Password Security
(22 slides)

Overview
• What are passwords, why are they used?
• Different types of attacks
• Bad password practices to avoid
• Good password practices
• How to create a secure password

What are passwords?
• Secret combination of characters that only a user should know.
• "Passwords are a compromise between security and convenience"
• Password security is used to secure information, and to provide that information to authorized users easily.

How are Passwords Compromised?
• Brute force Attack
• Dictionary Attack
• Hybrid Attack
• Social Engineering

Brute Force Attack
• Most widely used method of cracking passwords
• Every combination of every character is tried until the password is found
• The password is guaranteed to be found
• The longer the password, the longer it will take to crack.
• E.g. a password that is 2 chars long, is case sensitive, and consists of letters and numbers:
  * First char: lower case letters (26) + upper case letters (26) + numbers (10) = 62
  * Second char: same as first = 62
  * Total permutations: 62 * 62 = 3,844

Time to Crack Passwords using Brute Force

Dictionary Attack
• Uses a list of common values or words
• The "dictionary" is uploaded to a cracking app
• Words are run against passwords
• Intended to narrow the field of possible password values
• Succeeds if the password is a single word that is easily predictable.
• Easy to defeat (e.g. by adding a single random char in the middle)

Hybrid Attack
• Combines Brute force and Dictionary Attack
• Checks all words in the dictionary along with their variations.
• Noticeably slower than a dictionary attack
  * Common: Integrates dictionary words with common mutations
  * Dates: Combines dictionary attack with dates in various formats
  * Numbers: Mixes dictionary words with various number combinations
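The three attack slides above (brute force, dictionary, hybrid) and the "time to crack" slide all come down to one quantity: how many candidates the attacker must try, divided by how fast they can try them. The following Python is an added worked example, not part of the slide deck; it reproduces the slide's 62 * 62 = 3,844 figure and then compares the search space of a pure dictionary run, a hybrid run (dictionary word plus every 4-digit number) and full brute force at an assumed guess rate. The symbol count of 32, the dictionary size and the guess rate are constructed assumptions, not measurements.

```python
"""Added example: search-space size for brute-force, dictionary and hybrid
guessing, and the worst-case time to exhaust each at an assumed rate."""

# Character-class sizes used on the slide (26 + 26 + 10 = 62).
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 32  # assumption: printable ASCII punctuation/symbol count


def charset_size(lower=True, upper=False, digits=False, symbols=False) -> int:
    """Number of distinct characters a single position can take."""
    return ((LOWER if lower else 0) + (UPPER if upper else 0)
            + (DIGITS if digits else 0) + (SYMBOLS if symbols else 0))


def brute_force_keyspace(alphabet: int, length: int) -> int:
    """Every combination of every character: alphabet ** length.
    The slide's 2-char letters+digits case is 62 ** 2 = 3844."""
    return alphabet ** length


def dictionary_keyspace(words: int) -> int:
    """A pure dictionary attack tries each word once."""
    return words


def hybrid_keyspace(words: int, mutations_per_word: int) -> int:
    """A hybrid attack tries every word with every mutation, e.g. a word
    followed by any 4-digit number gives 10000 variants per word."""
    return words * mutations_per_word


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case: the whole space is tried. Average case is half of this."""
    return keyspace / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that fits, one decimal place."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    rate = 1e9  # assumption: 10^9 guesses/s (offline attack, fast hash)
    words = 100_000  # assumption: size of a constructed wordlist
    alnum = charset_size(upper=True, digits=True)          # 62
    full = charset_size(upper=True, digits=True, symbols=True)  # 94

    cases = {
        "slide example: 2 chars, letters+digits": brute_force_keyspace(alnum, 2),
        "dictionary, 100k words": dictionary_keyspace(words),
        "hybrid, 100k words + 4-digit number": hybrid_keyspace(words, 10_000),
        "brute force, 8 lower-case letters": brute_force_keyspace(LOWER, 8),
        "brute force, 8 chars, all classes": brute_force_keyspace(full, 8),
        "brute force, 12 chars, all classes": brute_force_keyspace(full, 12),
    }
    for label, space in cases.items():
        print(f"{label:40s} {space:>25,d}  "
              f"{human_time(seconds_to_exhaust(space, rate))}")
```

The point the numbers make is the one on the slides: a dictionary word with a number appended is still only in the billions of candidates, while every extra character of a mixed-class password multiplies the space by the alphabet size, which is why length beats cleverness.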

Social Engineering
• Use of social skills to convince people to reveal access credentials or other valuable information
• People are the easiest way to get information
• Posing as someone else to gain access to a system
• Stroking someone's ego to get them to reveal information or passwords
• Use of authority to get information from someone

Social Engineering Example
http://www.youtube.com/watch?v=ZQDyCRHptbU
Kevin Mitnick social engineering example

What is a safe password?
• The basic goal of a secure password is one that is easy for YOU to remember but hard for someone else to find out
• Long complicated passwords are not always the best solution
• E.g. a random password like !$fjDd&^fw43_f%@+
• Will you really be able to memorize that?

Problems with Complicated Passwords
If a password is too complicated and hard to remember, you are likely to:
• Write it down
• Need password resets
• Use the complicated password in many places
• A password is only as secure as the weakest system you use it on.

Easy to remember, easy to guess
• Your birthday
• City you live in / were born in
• Your boyfriend / girlfriend
• Pets' names
• Family members' names
• Any favorite thing (e.g. favorite team)
• Student ID
– Avoid any information, numbers, or words that anyone can associate with you

Easy to remember, hard to guess
• Birthday of a famous person
• City your grandpa was born in
• Any information that means something to you, but that friends or family would not know

Bad Practices
• DO NOT write down your passwords
• DO NOT share your password with anyone
• DO NOT use any personal information
• DO NOT use word or number patterns (e.g. "aaabbb", "qwerty", "123321", etc.)

Good Practices
• Minimum length of 8 characters
• Use numeric characters (0-9)
• Use upper and lower case
• Use special characters (e.g. ! ? & # *)
• Use passphrases

Pass Phrases to Create Passwords
1. Think of a phrase or sentence that's easy for you to remember.
   – Example: "Making passwords is easy when you follow these 5 steps"
2. Turn your sentence or phrase into a password.
   – Take the first letter of each word in your sentence to create a password
   – Example: "mpiewyft5s"

Pass Phrases Continued
3. Make your password complex by using special characters and upper and lowercase.
   – For instance, substitute "i" with "!", "e" with "3" and "s" with "$"
   – "mpiewyft5s" becomes "Mp!3wYft53$"
4. Consider testing your password with a password checker, which will rate your password on strength, complexity, length, etc.

Pass Phrases Continued
5. Change your passwords at least every 90 days and do not "recycle" passwords, i.e. use old passwords again or slightly modify your existing password.
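Steps 1 to 4 of the passphrase procedure are mechanical enough to write down as code. The Python below is an added example and not from the slide deck: it takes the slide's sentence, keeps the first character of each word (step 2), applies the slide's three substitutions (step 3) and then runs the result through a simple rule-based checker built from the "Good Practices" slide (step 4). The slide capitalises letters by hand; which positions get capitalised (here 0 and 5) is my assumption, so the output differs from the slide's hand-made example in exactly that choice. The checker is a constructed stand-in for the "password checker" the slide mentions, not any particular product.

```python
"""Added example: turn a memorable phrase into a password (slide steps 1-3)
and rate the result against the 'Good Practices' rules (step 4)."""
import string

# Step 3 substitutions taken from the slide.
SUBSTITUTIONS = {"i": "!", "e": "3", "s": "$"}

# Sentence used on the slide as the worked example.
SLIDE_PHRASE = "Making passwords is easy when you follow these 5 steps"


def passphrase_initials(phrase: str) -> str:
    """Step 2: first character of each word, lower-cased; digits pass through."""
    return "".join(word[0] for word in phrase.split()).lower()


def apply_substitutions(pw: str, subs=None) -> str:
    """Step 3a: swap selected letters for symbols/digits."""
    subs = SUBSTITUTIONS if subs is None else subs
    return "".join(subs.get(ch, ch) for ch in pw)


def capitalize_positions(pw: str, positions=(0, 5)) -> str:
    """Step 3b: upper-case the chosen positions.
    The slide picks these by hand; (0, 5) is an assumption for this example."""
    return "".join(ch.upper() if i in positions else ch
                   for i, ch in enumerate(pw))


def phrase_to_password(phrase: str, positions=(0, 5)) -> str:
    """Steps 2 and 3 combined."""
    return capitalize_positions(apply_substitutions(passphrase_initials(phrase)),
                                positions)


def check_strength(pw: str, min_length: int = 8) -> dict:
    """Step 4: constructed rule-based checker using the 'Good Practices' slide:
    at least 8 characters, digits, upper and lower case, special characters."""
    classes = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    length_ok = len(pw) >= min_length
    return {
        "length_ok": length_ok,
        **classes,
        "classes": sum(classes.values()),
        "ok": length_ok and all(classes.values()),
    }


if __name__ == "__main__":
    initials = passphrase_initials(SLIDE_PHRASE)
    final = phrase_to_password(SLIDE_PHRASE)
    print(f"phrase   : {SLIDE_PHRASE}")
    print(f"initials : {initials}")
    print(f"password : {final}")
    print(f"check    : {check_strength(final)}")
    print(f"'qwerty' : {check_strength('qwerty')}")
```

One caveat that follows from the Hybrid Attack slide: "i" to "!" and "e" to "3" are exactly the kind of common mutation a hybrid attack already tries, so the substitutions add little by themselves. The strength of this method comes from the phrase being long and personal, which keeps the initials out of any dictionary in the first place.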

Conclusion
• Be aware of different attacks, and how they are used to crack passwords
• Do not fall for social engineering!
• The basic goal of a secure password is one that is easy for YOU to remember but hard for someone else to find out
• Use pass phrases to create secure passwords
• Check the strength of your passwords
• Change passwords often

Questions?