Using a Password Manager Are your passwords safe? Ryan Leavitt DoIT Security.

Post on 17-Dec-2015



What We Will Cover:

• Password review
• Password Management
• Password Management Myths
• Flaws of Gray Matter Password Management
• What are the benefits of a Password Manager
• Password Manager Recommendations
• Demo

Password Review

P@$$w0rds

• The most commonly used authentication mechanism
• Usually considered one of the weakest security mechanisms available
• Users usually choose passwords that are easily guessed
• Users write their passwords down on a sticky note and clearly hide it under the keyboard

This is where Password Management steps in

Password Management

What can you do to protect your credentials?

1. Never provide your password to anyone

Nobody should ask for your password, not even other staff such as the Help Desk. This includes requests by email, phone, or in person.

2. Change your password frequently and use a strong password

Dictionary attack: files containing thousands of words are compared against the user's password until a match is found. Many people choose short passwords (7 characters or less), so a dictionary attack is often successful at cracking them.
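The check a defender can run at password-change time, as an added example (not part of the original slides): it measures the nominal brute-force search space of a candidate, then undoes the usual character substitutions and strips trailing digits to see whether the result is simply a word from a wordlist. The wordlist, the substitution table and the 12-character minimum are constructed assumptions for the demonstration; a real deployment would use a large breached-password or dictionary list.

```python
import math
import re
import string

# Constructed stand-in for the "files of thousands of words" a dictionary attack
# uses; a real wordlist would be far larger (assumption for this example).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "badgers"}

# Undo the substitutions people rely on to "strengthen" a dictionary word.
# Cracking wordlists apply the same rules, so P@$$w0rd is still "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})

MIN_LENGTH = 12  # assumed policy minimum


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits (Welcome2015 -> welcome), then undo leet substitutions."""
    base = re.sub(r"\d+$", "", password.lower())
    return base.translate(LEET_MAP)


def search_space_bits(password: str) -> float:
    """Nominal brute-force search space, log2(alphabet_size ** length)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += len(string.punctuation)  # 32 printable symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def policy_violations(password: str, wordlist=COMMON_WORDS) -> list:
    """Return the reasons a candidate should be rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in wordlist:
        problems.append("dictionary word (after undoing common substitutions)")
    return problems


if __name__ == "__main__":
    # P@$$w0rd looks like ~52 bits of search space but is one wordlist entry away.
    for candidate in ("P@$$w0rd", "letmein2015", "Badgers-Beat-Gophers-2015!"):
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits nominal, "
              f"violations={policy_violations(candidate)}")
```

The point of the two numbers side by side is that character substitutions inflate the nominal search space without moving the password out of the dictionary; length is what actually helps.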

Password management

3. Avoid re-using or duplicating passwords between work and personal accounts

Dropbox email breach (cloud storage service): customers received spam email advertising online casinos.

• The customer data were contained in a document that was stolen from the Dropbox account of one of the company's employees
• The attacker managed to gain access to the account because of a different attack on another website
• The account holder used the same password for both accounts

http://www.scmagazine.com/employee-password-reuse-behind-dropbox-spam-outbreak/article/253004/

You should not reuse passwords across multiple systems.

Password Management Myths

• Stored passwords in your browser are secure.
Incorrect: No encryption provided and easy to recover.

• Storing passwords in an Excel or Word document that is natively encrypted is a secure practice.
Incorrect: Encryption is getting better than it used to be, but you do not have the functionality.

• Writing down passwords is a secure practice if kept hidden.
Incorrect: No encryption and easy to steal.

[Image: Password cracking monster]

Flaws of Gray Matter Password Management

• Password Strength: Having to remember large complex strings.
• Quantity of Accounts: Having to manage a large number of accounts.
• Password Redundancy: Reusing passwords across applications/systems.
• Underutilized Accounts: Remembering passwords for accounts rarely used.

What are the Benefits of a Password Manager

• Password Storage: Store complex passwords without having to remember them.
• Strong Industry Standard Encryption: AES
• Stronger Authentication Security: Ability to leverage Multi-Factor
• Password Generation: Ability to create very strong/complex passwords.
• Password Expiration: Configure password expiration reminders.
• Password History: Configurable unique password enforcement.
• User-Friendly Password Usage: Ability to copy/paste, auto password cache cleanup, and URL storage.
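Three of the benefits listed above, shown in working code as an added example that is not part of the original slides and not the code of Password Safe or KeePass: a CSPRNG-backed password generator with an entropy figure, stretching of the master password into the 256-bit key that a vault would be AES-encrypted with (PBKDF2 from the standard library is used here; the real products use their own key-derivation settings, which are not reproduced), and a password-history store that enforces uniqueness against the last N passwords without keeping the passwords themselves. The alphabet, iteration counts and history depth are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 75 characters (assumed alphabet)


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, rejecting draws that miss a character class."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in SYMBOLS for c in candidate)):
            return candidate


def password_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the master password into a 256-bit key; the vault file would be AES-encrypted with it.

    The salt is stored alongside the vault; the iteration count (assumed here) slows
    guessing of the master password without hurting a single legitimate unlock.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


class PasswordHistory:
    """Unique-password enforcement: keeps salted hashes of the last `keep` passwords, never the passwords."""

    def __init__(self, keep: int = 5):
        self.keep = keep
        self._entries = []  # list of (salt, digest)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def is_reuse(self, password: str) -> bool:
        """True if the candidate matches any password still in the history window."""
        return any(hmac.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        """Accept a new password, or refuse it if it repeats a recent one."""
        if self.is_reuse(password):
            raise ValueError("password matches one of the recently used passwords")
        salt = secrets.token_bytes(16)
        self._entries.append((salt, self._hash(password, salt)))
        self._entries = self._entries[-self.keep:]  # drop the oldest beyond the window


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"generated {pw!r} ({password_entropy_bits(20):.1f} bits of entropy)")
    key = derive_vault_key("a long master passphrase", salt=secrets.token_bytes(16))
    print(f"vault key: {key.hex()}")
    history = PasswordHistory(keep=3)
    history.record(pw)
    print("reuse of the same password detected:", history.is_reuse(pw))
```

The generator's rejection loop keeps the output uniformly random over the passwords that satisfy the class rule, which a "pick one from each class, then shuffle" construction does not; and the history class stores only salted, stretched hashes, so a leak of the history table is not a leak of old passwords.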

Password Manager Recommendations

Password Safe: http://passwordsafe.sourceforge.net

KeePass: http://keepass.info

Password Manager DEMO

Contact us at …

Send your questions, comments and suggestions to DOIT-Security@doit.wisc.edu