Password Presentation Online

Transcript of Password Presentation Online

April 10, 2015 (V1)

Password Security

Table of Contents

• Why Passwords?
• Weak Passwords
• Strong Passwords
• Attacking Passwords
• Password management
• Password tips
• Self-test
• References

Recent Major Security Breaches

• Lulz Security hacks Sony Pictures website
  – Releases 50,00 users’ information

• Rogue members of hacker-collective Anonymous hack PlayStation Network and Qriocity
  – All user information made available

• LulzSec strikes Sony again with an exploit of the PSN password reset solution URL
  – Prevents owner of account from fixing prior hack

[LulzSec logo]

Important!

• Anything involving the internet is inherently more risky than anything not leaving your computer.

• Passwords are the front line of defense.

• Most people’s are not strong enough to withstand a brute-force database attack; today we are going to look at how best to strengthen our passwords.

Concern!

It’s too easy to hack a password

This is true… but only IF the password is weak.

For Example:

• City Hall defaults to using “clermont” as the password for any accounts made.

• If this is left unchanged for too long, the security of the account would be compromised.

• This password only contains lowercase letters; introducing a variety of characters, such as “Clermont,” or, even better, “CLeRmOnT,” increases the password strength considerably.

Is it possible… for passwords to be stolen if your computer is infected with a virus or does not have a firewall?

• ABSOLUTELY

• Viruses can check your browser’s saved passwords, log keystrokes, or send your data to places other than where you think you are sending them.

• Firewalls prevent people from accessing your computer remotely, and using encrypted internet access prevents data sniffing to discover your information.

The accounts I have… behind passwords are unimportant; why should I care?

• These accounts are tied to your email, which you will probably use for a very long time to come.

• Many people reuse passwords across sites; a breach of one site could then lead to total loss of security across all sites.

• Those passwords could be, or could at least lead a hacker to, your password for your bank account later in life.

• Preparing now with good habits and solid defenses that will be effective in the future, when your life and livelihood are shielded by a password, will help prevent crippling identity theft and related troubles later in life.

Quick Quiz

Which of the following best describes the reason your password is easy to remember:

A. based on common dictionary words
B. based on common names
C. based on user/account name
D. is short (under 6 characters)
E. none of the above

(choose/click one)

Your Identity and Privacy are at risk

Unfortunately,
– the characteristic you have selected also makes your password vulnerable to attack, thus putting your Identity and Privacy at risk
– you are not alone

Let’s take a look at a few more characteristics and practices that make a password vulnerable to attack …

Your Identity and Privacy may still be at risk

There may be other characteristics of your password and its use that put your identity at risk.

Let’s take a quick look at a few more characteristics and practices that make a password vulnerable to attack …

Characteristics of weak passwords

• Weak Passwords
  – based on common dictionary words
    • Including dictionary words that have been altered:
      – Reversed (e.g., “terces”)
      – Mixed case (e.g., “SeCreT”)
      – Character/Symbol replacement (e.g., “$ecret”)
      – Words with vowels removed (e.g., “scrt”)
  – based on common names
  – based on user/account identifier
  – short (under 6 characters)
  – based on keyboard patterns (e.g., “qwerty”)
  – composed of a single symbol type (e.g., all characters of one kind)
  – resemble license plate values
  – are difficult for you to remember

Weak password practices

• Weak Password practices
  – recycling passwords
  – recording (writing down) passwords
  – use of previously recorded passwords (combination of above practices)
  – use of the same password on two or more systems/contexts

• Especially risky when passwords are reused in low-trust systems (e.g., online gaming), since exposure is increased

Factoid: “The key element in password security is the crackability of a password combination… inadequate knowledge of password procedures, content, and cracking lies at the root of user’s ‘insecure’ behaviours.”6

Common mistakes in creating passwords

Risk Evaluation of common mistakes

Mistake: Using a Common Password.
Example: 123456789, password, qwerty
Risk Evaluation: Too risky. These are most criminals’ first guesses, so don’t use them.

Mistake: Using a Password that is based on personal data
Example: Gladiator, “Bobby”, “Jenny”, “Scruffy”
Risk Evaluation: Too risky: anyone who knows you can easily guess this information. Basing a password on your social security number, nicknames, family members’ names, the names of your favorite books or movies or football team are all bad ideas.

Mistake: Using a Short Password
Example: John12, Jim2345
Risk Evaluation: The shorter a password, the more opportunities for observing, guessing, and cracking it.

Mistake: Using the same password everywhere.
Example: Using one password on every site or online service.
Risk Evaluation: Too risky: it’s a single point of failure. If this password is compromised, or someone finds it, the rest of your accounts – including your sensitive information – are at risk.

Mistake: Writing your passwords down.
Example: Writing your password down on a post-it note stuck to your monitor.
Risk Evaluation: Very high risk, especially in corporate environments. Anyone who physically gets the piece of paper or sticky note that contains your password can log into your account.

Bad Passwords!

Characteristics of strong passwords

• Strong Passwords
  – contain at least one of each of the following:
    • digit (0..9)
    • letter (a..Z) (both lower and upper case)
    • punctuation symbol (e.g., !)
    • control character (e.g., ^s, Ctrl-s)
  – are based on a verse (e.g., passphrase) from an obscure work, where the password is formed from the characters in the verse
    • e.g., “ypyiyp” derived from the title of this module
    • sometimes referred to as a virtual password
  – are easily remembered by you but very difficult (preferably impossible) for others to guess
  – Most passwords using capital letters have them as the first character and last; mix this up and capitalize other letters instead

Strong password practices

• Strong Password Practices
  – never recycle passwords
  – never record a password anywhere
    • exceptions include use of encrypted password “vaults”
  – use a different password for each system/context
  – be aware Trojan horse programs can masquerade as login prompts, so always reset the system as appropriate to obtain a trusted login prompt
  – check for keyboard buffer devices/software that intercept keystrokes (including password capture)
  – change password occasionally
  – change your password immediately if you suspect it has been “stolen”
  – “passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise.”9
  – monitor for possible eavesdroppers during entry of password
  – do not use the "Remember Password" feature of applications (e.g., Microsoft® Internet Explorer®)
  – inquire about proactive password checking measures with your system administration

How long should my password be?

• According to recent studies performed at the Georgia Tech Research Institute, due to modern hardware power, specifically within the GPU, any password with fewer than 12 characters is far too weak and should be changed as soon as possible.

1. Pick a familiar phrase or quote, for example, “May the force be with you”, and then abbreviate it by taking the first letter of each word, so it becomes “mtfbwy”

2. Add some special characters on either side of the word to make it extra strong (like #mtfbwy!)

3. Then associate it with the website by adding a few characters from the website name into the original password as either a suffix or prefix. So the new password for Amazon could become #mtfbwy!AmZ, #mtfbwy!FbK for Facebook, and so on.

*While this technique lets us reuse the phrase-generated part of the password on a number of different websites, it would still be a bad idea to use it on a site like a bank account, which contains high-value information. Sites like that deserve their own password selection phrase.

Mozilla’s Safe Password Methodology

Using a passphrase to write a secure password

While generating a password you should follow two rules: Length and Complexity. Let’s start by using the following sentence: “May the force be with you”. Let’s turn this phrase into a password.

1. Take the first letter from each word: Mtfbwy.

2. Now increase its strength by adding symbols and numbers: !20Mtfbwy13!
   – The 20 and 13 refer to the year, 2013.
   – Secondly, I put a “!” symbol on each end of the password.
   – Try using the name of your online account in the password:
     • !20Mtfbwy13!Gmail (for Gmail)
     • fb!20Mtfbwy13! (for Facebook)

• That’s one password-developing strategy. Let’s keep adding complexity, while also attempting to keep things possible to memorize. *You actually should not use a common phrase.
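As an added example (not part of the presentation), here is an offline checker in Python that applies the weak-password characteristics and the strong-password symbol classes listed above to candidates such as the slides' own examples, so nobody has to paste a real password into a web strength checker; the wordlist is a constructed stand-in for a real cracking dictionary.

```python
"""Offline password-weakness checker derived from the weak/strong password
characteristics in these slides (added example; not the presentation's own
code). It normalises a candidate the way a dictionary attack would (lowercase,
reversed, symbol-substituted, trailing digits stripped) before comparing it
with a wordlist, so altered dictionary words are still caught."""
import re
import string

# Constructed stand-in for a cracking wordlist; a real run would load a large
# file such as a leaked-password list (assumption for this example).
DICTIONARY = {
    "secret", "password", "passwd", "clermont", "kirk", "gladiator",
    "bobby", "jenny", "scruffy", "wysiwyg", "john", "jim", "force",
}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Common character/symbol replacements undone before the dictionary lookup
# ("$ecret" -> "secret", "pa55w0rd" -> "password").
LEET = str.maketrans("$@!0134578", "saioleastb")


def _variants(pw: str) -> set:
    """Forms of the password a cracking dictionary would also try."""
    base = pw.lower()
    forms = {base, base[::-1], base.translate(LEET), base.translate(LEET)[::-1]}
    # "John12" -> "john": trailing digits are a classic weak suffix
    forms |= {re.sub(r"\d+$", "", f) for f in list(forms)}
    return forms


def _vowels_removed_match(pw: str) -> bool:
    """Catch 'scrt' for 'secret': compare against vowel-stripped dictionary words."""
    stripped = pw.lower()
    return any(re.sub(r"[aeiou]", "", word) == stripped for word in DICTIONARY)


def missing_classes(pw: str) -> list:
    """Symbol types the slides' strong-password rule wants but the candidate lacks
    (control characters are left out because most systems will not accept them)."""
    checks = {
        "digit": any(c.isdigit() for c in pw),
        "lowercase letter": any(c.islower() for c in pw),
        "uppercase letter": any(c.isupper() for c in pw),
        "punctuation symbol": any(c in string.punctuation for c in pw),
    }
    return [name for name, present in checks.items() if not present]


def weaknesses(pw: str, username: str = "") -> list:
    """Return the weak-password characteristics from the slides that apply to pw."""
    findings = []
    if len(pw) < 6:
        findings.append("short (under 6 characters)")
    if _variants(pw) & DICTIONARY:
        findings.append("based on a dictionary word or name (also reversed/substituted forms)")
    elif _vowels_removed_match(pw):
        findings.append("dictionary word with vowels removed")
    if username and username.lower() in pw.lower():
        findings.append("based on the user/account identifier")
    low = pw.lower()
    if len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        findings.append("keyboard pattern")
    if len(missing_classes(pw)) == 3:      # only one symbol type present
        findings.append("composed of a single symbol type")
    if re.fullmatch(r"[A-Za-z]{1,3}\d{3,5}", pw):
        findings.append("resembles a licence plate value")
    return findings


def is_weak(pw: str, username: str = "") -> bool:
    return bool(weaknesses(pw, username))


if __name__ == "__main__":
    # Candidates taken from the slides' own examples and self-test question 2.
    for candidate in ["clermont", "CLeRmOnT", "terces", "$ecret", "scrt", "qwerty",
                      "ME11111", "passwd", "kirk", "ig*hh4", "f9%Wfh", "on$7mur"]:
        verdict = weaknesses(candidate) or ["no weak characteristic found"]
        print(f"{candidate:10} -> {'; '.join(verdict)}")
```

Note that by the slides' own weak-password list a case-mixed dictionary word such as “CLeRmOnT” is still flagged, and none of these checks replaces the 12-character minimum quoted above.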

Testing your Passwords

Use these tools to test the strength of a password. As a precaution, you probably shouldn’t use these services to test your actual password. Instead, simply use them to learn what works and what doesn’t work. Just play with the strength checkers by constructing fake passwords and testing them.

• http://rumkin.com/tools/password/passchk.php
• https://www.microsoft.com/security/pc-security/password-checker.aspx
• http://www.grc.com/haystack.htm
• http://howsecureismypassword.net/

Password Attacks

• Most successful attacks are based on:
  – Dictionary attacks
    • “The guessing [often automated] of a password by repeated trial and error.”1
  – Social engineering
    • “Social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.”2

Factoid: “…passwords are inherently risky, because they are susceptible to attack.”5

Dictionary Attacks

• Most hackers utilize widely available password cracking dictionaries to uncover weak passwords

• Ways to reduce Your risk:
  – Create and use strong passwords

Factoid: “The use of passwords is a major point of vulnerability in computer security, as passwords are often easy to guess by automated programs running dictionary attacks.”3

Social Engineering

• Perhaps the most notorious social engineer, Kevin Mitnick, once stated,

“People are the weakest link. You can have the best technology … and somebody can call an unsuspecting employee. That’s all she wrote. They got everything.”7

• Ways to reduce Your risk:
  – Remain vigilant and inquisitive
  – Be aware that your password keystrokes may be observed by others
  – Confirm authorization and establish trust before releasing any important information

Passwords in the Context of Your Identity and Privacy

• What is a password?
  – “A password is information associated with an entity that confirms the entity’s identity.”1

• Why are passwords needed?
  – Passwords are used for authentication
    • Authentication can be thought of as the act of linking yourself to your electronic identity within the system you are connecting to
  – Your password is used to verify to the system that you are the legitimate owner of the user/account identifier
    • Commonly referred to as “logging in”

Factoid: “Passwords remain the most widely used authentication method despite their well-known security weaknesses.”4

Passwords in the Context of Your Identity and Privacy

• Passwords/Identity/Privacy
  – Attackers who obtain your password can authenticate themselves on various systems and in turn …
    • Access your personal information (invade Your Privacy)
    • Impersonate you by acting on your behalf (steal Your Identity)

Factoid: “Password mechanisms and their users form a socio-technical system, whose effectiveness relies strongly on the users’ willingness to make the extra effort that security-conscious behavior requires.”4

Password Facts worth Remembering

• Protection of Your Identity and Privacy in the information age hinges on sound password knowledge and practice
• Those who do not use strong passwords and password practices are often their own worst enemy
• If you feel you have too many passwords to remember, then consider using a password manager (e.g., KeePass)
• The risks are real, they affect you either directly or indirectly, and they can be diminished by using strong passwords and password practices

Factoid: “[Studies] have shown that current password mechanisms have largely failed to consider usability, and that – given the increasing number of system and passwords – most users cannot cope with the demands imposed on them.”4

Password overload

• Many people use a few passwords for all of their major accounts.

• The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them.

Password Security

If one of your accounts is hacked, it’s likely that your other accounts that used the same password will quickly follow.

– More than 60% of people use the same password across multiple sites

Password Management

1. Human memory is the safest database for storing all your passwords
2. Writing passwords down on a piece of paper
3. Storing passwords on a computer in a Word document or Excel file
4. A Password Manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web.
   • You should not rely totally on any type of password manager
   • Your single master password must be unique and complex

Human Memory
• Strength: safest database for storing all your passwords
• Weakness: Easy to forget

Writing on paper
• Strength: ease of access
• Weaknesses:
  – You can lose the paper
  – Paper could be easily stolen or viewed by other people

Storing on computer
• Strength: ease of access
• Weaknesses:
  – Data is not encrypted; anyone who has access to the computer that the file is saved on can easily read your passwords
  – If your computer breaks, you could possibly permanently lose the file

Password manager
• A Password Manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web.
  – You should not rely totally on any type of password manager
  – Your single master password must be unique and complex

Which is the best?

• Password management tools are really good solutions for reducing the likelihood that passwords will be compromised, but don’t rely on a single source. Why? Because any computer or system is vulnerable to attack. Relying on a password management tool creates a single point of potential failure.

  – But before you turn to a password-management service based in the cloud or on your PC, it's best to review the quality of the service, said Tim Armstrong, malware researcher at Kaspersky Lab. He pointed out that you've got to ensure against data leakage or insecure database practices. "Users must be extra careful in choosing a provider," Armstrong said. "Make sure they're a valid and reputable vendor."

  – Grant Brunner wrote a fascinating article at ExtremeTech about Staying safe online: Using a password manager just isn’t enough. In it, he wrote, “using a password manager for all of your accounts is a very sensible idea, but don’t be lulled into a false sense of security. You’re not immune from cracking or downtime.” Broadly speaking, password managers such as LastPass are like any software: vulnerable to security breaches. For example, LastPass experienced a security breach in 2011, but users with strong master passwords were not affected.

• Disadvantage: If you forget the master password, all your other passwords in the database are lost forever, and there is no way of recovering them. Don’t forget that password!

KeePass

• KeePass is a popular open-source, cross-platform, desktop-based password manager. It is available for Windows, Linux and Mac OS X as well as mobile operating systems like iOS and Android. It stores all your passwords in a single database (or a single file) that is protected and locked with one master key. The KeePass database is mainly one single file which can be easily transferred to (or stored on) any computer. Go to the download page to get your copy.

• KeePass is a local program, but you can make it cloud-based by syncing the database file using Dropbox, or another service like it. Check out Justin Pot’s article, Achieve Encrypted Cross-Platform Password Syncing With KeePass & Dropbox.

• Make sure you always hit save after making a new entry to the database!

Password Safe

• “Many computer users today have to keep track of dozens of passwords: for network accounts, online services, premium web sites.”8

• “With Password Safe, a free Windows 9x/2000 utility from Counterpane Labs, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all.”8

• “Password Safe features a simple, intuitive interface that lets users set up their password database in minutes.”8

• “Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.”8

• You can learn more about this product by visiting … http://www.counterpane.com/passsafe.html

Tiered password systems

Tiered password systems involve having different levels of passwords for different types of websites, where the complexity of the password depends on what the consequences would be if that password is compromised/obtained.

• Low security: for signing up for a forum, newsletter, or downloading a trial version of a certain program.
• Medium security: for social networking sites, webmail and instant messaging services.
• High security: for anything where your personal finance is involved, such as banking and credit card accounts. If these are compromised it could drastically and adversely affect your life. This may also include your computer login credentials.

Keep in mind that this categorization should be based on how critical each type of website is to you. What goes in which category will vary from person to person.

Review and categorize your passwords

1. Categorize your passwords into 3 categories: high, medium, or low. Categorization should be based on how critical each type of website is to you. Take 5 minutes to categorize some of your online accounts.

2. Your high security passwords are the most important. Keep in mind:
   – You should change any password that is weak.
   – If you have used any of your passwords for more than 1 site, you should change it.

Things to NOT do!

• You should never record or write your password down on a post-it note.
• Never share your password with anyone, even your colleagues.
• You have to be very careful when using your passwords on public PCs like schools, universities and libraries, etc. Why? Because there’s a chance these machines are infected with keyloggers (or keystroke logging methods) or password-stealing trojan horses.
• Do not use any password-saving features such as Google Chrome’s Auto Fill feature or Microsoft’s Auto Complete feature, especially on public PCs.
• Do not fill in any form on the Web with your personal information unless you know you can trust it. Nowadays, the Internet is full of fraudulent websites, so you have to be aware of phishing attempts.
• Use a trusted and secure browser such as Mozilla Firefox. Firefox ships hundreds of security updates and makes significant improvements just to protect you from malware, phishing attempts and other security threats, and to keep you safe as you browse the Web.

Additional safety tips

• An open Wi-Fi connection can be easily hacked using free packet sniffer software
• Always enable “HTTPS” (also called secure HTTP) settings in all online services that support it; this includes Twitter, Google, Facebook and more.
• Spoofed Website

Internet Crime Prevention Tips

Internet crime schemes that steal millions of dollars each year from victims continue to plague the Internet through various methods. Following are preventative measures that will assist you in being informed prior to entering into transactions over the Internet:

• Auction Fraud
• Counterfeit Cashier's Check
• Credit Card Fraud
• Debt Elimination
• DHL/UPS
• Employment/Business Opportunities
• Escrow Services Fraud
• Identity Theft
• Internet Extortion
• Investment Fraud
• Lotteries
• Nigerian Letter or "419"
• Phishing/Spoofing
• Ponzi/Pyramid
• Reshipping
• Spam
• Third Party Receiver of Funds

Online crime prevention

If the “opportunity” appears too good to be true, it probably is.

Auction Fraud
• Before you bid, contact the seller with any questions you have.
• Review the seller's feedback.
• Be cautious when dealing with individuals outside of your own country.
• Ensure you understand refund, return, and warranty policies.
• Determine the shipping charges before you buy.
• Be wary if the seller only accepts wire transfers or cash.
• If an escrow service is used, ensure it is legitimate.
• Consider insuring your item.
• Be cautious of unsolicited offers.

Counterfeit Cashier's Check
• Inspect the cashier's check.
• Ensure the amount of the check matches in figures and words.
• Check to see that the account number is not shiny in appearance.
• Be watchful that the drawer's signature is not traced.
• Official checks are generally perforated on at least one side.
• Inspect the check for additions, deletions, or other alterations.
• Contact the financial institution on which the check was drawn to ensure legitimacy.
• Obtain the bank's telephone number from a reliable source, not from the check itself.
• Be cautious when dealing with individuals outside of your own country.

Online crime prevention (cont.)

Credit Card Fraud
• Ensure a site is secure and reputable before providing your credit card number online.
• Don't trust a site just because it claims to be secure.
• If purchasing merchandise, ensure it is from a reputable source.
• Promptly reconcile credit card statements to avoid unauthorized charges.
• Do your research to ensure legitimacy of the individual or company.
• Beware of providing credit card information when requested through unsolicited emails.

Debt Elimination
• Know who you are doing business with — do your research.
• Obtain the name, address, and telephone number of the individual or company.
• Research the individual or company to ensure they are authentic.
• Contact the Better Business Bureau to determine the legitimacy of the company.
• Be cautious when dealing with individuals outside of your own country.
• Ensure you understand all terms and conditions of any agreement.
• Be wary of businesses that operate from P.O. boxes or maildrops.
• Ask for names of other customers of the individual or company and contact them.
• If it sounds too good to be true, it probably is.

Online crime prevention (cont.)

DHL/UPS
• Beware of individuals using the DHL or UPS logo in any email communication.
• Be suspicious when payment is requested by money transfer before the goods will be delivered.
• Remember that DHL and UPS do not generally get involved in directly collecting payment from customers.
• Fees associated with DHL or UPS transactions are only for shipping costs and never for other costs associated with online transactions.
• Contact DHL or UPS to confirm the authenticity of email communications received.

Employment/Business Opportunities
• Be wary of inflated claims of product effectiveness.
• Be cautious of exaggerated claims of possible earnings or profits.
• Beware when money is required up front for instructions or products.
• Be leery when the job posting claims "no experience necessary".
• Do not give your social security number when first interacting with your prospective employer.
• Be cautious when dealing with individuals outside of your own country.
• Be wary when replying to unsolicited emails for work-at-home employment.
• Research the company to ensure they are authentic.
• Contact the Better Business Bureau to determine the legitimacy of the company.

Online crime prevention (cont.)

Escrow Services Fraud
• Always type in the website address yourself rather than clicking on a link provided.
• A legitimate website will be unique and will not duplicate the work of other companies.
• Be cautious when a site requests payment to an "agent", instead of a corporate entity.
• Be leery of escrow sites that only accept wire transfers or e-currency.
• Be watchful of spelling errors, grammar problems, or inconsistent information.
• Beware of sites that have escrow fees that are unreasonably low.

Identity Theft
• Ensure websites are secure prior to submitting your credit card number.
• Do your homework to ensure the business or website is legitimate.
• Attempt to obtain a physical address, rather than a P.O. box or maildrop.
• Never throw away credit card or bank statements in usable form.
• Be aware of missed bills which could indicate your account has been taken over.
• Be cautious of scams requiring you to provide your personal information.
• Never give your credit card number over the phone unless you make the call.
• Monitor your credit statements monthly for any fraudulent activity.
• Report unauthorized transactions to your bank or credit card company as soon as possible.
• Review a copy of your credit report at least once a year.

Online crime prevention (cont.)

Internet Extortion
• Security needs to be multi-layered so that numerous obstacles will be in the way of the intruder.
• Ensure security is installed at every possible entry point.
• Identify all machines connected to the Internet and assess the defense that's engaged.
• Identify whether your servers are utilizing any ports that have been known to represent insecurities.
• Ensure you are utilizing the most up-to-date patches for your software.

Investment Fraud
• If the "opportunity" appears too good to be true, it probably is.
• Beware of promises to make fast profits.
• Do not invest in anything unless you understand the deal.
• Don't assume a company is legitimate based on "appearance" of the website.
• Be leery when responding to investment offers received through unsolicited email.
• Be wary of investments that offer high returns at little or no risk.
• Independently verify the terms of any investment that you intend to make.
• Research the parties involved and the nature of the investment.
• Be cautious when dealing with individuals outside of your own country.
• Contact the Better Business Bureau to determine the legitimacy of the company.

Online crime prevention (cont.)

Lotteries
• If the lottery winnings appear too good to be true, they probably are.
• Be cautious when dealing with individuals outside of your own country.
• Be leery if you do not remember entering a lottery or contest.
• Be cautious if you receive a telephone call stating you are the winner in a lottery.
• Beware of lotteries that charge a fee prior to delivery of your prize.
• Be wary of demands to send additional money to be eligible for future winnings.
• It is a violation of federal law to play a foreign lottery via mail or phone.

Nigerian Letter or "419"
• If the "opportunity" appears too good to be true, it probably is.
• Do not reply to emails asking for personal banking information.
• Be wary of individuals representing themselves as foreign government officials.
• Be cautious when dealing with individuals outside of your own country.
• Beware when asked to assist in placing large sums of money in overseas bank accounts.
• Do not believe the promise of large sums of money for your cooperation.
• Guard your account information carefully.
• Be cautious when additional fees are requested to further the transaction.

Online crime prevention (cont.)

Phishing/Spoofing
• Be suspicious of any unsolicited email requesting personal information.
• Avoid filling out forms in email messages that ask for personal information.
• Always compare the link in the email to the link that you are actually directed to.
• Log on to the official website, instead of "linking" to it from an unsolicited email.
• Contact the actual business that supposedly sent the email to verify if the email is genuine.

Ponzi/Pyramid
• If the "opportunity" appears too good to be true, it probably is.
• Beware of promises to make fast profits.
• Exercise diligence in selecting investments.
• Be vigilant in researching with whom you choose to invest.
• Make sure you fully understand the investment prior to investing.
• Be wary when you are required to bring in subsequent investors.
• Independently verify the legitimacy of any investment.
• Beware of references given by the promoter.

Online crime prevention (cont.)

Reshipping
• Be cautious if you are asked to ship packages to an "overseas home office."
• Be cautious when dealing with individuals outside of your own country.
• Be leery if the individual states that his country will not allow direct business shipments from the United States.
• Be wary if the "ship to" address is yours but the name on the package is not.
• Never provide your personal information to strangers in a chatroom.
• Don't accept packages that you didn't order.
• If you receive packages that you didn't order, either refuse them upon delivery or contact the company where the package is from.

Spam
• Don't open spam. Delete it unread.
• Never respond to spam as this will confirm to the sender that it is a "live" email address.
• Have a primary and secondary email address - one for people you know and one for all other purposes.
• Avoid giving out your email address unless you know how it will be used.
• Never purchase anything advertised through an unsolicited email.

Third Party Receiver of Funds
• Do not agree to accept and wire payments for auctions that you did not post.
• Be leery if the individual states that his country makes receiving these types of funds difficult.
• Be cautious when the job posting claims "no experience necessary".
• Be cautious when dealing with individuals outside of your own country.

Self-Test

Remember, better understanding leads to better protection of…

Your Password, Your Identity, Your Privacy

Do not cheat Yourself …

Question 1

Strong passwords and password practices contribute to protection of identity and privacy.

A. TRUE
B. FALSE

(choose/click one)

Correct! Excellent, strong passwords and password practices do contribute to protection of identity and privacy.

Now let’s move onto the next question …

Question 2

Which pair contains both a weak and a strong password?

A. cs101ra, ME11111
B. WYSIWYG, passwd
C. ig*hh4, f9%Wfh
D. kirk, on$7mur

(choose/click one)

Correct! Excellent,

A. cs101ra, ME11111 (weak, common), (weak, license #)
B. WYSIWYG, passwd (weak, common acronym), (weak, common)
C. ig*hh4, f9%Wfh (strong), (strong)
D. kirk, on$7mur (weak, common name), (strong)

Now let’s move onto the next question …

Question 3

What is the role of passwords in authentication?

A. to identify the user
B. to verify you are the legitimate owner of the user/account identifier
C. to provide security
D. none of the above

(choose/click one)

Correct! Excellent, the role of passwords in authentication is

B. to verify you are the legitimate owner of the user/account identifier

Now let’s move onto the next question …

Question 4

Which of the following best describes the relationship between authentication and both identity and privacy?

A. Successful authentication validates identity and provides access to private information
B. Authentication is the validation of a user’s identity
C. Anyone who authenticates themselves on a system using your credentials (user/account identifier, password) assumes your identity and has access to your personal information on that system
D. Identity theft and invasion of privacy are likely results of weak passwords and/or password practices

(choose/click one)

Correct! Excellent,

A. Successful authentication validates identity and provides access to private information

Note, the other choices are either simple definitions or facts regarding the conditions or probable outcomes of fraudulent authentication (likely attributable to password theft)

Now let’s move onto the next question …

Question 5

This is a tool helpful to those who have many passwords to remember.

A. KeePass 2
B. Password Safe
C. Sphinx
D. TK8 Safe
(choose/click one)

Correct! Excellent (actually, all of these are tools helpful to those who have many passwords to remember):

KeePass 2, learn more by visiting … http://keepass.info/
Password Safe, learn more by visiting … http://www.passwordsafe.com/
Sphinx (a hardware solution), learn more by visiting … http://www.securetech-corp.com/sphinx.html
TK8 Safe, learn more by visiting … http://www.tk8.com/safe.asp

Congratulations, you have answered all questions correctly …

References

1. Matt Bishop (2003). Computer Security. Pearson Education, Inc. ISBN 0-201-44099-7.
2. Michael Whitman & Herbert Mattord (2003). Principles of Information Security. Course Technology, a division of Thomson Learning, Inc. ISBN 0-619-06318-1.
3. Benny Pinkas & Tomas Sander (2002). Authentication and authorization: Securing passwords against dictionary attacks. Proceedings of the 9th ACM Conference on Computer and Communications Security.
4. Dirk Weirich & Martina Angela Sasse (2001). Session 7: passwords revisited: Pretty good persuasion: a first step towards effective password security in the real world. Proceedings of the 2001 Workshop on New Security Paradigms.
5. Peter G. Neumann (1994). Risks of passwords. Communications of the ACM, Volume 37, Issue 4.
6. Anne Adams & Martina Angela Sasse (1999). Users are not the enemy. Communications of the ACM, Volume 42, Issue 12.
7. Elinor Abreu (2000). Kevin Mitnick bares all. NetworkWorldFusion News Online (28 September 2000). [Cited July 26, 2003] Available from http://www.nwfusion.com/news/2000/0928mitnick.html
8. Counterpane Internet Security (2003). Password Safe software. [Cited July 26, 2003] Available from http://www.counterpane.com/passsafe.html
9. United States Department of Defense Computer Security Center (1985). Department of Defense Password Management Guideline. CSC-STD-002-85, Library No. S-226,994. [Cited July 26, 2003] Available from http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html

Of particular value to instructors is the following work:
10. Dirk Weirich & Martina Angela Sasse (2001). Session 7: passwords revisited: Pretty good persuasion: a first step towards effective password security in the real world. Proceedings of the 2001 Workshop on New Security Paradigms.

More References

• Al-Marhoon, M. (n.d.). Password Management Guide. MakeUseOf. Retrieved April 10, 2013, from http://www.makeuseof.com/pages/the-password-management-guide-fulltext
• http://www.slideshare.net/NortonOnline/2012-norton-cybercrime-report-14207489
• http://www.ic3.gov/media/annualreports.aspx

WWW Resources

• http://web.mit.edu/net-security/www/pw.html
• http://www.umich.edu/~policies/pw-security.html
• http://www-cgi.cs.cmu.edu/~help/security/pass_sec.html
• http://www.alw.nih.gov/Security/Docs/passwd.html
• http://www.ucsc.edu/banner/01ePwdSecurity.html#Password%20Guidelines
• http://ithelp.indstate.edu/info/secure-passwords.html#general
• http://www.lbl.gov/ITSD/Security/guidelines/password.html#choose
• http://tigger.cc.uic.edu/~mbird/password.html
• http://psynch.com/docs/best_practices.html
• http://www.p-synch.com/docs/strength.html

Incorrect

Perhaps a review may help; please select one of the following:

• Weak password practices
• Strong password practices
• Password attacks
• Passwords in the Context of Your Identity and Privacy
• Password Facts worth Remembering
• Back to Test

Thank you.