4/18/2014

Passwords: How to be more secure
Email, websites (including banks), wireless networking
Pleasanton Senior Center PC Users Group, 24 April 2014
Presented by Ken Cook

Preamble
You receive unfamiliar messages. Passwords that no longer work. These are just two of the many clues that cybercriminals have gotten hold of your password and broken into your email account.

When a password is compromised, the first step is to regain control over the account by changing passwords and checking configuration settings to make sure nothing has changed. However, if the root problem (how the passwords were successfully stolen) is not fixed, the accounts will just get compromised again and again.

The most basic rules (for creating any password)
1. Don't make the password easy to guess
2. Make the password 8 characters or longer
3. Use different passwords on different sites

1. Don't make the password easy to guess
Many users still make the mistake of selecting simple passwords, such as '123456' or 'password'. If the password is a common word that can be found in the dictionary, or a simple sequence of numbers and letters, there are cracking tools that can figure out the actual password.

Adobe data breach at year-end 2013: obviously, you shouldn't use the five most common passwords at Adobe ("123456", "123456789", "password", "adobe123" and "12345678") or anything like them. The same goes for special dates; names of spouses, children, relatives or pets; or any password using the full name of the service you're making the password for.

It's important to take your passwords seriously and to make sure they are strong. The strongest password is one that contains a random collection of letters (uppercase and lowercase), numbers and symbols. Of course, that's nearly impossible to remember, but we'll deal with that soon.

2. Make the password 8 characters or longer
Shorter passwords are easier to crack, and hackers go for those first. As passwords get longer, cracking takes longer, as long as they aren't obvious like "123456789". Hackers scan for the obvious ones first, a different way.

Per Microsoft, a strong password:
• Is at least eight characters long.
• Does not contain your user name, real name, or company name.
• Does not contain a complete word.
• Is significantly different from previous passwords.
• Contains characters from each of the following four categories:

  Character category                                      Examples
  Uppercase letters                                       A, B, C
  Lowercase letters                                       a, b, c
  Numbers                                                 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  Symbols found on the keyboard (all keyboard             `~!@#$%^&*()_+={}[]\|:;"'<>,.?/
  characters not defined as letters or numerals) and spaces

3. Use different passwords on different sites
Most hackers don't try to guess your password. But if they get one of your passwords in a data breach, or from a virus on your computer, they will go after your other online accounts. That's why you want a different password for every account, especially your critical financial accounts. If the password they have doesn't work right away, they'll usually move on to someone else's that does.

Creating a password scheme
First off, let's look at how to create a "safe" or "strong" password scheme, so that we can probably remember them.

Let's start with the colors of the rainbow: Red, Orange, Yellow, Green, Blue, Indigo, Violet.

How about some longer alternates for some of those colors?
• Crimson, scarlet, vermillion
• Sunshine, dandelion, sunflower
• Asparagus, camouflage, shamrock, emerald, jungle
• Cornflower, periwinkle, sapphire, ultramarine

Letter substitution
• 0 (zero) for o, O
• 1 for l, L
• 3 for e, E
• $ for s, S
• 4 for h, H
• @ for a, A
• ! for I, i

Numbers before and/or after a letter combination, or at a syllable break
• 72$c@rLet27: my hint would be my alma mater, which is Rutgers, whose mascot is the Scarlet Knights; I graduated in 1972, and reversed the year at the end.
• 1wh3el93barR0w2: wheelbarrow, with 1932 embedded fore, middle and aft, with number substitution and uppercase letters.

Some other themes for passwords:
• Flavors: Chocolate -> ch0c01@T3; Vanilla -> 8v@Ni11@; Strawberry -> $TR@wb3rry
• Places: Stockholm -> $T0ck401m; Adelaide -> @d31A!de

More ideas for password sources:
• "Foreign" languages: combine two or three short words in other languages: einunoone, deuxdoszwei, hauscasa, nyetnaooxi, atamakichwa, etc.
• Deliberate misspellings
• Flowers: Daffodil -> D@ff0d!L; Clematis -> cl3M@T!$

Kim Komando bonus tip: setting up consistent symbol replacement and capitalization rules for all your passwords helps keep things from becoming too complex.

Remembering them all
The ZoneAlarm article says "make sure your passwords are all unique, complex, and long" and have "a unique password for every account and service". We're also commonly advised not to write them down or share them. Then all we have to do is remember them, which may not seem too complex to someone of 25. However, as you get older and accumulate more passwords and PINs (and e-mail addresses and phone numbers) it is difficult to do.

Yes, there are software tools which both generate random passwords and keep them "securely" for you. But you need a strong password to unlock and/or decrypt your list. Thumb drives can be lost, or even fail. Face recognition is still in its infancy, and pricey. Two-factor authentication is coming.

So what to do? In my experience, almost everyone over the age of 40 has some scheme for recording their passwords and the related website. My suggestion is that rather than recording (on paper or electronically) the actual password, use a hint. I keep my list of sites and password hints in a spreadsheet with a disguising word, and have a single-page printout I keep handy. I've written a key sheet for my executor, so he can translate these hints, should it be necessary.

A pair of examples:
• 72$c@rLet27 yields to a hint of "Rutgers".
• If I used several colors, with different leading/trailing numbers, the hint might be related to the number: 1crims0n5 becomes "color 1", 2Fu$h!a56 becomes "Color 2".

Admission: I reuse passwords. Financial sites get their own unique password, subject to their rules. (Some banks accept letters and numbers only, and only 8 characters.)

From my Patch blog on dealing with a hacked email account:
1. Change your email password to something more complex: letters and numbers, no dictionary words.
2. Change your challenge questions and answers.
3. Put your own email address(es) into your contacts list.
4. Print off, or export to a CSV file, your contacts list; some versions of this virus will delete your entire address book after sending out spam in your name.
5. Don't update this email address/password with any of your other social networking sites; they are very prone to hacking, and raid email accounts where this information is provided.

Heartbleed
A website-based vulnerability (OpenSSL) about 2 years old, where hackers can break in and collect presumed-secure data. Many sites have been fixed, and many never implemented the "opening", but to be safer, if a site advises you to change your password, do so with a strong password.

Several sites will check URLs for the Heartbleed OpenSSL bug:
• https://lastpass.com/heartbleed
• https://filippo.io/Heartbleed/

LastPass Heartbleed checker: "Software that claims to detect the presence of OpenSSL's Heartbleed bug in servers, PCs and other gear may falsely report a system to be safe when users are actually in danger, according to a security consultancy." [The Register, 17 April 2014]

Worried about the websites you're surfing? There's a free add-on for the Firefox browser to check a site's vulnerability and provide color-coded flags. Green means go and red means stop. https://addons.mozilla.org/en-US/firefox/addon/heartbleedchecker/

[Screenshots: LastPass Heartbleed checker testing https://yahoo.com; Filippo.io Heartbleed result; Firefox with the add-on and the Avast monitor; Filippo.io tester for Heartbleed]

Computerworld's Jonny Evans, excerpt from his 4/11/14 blog:
Check your services. It is good that Apple's platforms are not affected, but some services used by Apple customers might be:
• Yahoo, Facebook and Tumblr services have been impacted;
• Some Google and Yahoo services were left insecure by the flaw, which existed for two years;
• Multiple BlackBerry products, including BBM for iOS and Android, and Amazon's cloud services, are also vulnerable.
(An astonishing number of Android phones remain vulnerable. These devices run Android 4.1.1 Jelly Bean, and while Google is working on a fix with hardware makers, it may take time for Android users to feel secure engaging in financial transactions on their phones.) Apple users must also ensure that the servers they use when accessing sites and services are secure against the problem.

More on Heartbleed: visit http://mashable.com/2014/04/09/heartbleed-bug-websitesaffected/ for an updated "hit list" of sites.

Question: "I hear a lot of recommendations for everyone to change their passwords once the websites have installed the fixes. Will this really be necessary? If we haven't been hacked during the two years this problem existed, do we really need to change our passwords?"
Security gurus suggest regularly changing your passwords, and even your security questions/answers, frequently. This can be monthly, quarterly, or on 180-day cycles. So, use this newly reported "bug" as motivation to change your more valuable passwords and website security settings.

Email security
Of course, you should have a strong password on your primary email account(s). You should review any "security questions" and change them if the answers are too obvious.

Critical websites will begin offering a two-factor authentication process:
• Strong, secure, unique password requirement
• After entering your password, you then confirm your identity via a code or token delivered by text message, phone call, or biometric criteria like a fingerprint or recognition tool.
If offered, accept and USE!

Email security (continued)
Have your alternate email address(es) in each account's contact list/address book. If you have a defunct email address, put it in too; the bounce will alert you to a possible hack.
As a courtesy to the recipients of your "mass distributions", put the bulk of the email addresses in BCC (blind courtesy/carbon copy).

Home wireless networking
If you don't need wireless, turn it off or deactivate it. If you use wireless, then be sure to use WPA2-level security if your router allows it.

Wireless networking
Wireless access keys should be alphanumeric (hexadecimal for WEP). Xfinity and Uverse routers are preconfigured with WPA2 and seemingly random access keys. If you don't expect to have additional devices accessing your network (laptops, tablets, smartphones, readers, printers), you can collect each device's MAC (media access control) address [00:11:22:aa:bb:cc] and restrict access to only those values.

Using hotspots and open wireless networks
• Never go to a financial site
• Consider changing your password when you get home if you check email or social sites
• Recognize that anyone on that network could be "sniffing"

Discussion Questions
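As an added example (not part of the presentation), the Python check below applies Microsoft's strong-password rules from the earlier slides and, as a caveat the "letter substitution" slide invites, undoes the slide's own substitution table before looking for a complete word, so a dictionary word disguised as ch0c01@T3 is still caught. The word list, the user name "ken" and the sample passwords are constructed for the example.

```python
import string

# Letter substitutions from the slides, mapped back to the letter each one stands in for.
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "$": "s", "4": "h", "@": "a", "!": "i"}

# Constructed word list: the theme words the slides use plus the Adobe-breach
# favourites they quote. A real check would use a full dictionary and a
# breached-password list instead.
WORDLIST = {"chocolate", "vanilla", "strawberry", "stockholm", "adelaide",
            "daffodil", "clematis", "scarlet", "crimson", "wheelbarrow",
            "password", "adobe", "123456", "12345678", "123456789"}


def normalize(password):
    """Undo the slide's substitution table so a disguised word becomes visible."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def check_password(password, username="", wordlist=WORDLIST):
    """Return the list of Microsoft rules (as given on the slides) the password fails."""
    failures = []
    lowered = password.lower()
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if username and username.lower() in lowered:
        failures.append("contains the user name")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation or c == " " for c in password)
    if not (has_upper and has_lower and has_digit and has_symbol):
        failures.append("missing one of: uppercase, lowercase, number, symbol")
    # Look for a complete word both as typed and with the substitutions undone;
    # password-cracking tools try the same symbol-for-letter swaps.
    for form in (lowered, normalize(password)):
        hit = next((w for w in sorted(wordlist) if w in form), None)
        if hit:
            failures.append(f"contains the complete word '{hit}'")
            break
    return failures


if __name__ == "__main__":
    for pw in ("123456", "ch0c01@T3", "1wh3el93barR0w2", "V!0let7*Jung1e"):
        print(pw, "->", check_password(pw, username="ken") or "passes all rules")
```

Note that 1wh3el93barR0w2 passes the dictionary check only because the digits split the word; it still fails the four-category rule for lack of a symbol.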