1 / 21

Passwords and Password Policies

Passwords and Password Policies. An Important Part of IT Control – by Craig Piercy. Why Passwords?. Primary means for many systems for implementing authentication and authorization. Authentication – verifying that you are who you say you are.

tieve
Télécharger la présentation

Passwords and Password Policies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Passwords and Password Policies An Important Part of IT Control – by Craig Piercy

  2. Why Passwords? Primary means for many systems for implementing authentication and authorization. • Authentication – verifying that you are who you say you are. • Authorization – allowing access to the parts of the system that you need and only those parts.

  3. Could this be you?

  4. Or This?

  5. How well do you follow good Password procedures? • Do you use a name for your password? • Do you use a real, “dictionary” word? • Do you use the same password for all or most of your accounts? • Is you password short (< 6 digits)? • Do you still use the default or provided password? • Do you keep your password forever? • Is you password “password,” “default”, “123”? If you answered “yes” to any of the above, then you are failing an important part of good use of passwords.

  6. Why do you do these things? “weak” password – a password that is fairly easy to guess or “crack.” “strong” password – a password that is difficult to guess or “crack.” For most, there is a trade-off between having “strong” passwords and being able to remember them.

  7. Passwords as Business Control • “Just saw that UGA has now implemented strong password requirement controls. The password policy found on MyID.uga.edu is a good example of a policy which contains controls that have been implemented and are required to be followed. The verbiage and layout are similar to what I have seen at the clients I audit” – Jason Lannen, KPMG • UGA’s Password Policy • Why do you think it is important that organizations require their associates to follow good password policies?

  8. Characteristics of “strong” passwords • DO NOT use a real word or name • Long rather than short --- >=8 characters • Use a mix of characters – text characters – upper and lower case, numeric digits, punctuation • Use different passwords on different accounts • Change your password regularly. • DO NOT write your passwords down. (see TIES box on page 209 – Chapter 7)

  9. A two step Method for Making Strong Passwords that you can remember. • Come up with a “key” that you can remember easily. • Come up with as set of simple rules for converting your key into a password

  10. Example - Key • Choose a key – my preference is a line of text – favorite song titles are good, could be a proverb, famous quotation, line from a poem, etc. Example – “The leaves have fallen all around…”

  11. Key – Rule 1 2. Make up some rules 2.1 - Take initials of key phrase. The leaves have fallen all around tlhfaa

  12. Key – Rule 2 2. Make up some rules 2.2 – Starting with second character every other one upper case. tlhfaa tLhFaA

  13. Key – Rule 3 2. Make up some rules 2.3 – Add one or more special characters in-between the letters. tLhFaA t$L$h$F$a$A

  14. Notes: • These are my rules. Make up your own! • Make as many rules in your algorithm that you can remember – rule of thumb 3 to 5 is probably good enough. • Make sure that your key is long enough to generate a long enough password. • Even though you have a stronger password, you still need to be aware of how you use it and when it might be compromised. • What should you do if you think that your password has been compromised?

  15. What about multiple accounts? Some come up with a code for each account and then concatenate onto their password. • Example:

  16. What about changing regularly? Change the key and apply the rules. Example: • New key: “… Time I was on my way.” • Apply rules: • Take initials of key phrase. • Starting with second character every other one upper case. • Add one or more special characters in-between the letters. What’s the new password for the uga account? t$I$w$O$m$W_uga

  17. Discussion • Are there any problems in my algorithm? • How could I improve it? • Incidentally, I did a slightly dangerous thing in choosing the second key: • 1st key – 1st line of Ramble On by Led Zeppelin • 2nd key – 2nd line of Ramble On by Led Zeppelin • What would be a safer way of choosing second key?

  18. How about PIN numbers? • Can’t make them as strong. Why? • Should we try to keep our PIN numbers strong? • What characteristics should a strong PIN number have?

  19. A PIN number example: • Pick a key: 1492 (Columbus sailed the ocean blue) • Rules: • Choose last for digits of credit card • For cards: Add key to last for digits of card for PIN. For other accounts find a “look-up-able” related number and add to key.

  20. Discussion • What’s good about the example PIN number algorithm? • What’s bad about it? • How would you improve it?

  21. Call to Action • Come up with your key and password algorithm. • Use it to come up with your new UGA MyID. • Use it to adjust your other passwords. • Start changing your password frequently. About once every 3 months (policies may vary)

More Related