Password Management Ideas
Joel Anderson, 5/10/2007

Where were you on the night of Wednesday, November 2, 1988? I was driving to Odegaard's Bookstore in Minneapolis to get an autographed copy of this book: ... but then, I wasn't a sysadmin.
If you were a sysadmin, you'd probably remember that the OTHER thing happening that night was Robert Morris's "Worm" spreading across the Internet. Besides exploiting flaws in sendmail and fingerd, the Worm spread by cracking many, many passwords. It could do that offline because the password hashes of the day sat in the world-readable Unix password file, and it worked through a whole series of word lists:

    First, it built a customized dictionary of words containing the user name, the person's name (both taken from the Unix password file), and five permutations of them. If those failed, it used an internal dictionary of 432 common, Internet-oriented jargon words. If those failed, it used the Unix on-line dictionary of 24,474 words. The worm also checked for the "null" password. Some sites reported as many as 50% of their passwords were successfully cracked using this strategy.
    (The Strong Password Dilemma, http://www.smat.us/sanity/pwdilemma.html)

This is one of the reasons why having a good password matters.
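The tiered guessing strategy quoted above, as an added illustration that is not code from the slides or from the Worm itself. The Worm cracked DES crypt(3) hashes with its own fast crypt routine; here a salted SHA-256 from hashlib stands in for crypt, and the two dictionaries are constructed toy lists in place of the 432-word jargon table and /usr/dict/words. The sample password file is constructed for the example.

```python
"""Tiered password guessing in the style of the 1988 Internet Worm.

Added example. Stand-ins: salted SHA-256 plays the role of crypt(3), and
the word lists below are toy versions of the Worm's 432-word internal
table and the 24,474-word Unix on-line dictionary.
"""
import hashlib


def _h(salt, pw):
    """Stand-in for crypt(3): salted SHA-256 hex digest."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


# Constructed sample "password file": (login, GECOS name, salt, hash).
SAMPLE_PASSWD = [
    ("alice", "Alice Cooper", "aa", _h("aa", "ecila")),     # login reversed
    ("bob",   "Bob Jones",    "bb", _h("bb", "jones")),     # last name, lowercased
    ("carol", "Carol King",   "cc", _h("cc", "wizard")),    # jargon word
    ("dave",  "Dave Smith",   "dd", _h("dd", "aardvark")),  # on-line dictionary word
    ("erin",  "Erin Brown",   "ee", _h("ee", "")),          # null password
    ("frank", "Frank Li",     "ff", _h("ff", "M$8ni3y0")),  # not in any tier: survives
]

# Toy stand-ins for the Worm's internal jargon table and the Unix dictionary.
INTERNAL_WORDS = ["wizard", "guest", "hacker", "unix", "secret"]
ONLINE_DICTIONARY = ["aardvark", "apple", "banana", "zebra"]


def personal_candidates(login, gecos):
    """Tier 1: guesses derived from the account itself (login, name parts,
    and simple permutations: case changes, reversal, doubling)."""
    names = [login] + gecos.split()
    out = []
    for w in names:
        out += [w, w.lower(), w.capitalize(), w.upper(), w[::-1], w + w]
    return list(dict.fromkeys(out))  # de-duplicate, keep order


def guess_password(login, gecos, salt, target_hash):
    """Return (tier, password) for the first hit, or (None, None).
    Tier order mirrors the Worm: null, personal, internal list, dictionary."""
    tiers = [
        ("null", [""]),
        ("personal", personal_candidates(login, gecos)),
        ("internal", INTERNAL_WORDS),
        ("dictionary", ONLINE_DICTIONARY),
    ]
    for tier, words in tiers:
        for w in words:
            if _h(salt, w) == target_hash:
                return tier, w
    return None, None


def crack_file(entries):
    """Run the tiers over every entry; returns {login: (tier, password)}."""
    return {login: guess_password(login, gecos, salt, h)
            for login, gecos, salt, h in entries}


if __name__ == "__main__":
    for login, (tier, pw) in crack_file(SAMPLE_PASSWD).items():
        print(f"{login:6} {tier or 'not cracked':12} {pw!r}")
```

Five of the six constructed accounts fall to one of the tiers; only the account whose password is a mnemonic string not derivable from the account data or either word list survives, which is the point the next section makes about what "good" means.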
Define GOOD. "A good password is one that cannot be easily guessed." Bear in mind that "guessing" may involve high-powered computer attacks (see Password Attack Discussion & Benchmarks by Alan Amesbury, http://www1.umn.edu/oit/security/passwordattackdiscussion.html).

In Password Memorability and Security: Empirical Results (Jeff Yan et al., http://homepages.cs.ncl.ac.uk/jeff.yan/jyan_ieee_pwd.pdf), the authors ran an experiment that tested password creation, strength and retention with three groups of students:
1. Naive password choices (control)
2. Totally random choice
3. "Mnemonic phrase" password
(They also compared their subjects to a random sample of student accounts.)

This study confirmed:
- users have difficulty remembering random passwords;
- passwords based on mnemonic phrases are harder to guess than naively selected passwords.

It debunked:
- that random passwords are better than passwords based on mnemonic phrases: in fact, each appeared to be as strong as the other;
- that passwords based on mnemonic phrases are harder to remember than naively selected passwords: in fact, each type is as easy to remember as the other;
- and, unfortunately, that we can significantly improve security by educating users to select random or mnemonic passwords: in fact, both types of passwords suffered from a noncompliance rate of about 10 percent (including too-short passwords and passwords chosen contrary to the instructions). Although this is better than the approximately 35 percent of users who choose bad passwords with only cursory instruction, it's not a huge improvement.* The attacker might have to work three times harder, but without password policy enforcement mechanisms, we can't make the attacker work a thousand times harder.

* This is why it is good that Internet and enterprise passwords are subject to complexity requirements.
(Results from Jeff Yan et al., http://homepages.cs.ncl.ac.uk/jeff.yan/jyan_ieee_pwd.pdf)

Create a strong, memorable password in 6 steps (from Microsoft's Strong Passwords: How to create and use them, http://www.microsoft.com/athome/security/privacy/password.mspx). Use these steps to develop a strong password:
1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as "My son Aiden is three years old."
2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between the words) on your computer or online system, do so.
3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you've created to create a new, nonsensical word. Using the example above, you'd get: "msaityo".
4. Add complexity by mixing uppercase and lowercase letters and numbers. This might yield a password like "MsAy3yo".
5. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of "MySoN8N i$ 3 yeeR$ old" or a password (using the first letter of each word) "M$8ni3y0".
6. Test your password with a password checker.

Password checkers:
- Offline test (requires JavaScript): http://www.microsoft.com/athome/security/privacy/password_checker.mspx
- Online (PHP-based) test: http://www.securitystats.com/tools/password.php

NOTE: the online password tester DOES introduce risk. You should NOT use it for testing REAL passwords; use it to test the complexity of sample passwords, and then use the results to gauge how complex your real passwords are. Using that page means that the people running the password-test application will be given clues about password choice strategies within your network.

ONCE you have the password, now what?
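The six-step procedure and the "test it with a checker" step, as an added example that is not Microsoft's checker or code from the slides. It turns a sentence into its first-letter password (step 3) and scores candidates locally, so no password or strategy clue leaves the machine, which is the risk the note above warns about. The scoring rule (a naive entropy bound from length and character classes, plus penalties for a short length, common words and keyboard runs) and the verdict thresholds are assumptions for illustration, not a published formula; the word list is a constructed stub.

```python
"""Sentence-to-password conversion plus an offline strength check.

Added example; the scoring rule and thresholds are assumptions, and
COMMON_WORDS is a constructed stub for a real dictionary.
"""
import math
import re

COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey"}  # constructed stub
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")


def sentence_to_password(sentence):
    """Step 3: first letter of each word, lowercased, in order."""
    words = re.findall(r"[A-Za-z0-9']+", sentence)
    return "".join(w[0].lower() for w in words)


def charset_size(pw):
    """Size of the alphabet an attacker must search if they know which
    character classes are present (printable ASCII: 26+26+10+33)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # symbols and space
    return size


def naive_entropy_bits(pw):
    """Upper bound: every character uniformly random over the classes used.
    Real passwords are far less random, so this flatters weak choices."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def check_password(pw):
    """Return (bits, verdict, warnings). Any warning forces 'weak';
    otherwise the verdict follows assumed thresholds of 40 and 60 bits."""
    warnings = []
    low = pw.lower()
    if len(pw) < 8:
        warnings.append("shorter than 8 characters")
    if low in COMMON_WORDS:
        warnings.append("common word")
    for run in KEYBOARD_RUNS:
        if run in low:
            warnings.append(f"keyboard run '{run}'")
    bits = round(naive_entropy_bits(pw), 1)
    if warnings or bits < 40:
        verdict = "weak"
    elif bits < 60:
        verdict = "medium"
    else:
        verdict = "strong"
    return bits, verdict, warnings


if __name__ == "__main__":
    sentence = "My son Aiden is three years old."
    # The page's own intermediate results from steps 3 to 5.
    for candidate in [sentence_to_password(sentence), "MsAy3yo",
                      "M$8ni3y0", "MySoN8N i$ 3 yeeR$ old", "password"]:
        print(f"{candidate!r:28} {check_password(candidate)}")
```

Run against the page's own examples, the step-3 and step-4 forms are still weak (seven characters), the step-5 password "M$8ni3y0" reaches the medium band, and the full pass phrase is far stronger than any of them, which is why step 2 says to use the pass phrase whenever the system accepts it.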
Memorize it! (http://en.wikipedia.org/wiki/Mnemonic)

Write it down! (http://www.schneier.com/blog/archives/2005/06/write_down_your.html)

Use a tool!

Tool tips: what should you look for in a password keeper?
- Based on strong cryptography: does it securely store your information?
- Open source: benefit from an active development community; no secrets, no snake oil.
- Portable: can you use it easily on more than one computer? Can it run from a flash drive?

Three tools for password keeping: Password Safe (and friends), TrueCrypt, Locknote.

Password Safe - http://passwordsafe.sourceforge.net/
- Password access to multiple accounts
- Multiple useful features
- Easy to install on a USB drive

Other developments:
- Pwsafe, a command-line version for multiple OSs - http://nsd.dyndns.org/pwsafe/
- Password Gorilla - http://www.fpx.de/fp/Software/Gorilla/

TrueCrypt - http://www.truecrypt.org/
- Lets you keep a plain text file inside an encrypted volume.
- Portable: again, it fits on a USB drive, along with the encrypted file.
- TrueCrypt lets you put your "secrets" file on a USB drive and access it from there.

NOTE: if you use a program like notepad.exe to edit a file stored in an encrypted filesystem like TrueCrypt, there is always the chance that you will leave "tracks" (editor temporary files, recent-document lists) in your UN-encrypted filesystem. This should NOT be done on a shared system, or on one where you cannot reliably say you are the only user.

Locknote - http://locknote.steganos.com/ (also http://sourceforge.net/projects/locknote)
As easy (and simple) as NOTEPAD (just be sure you remember the passphrase!)
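What "based on strong cryptography" buys you in a Locknote-style keeper, as an added example that is not the file format or code of any tool named on this page. It shows the two properties worth checking for in any password keeper: a deliberately slow key derivation (PBKDF2-HMAC-SHA256) so that offline guessing of the passphrase is expensive, and authenticated encryption so that a wrong passphrase or an altered file is rejected rather than silently decrypting to garbage. To stay standard-library only, the cipher is HMAC-SHA256 run in counter mode under a key separate from the MAC key (encrypt-then-MAC); the iteration count and the file layout are assumptions, and for real data you would use a vetted AEAD such as AES-GCM from a maintained library.

```python
"""Passphrase-locked note: PBKDF2 key stretching + encrypt-then-MAC.

Added example, not any tool's real format. Layout (assumed):
salt(16) || nonce(16) || ciphertext || HMAC-SHA256 tag(32).
"""
import hashlib
import hmac
import os
import struct

ITERATIONS = 100_000  # assumption; raise it as hardware gets faster


def derive_keys(passphrase, salt):
    """Stretch the passphrase into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key, nonce, n):
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def lock(passphrase, plaintext):
    """Encrypt then MAC; fresh salt and nonce every time."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unlock(passphrase, blob):
    """Verify the tag first; only then decrypt. Raises ValueError on failure."""
    if len(blob) < 64:
        raise ValueError("truncated file")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad passphrase or tampered file")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def roundtrip_ok(passphrase, note):
    return unlock(passphrase, lock(passphrase, note)) == note


def wrong_passphrase_rejected(good, bad, note):
    try:
        unlock(bad, lock(good, note))
        return False
    except ValueError:
        return True


def tamper_detected(passphrase, note):
    blob = bytearray(lock(passphrase, note))
    blob[32 + len(note) // 2] ^= 0x01  # flip one bit inside the ciphertext
    try:
        unlock(passphrase, bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    note = b"bank: login alice / password M$8ni3y0\n"  # constructed sample note
    print("roundtrip:", roundtrip_ok("correct horse", note))
    print("wrong passphrase rejected:", wrong_passphrase_rejected("correct horse", "wrong", note))
    print("tamper detected:", tamper_detected("correct horse", note))
```

Because the tag is checked before any decryption, an attacker who edits the locked file gets a clean error, and each passphrase guess costs a full PBKDF2 run; that is the same reason a keeper that "just XORs with the password" or "just hashes once" fails the first tool tip above. Note that this script only ever writes the locked blob, so it leaves none of the plaintext "tracks" the TrueCrypt note warns about.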
Choices for the Mac: Mac Password Keepers
- http://nirlog.com/2006/07/19/password-managers-for-os-x/
- http://www.takecontrolbooks.com/passwords-macosx.html

References:
- Password Attack Discussion & Benchmarks, Alan Amesbury - http://www1.umn.edu/oit/security/passwordattackdiscussion.html
- Password Memorability and Security: Empirical Results - http://homepages.cs.ncl.ac.uk/jeff.yan/jyan_ieee_pwd.pdf
- Strong Passwords: How to create and use them - http://www.microsoft.com/athome/security/privacy/password.mspx
- Password strength tests - http://www.securitystats.com/tools/password.php and http://www.microsoft.com/athome/security/privacy/password_checker.mspx
- The Strong Password Dilemma - http://www.smat.us/sanity/pwdilemma.html

Tools:
- Password Safe - http://passwordsafe.sourceforge.net/
- Pwsafe - http://nsd.dyndns.org/pwsafe/
- Password Gorilla - http://www.fpx.de/fp/Software/Gorilla/
- TrueCrypt - http://www.truecrypt.org/
- Locknote - http://locknote.steganos.com/ and http://sourceforge.net/projects/locknote
- Mac Password Keepers - http://nirlog.com/2006/07/19/password-managers-for-os-x/ and http://www.takecontrolbooks.com/passwords-macosx.html