Password Security Everything (well… a lot, anyway) you didn’t know, or want to, but really actually need to.

Upload: randolf-houston

Post on 13-Jan-2016


TRANSCRIPT

Page 1: Password Security Everything (well… a lot, anyway) you didn’t know, or want to, but really actually need to

Password Security

Everything (well… a lot, anyway) you didn’t know, or want to, but really actually need to.

Page 2:

Quote of the Day:

• “Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.”

• Clifford Stoll - astronomer, author, and the first to utilize “digital forensics” successfully

Page 3:

IN A WORLD…

• Where you don’t have any access to your online life, how would you cope? What would you miss the most?

Page 4:

Recent Major Security Breaches

• Lulz Security hacks Sony Pictures website

– Releases 50,00 users’ information

• Rogue members of hacker-collective Anonymous hack PlayStation Network and Qriocity

– All user information made available

• LulzSec strikes Sony again with an exploit of the PSN password reset solution URL

– Prevents owner of account from fixing prior hack

Page 5:

So… What can I do to make sure my information is safe?

• In the case of the URL exploit and sonypictures.com hacks, very little

– These were simple errors made by Sony techs; a (technologically speaking) basic error was made in each case.

Page 6:

• Anything involving the internet is inherently more risky than anything not leaving your computer.

• Passwords are the front line of defense.

• Most people’s passwords are not strong enough to withstand a brute-force database attack; today we are going to look at how best to strengthen our passwords.

Page 7:

CONCERN: It’s too easy to hack a password

This is true… but only IF the password is weak.

Page 8:

FOR EXAMPLE:

• CHS defaults to using “panthers” as the password for any accounts made by the school.

• If this is left unchanged for too long the security of the account would be compromised.

• This password only contains lowercase letters; introducing a variety of characters, such as “Panthers,” or, even better, “PaNtHeRs,” increases the password strength considerably.

Page 9:

QUESTION: Does it matter if 2+ people use the same password?

• Only if that same password is overly simple or obvious.

• For the Pokemon Tower Defense game, 2000 accounts share the password of “pokemon.” Though trivial in this case, matching application and password is an awful habit to develop.

• If 2+ people shared “ILikeCheezBurgurz” as the password for their bank accounts, the odds of this being an issue are significantly lower (though this is still not the best password one could use… more on that shortly).

Page 10:

QUESTION: How secure are passwords, really?

• In terms of their strength: as secure as you make them.

• In terms of their safety: as secure as the site’s database security, and as secure as you physically make them.

Page 11:

QUESTION: Are there ways to get into my accounts without my password?

• If the database storing your information is compromised then yes, it is possible.

• These attacks are less frequent than brute-force attempts for a single user’s password, and more far-reaching: many people will be affected at the same time as you are.

Page 12:

Is it possible for passwords to be stolen if your computer is infected with a virus or does not have a firewall?

• ABSOLUTELY

• Viruses can check your browser’s saved passwords, log keystrokes, or send your data to places other than where you think you are sending them.

• Firewalls prevent people from accessing your computer remotely, and using encrypted internet access prevents data sniffing to discover your information.

Page 13:

To protect your information:

• Use a STRONG password

• Keep your password safe

• Be smart when using the internet

Page 14:

The accounts I have behind passwords are unimportant; why should I care?

• These accounts are tied to your email, which you will probably use for a very long time to come.

• Many people reuse passwords across sites; a breach in one site could then lead to total loss of security across all sites.

Page 15:

Password importance, cont’d

• Those passwords could be, or could at least lead a hacker to, the password for your bank account later in life.

• Preparing now with good habits and solid defenses will help prevent crippling identity theft and related troubles later in life, when your life and livelihood are shielded by a password.

Page 16:

What constitutes a strong password?

• Paradoxically, the strongest password you can have is the one you cannot remember.

• Software solutions exist to this end; anything else is probably not feasible as it would be inherently less secure (e.g. writing your password down on a piece of paper and putting it next to your computer).

Page 17:

Software solution?

• Lastpass.com lets you register an account and, behind a super-strong password you create, hides your other passwords for access to any sites you use.

• Includes a password generator that produces very strong passwords you do not have to remember.

• One password to remember, accessible from anywhere.

Page 18:

How do I create a strong password?

• Utilize different characters

– i.e. symbols, numbers and upper/lower case letters

• Avoid standard patterns

– Most passwords using capital letters have them as the first character and last; mix this up and capitalize other letters instead

Page 19:

Strong Password Creation, cont’d

• Use multiple “phrases” instead of a single idea password

– Instead of “iLoveMyDog2002” (perhaps 2002 is the year you got your dog?) use “1994ILoveMyDog2002” (1994 possibly being the year of your birth)

– This maintains the “memorality” of the password for yourself while making it more difficult to brute-force guess the code, as it does not follow a single logical progression

Page 20:

How long should my password be?

• According to recent studies performed at the Georgia Tech Research Institute, due to modern hardware power, specifically within the GPU, any password with fewer than 12 characters is far too weak, and should be changed as soon as possible.
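The character-variety, capital-placement and 12-character advice from the preceding slides can be checked with a brute-force estimate. This is an added example, not part of the original presentation: the function names and the guess rate `GUESSES_PER_SECOND` are assumptions, and the sample passwords are the ones used on the slides.

```python
import math
import string

MIN_LENGTH = 12              # threshold quoted on the slide (Georgia Tech Research Institute)
GUESSES_PER_SECOND = 1e10    # assumed attacker rate, not a figure from the slides

# Character classes a brute-force search has to cover (printable ASCII only).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Size of the smallest alphabet an exhaustive search must cover."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return size or 1  # characters outside the four classes are not counted


def predictable_caps(password):
    """True when every capital letter sits in the first or last position."""
    caps = [i for i, ch in enumerate(password) if ch.isupper()]
    return bool(caps) and all(i in (0, len(password) - 1) for i in caps)


def review(password):
    """Brute-force estimate: an upper bound that treats each character as random.

    Real passwords built from words are weaker than this figure suggests.
    """
    keyspace = alphabet_size(password) ** len(password)
    return {
        "length": len(password),
        "keyspace": keyspace,
        "bits": round(math.log2(keyspace), 1),
        "seconds_to_exhaust": keyspace / GUESSES_PER_SECOND,
        "too_short": len(password) < MIN_LENGTH,
        "predictable_caps": predictable_caps(password),
    }


if __name__ == "__main__":
    # Sample passwords taken from the slides.
    for pw in ("panthers", "Panthers", "PaNtHeRs",
               "iLoveMyDog2002", "1994ILoveMyDog2002"):
        r = review(pw)
        print(f"{pw:20} len={r['length']:2} bits={r['bits']:6} "
              f"exhaust={r['seconds_to_exhaust']:.3g}s "
              f"too_short={r['too_short']} caps_pattern={r['predictable_caps']}")
```

Mixing case in an 8-character password multiplies the search space by 256, yet it still falls below the 12-character threshold; adding length moves the estimate far more than adding one character class.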

Page 21:

Exit Activity

• Using what has been discussed in this PowerPoint, on your own (for security’s sake!) come up with a memorable but strong password. If possible, avoid writing it down.