ITSS 2015

Password Security Review

Your password is the last line of defense. Keep your data safe with good password practices.

Mikio OlinKevin Matteson

ITSS 2015

Overview• Ohio University Policy (91.004)• Your Credentials are Important• Password Best Practices• Ohio University Credential Complexity Standards• Two factor Authentication Demo

ITSS 2015

Ohio University Policy (91.004)University Credentials

https://www.ohio.edu/policy/91-004.html

• Policy SectionsA. OverviewB. IndividualsC. Credentials

• Data Stewards (93.001 Data Classification)• Authentication Credentials Complexity Standard

D. Information system ownersE. Authentication servers

ITSS 2015

Umm no, I was not in Nigeria last week…

91.004 A (Overview)Credentials… are often the first line of attack, and the last line of defense, in the protection of these resources. Because of this, they must be used with care, and adequately protected.

Your password is confirmation of your identity• Attackers can impersonate you• View/Change your personal information• View/Change others personal information

One password leads to another• Access to an account or device opens a door to other accounts.

ITSS 2015

OU Policy says…

91.004 B (Individual’s responsibilities)• Keep your credentials, secret questions, and their answers private

and known only to you. • Use unique credentials (username and password combination) for

Ohio university that are different from any other service or website. • Your credentials are for your personal authentication to university

resources, and should not be used as a means to provision services to other users. • If you suspect that your credentials have been compromised,

change your credentials and questions immediately and inform the information security office by e-mail to security@ohio.edu.

ITSS 2015

Keep it hidden… Keep it safe…

Even Strong passwords become weak if they are written on a Post-it® under your keyboard.

Password Habits to Avoid• Writing passwords down or storing in a document• Reusing an old password • Using your password on an insecure device

Good Password Habits• Store passwords encrypted in Keepass• Change your password annually• Be mindful of the situation

ITSS 2015

What’s your Risk Level?

91.004 C (Risk and Credential Level)• Not all University accounts carry the same level of risk. • Risk is measured by the type of data an individual can view/change

with their credentials.• (93.001 Data Classification) - University Data Stewards are

responsible for rating and classifying their data. Data is labeled as a High, Medium, or Low Level based on potential impact to the university.• University Data Stewards also are responsible for reviewing the

Authentication Credentials Complexity Standard annually• Authentication Credential Complexity Standards

ITSS 2015

Authentication and Credential Complexity Standard

Risk Level = Credential LevelRisk Levels

1. Low Risk – Access to only their own information or information classified as “Low” (Students, Guests)

2. Medium Risk – Access to University information classified as “Medium or High” (Faculty, Staff, Contract Employee)

3. Medium Risk with higher Credential Level – Same Risk as Medium Level4. High Risk – Privileged access to “Medium or High” (System Administrators, DBA, Bursar, Registrar,

Admissions Staff, etc)

Credential Levels

Level Character Classes Length Expiration MultiFactor Enrolled

Level 1 2 or more 8 minimum 5 years Not required

Level 2 3 or more 8 minimum 6 months Not required

Level 3 3 or more 10 minimum 1 year Not required

Level 4 3 or more 10 minimum 1 year Required

ITSS 2015

What is a weak Password?

Weak password are easy to guess or easy to break.• Contains a name or dictionary word

(Including the following simple alterations of password)• Modifying capitalization (PasSWorD)• Reversing word order (drowssap)• Character substitutions (pa55w0rd)• Removing vowels (psswrd)

• Uses keys adjacent on the keyboard (1234asdf)• Contains a single character type (18042010)• Contains less than 8 characters (pwd123)

ITSS 2015

What are STRONG Passwords?

Strong passwords are difficult to guess and break• Contains more than 8 characters• Contains multiple character types

• UPPERCASE LETTERS• lower case letters• Numbers• Special Characters ($%^&*!@#)

• Means something to you but no one else.!dnlg3aH$Ia ! do not like green 3ggs and Ham $am I am

How to choose a strong password

ITSS 2015

Under Construction

• Password expiration (Notification and Enforcement)• Password Meter

• MultiFactor Authentication (MFA)• DUO (Phone Factor Voice, Text, App Push)• Azure (Phone factor)• YubiKey (Generated Token)• Other?

ITSS 2015

Multifactor Authentication

• Knowledge Factors – (What you know)• Passwords• Security Pins• Secret questions

• Possession Factors - (What you have)• Physical Key• Security Token

• Transmitted to or from a device you possess

• Inherence Factors – (What you are)• Biometrics

• Fingerprint scanner• Retina scanners• Face recognition• Voice recognition

ITSS 2015

Multifactor Demo