13: Unlucky for some? …or how to test your WLAN passwords to make sure that it’s the hacker who is “unlucky” Ian Hughes Wireless Security Consultant


The world around us is changing
The threats presented by “insecure” Wireless LAN (WLAN) systems change with time. How good are your WLAN passwords? As computers become more powerful and the tools they use become faster, we must review the way in which we implement effective security. The use of “simple” passwords is no longer acceptable, since these can be obtained or broken by brute-force tools.

Test your passwords
Answer the following 13 questions. At the end of the test you can review your answers and see where you could make improvements to your organisation’s Wireless LAN security.

Test your passwords
1. How long is your password?
- Less than 8 characters
- Between 8 and 15 characters
- Between 15 and 30 characters
- More than 31 characters

Test your passwords
2. What characters do you use in your password?
- All letters, all upper or all lower case, or all numbers only
- A mix of mostly letters - mixed case - and some numbers
- A mix of mostly letters, some numbers and punctuation
- A mix of totally random characters (including !"£$%^&* etc.)

Test your passwords
3. Do you use a password reminder?
- No – I don’t need to
- Yes, it asks a question and the answer is my password
- Yes, it asks a question, to remind me of my password, but the answer is not my password
- Yes, the “question” is my password

Test your passwords
4. Does your password contain personal information?
- Yes
- Yes, but only known to my colleagues & friends
- Yes, but only known to my close family members
- No

Test your passwords
5. If you entered your password in a Web search engine, how many results would you get?
- Zero
- Less than 10
- Less than 1000
- 1000 or more

Test your passwords
6. Can you remember your password without having to look it up?
- Yes, always
- Mostly, sometimes I forget it after a holiday or soon after changing it
- Sometimes, I need to remind myself a few times each week
- No, I’m always forgetting it

Test your passwords
7. Where do you keep a record of your password?
- Nowhere – I don’t need to
- In the company fire safe
- In a sealed envelope in my locked desk drawer
- In a sealed envelope in my manager’s locked desk drawer

Test your passwords
8. How many pieces of random information does your password contain?
- Just the one
- Two
- Three
- More than three

Test your passwords
9. When did you last change your password?
- More than six months ago
- Less than six months ago
- Less than three months ago
- Less than one month ago

Test your passwords
10. Can you type your password without making mistakes?
- Yes
- Mostly
- Occasionally
- No

Test your passwords
11. Who else knows your password?
- My manager
- A work colleague
- The system administrator
- No one

Test your passwords
12. Where else do you use your password?
- On other work related systems
- On other non-company systems (personal etc.)
- On my eBanking account
- Nowhere else – all of my passwords are unique

Test your passwords
13. How long does it take you to produce a new password when asked?
- Less than 30 seconds
- Between 30 seconds and one minute
- Between one and five minutes
- More than five minutes

So how well did you do?

Test your passwords - Answers
1. How long is your password?
- Passwords that are less than 8 characters long, especially if they are a dictionary word, are poor, as they can easily be determined using brute-force tools and techniques. SCORE = 0
- Passwords between 8 and 15 characters are better, but should still not be a single dictionary word. A pass-phrase should always be used where possible. SCORE = 1
- Passwords between 15 and 30 characters tend to be pass-phrases due to their length and can offer a good level of security – but see the later questions to ensure this is the case. SCORE = 3
- Passwords in excess of 30 characters can be very secure, but their complexity makes them harder to remember and this may compromise them in other ways. SCORE = 1

Test your passwords - Answers
2. What characters do you use in your password?
- Passwords containing only letters, or worse only numbers, are much more easily recovered using brute-force techniques – especially if they are dictionary words and contain only upper or only lower case characters. SCORE = 0
- Passwords containing a mixture of mixed case letters with some numbers are better, but avoid commonly known “number for letter” substitutions (e.g. I = 1, S = 5, O = 0, E = 3, A = 4 etc.) or upper case letters only at the beginning of a word. SCORE = 2
- Passwords containing a mixture of mixed case letters with some numbers and other characters (punctuation etc.) are much stronger and are much more resistant to currently available brute-force tools and techniques. SCORE = 3
- Passwords containing totally random characters are very strong, but far more difficult to remember. SCORE = 1
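As an added example (not part of the presentation), the following Python checker applies the length and character-mix rules from answers 1 and 2, and undoes the I=1, S=5, O=0, E=3, A=4 substitutions before a dictionary lookup, which is why such substitutions add little against a cracking rule set. The wordlist and the 33-symbol alphabet size are constructed assumptions.

```python
import math
import re

# Constructed stand-in for a real cracking wordlist (assumption, not from the slides).
DICTIONARY = {"password", "welcome", "letmein", "summer", "wireless", "admin"}

# The "number for letter" substitutions the slides list: I=1, S=5, O=0, E=3, A=4.
LEET_MAP = str.maketrans({"1": "i", "5": "s", "0": "o", "3": "e", "4": "a"})

# Character classes and the alphabet size each adds to a brute-force search.
# 33 symbols = printable ASCII punctuation plus space (assumed keyboard layout).
CHARSETS = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
)


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must enumerate, given the classes present."""
    return sum(size for rx, size in CHARSETS if rx.search(password))


def brute_force_bits(password: str) -> float:
    """log2 of the naive keyspace alphabet ** length; higher is harder to brute-force."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def undo_substitutions(password: str) -> str:
    """Reverse the I=1/S=5/O=0/E=3/A=4 substitutions and case, as a rule set would."""
    return password.lower().translate(LEET_MAP)


def assess(password: str) -> dict:
    """Apply the slides' length, character-mix and dictionary-word rules."""
    issues = []
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    if alphabet_size(password) <= 26:
        issues.append("single character class")
    # Compare the bare letters both as typed ("Summer2023!" -> "summer") and after
    # de-leeting ("P4ssw0rd" -> "password") against the wordlist.
    lowered = password.lower()
    candidates = {re.sub(r"[^a-z]", "", lowered),
                  re.sub(r"[^a-z]", "", undo_substitutions(lowered))}
    if candidates & DICTIONARY:
        issues.append("dictionary word once substitutions are undone")
    return {"bits": round(brute_force_bits(password), 1), "issues": issues}


if __name__ == "__main__":
    for pw in ("summer", "P4ssw0rd", "Summer2023!", "Wireless!Kettle#7stairs"):
        print(pw, assess(pw))
```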

Test your passwords - Answers
3. Do you use a password reminder?
- Not using a password reminder, where other secure methods are available, is acceptable, but being unable to recover your password may be a greater problem. SCORE = 1
- Take care – is the question and answer pairing obvious, either to a stranger or someone who knows something about you? Try to avoid personal information or anything relating to your job function or organisation. What does a Web search bring up in answer to your “question”? SCORE = 1
- If the reminder works for you, but does not directly relate to the password itself, then well done! SCORE = 3
- Not so much a reminder, more a major security flaw. SCORE = 0

Test your passwords - Answers
4. Does your password contain personal information?
- Personal information (favourite football team, pet names, children’s names, nicknames etc.) is a bad choice and can be easily predicted – not so much brute force as a good guess based on widely available knowledge. SCORE = 0
- Your colleagues and friends may pass this information on to others - would you give them your bank card & PIN? SCORE = 0
- You may think that only close family members know this information – how sure are you? SCORE = 1
- A good password contains no clues or references to you as an individual, so is much harder to predict or guess. SCORE = 3

Test your passwords - Answers
5. If you entered your password in a Web search engine, how many results would you get?
- Zero results shows that this information is probably a good password, with a good degree of randomness (or maybe you need a better Web search engine?). SCORE = 3
- A result of less than 10 shows a fair degree of randomness and/or unpredictability, but be careful that it is not something related to you, or your company’s interests, that may be guessed. SCORE = 2
- A result of less than 1000 shows that randomness and unpredictability are reducing. Try making some simple changes to reduce the number of results found. SCORE = 1
- More than 1000? Not a good choice. SCORE = 0

Test your passwords - Answers
6. Can you remember your password without having to look it up?
- If you can always remember your password you may have an excellent memory, so challenge it a little more and make your password slightly more complicated. SCORE = 2
- Your ability to remember your password most of the time shows that it is reasonably complex – or at least offers the best mix of security and memorability for you, the user. SCORE = 3
- If you need to remind yourself several times a week, the password recovery process (paper or online) may become a potential weakness. SCORE = 1
- Always forgetting? Try to generate strong but more memorable passwords. SCORE = 0

Test your passwords - Answers
7. Where do you keep a record of your password?
- Not keeping a password record, if suitable secure methods are available, risks you being unable to recover your password if forgotten. Whilst secure, this method has other risks. SCORE = 1
- Keeping a record in the company fire safe leaves all credentials in a common location - and security will depend on the physical access controls to the fire safe. SCORE = 0
- Keeping a sealed envelope in your own locked desk drawer distributes the risk, provided access to your drawer is restricted, and allows you to periodically check on the integrity of the envelope – any problems or evidence of tampering should require an immediate password change. SCORE = 3
- A sealed envelope in your manager’s drawer may be an issue if they have many staff – will they notice if yours is opened or goes missing? Also a problem as many credentials can be compromised at once – as with the fire safe. SCORE = 1

Test your passwords - Answers
8. How many pieces of random information does your password contain?
- Just one, or a common theme, can make the password much easier to break. SCORE = 1
- Using two or more separate elements greatly improves security – so long as they are unrelated. SCORE = 2
- Using three unrelated elements adds a high level of security, and should not be overly complex for the password owner to remember. SCORE = 3
- Using more than three unrelated random elements continues to increase the security of your password, but memorability may become an issue – both for normal use and for any password recovery process. SCORE = 1

Test your passwords - Answers
9. When did you last change your password?
- Time is the enemy – if you have not changed your password for at least six months the probability of it being broken by brute-force methods is much greater. SCORE = 0
- A password that has been in use for between 3 – 6 months must be considered weaker. Even for low risk systems, such as personal or chat rooms, six months would be the absolute maximum period for any password before renewal. SCORE = 1
- Three months is a sensible limit for any “user” level passwords. Admin or “superuser” passwords should be changed more often to maintain adequate security. SCORE = 2
- Monthly changes to your passwords add considerably to the security of your systems and should be considered mandatory for Admin and “superuser” accounts. SCORE = 3

Test your passwords - Answers
10. Can you type your password without making mistakes?
- Your ability to quickly type your password makes it less likely that someone will be able to observe, or “shoulder surf”, your password as you type it. SCORE = 3
- Your poor typing skills may cause you to occasionally mistype your password – take care not to slow down too much, or people may observe you when typing your password. SCORE = 2
- Your password may be overly complex, and for all but the most sensitive systems a balance needs to be made between usability and security. Repeated typing makes it easier for someone observing you to see your password. SCORE = 1
- Maybe you need to learn to type, or get a better password? It may be too complex, too long, or just not practical. SCORE = 0

Test your passwords - Answers
11. Who else knows your password?
- Your manager may need to access any systems you use, but should have their own log-on credentials to do so. SCORE = 0
- Never share your passwords with colleagues – they should have their own unique account and password if they need access to a system. Even if you have a job share, you should never share passwords. SCORE = 0
- The system administrator should be able to reset your password, but you should change this to something only you know if possible. Avoid common “system” passwords if possible and administer systems at an individual user level. SCORE = 1
- If you are the only person who knows your password, and it is held in a secure and encrypted format on the system to which it provides access – well done! SCORE = 3

Test your passwords - Answers
12. Where else do you use your password?
- Using your password across multiple separate systems, where each system requires authentication to access it, can lead to a risk of exposure if using a common password. SCORE = 1
- Using a work related password on non-work related systems should be avoided at all costs – especially if you also supply a work address as your identity! SCORE = 0
- Sensitive accounts, such as eBanking, should always have their own unique and strong passwords. Never share passwords between systems with different security requirements. SCORE = 0
- Well done. By using unique passwords you limit the exposure between the various systems you use. Should one be compromised, only that system is at risk, and you only have to change the password on that one system. SCORE = 3

Test your passwords - Answers
13. How long does it take you to produce a new password when asked?
- Less than 30 seconds – you probably used the first thing that came into your head, or tried modifying your old password somehow. How easily could this be guessed, or brute-force techniques be used to recover it? SCORE = 0
- 30 seconds to a minute. Maybe you are a slow thinker, or maybe you did spend a little more time and effort and did not use the first thing that came into your head? SCORE = 2
- Between one and five minutes – probably an excellent idea if you are changing an Admin or “superuser” password. Spend a few minutes looking at some basic techniques to make your passwords stronger before choosing a new one. SCORE = 3
- More than five minutes may be excessive – especially if you have multiple passwords to change regularly. SCORE = 1

Test your passwords - Scores
What was your overall score?
- 30+: Well done. Review your answers to see if there are any further simple improvements that you can make.
- A good result, but some key elements may need to be reassessed.
- Some areas addressed, but others leave some exposure that leads to greater risk in the longer term.
- A poor result – needs immediate attention to mitigate considerable risk exposure.
- 9 or less: A formal review of security techniques and methods is required urgently.