Strong : Do You Really Need Them? October 30, 2013

History of computer passwords – who dunnit first? Do you really need them? A user’s perspective A hacker’s perspective – the world of hackers, password crackers. It’s just ‘business’, ‘ hacktivism’ or ‘for fun’ Who’s winning? – Users or the hackers? Strong passwords are long passwords (phrases) Use two-factor authentication when available – example Google offers it as an option Make it ‘not worth the effort’ for the hacker When things go wrong Presentation Overview

Fernando Corbató at MIT in the 1960s. Was MIT's CTSS computer the first one to use passwords? Photo Courtesy : MIT Museum Who dunnit first?

Strong passwords – do you really need them ? You need passwords – That serve the purpose to keep your information safe – Keeps you at the end of the hackers’ list – Help keep your data secure – Help keep you safe – Phrases – Randomness – Nonsensical – Use words from a language other than English – Use unique passwords for different sites

What data should you be worried about protecting? Examples: Medical – diagnosis, prescriptions, insurance Financial – credit report, credit card, bank account information, payroll Personal – wills, inheritance, family heirloom data (historical letters) Informational – location, vacation itineraries Identity – SSN, Name Intellectual – innovations, research, creativity

You are the target ScamMitigate the Risk Brute forcing the passwordStrong password – keeps you at the end of the hack-able list Guessing attackStrong password – you are not the low hanging fruit Social engineeringThe ‘attacker’ can’t read your mind PhishingDo not give out your username and password to Anyone, no matter what the circumstances be Coding practicesOWASP, training Patch and updatePatches and updates fix bugs and remediate known vulnerabilities EncryptionUse password vaults – such as KeePass

Too many passwords Strong passwords are hard to remember I should not need to change my passwords Inconvenience Is there an easier way to handle this? It ( compromise) won’t happen to me A user’s perspective

Simple passwords are easy to crack Motivation - Am I doing this for money, ideology or just fun? Is this victim a one-time opportunity, persistent ‘home’ or resale-able goods? A hacker’s perspective

Mitigate risk with minimum inconvenience to the user What is at stake? – personal safety, reputation, revenue, fines Technology helps, but nothing beats user awareness A security professional’s perspective

How can you protect your data? People Process Technology

Be aware that data.. –Is interconnected –Identifies you –Impacts you and others –A strong password and being vigilant is your strongest line of defense

Who is winning?

Strong Passwords are Long Passwords Use passphrases and not simple, predictable passwords Use nonsensical combination of words, numbers and special characters NEVER share your username and password with anyone Learn to recognize phishing –Who sent it –What is being asked, –Hover the Links to verify legitimacy before clicking – Report to Use a password vault like KeePass, SplashID etc. – ( Mac OSX : Windows : ) Change your passwords – reasonable duration for the type of data that password protects Personal Safety First, Information Security a close second Use two-factor, two-step authentication when available Make it ‘not worth the effort for the hacker’ When things go wrong, report it to the IT Support Center or

Presented by: Noor Aarohi Senior Analyst - Risk and Compliance GWIT Information Security and Compliance Services