Password Security. Overview What are passwords, why are they used? Different types of attacks Bad...

Page 1: Password Security. Overview What are passwords, why are they used? Different types of attacks Bad password practices to avoid Good password practices.

Password Security

Overview

• What are passwords, why are they used?

• Different types of attacks

• Bad password practices to avoid

• Good password practices

• How to create a secure password

What are passwords?

• Secret combination of characters that only a user should know.

• "Passwords are a compromise between security and convenience"

• Password security is used to secure information and to provide that information to authorized users easily.

How are Passwords Compromised?

• Brute force Attack

• Dictionary Attack

• Hybrid Attack

• Social Engineering

Brute Force Attack

• Most widely used method of cracking passwords

• Every combination of every character is tried until the password is found

• Password is guaranteed to be found

• The longer the password, the longer it will take to crack.

• E.g. a password that is 2 chars long, is case sensitive, and consists of letters and numbers:

  * First char: lower case letters (26) + upper case letters (26) + numbers (10) = 62

  * Second char: same as first = 62

  * Total permutations: 62 * 62 = 3,844

Time to Crack Passwords using Brute Force
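The chart on this slide is not in the transcript. The block below is an added example, not part of the slides: it generalises the previous slide's 62 * 62 arithmetic to any length and character mix and turns the keyspace into a worst-case search time. The class sizes follow the deck (26 lower, 26 upper, 10 digits); the 33-symbol special-character count and the 10^9 guesses per second are assumptions.

```python
# Added example (not from the slides): brute-force keyspace and worst-case
# search time. Class sizes follow the deck (26 lower, 26 upper, 10 digits);
# the 33 printable-ASCII specials and the guess rate are assumptions.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

def alphabet_size(password):
    """Alphabet an attacker must cover: the sum of the classes the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["special"]
    return size

def keyspace(length, alphabet):
    """Candidates tried in the worst case: each position has `alphabet` choices."""
    return alphabet ** length

def worst_case_seconds(length, alphabet, guesses_per_second):
    """Time to exhaust the whole keyspace at a constant guess rate."""
    return keyspace(length, alphabet) / guesses_per_second

def describe(seconds):
    """Render seconds in the largest convenient unit, rounded to one decimal."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"

def crack_table(sample_password, lengths, guesses_per_second):
    """Rows of (length, keyspace, seconds) for the classes sample_password uses."""
    alphabet = alphabet_size(sample_password)
    return [(n, keyspace(n, alphabet),
             worst_case_seconds(n, alphabet, guesses_per_second))
            for n in lengths]

if __name__ == "__main__":
    RATE = 1_000_000_000  # assumed 10^9 guesses/s for an offline cracker
    for n, space, secs in crack_table("Ab1", (2, 6, 8, 12), RATE):
        print(f"length {n:2d}: {space:>25,d} candidates, {describe(secs)}")
```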

Dictionary Attack

• Uses a list of common values or words

• "Dictionary" is uploaded to a cracking app

• Words run against passwords

• Intended to narrow field of possible password values

• Succeeds if the password is a single, easily predictable word.

• Easy to defeat (e.g. by adding a single random char in the middle)

Hybrid Attack

• Combines Brute force and Dictionary Attack

• Checks all words in the dictionary along with their variations.

• Noticeably slower than a dictionary attack

  * Common: Integrates dictionary words with common mutations

  * Dates: Combines dictionary attack with dates in various formats

  * Numbers: Mixes dictionary words with various number combinations

Social Engineering

• Use of social skills to convince people to reveal access credentials or other valuable information

• People are the easiest way to get information

• Posing as someone else to gain access to a system

• Stroking someone's ego to get them to reveal information or passwords

• Use of authority to get information from someone

Social Engineering Example

http://www.youtube.com/watch?v=ZQDyCRHptbU

Kevin Mitnick social engineering example

What is a safe password?

• Basic goal of a secure password is one that is easy for YOU to remember but hard for someone else to find out

• Long complicated passwords are not always the best solution

• E.g.: a random password like !$fjDd&^fw43_f%@+

• Will you really be able to memorize that?

Problems with Complicated Passwords

If a password is too complicated and hard to remember, you are likely to:

• Write it down

• Need password resets

• Use complicated password in many places

• A password is only as secure as the weakest system you use it on.

Easy to remember, easy to guess

• Your birthday

• City you live in / were born in

• Your boyfriend / girlfriend

• Pets' names

• Family members' names

• Any favorite thing (e.g. favorite team)

• Student ID

– Avoid any information, numbers, or words that anyone can associate with you

Easy to remember, hard to guess

• Birthday of a famous person

• City your grandpa was born in

• Any information that means something to you, but not anything that friends, family, would know

Bad Practices

• DO NOT write down your passwords

• DO NOT share your password with anyone

• DO NOT use any personal information

• DO NOT use word or number patterns (e.g. "aaabbb", "qwerty" "123321", etc. )

Good Practices

• Minimum length of 8 characters

• Use numeric characters (0-9)

• Use upper and lower case

• Use special characters (e.g. ! ? & # * )

• Use passphrases

Pass Phrases to Create Passwords

1. Think of a phrase or sentence that's easy for you to remember.

   – Example: "Making passwords is easy when you follow these 5 steps"

2. Turn your sentence or phrase into a password.

   – Take the first letter of each word in your sentence to create a password

   – Example: "mpiewyft5s"

Pass Phrases Continued...

• 3. Make your password complex by using special characters and upper and lowercase.

   - For instance, substitute "i" with "!" , "e" with "3" and "s" with "$"

   - "mpiewyft5s" becomes "Mp!3wYft53$"

• 4. Consider testing your password with a password checker, which will rate your password on strength, complexity, length, etc.

Pass Phrases Continued...

• 5. Change your passwords at least every 90 days and do not "recycle" passwords; i.e. using old passwords again, or slightly modifying your existing password.
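The passphrase steps 2 and 3 and a step-4 style checker built from the deck's good and bad practices, as an added example that is not part of the slides. first_letters and substitute apply the deck's own phrase and substitution table mechanically; the deck's finished password also capitalises letters by hand, so rate() scores that finished string rather than reproducing it. The keyboard-row list and the personal_info argument are assumptions.

```python
import re

# Added example (not from the slides): passphrase steps 2 and 3, plus a step-4
# style checker for the deck's good practices (page 17) and bad patterns
# (page 16). Keyboard rows and the personal_info check are assumptions.
PHRASE = "Making passwords is easy when you follow these 5 steps"
SUBSTITUTIONS = {"i": "!", "e": "3", "s": "$"}
BAD_PATTERNS = ("aaabbb", "qwerty", "123321")          # examples from page 16
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")

def first_letters(phrase):
    """Step 2: first character of each word, lower-cased."""
    return "".join(word[0].lower() for word in phrase.split())

def substitute(password, table=SUBSTITUTIONS):
    """Step 3 (character part): apply the deck's letter-to-symbol swaps."""
    return "".join(table.get(ch, ch) for ch in password)

def has_pattern(password):
    """Detect the deck's 'word or number patterns': repeats, runs, mirrors."""
    p = password.lower()
    if any(bad in p for bad in BAD_PATTERNS):
        return True
    if re.search(r"(.)\1\1", p):                         # "aaa", "111"
        return True
    for row in KEYBOARD_ROWS:                            # 4+ adjacent keys
        for i in range(len(row) - 3):
            run = row[i:i + 4]
            if run in p or run[::-1] in p:
                return True
    return len(p) >= 4 and p == p[::-1]                  # mirrored, "123321"

def rate(password, personal_info=()):
    """Step 4: count how many of the deck's practices the password meets."""
    low = password.lower()
    checks = {
        "length_8_plus": len(password) >= 8,
        "has_digit": any(c.isdigit() for c in password),
        "mixed_case": any(c.isupper() for c in password) and any(c.islower() for c in password),
        "has_special": any(not c.isalnum() for c in password),
        "no_pattern": not has_pattern(password),
        "no_personal_info": not any(i.lower() in low for i in personal_info if i),
    }
    return sum(checks.values()), checks

if __name__ == "__main__":
    print(substitute(first_letters(PHRASE)))             # steps 2 and 3
    print(rate("Mp!3wYft53$"), rate("qwerty123"))
```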

Conclusion

• Be aware of different attacks, and how they are used to crack passwords

• Do not fall for social engineering!

• Basic goal of a secure password is one that is easy for YOU to remember but hard for someone else to find out

• Use pass phrases to create secure passwords

• Check the strength of your passwords

• Change passwords often

Questions?