
Password Management: Creating and managing passwords to be as secure as possible


Presentation Transcript


  1. Password Management: Creating and managing passwords to be as secure as possible

  2. Table of contents
  • The scale of consumer cyber crime
  • What is a password and facts about password security and its importance
  • Tiered password system - review and categorize your existing passwords
  • Writing secure passwords
  • Characteristics of strong and weak passwords
  • Tips and techniques
  • Testing the strength of a password
  • Password management techniques
  • Additional tips to secure your identity


  4. What’s a Password? • A password is a string of characters that gives you access to a computer or an online account.

  5. Common Threats against your password
  • Password cracking is the process of breaking passwords in order to gain unauthorized access to a computer or account.
  • Social Engineering/Phishing: deceiving users into revealing their username and password (easier than technical hacking), usually by pretending to be an IT help desk agent or a legitimate organization such as a bank. DO NOT EVER SHARE YOUR PASSWORDS, sensitive data, or confidential banking details on sites accessed through links in emails.
  • Guessing: gaining access to an account by attempting to authenticate using computers, dictionaries, or large word lists.
    • Brute force – tries every possible combination of characters to retrieve a password
    • Dictionary attack – tries every word in a dictionary of common words to identify the password


  7. How many passwords do you have? • Personal emails • Banking and business services • Social media & news • Work-related accounts

  8. Don’t forget your computer and phone logins!

  9. Tiered password systems
  Tiered password systems involve having different levels of passwords for different types of websites, where the complexity of the password depends on what the consequences would be if that password is compromised/obtained.
  • Low security: for signing up for a forum, newsletter, or downloading a trial version of a program.
  • Medium security: for social networking sites, webmail and instant messaging services.
  • High security: for anything where your personal finances are involved, such as banking and credit card accounts. If these are compromised it could drastically and adversely affect your life. This may also include your computer login credentials.
  Keep in mind that this categorization should be based on how critical each type of website is to you. What goes in which category will vary from person to person.

  10. HANDS-ON PART 1: Review and categorize your passwords
  • Categorize your passwords into 3 categories: high, medium, or low. Categorization should be based on how critical each type of website is to you. Take 5 minutes to categorize some of your online accounts.
  • Your high security passwords are the most important. Keep in mind:
    • You should change any password that is weak.
    • If you have used any of your passwords on more than 1 site, you should change it.


  12. Common mistakes in creating passwords

  13. Risk Evaluation of common mistakes

  14. What Makes A Password Safe? • Strong passwords: • are a minimum of 8 characters in length; 12 characters or more is highly recommended • contain special characters such as @#$%^& and/or numbers • use a mix of upper and lower case letters.

  15. What Makes A Password Safe? (cont.) • It must not contain easily guessed information such as your birth date, phone number, spouse’s name, pet’s name, kid’s name, login name, etc. • It shouldn’t contain words found in the dictionary.

  16. How to make a strong password • “Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” ~ Clifford Stoll • The stronger your password, the more protected your account or computer is from being compromised or hacked. You should make sure you have a unique and strong password for each of your accounts.

  17. Mozilla’s Safe Password Methodology
  • Pick a familiar phrase or quote, for example “May the force be with you”, and abbreviate it by taking the first letter of each word, so it becomes “mtfbwy”.
  • Add some special characters on either side of the word to make it extra strong (like #mtfbwy!).
  • Then associate it with the website by adding a few characters from the website name to the original password as either a suffix or prefix. So the new password for Amazon could become #mtfbwy!AmZ, #mtfbwy!FbK for Facebook, and so on.
  *While this technique lets us reuse the phrase-generated part of the password on a number of different websites, it would still be a bad idea to use it on a site like a bank account which holds high-value information. Sites like that deserve their own password selection phrase.

  18. Using a passphrase to write a secure password
  While generating a password you should follow two rules: length and complexity. Let’s start with the following sentence: “May the force be with you”, and turn this phrase into a password.
  • Take the first letter from each word: Mtfbwy.
  • Now increase its strength by adding symbols and numbers: !20Mtfbwy13!
    • The 20 and 13 refer to the year, 2013.
    • Secondly, I put a “!” symbol on each end of the password.
  • Try using the name of your online account in the password:
    • !20Mtfbwy13!Gmail (for Gmail)
    • fb!20Mtfbwy13! (for Facebook)
  • That’s one password development strategy. Let’s keep adding complexity, while also keeping things possible to memorize.
  *Note: the starting phrase you actually use should not be a common phrase.

  19. Haystacking Your Password: A simple and powerful way of securing your password
  • Password Haystack is a methodology of making your password extremely difficult to brute force by padding the password with a pattern like (//////) before and/or after your password. Here’s how it works:
    • Come up with a password, making it a mix of uppercase and lowercase letters, numbers and symbols.
    • Come up with a pattern/scheme you can remember, such as the first letter of each word from an excerpt of your favorite song, or a set of symbols like (…../////).
    • Use this pattern and repeat it several times (padding your password).
  • Let’s have an example of this: Password: !20Mtfbwy13! By applying this approach, the password becomes a Haystacked Password: …../////!20Mtfbwy13!…../////

  20. HANDS-ON PART 2: Testing your Passwords
  Use these tools to test the strength of a password. As a precaution, you probably shouldn’t use these services to test your actual password. Instead, simply use them to learn what works and what doesn’t work. Just play with the strength checkers by constructing fake passwords and testing them.
  • http://rumkin.com/tools/password/passchk.php
  • https://www.microsoft.com/security/pc-security/password-checker.aspx
  • http://www.grc.com/haystack.htm
  • http://howsecureismypassword.net/
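The checks from slides 14 to 19 (length, character mix, no dictionary words or personal details) and the haystack search-space measure, as an added worked example that is not part of the original deck. The short word list is a constructed stand-in for a real dictionary, and the 33-symbol alphabet is an assumption (ASCII punctuation plus space).

```python
import math
import string

# Constructed stand-in for a dictionary of common words; a real checker would
# load a full word list (this short set is an assumption for the example).
COMMON_WORDS = {"password", "force", "welcome", "letmein", "monkey", "dragon"}

# Alphabet size contributed by each character class (33 = punctuation + space).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(pw):
    """Return the set of character classes the password draws from."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def brute_force_space_bits(pw):
    """log2 of the search space an attacker who knows only the length and the
    character classes must exhaust.  This is the 'haystack' measure: padding
    grows it, but it overstates strength if the attacker knows the pad pattern."""
    alphabet = sum(CLASS_SIZE[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)


def dictionary_words(pw):
    """Common words contained anywhere in the password, case-insensitively."""
    lowered = pw.lower()
    return sorted(w for w in COMMON_WORDS if w in lowered)


def evaluate(pw, personal_info=()):
    """Apply the deck's rules: length, mixed case, digits/symbols,
    no dictionary words and no personal information."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 12:
        problems.append("shorter than the recommended 12 characters")
    classes = char_classes(pw)
    if not {"upper", "lower"} <= classes:
        problems.append("no mix of upper and lower case letters")
    if not {"digit", "symbol"} & classes:
        problems.append("no digits or special characters")
    for w in dictionary_words(pw):
        problems.append(f"contains dictionary word {w!r}")
    for info in personal_info:
        if info and info.lower() in pw.lower():
            problems.append(f"contains personal information {info!r}")
    return {"bits": round(brute_force_space_bits(pw), 1),
            "problems": problems, "strong": not problems}


def haystack(pw, pad="....." + "/////"):
    """Pad the password on both sides with a memorable pattern (slide 19)."""
    return pad + pw + pad


if __name__ == "__main__":
    # The deck's own candidates, from "mtfbwy" up to the haystacked version.
    for candidate in ["mtfbwy", "#mtfbwy!", "!20Mtfbwy13!", haystack("!20Mtfbwy13!")]:
        print(candidate, evaluate(candidate))
```

Running it shows the jump from about 28 bits for "mtfbwy" to about 79 bits for "!20Mtfbwy13!", and why a padded password only looks like 210 bits to an attacker who does not know the pad.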


  22. Password Overload: How Can Anyone Remember Them All? • Many people use a few passwords for all of their major accounts. • The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them.

  23. Password Security • More than 60% of people use the same password across multiple sites • If one of your accounts is hacked, it’s likely that your other accounts that used the same password will quickly follow.

  24. Password management Techniques (ways to store your passwords)
  • Human memory is the safest database for storing all your passwords
  • Writing passwords down on a piece of paper
  • Storing passwords on a computer in a Word document or Excel file
  • Password Manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web.
    • You should not rely totally on any type of password manager
    • Your single master password must be unique and complex

  25. Human memory • Strength: safest database for storing all your passwords • Weakness: Easy to forget

  26. Writing passwords down on a piece of paper • Strength: ease of access • Weaknesses: • You can lose the paper • Paper could be easily stolen or viewed by other people

  27. Storing passwords on a computer in a Word document or Excel file • Strength: ease of access • Weaknesses: • Data is not encrypted, so anyone who has access to the computer that the file is saved on can easily read your passwords • If your computer breaks, you could permanently lose the file

  28. Password Manager software
  • Password Manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web.
  • You should not rely totally on any type of password manager
  • Your single master password must be unique and complex

  29. So which one is the best?
  • Password management tools are really good solutions for reducing the likelihood that passwords will be compromised, but don’t rely on a single source. Why? Because any computer or system is vulnerable to attack. Relying on a password management tool creates a single point of potential failure.
  • But before you turn to a password-management service based in the cloud or on your PC, it's best to review the quality of the service, said Tim Armstrong, malware researcher at Kaspersky Lab. He pointed out that you've got to ensure against data leakage or insecure database practices. "Users must be extra careful in choosing a provider," Armstrong said. "Make sure they're a valid and reputable vendor."
  • Grant Brunner wrote a fascinating article at ExtremeTech about Staying safe online: Using a password manager just isn’t enough. In it, he wrote, “using a password manager for all of your accounts is a very sensible idea, but don’t be lulled into a false sense of security. You’re not immune from cracking or downtime.” Broadly speaking, password managers such as LastPass are like any software: vulnerable to security breaches. For example, LastPass experienced a security breach in 2011, but users with strong master passwords were not affected.
  • Disadvantage: If you forget the master password, all your other passwords in the database are lost forever, and there is no way of recovering them. Don’t forget that password!
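Why a leaked database is only as safe as its master password, as an added teaching example that is not the deck's, KeePass's or LastPass's code: the master password is stretched with PBKDF2 into keys for an encrypt-then-MAC store, so a wrong master password (or an edited file) is rejected without revealing anything, and every guess costs the full iteration count. The HMAC counter-mode stream cipher is a teaching construction; real managers use vetted AEAD ciphers, and the sample entries are constructed.

```python
import hashlib
import hmac
import json
import os

# PBKDF2 work factor: every guess at the master password costs this many
# HMAC-SHA256 rounds, which is what slows an offline attack on a leaked file.
ITERATIONS = 600_000


def derive_keys(master, salt, iterations):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a stream cipher (teaching construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def lock_database(master, entries, iterations=ITERATIONS):
    """Encrypt-then-MAC the entries; the result can be stored or synced anywhere."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt, iterations)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def unlock_database(master, db):
    """Return the entries, or None if the master password is wrong or the file was altered."""
    enc_key, mac_key = derive_keys(master, db["salt"], db["iterations"])
    expected = hmac.new(mac_key, db["salt"] + db["nonce"] + db["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, db["tag"]):
        return None  # a wrong master password reveals nothing about the contents
    ks = keystream(enc_key, db["nonce"], len(db["ciphertext"]))
    return json.loads(bytes(c ^ k for c, k in zip(db["ciphertext"], ks)))


def tamper(db):
    """Flip one bit of the ciphertext, as a corrupted or maliciously edited file would."""
    altered = dict(db)
    body = bytearray(db["ciphertext"])
    body[0] ^= 0x01
    altered["ciphertext"] = bytes(body)
    return altered


if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    vault = lock_database("correct horse battery staple", {"bank": "!20Mtfbwy13!Bank"})
    print(unlock_database("correct horse battery staple", vault))          # the entries
    print(unlock_database("password123", vault))                           # None
    print(unlock_database("correct horse battery staple", tamper(vault)))  # None
```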

  30. KEEPASS
  • KeePass is a popular open-source, cross-platform, desktop-based password manager. It is available for Windows, Linux and Mac OS X as well as mobile operating systems like iOS and Android. It stores all your passwords in a single database (or a single file) that is protected and locked with one master key. The KeePass database is mainly one single file which can be easily transferred to (or stored on) any computer. Go to the download page to get your copy.
  • KeePass is a local program, but you can make it cloud-based by syncing the database file using Dropbox, or another service like it. Check out Justin Pot’s article, Achieve Encrypted Cross-Platform Password Syncing With KeePass & Dropbox.
  • Make sure you always hit save after making a new entry to the database!

  31. Mozilla Firefox’s Password Manager

  32. DO NOT PUT ALL YOUR EGGS IN ONE BASKET.
  • You should never record or write your password down on a post-it note.
  • Never share your password with anyone, even your colleagues.
  • You have to be very careful when using your passwords on public PCs such as those in schools, universities and libraries, etc. Why? Because there’s a chance these machines are infected with keyloggers (or other keystroke logging methods) or password-stealing trojan horses.
  • Do not use any password-saving features such as Google Chrome’s Auto Fill feature or Microsoft’s Auto Complete feature, especially on public PCs.
  • Do not fill in any form on the Web with your personal information unless you know you can trust it. Nowadays, the Internet is full of fraudulent websites, so you have to be aware of phishing attempts.
  • Use a trusted and secure browser such as Mozilla Firefox. Firefox ships hundreds of security patches and makes significant improvements just to protect you from malware, phishing attempts and other security threats, and to keep you safe as you browse the Web.

  33. PwnedList • This free tool helps users figure out if their account credentials have been hacked. If you go to the website of the service, you will see up-to-date statistics of the number of leaked credentials, passwords and email addresses. • PwnedList keeps monitoring (or crawling) the Web in order to find stolen data posted by hackers on the public sites and then indexes all the login information it finds.

  34. Points to Remember
  • ALWAYS use a mix of uppercase and lowercase letters along with numbers and special characters.
  • Have a different strong password for each site, account, computer etc., and DO NOT have any personal information like your name or birth details in your password.
  • DO NOT share any of your passwords or your sensitive data with anyone – even your colleagues or the helpdesk agent in your company. In addition, use your passwords carefully, especially on public PCs. Don’t be a victim of shoulder surfing.
  • Our last, strongly encouraged recommendation is to start evaluating your passwords, building your tiered password system, varying your ways of creating passwords, and storing them using password managers.

  35. HANDS-ON PART 3: Managing your Passwords • Decide which method you plan to use to store each password. • Download and practice using KeePass • Check your primary emails on PwnedList.com/


  37. Additional Tips to secure your identity • Open Wi-Fi connections can be easily eavesdropped on using free packet sniffer software • Always enable “HTTPS” (also called secure HTTP) settings in all online services that support it – this includes Twitter, Google, Facebook and more. • Spoofed Website

  38. Internet Crime Prevention Tips from the Internet Crime Complaint Center (IC3). IC3 is a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.
  • Internet crime schemes that steal millions of dollars each year from victims continue to plague the Internet through various methods. The following preventative measures will help you be informed before entering into transactions over the Internet:
  • Auction Fraud • Counterfeit Cashier's Check • Credit Card Fraud • Debt Elimination • DHL/UPS • Employment/Business Opportunities • Escrow Services Fraud • Identity Theft • Internet Extortion • Investment Fraud • Lotteries • Nigerian Letter or "419" • Phishing/Spoofing • Ponzi/Pyramid • Reshipping • Spam • Third Party Receiver of Funds

  39. Online Crime Prevention. If the "opportunity" appears too good to be true, it probably is.
  Counterfeit Cashier's Check
  • Inspect the cashier's check.
  • Ensure the amount of the check matches in figures and words.
  • Check to see that the account number is not shiny in appearance.
  • Be watchful that the drawer's signature is not traced.
  • Official checks are generally perforated on at least one side.
  • Inspect the check for additions, deletions, or other alterations.
  • Contact the financial institution on which the check was drawn to ensure legitimacy.
  • Obtain the bank's telephone number from a reliable source, not from the check itself.
  • Be cautious when dealing with individuals outside of your own country.
  Auction Fraud
  • Before you bid, contact the seller with any questions you have.
  • Review the seller's feedback.
  • Be cautious when dealing with individuals outside of your own country.
  • Ensure you understand refund, return, and warranty policies.
  • Determine the shipping charges before you buy.
  • Be wary if the seller only accepts wire transfers or cash.
  • If an escrow service is used, ensure it is legitimate.
  • Consider insuring your item.
  • Be cautious of unsolicited offers.

  40. Online Crime Prevention (cont.). If the "opportunity" appears too good to be true, it probably is.
  Debt Elimination
  • Know who you are doing business with — do your research.
  • Obtain the name, address, and telephone number of the individual or company.
  • Research the individual or company to ensure they are authentic.
  • Contact the Better Business Bureau to determine the legitimacy of the company.
  • Be cautious when dealing with individuals outside of your own country.
  • Ensure you understand all terms and conditions of any agreement.
  • Be wary of businesses that operate from P.O. boxes or maildrops.
  • Ask for names of other customers of the individual or company and contact them.
  • If it sounds too good to be true, it probably is.
  Credit Card Fraud
  • Ensure a site is secure and reputable before providing your credit card number online.
  • Don't trust a site just because it claims to be secure.
  • If purchasing merchandise, ensure it is from a reputable source.
  • Promptly reconcile credit card statements to avoid unauthorized charges.
  • Do your research to ensure legitimacy of the individual or company.
  • Beware of providing credit card information when requested through unsolicited emails.

  41. Online Crime Prevention (cont.). If the "opportunity" appears too good to be true, it probably is.
  Employment/Business Opportunities
  • Be wary of inflated claims of product effectiveness.
  • Be cautious of exaggerated claims of possible earnings or profits.
  • Beware when money is required up front for instructions or products.
  • Be leery when the job posting claims "no experience necessary".
  • Do not give your social security number when first interacting with your prospective employer.
  • Be cautious when dealing with individuals outside of your own country.
  • Be wary when replying to unsolicited emails for work-at-home employment.
  • Research the company to ensure they are authentic.
  • Contact the Better Business Bureau to determine the legitimacy of the company.
  DHL/UPS
  • Beware of individuals using the DHL or UPS logo in any email communication.
  • Be suspicious when payment is requested by money transfer before the goods will be delivered.
  • Remember that DHL and UPS do not generally get involved in directly collecting payment from customers.
  • Fees associated with DHL or UPS transactions are only for shipping costs and never for other costs associated with online transactions.
  • Contact DHL or UPS to confirm the authenticity of email communications received.

  42. Online Crime Prevention (cont.). If the "opportunity" appears too good to be true, it probably is.
  Identity Theft
  • Ensure websites are secure prior to submitting your credit card number.
  • Do your homework to ensure the business or website is legitimate.
  • Attempt to obtain a physical address, rather than a P.O. box or maildrop.
  • Never throw away credit card or bank statements in usable form.
  • Be aware of missed bills which could indicate your account has been taken over.
  • Be cautious of scams requiring you to provide your personal information.
  • Never give your credit card number over the phone unless you make the call.
  • Monitor your credit statements monthly for any fraudulent activity.
  • Report unauthorized transactions to your bank or credit card company as soon as possible.
  • Review a copy of your credit report at least once a year.
  Escrow Services Fraud
  • Always type in the website address yourself rather than clicking on a link provided.
  • A legitimate website will be unique and will not duplicate the work of other companies.
  • Be cautious when a site requests payment to an "agent", instead of a corporate entity.
  • Be leery of escrow sites that only accept wire transfers or e-currency.
  • Be watchful of spelling errors, grammar problems, or inconsistent information.
  • Beware of sites that have escrow fees that are unreasonably low.

  43. Online Crime Prevention (cont.). If the "opportunity" appears too good to be true, it probably is.
  Investment Fraud
  • If the "opportunity" appears too good to be true, it probably is.
  • Beware of promises to make fast profits.
  • Do not invest in anything unless you understand the deal.
  • Don't assume a company is legitimate based on the "appearance" of the website.
  • Be leery when responding to investment offers received through unsolicited email.
  • Be wary of investments that offer high returns at little or no risk.
  • Independently verify the terms of any investment that you intend to make.
  • Research the parties involved and the nature of the investment.
  • Be cautious when dealing with individuals outside of your own country.
  • Contact the Better Business Bureau to determine the legitimacy of the company.
  Internet Extortion
  • Security needs to be multi-layered so that numerous obstacles will be in the way of the intruder.
  • Ensure security is installed at every possible entry point.
  • Identify all machines connected to the Internet and assess the defense that's engaged.
  • Identify whether your servers are utilizing any ports that have been known to represent insecurities.
  • Ensure you are utilizing the most up-to-date patches for your software.

  44. Online Crime Prevention (cont.). If the "opportunity" appears too good to be true, it probably is.
  Nigerian Letter or "419"
  • If the "opportunity" appears too good to be true, it probably is.
  • Do not reply to emails asking for personal banking information.
  • Be wary of individuals representing themselves as foreign government officials.
  • Be cautious when dealing with individuals outside of your own country.
  • Beware when asked to assist in placing large sums of money in overseas bank accounts.
  • Do not believe the promise of large sums of money for your cooperation.
  • Guard your account information carefully.
  • Be cautious when additional fees are requested to further the transaction.
  Lotteries
  • If the lottery winnings appear too good to be true, they probably are.
  • Be cautious when dealing with individuals outside of your own country.
  • Be leery if you do not remember entering a lottery or contest.
  • Be cautious if you receive a telephone call stating you are the winner in a lottery.
  • Beware of lotteries that charge a fee prior to delivery of your prize.
  • Be wary of demands to send additional money to be eligible for future winnings.
  • It is a violation of federal law to play a foreign lottery via mail or phone.
