Presentation is loading. Please wait.

Presentation is loading. Please wait.

Password Management Limit login attempts Encrypt your passwords

Published byReginald Lamb Modified over 6 years ago

Similar presentations

Presentation on theme: "Password Management Limit login attempts Encrypt your passwords"— Presentation transcript:

1 Password Management Limit login attempts Encrypt your passwords
Protecting the password file Forgotten passwords Generating new passwords Password transport

2 Limit Login Attempts Don’t allow dictionary attacks “over the wire”
After some reasonable number of failed login attempts, do something Lock account Slow down iPhone does this, Android doesn’t Watch more closely

3 Encrypt Your Passwords
Using the techniques we just covered One would think this advice isn’t necessary, but . . . Yahoo lost half a million unencrypted passwords in 2012 Encryption is more expensive and less convenient But a lot more secure

4 Protecting the Password File
So it’s OK to leave the encrypted version of the password file around? No, it isn’t Why make it easy for attackers? Dictionary attacks on single accounts still work And there are “popular” passwords, leading to easy dictionary attacks even with encryption Generally, don’t give access to the encrypted file, either

5 Other Issues for Proper Handling of Users’ Passwords
Sites should store unencrypted passwords as briefly as possible Partly issue of how they store the file Partly issue of good programming Don’t leave passwords in temp files or elsewhere Should not be possible to print or save someone’s unencrypted password Use encrypted network transport for passwords If your server is compromised, all of this might not help

6 Wireless Networks and Passwords
Wireless networks are often unencrypted Web sites used to request and transport passwords in the clear So eavesdroppers could hear passwords being transported Important to encrypt these messages

7 Handling Forgotten Passwords
Users frequently forget passwords How should your site deal with it? Bad idea: Store plaintext passwords and send them on request Better idea: Generate new passwords when old ones forgotten Example of common security theme: Security often at odds with usability

8 Generating New Passwords
Easy enough to generate a random one But you need to get it to the user If attacker intercepts it, authentication security compromised How do you get it to the user?

9 Transporting New Passwords
Engineering solution is usually to send it in To an address the user registered with you earlier Often fine for practical purposes But there are very serious vulnerabilities E.g., unencrypted wireless networks If you really care, use something else E.g., surface mail

10 User Issues With Passwords
Password proliferation Choosing passwords Password lifespan

11 Password Proliferation
Practically every web site you visit wants you to enter a password Should you use the same password for all of them? Or a different password for each?

12 Using the Same Password
Easier to remember Much less secure One password guesser gets all your authentication info Do you trust all the sites you visit equally? Compromise in one place compromises you everywhere Real attacks are based on this vulnerability

13 Using Different Passwords
Much more secure But how many passwords can you actually remember? And you might “solve” this problem by choosing crummy passwords

14 Other Options Use a few passwords
Maybe classified by type of site or degree of trust Write down your passwords Several disadvantages Could write down hints, instead Use algorithm customized to sites Password vaults

15 Choosing Passwords Typically a compromise between: Sufficient security
Remembering it Major issues: Length Complexity

16 How Long Should Passwords Be?
Generally a function of how easy it is for attackers to attack them Changes as speed of processors increase Nowadays, 15 character password are pretty safe If they aren’t guessable . . . Old sites may demand shorter ones

17 Some Password Choice Strategies
Use first letters from a phrase you remember Use several randomly chosen words Replace letters with numbers and symbols Helps, but less if you use common replacements (e.g., “0” for “o”) Also less useful if you limit it to 1st and last character of password

18 Password Lifespan How long should you use a given password?
Ideally, change it frequently Practically, will you remember the new one? Is a good, old password worse than a bad, new one? Many issues of crypto key reuse are relevant here

Download ppt "Password Management Limit login attempts Encrypt your passwords"

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
Evaluating Web Server Log Analysis Tools David Strom SD’98 2/13/98.

Evaluating Web Server Log Analysis Tools David Strom SD’98 2/13/98.
How to Create (and use) Strong & Unique Passwords Larry Magid Co-director ConnectSafely.org.

How to Create (and use) Strong & Unique Passwords Larry Magid Co-director ConnectSafely.org.
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18, 2013 1.

Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,
Fmdszqujpo! Encryption!. Encryption  Group Activity 1:  Take the message you were given, and create your own encryption.  You can encrypt it anyway.

Fmdszqujpo! Encryption!. Encryption  Group Activity 1:  Take the message you were given, and create your own encryption.  You can encrypt it anyway.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
Welcome to the wonderful world of……. E-Mail. A Quick & Easy Guide.  What IS E-mail?  A quick, easy and convenient way to send a letter to friends, family.

Welcome to the wonderful world of……. . A Quick & Easy Guide.  What IS ?  A quick, easy and convenient way to send a letter to friends, family.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
ESCCO Data Security Training David Dixon September 2014.

ESCCO Data Security Training David Dixon September 2014.
Staying Safe Online Keep your Information Secure.

Staying Safe Online Keep your Information Secure.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
Crimes of Negligence or Incompetence Presented By: Lisa R. Williams.

Crimes of Negligence or Incompetence Presented By: Lisa R. Williams.
David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.

David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.

Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,

1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,

Similar presentations

Ads by Google