$F$a$A_gm
What about changing regularly?Change the key and apply the rules.Example: New key: “… Time I was on my way.” Apply rules:
1. Take initials of key phrase.2. Starting with second character every other one
upper case.3. Add one or more special characters in-between the
letters.
What’s the new password for the uga account?
t$I$w$O$m$W_uga
Discussion
Are there any problems in my algorithm?
How could I improve it? Incidentally, I did a slightly dangerous
thing in choosing the second key: 1st key – 1st line of Ramble On by Led
Zeppelin 2nd key – 2nd line of Ramble On by Led
Zeppelin What would be a safer way of choosing
second key?
How about PIN numbers?
Can’t make them as strong. Why? Should we try to keep our PIN numbers
strong? What characteristics should a strong
PIN number have?
A PIN number example:1. Pick a key: 1492 (Columbus sailed the ocean blue)2. Rules:
1. Choose last for digits of credit card2. For cards: Add key to last for digits of card for PIN. For other
accounts find a “look-up-able” related number and add to key.
Account Last 4 or related PIN
MasterCard
3004 4496
AMEX 1206 2698
OASIS 3452 (last four of student ID)
4944
Discussion
What’s good about the example PIN number algorithm?
What’s bad about it? How would you improve it?
Call to Action
1. Come up with your key and password algorithm.
2. Use it to come up with your new UGA MyID.
3. Use it to adjust your other passwords.4. Start changing your password
frequently. About once every 3 months (policies may vary)