Password Management by Rick Chin May 14, 2015


Topics

• Password Problems

• Password Security

• Password Strategies

• Password Managers

Password Problems

• Too Simple

• Passwords are Reused

• Too Many Passwords/Sites to Maintain

• Too Complicated

• Sometimes Passwords Expire and Must Be Changed

Password Threats

• You (are too trusting and don’t believe it will happen to you)

• Easier to Guess than Expected

• Brute Force

• Hacking / Keyboard Loggers / Sniffing / Nosy People

• Social Engineering

• Use Familiar “Tricks”

• Transformations and substitutions (f00tb@ll or sdrawkcab)

• Keyboard patterns (qwertyasdf)

• Padding (Montana12&*-&*-&*-)

Password Security

• Passwords need to be mathematically complex

• Passwords are more guessable than you think

• “Complex” is not the same as “Complicated”

• Passwords need to be memorable

Complexity Components

• Length

• Character Set (letters, numbers, symbols)

• Randomness (absence of a discernible pattern)

• Ladnomics (not a word but follows a pattern)

• 8vgz2N'A (no discernible pattern): 8 visa golf zip 2 NUT ' APPLE

Password Length Flaws

• possibilities - 13 characters long

• Readable

• Dictionary word

• Not complex

• iYb48zJ# - 8 characters long

• Short but complex

• Not memorable

Character Set Flaws

• P@ssw0rd

• Multiple character sets

• Easily broken by a computer

Complexity: human vs. computer

Can You Crack This? (Test 1)

Password: SjdlDijo <— what’s my pattern?

Can You Crack This? (Answer 1)

• RickChin - shift one character in the alphabet

• A computer will crack this in under 1 second

Can You Crack This? (Test 2)

Password: SkfoHnpw <— what’s my pattern?

Can You Crack This? (Answer 2)

• RickChin - shift 1x(character position) characters in the alphabet, character by character

• R =1, shift one to S

• i = 2, shift two to k

• c = 3, shift 3 to f

• etc.

• A computer will crack this quickly
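The familiar “tricks” listed under Password Threats (substitutions, reversal, keyboard patterns, padding) and the shifted-alphabet puzzles in the two tests above are exactly the transformations a cracking tool undoes before a dictionary lookup. This added example, which is not part of the original slides, is a small checker that flags those tricks; its wordlist, keyboard rows and substitution table are constructed stand-ins for the far larger lists a real tool carries.

```python
import string
# Constructed stand-in for a cracking wordlist (a real tool uses millions of entries).
WORDLIST = {"password", "football", "backwards", "montana", "possibilities", "rickchin"}
LEET = str.maketrans("@043!$1", "aoaeisl")          # f00tb@ll -> football, P@ssw0rd -> Password
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
TRAILING_JUNK = string.digits + string.punctuation   # Montana12 -> Montana

def unshift(s, k):
    """Undo a Caesar shift of k letters, keeping case (SjdlDijo, k=1 -> RickChin)."""
    def back(ch):
        base = ord("A") if ch.isupper() else ord("a")
        return chr((ord(ch) - base - k) % 26 + base) if ch.isalpha() else ch
    return "".join(back(ch) for ch in s)

def strip_padding(s):
    """Remove a trailing unit repeated two or more times (Montana12&*-&*-&*- -> Montana12)."""
    for n in range(1, len(s) // 2 + 1):
        core = s
        while core.endswith(s[-n:]):
            core = core[:-n]
        if len(core) <= len(s) - 2 * n:
            return core
    return s

def is_keyboard_walk(s, min_run=3):
    """True if s consists only of runs of neighbouring keys on one row (qwertyasdf)."""
    s, i = s.lower(), 0
    while i < len(s):
        best = max((j - i for row in KEYBOARD_ROWS for j in range(i + min_run, len(s) + 1)
                    if s[i:j] in row), default=0)
        if best == 0:
            return False
        i += best
    return i > 0

# Each trick is a transformation a cracker undoes before looking the result up.
TRICKS = [("dictionary word", lambda s: s), ("reversed", lambda s: s[::-1]),
          ("leet substitution", lambda s: s.translate(LEET)), ("padding", strip_padding)]
TRICKS += [(f"alphabet shift {k}", lambda s, k=k: unshift(s, k)) for k in range(1, 26)]

def weaknesses(pw):
    """Return the familiar tricks detected in pw; an empty list means none of them applies."""
    found = []
    for label, undo in TRICKS:
        undone = undo(pw)
        if (undone != pw or label == "dictionary word") and (
                undone.rstrip(TRAILING_JUNK).lower() in WORDLIST):
            found.append(label)
    if is_keyboard_walk(pw):
        found.append("keyboard pattern")
    return found
```

Run `weaknesses` over the deck's own samples: the patterned ones (f00tb@ll, sdrawkcab, P@ssw0rd, SjdlDijo, the padded Montana) are all flagged, while 8vgz2N'A and iYb48zJ# come back clean.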

Why Your Passwords Need Help

• A computer will crack over 2 billion password combinations in less than 1 second

• If a human could crack 1 password combination per second continuously (but we can’t), it would take 3.8 years to crack 2 billion

Password Cracking

• There are many free and commercially available password crackers and recovery tools

• Rainbow tables and more

• Databases of pre-cracked (i.e., no computational delay) lists of password combinations

Ways People Keep Their Passwords

• Post It Notes

• Taped to the bottom of their keyboard

• Text, Word, or Excel file on their desktop (password protected or not)

• No place, I use (one, two, three) main passwords and rotate between them

What Happens When a Password is Compromised

• Passwords are often entered into a program/database that tries to access every major bank, credit card company, payment system, retail stores, email systems, and more at blistering speed

• They will cross-match with public information records for addresses and other information to answer security questions

• Information gathered from one system (like email addresses or mother’s maiden name) will be used in attacks on other systems

• For this reason, reusing passwords is one of the most dangerous things you can do

Password Strategy

• There are a few key passwords you must know

• Generally these are passwords you might need often or in an emergency to get access to everything else. Common examples:

• Master password for a password manager

• Computer login password

• Your Apple ID password

• Dropbox or cloud storage password

• Create strong but memorable passwords for these

• Practice and memorize them

• Use a Password Manager for everything else

Password Managers

• A software vault that stores your passwords encrypted

• Has a master password that grants access to all the other passwords

• Can generate and store random complex passwords that you can use instead of less complex passwords

• Syncs your passwords and makes them available on the devices you use, wherever you are, even without Internet access

Suggested Features

• Works in a browser, preferably also on your phone and tablet

• Autofills most places (occasionally you’ll need to copy and paste)

• Syncs via Dropbox, iCloud, or their own cloud service

• Preferably syncs automatically, not just when you manually initiate a sync

• Allows you to share certain logins securely with other people (like family members)

Example Password Managers

• 1Password - www.agilebits.com

• LastPass - www.lastpass.com

• Dashlane - www.dashlane.com

• Roboform - www.roboform.com

• iCloud Keychain - availability began in OS X 10.9 and iOS 7