PASSWORD
MANAGEMENT:
Creating and managing
passwords to be as
secure as possible
1. The scale of consumer cyber crime
2. What is a password and facts about password security and
its importance
3. Tiered password system - review and categorize your
existing passwords
4. Writing secure passwords
 Characteristics of strong and weak passwords
 Tips and techniques
 Testing the strength of a password
5. Password management techniques
6. Additional tips to secure your identity
TABLE OF CONTENTS
 A password is a string of characters that gives you access to a
computer or an online account.
WHAT’S A PASSWORD?
Password cracking is the process of breaking passwords in
order to gain unauthorized access to a computer or account.
Guessing:
Method of gaining access
to an account by
attempting to authenticate
using
computers, dictionaries, or
large word lists.
 Brute force – uses every
possible combination of
characters to retrieve a
password
 Dictionary attack – uses
every word in a dictionary
of common words to
identify the password
Social Engineering/Phishing:
Deceiving users into revealing
their username and
password. (easier than
technical hacking)
 Usually by pretending to be
an IT help desk agent or a
legitimate organization
such as a bank.
 DO NOT EVER SHARE YOUR
PASSWORDS, sensitive
data, or confidential
banking details on sites
accessed through links in
emails.
COMMON THREATS AGAINST
YOUR PASSWORD
HOW MANY PASSWORDS DO YOU HAVE?
 Banking and business services
 Personal emails
 Social media & news
 Work-related accounts
DON’T FORGET YOUR COMPUTER AND
PHONE LOGINS!
Tiered password systems involve having different levels of
passwords for different types of websites, where the complexity of
the password depends on what the consequences would be if that
password is compromised/obtained.
 Low security: for signing up for a forum, newsletter, or
downloading a trial version for a certain program.
 Medium security: for social networking sites, webmail and
instant messaging services.
 High security: for anything where your personal finance is
involved such as banking and credit card accounts. If these are
compromised it could drastically and adversely affect your life.
This may also include your computer login credentials.
Keep in mind that this categorization should be based on how
critical each type of website is to you. What goes in which category
will vary from person to person.
TIERED PASSWORD SYSTEMS
1. Categorize your passwords into 3 categories:
high, medium, or low. Categorization should be based on
how critical each type of website is to you. Take 5 minutes
to categorize some of your online accounts.
2. Your high security passwords are the most important. Keep
in mind:
 You should change any password that is weak.
 If you have used any of your passwords for more than 1 site, you
should change it.
HANDS-ON PART 1: REVIEW AND
CATEGORIZE YOUR PASSWORDS
COMMON
MISTAKES IN
CREATING
PASSWORDS
RISK EVALUATION
OF COMMON MISTAKES
Mistake: Using a common password.
Example: 123456789, password, qwerty
Risk evaluation: Too risky. These are most criminals’ first guesses, so don’t use them.

Mistake: Using a password that is based on personal data.
Example: Gladiator, “Bobby”, “Jenny”, “Scruffy”
Risk evaluation: Too risky: anyone who knows you can easily guess this information. Basing a password on your social security number, nicknames, family members’ names, or the names of your favorite books, movies or football team is a bad idea.

Mistake: Using a short password.
Example: John12, Jim2345
Risk evaluation: The shorter a password, the more opportunities for observing, guessing, and cracking it.

Mistake: Using the same password everywhere.
Example: Using one password on every site or online service.
Risk evaluation: Too risky: it’s a single point of failure. If this password is compromised, or someone finds it, the rest of your accounts – including your sensitive information – are at risk.

Mistake: Writing your passwords down.
Example: Writing your password down on a Post-it note stuck to your monitor.
Risk evaluation: Very high risk, especially in corporate environments. Anyone who physically gets the piece of paper or sticky note that contains your password can log into your account.
 Strong passwords:
 are a minimum of 8 characters in length; 12 characters or more is
highly recommended.
 contain special characters such as @#$%^& and/or numbers.
 use a variation of upper and lower case letters.
WHAT MAKES A PASSWORD SAFE?
It must not contain easily guessed information such as your birth date, phone number, spouse’s name, pet’s name, kid’s name, login name, etc.
It shouldn’t contain words found in the dictionary.
WHAT MAKES A PASSWORD SAFE?
(CONT.)
 “Treat your password like your
toothbrush. Don’t let anybody
else use it, and get a new one
every six months.” ~ Clifford
Stoll
 The stronger your password, the
more protected your account or
computer is from being
compromised or hacked. You
should make sure you have a
unique and strong password for
each of your accounts.
HOW TO MAKE A STRONG PASSWORD
1. Pick a familiar phrase or quote, for example, “May the force be with you”, and then abbreviate it by taking the first letter of each word, so it becomes “mtfbwy”.
2. Add some special characters on either side of the word to make it extra strong (like #mtfbwy!).
3. Then associate it with the website by adding a few characters from the website name to the original password as either a suffix or a prefix. So the new password for Amazon could become #mtfbwy!AmZ, #mtfbwy!FbK for Facebook, and so on.
*While this technique lets us reuse the phrase-generated part of
the password on a number of different websites, it would still be a
bad idea to use it on a site like a bank account which contains
high-value information. Sites like that deserve their own password
selection phrase.
MOZILLA’S SAFE
PASSWORD METHODOLOGY
While generating a password you should follow two rules: length and complexity. Let’s start by using the following sentence: “May the force be with you”. Let’s turn this phrase into a password.
1. Take the first letter from each word: Mtfbwy.
2. Now increase its strength by adding symbols and numbers: !20Mtfbwy13!
 The 20 and 13 refer to the year, 2013.
 Secondly, I put a “!” symbol on each end of the password.
 Try using the name of your online account in the password:
 !20Mtfbwy13!Gmail (for Gmail)
 fb!20Mtfbwy13! (for Facebook)
 That’s one password developing strategy. Let’s keep adding complexity, while also attempting to keep things possible to memorize. *The phrase you actually use should not be a common phrase.
USING A PASSPHRASE TO WRITE A
SECURE PASSWORD
 Password Haystack is a methodology for making your password
extremely difficult to brute force by padding the password
with a pattern like (//////) before and/or after your
password.
HAYSTACKING YOUR PASSWORD:
A SIMPLE AND POWERFUL WAY OF SECURING YOUR PASSWORD
Here’s how it works:
1. Come up with a password, and try to make it a mix of uppercase and
lowercase letters, numbers and symbols
2. Come up with a pattern/scheme you can remember, such as the first letter of
each word from an excerpt of your favorite song or a set of symbols like
(…../////)
3. Use this pattern and repeat using it several times (padding your password)
Let’s have an example of this:
Password:
!20Mtfbwy13!
By applying this approach, the password becomes a Haystacked Password:
…../////!20Mtfbwy13!…../////
Use these tools to test the strength of a password. As a precaution, you probably shouldn’t use these services to test your actual password. Instead, simply use them to learn what works and what doesn’t work. Just play with the strength checkers by constructing fake passwords and testing them.
 http://rumkin.com/tools/password/passchk.php
 https://www.microsoft.com/security/pc-security/password-checker.aspx
 http://www.grc.com/haystack.htm
 http://howsecureismypassword.net/
HANDS-ON PART 2:
TESTING YOUR PASSWORDS
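An offline way to run this exercise without typing a password into a website, as an added example that is not part of the original slides: it applies the deck's own rules (the common-password list, the 8 and 12 character thresholds, character mix, personal data) and estimates the brute-force search space for the deck's sample passwords. The function names are illustrative, and the haystack padding is written here with plain ASCII dots.

```python
import math
import string

# The three common passwords listed in the deck's risk-evaluation slide.
COMMON_PASSWORDS = {"123456789", "password", "qwerty"}


def alphabet_size(password):
    """Size of the character set a brute-force search would have to cover.

    Simplification: only ASCII character classes are counted.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_bits(password):
    """log2 of the number of same-length candidates over that alphabet.

    This measures resistance to blind brute force only. It says nothing
    about dictionary or personal-data guessing, which audit() checks
    separately against the deck's rules.
    """
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def audit(password, personal=()):
    """Return the deck's rules that the password breaks (empty list = none)."""
    findings = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("common password")
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    elif len(password) < 12:
        findings.append("shorter than the recommended 12 characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        findings.append("no mix of upper and lower case letters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        findings.append("no numbers or special characters")
    for item in personal:
        if item and item.lower() in lowered:
            findings.append(f"contains personal data: {item}")
    return findings


if __name__ == "__main__":
    # Sample passwords taken from the slides; personal data is constructed.
    samples = [
        ("qwerty", ()),
        ("John12", ("John",)),
        ("mtfbwy", ()),
        ("#mtfbwy!AmZ", ()),
        ("!20Mtfbwy13!", ()),
        ("...../////!20Mtfbwy13!...../////", ()),  # haystacked, ASCII dots
    ]
    for pw, personal in samples:
        result = audit(pw, personal) or ["no findings"]
        print(f"{pw!r:38} {brute_force_bits(pw):6.1f} bits  {'; '.join(result)}")
```

The bit count grows with length, which is why the padded password scores highest; the rule checks matter because a common or personal password fails regardless of its score.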
PASSWORD OVERLOAD: HOW CAN
ANYONE REMEMBER THEM ALL?
Many people use a few passwords for all of
their major accounts.
The average Web user maintains 25 separate
accounts but uses just 6.5 passwords to
protect them.
If one of your accounts is hacked, it’s likely that
your other accounts that used the same
password will quickly follow.
More than 60% of people use the same password across multiple sites.
PASSWORD SECURITY
 Human memory is the safest database for storing all your
passwords
 Writing passwords down on a piece of paper
 Storing passwords on a computer in a Word document or Excel
file
 Password Manager is software that allows you to securely
store all of your passwords and keep them safe, typically
using one master password. This kind of software saves an
encrypted password database, which securely stores your
passwords either on your machine or on the Web.
 You should not rely totally on any type of password manager
 Your single master password must be unique and complex
PASSWORD MANAGEMENT TECHNIQUES
(WAYS TO STORE YOUR PASSWORDS)
HUMAN MEMORY
 Strength: safest database for storing all your passwords
 Weakness: Easy to forget
 Strength: ease of access
 Weaknesses:
 You can lose the paper
 Paper could be easily stolen or viewed by other people
WRITING PASSWORDS DOWN
ON A PIECE OF PAPER
 Strength: ease of access
 Weaknesses:
 Data is not encrypted, anyone who has access to the computer that
the file is saved on can easily read your passwords
 If your computer breaks, you could possibly permanently lose the file
STORING PASSWORDS ON A COMPUTER
IN A WORD DOCUMENT OR EXCEL FILE
 Password Manager is software that allows you to securely
store all of your passwords and keep them safe, typically
using one master password. This kind of software saves an
encrypted password database, which securely stores your
passwords either on your machine or on the Web.
 You should not rely totally on any type of password manager
 Your single master password must be unique and complex
PASSWORD MANAGER IS SOFTWARE
 Password management tools are really good solutions for reducing the
likelihood that passwords will be compromised, but don’t rely on a single
source. Why? Because any computer or system is vulnerable to attack.
Relying on a password management tool creates a single point of potential
failure.
 But before you turn to a password-management service based in the cloud or on your PC, it's best to review the quality of the service, said Tim Armstrong, malware researcher at Kaspersky Lab. He pointed out that you've got to ensure against data leakage or insecure database practices. "Users must be extra careful in choosing a provider," Armstrong said. "Make sure they're a valid and reputable vendor."
 Grant Brunner wrote a fascinating article at ExtremeTech, “Staying safe online: Using a password manager just isn’t enough”. In it, he wrote, “using a password manager for all of your accounts is a very sensible idea, but don’t be lulled into a false sense of security. You’re not immune from cracking or downtime.” Broadly speaking, password managers such as LastPass are like any software: vulnerable to security breaches. For example, LastPass experienced a security breach in 2011, but users with strong master passwords were not affected.
 Disadvantage: If you forget the master password, all your other passwords
in the database are lost forever, and there is no way of recovering them.
Don’t forget that password!
SO WHICH ONE IS THE BEST?
 KeePass is a popular open-source, cross-platform, desktop-
based password manager. It is available for Windows, Linux
and Mac OS X as well as mobile operating systems like iOS
and Android. It stores all your passwords in a single database
(or a single file) that is protected and locked with one master
key. The KeePass database is mainly one single file which can
be easily transferred to (or stored on) any computer. Go to the
download page to get your copy.
 KeePass is a local program, but you can make it cloud-based
by syncing the database file using Dropbox, or another service
like it. Check out Justin Pot’s article, Achieve Encrypted Cross-
Platform Password Syncing With KeePass & Dropbox.
 Make sure you always hit save after making a new entry to the
database!
KEEPASS
MOZILLA FIREFOX’S
PASSWORD MANAGER
 You should never record or write your password down on a post-it note.
 Never share your password with anyone, even your colleagues.
 You have to be very careful when using your passwords on public PCs
such as those in schools, universities and libraries. Why? Because there’s a
chance these machines are infected with keyloggers (or keystroke
logging methods) or password-stealing trojan horses.
 Do not use any password-saving features such as Google Chrome’s Auto
Fill feature or Microsoft’s Auto Complete feature, especially on public
PCs.
 Do not fill any form on the Web with your personal information unless
you know you can trust it. Nowadays, the Internet is full of fraudulent
websites, so you have to be aware of phishing attempts.
 Use a trusted and secure browser such as Mozilla Firefox. Firefox
patches hundreds of security updates and makes significant
improvements just to protect you from malware, phishing
attempts, other security threats, and to keep you safe as you browse
the Web.
DO NOT PUT ALL YOUR
EGGS IN ONE BASKET.
 This free tool helps users
figure out if their account
credentials have been
hacked. If you go to the
website of the service, you
will see up-to-date statistics
of the number of leaked
credentials, passwords and
email addresses.
 PwnedList keeps
monitoring (or crawling) the
Web in order to find stolen
data posted by hackers on
the public sites and then
indexes all the login
information it finds.
PWNEDLIST
 ALWAYS use a mix of uppercase and lowercase letters along
with numbers and special characters.
 Have a different strong password for each
site, account, computer etc., and DO NOT have any personal
information like your name or birth details in your password.
 DO NOT share any of your passwords or your sensitive data
with anyone – even your colleagues or the helpdesk agent in
your company. In addition, use your passwords
carefully, especially on public PCs. Don’t be a victim
of shoulder surfing.
 Our last recommendation, which we strongly encourage, is to
start evaluating your passwords, building your tiered password
system, alternating your ways of creating passwords and
storing them using password managers.
POINTS TO REMEMBER
1. Decide which method you plan to use to store each password.
2. Download and practice using KeePass
3. Check your primary emails on PwnedList.com/
HANDS-ON PART 3:
MANAGING YOUR PASSWORDS
 An open Wi-Fi connection can be easily hacked using free
packet sniffer software.
 Always enable “HTTPS” (also called secure HTTP) settings in
all online services that support it – this includes
Twitter, Google, Facebook and more.
 Spoofed Website
ADDITIONAL TIPS TO
SECURE YOUR IDENTITY
 Internet crime schemes that steal millions of dollars each year from victims
continue to plague the Internet through various methods. Following are preventative
measures that will assist you in being informed prior to entering into transactions
over the Internet:
 Auction Fraud
 Counterfeit Cashier's Check
 Credit Card Fraud
 Debt Elimination
 DHL/UPS
 Employment/Business Opportunities
 Escrow Services Fraud
 Identity Theft
 Internet Extortion
 Investment Fraud
 Lotteries
 Nigerian Letter or "419"
 Phishing/Spoofing
 Ponzi/Pyramid
 Reshipping
 Spam
 Third Party Receiver of Funds
INTERNET CRIME PREVENTION TIPS
FROM THE INTERNET CRIME COMPLAINT CENTER (IC3). IC3 IS A PARTNERSHIP BETWEEN THE FEDERAL BUREAU OF INVESTIGATION AND THE NATIONAL WHITE COLLAR CRIME CENTER.
Auction Fraud
 Before you bid, contact the seller
with any questions you have.
 Review the seller's feedback.
 Be cautious when dealing with
individuals outside of your own
country.
 Ensure you understand
refund, return, and warranty
policies.
 Determine the shipping charges
before you buy.
 Be wary if the seller only accepts
wire transfers or cash.
 If an escrow service is used, ensure
it is legitimate.
 Consider insuring your item.
 Be cautious of unsolicited offers.
Counterfeit Cashier's Check
 Inspect the cashier's check.
 Ensure the amount of the check
matches in figures and words.
 Check to see that the account
number is not shiny in appearance.
 Be watchful that the drawer's
signature is not traced.
 Official checks are generally
perforated on at least one side.
 Inspect the check for
additions, deletions, or other
alterations.
 Contact the financial institution on
which the check was drawn to
ensure legitimacy.
 Obtain the bank's telephone
number from a reliable source, not
from the check itself.
 Be cautious when dealing with
individuals outside of your own
country.
ONLINE CRIME PREVENTION
IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
Credit Card Fraud
 Ensure a site is secure and reputable
before providing your credit card
number online.
 Don't trust a site just because it claims
to be secure.
 If purchasing merchandise, ensure it is
from a reputable source.
 Promptly reconcile credit card
statements to avoid unauthorized
charges.
 Do your research to ensure legitimacy
of the individual or company.
 Beware of providing credit card
information when requested through
unsolicited emails.
Debt Elimination
 Know who you are doing business with
— do your research.
 Obtain the name, address, and
telephone number of the individual or
company.
 Research the individual or company to
ensure they are authentic.
 Contact the Better Business Bureau to
determine the legitimacy of the
company.
 Be cautious when dealing with
individuals outside of your own country.
 Ensure you understand all terms and
conditions of any agreement.
 Be wary of businesses that operate
from P.O. boxes or maildrops.
 Ask for names of other customers of
the individual or company and contact
them.
 If it sounds too good to be true, it
probably is.
ONLINE CRIME PREVENTION (CONT.)
DHL/UPS
 Beware of individuals using the DHL or
UPS logo in any email communication.
 Be suspicious when payment is
requested by money transfer before the
goods will be delivered.
 Remember that DHL and UPS do not
generally get involved in directly
collecting payment from customers.
 Fees associated with DHL or UPS
transactions are only for shipping costs
and never for other costs associated
with online transactions.
 Contact DHL or UPS to confirm the
authenticity of email communications
received.
Employment/Business Opportunities
 Be wary of inflated claims of product
effectiveness.
 Be cautious of exaggerated claims of
possible earnings or profits.
 Beware when money is required up front
for instructions or products.
 Be leery when the job posting claims
"no experience necessary".
 Do not give your social security number
when first interacting with your
prospective employer.
 Be cautious when dealing with
individuals outside of your own country.
 Be wary when replying to unsolicited
emails for work-at-home employment.
 Research the company to ensure they
are authentic.
 Contact the Better Business Bureau to
determine the legitimacy of the
company.
ONLINE CRIME PREVENTION (CONT.)
Escrow Services Fraud
 Always type in the website address
yourself rather than clicking on a link
provided.
 A legitimate website will be unique and
will not duplicate the work of other
companies.
 Be cautious when a site requests
payment to an "agent", instead of a
corporate entity.
 Be leery of escrow sites that only
accept wire transfers or e-currency.
 Be watchful of spelling errors, grammar
problems, or inconsistent information.
 Beware of sites that have escrow fees
that are unreasonably low.
Identity Theft
 Ensure websites are secure prior to
submitting your credit card number.
 Do your homework to ensure the
business or website is legitimate.
 Attempt to obtain a physical
address, rather than a P.O. box or
maildrop.
 Never throw away credit card or bank
statements in usable form.
 Be aware of missed bills which could
indicate your account has been taken
over.
 Be cautious of scams requiring you to
provide your personal information.
 Never give your credit card number over
the phone unless you make the call.
 Monitor your credit statements monthly
for any fraudulent activity.
 Report unauthorized transactions to
your bank or credit card company as
soon as possible.
 Review a copy of your credit report at
least once a year.
ONLINE CRIME PREVENTION (CONT.)
Internet Extortion
 Security needs to be multi-layered so
that numerous obstacles will be in the
way of the intruder.
 Ensure security is installed at every
possible entry point.
 Identify all machines connected to the
Internet and assess the defense that's
engaged.
 Identify whether your servers are
utilizing any ports that have been
known to represent insecurities.
 Ensure you are utilizing the most up-to-
date patches for your software.
Investment Fraud
 If the "opportunity" appears too good to
be true, it probably is.
 Beware of promises to make fast
profits.
 Do not invest in anything unless you
understand the deal.
 Don't assume a company is legitimate
based on "appearance" of the website.
 Be leery when responding to investment
offers received through unsolicited
email.
 Be wary of investments that offer high
returns at little or no risk.
 Independently verify the terms of any
investment that you intend to make.
 Research the parties involved and the
nature of the investment.
 Be cautious when dealing with
individuals outside of your own country.
 Contact the Better Business Bureau to
determine the legitimacy of the
company.
ONLINE CRIME PREVENTION (CONT.)
Lotteries
 If the lottery winnings appear too good
to be true, they probably are.
 Be cautious when dealing with
individuals outside of your own country.
 Be leery if you do not remember
entering a lottery or contest.
 Be cautious if you receive a telephone
call stating you are the winner in a
lottery.
 Beware of lotteries that charge a fee
prior to delivery of your prize.
 Be wary of demands to send additional
money to be eligible for future
winnings.
 It is a violation of federal law to play a
foreign lottery via mail or phone.
Nigerian Letter or "419"
 If the "opportunity" appears too good
to be true, it probably is.
 Do not reply to emails asking for
personal banking information.
 Be wary of individuals representing
themselves as foreign government
officials.
 Be cautious when dealing with
individuals outside of your own country.
 Beware when asked to assist in placing
large sums of money in overseas bank
accounts.
 Do not believe the promise of large
sums of money for your cooperation.
 Guard your account information
carefully.
 Be cautious when additional fees are
requested to further the transaction.
ONLINE CRIME PREVENTION (CONT.)
Phishing/Spoofing
 Be suspicious of any unsolicited
email requesting personal
information.
 Avoid filling out forms in email
messages that ask for personal
information.
 Always compare the link in the
email to the link that you are
actually directed to.
 Log on to the official
website, instead of "linking" to it
from an unsolicited email.
 Contact the actual business that
supposedly sent the email to verify
if the email is genuine.
Ponzi/Pyramid
 If the "opportunity" appears too
good to be true, it probably is.
 Beware of promises to make fast
profits.
 Exercise diligence in selecting
investments.
 Be vigilant in researching with
whom you choose to invest.
 Make sure you fully understand the
investment prior to investing.
 Be wary when you are required to
bring in subsequent investors.
 Independently verify the legitimacy
of any investment.
 Beware of references given by the
promoter.
ONLINE CRIME PREVENTION (CONT.)
Reshipping
 Be cautious if you are asked to ship
packages to an "overseas home office."
 Be cautious when dealing with
individuals outside of your own country.
 Be leery if the individual states that his
country will not allow direct business
shipments from the United States.
 Be wary if the "ship to" address is yours
but the name on the package is not.
 Never provide your personal information
to strangers in a chatroom.
 Don't accept packages that you didn't
order.
 If you receive packages that you didn't
order, either refuse them upon delivery
or contact the company where the
package is from.
Spam
 Don't open spam. Delete it unread.
 Never respond to spam as this will
confirm to the sender that it is a "live"
email address.
 Have a primary and secondary email
address - one for people you know and
one for all other purposes.
 Avoid giving out your email address
unless you know how it will be used.
 Never purchase anything advertised
through an unsolicited email.
Third Party Receiver of Funds
 Do not agree to accept and wire
payments for auctions that you did not
post.
 Be leery if the individual states that his
country makes receiving these types of
funds difficult.
 Be cautious when the job posting
claims "no experience necessary".
 Be cautious when dealing with
individuals outside of your own country.
ONLINE CRIME PREVENTION (CONT.)
 Al-Marhoon, M. (n.d.). Password Management Guide. MakeUseOf. Retrieved April 10, 2013, from http://www.makeuseof.com/pages/the-password-management-guide-fulltext
 http://www.slideshare.net/NortonOnline/2012-norton-cybercrime-report-14207489
 http://www.ic3.gov/media/annualreports.aspx
REFERENCES

Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intrudersrajakhurram
 

Destaque (19)

Evaluating a password manager
Evaluating a password managerEvaluating a password manager
Evaluating a password manager
 
Tech Ed 2011 Preso
Tech Ed 2011 PresoTech Ed 2011 Preso
Tech Ed 2011 Preso
 
Voice Biometrics automated password_reset
Voice Biometrics automated password_resetVoice Biometrics automated password_reset
Voice Biometrics automated password_reset
 
Intruders
IntrudersIntruders
Intruders
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
 
Development of voice password based speaker verification system
Development of voice password based speaker verification systemDevelopment of voice password based speaker verification system
Development of voice password based speaker verification system
 
Как ИБ может повлиять на рост доходов, снижение издержек и рост лояльности кл...
Как ИБ может повлиять на рост доходов, снижение издержек и рост лояльности кл...Как ИБ может повлиять на рост доходов, снижение издержек и рост лояльности кл...
Как ИБ может повлиять на рост доходов, снижение издержек и рост лояльности кл...
 
Viruses & security threats
Viruses & security threatsViruses & security threats
Viruses & security threats
 
Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication Technologies
 
Counter Measures Of Virus
Counter Measures Of VirusCounter Measures Of Virus
Counter Measures Of Virus
 
Disclosing password hashing policies
Disclosing password hashing policiesDisclosing password hashing policies
Disclosing password hashing policies
 
roberts portfolio
roberts portfolioroberts portfolio
roberts portfolio
 
Password Management
Password ManagementPassword Management
Password Management
 
Hardware Security
Hardware SecurityHardware Security
Hardware Security
 
Strength weakness
Strength weaknessStrength weakness
Strength weakness
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 

Semelhante a Create and Manage Strong Passwords

Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy QueryGloria Stoilova
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crackKlaus Drosch
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewSTO STRATEGY
 
Online Self Defense - Passwords
Online Self Defense - PasswordsOnline Self Defense - Passwords
Online Self Defense - PasswordsBarry Caplin
 
S01.L07 - Creating Strong Passwords
S01.L07 - Creating Strong PasswordsS01.L07 - Creating Strong Passwords
S01.L07 - Creating Strong Passwordsselcukca84
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness TrainingJen Ruhman
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based SecurityRare Input
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness TrainingJen Ruhman
 
5 tips for an unbreakable password
5 tips for an unbreakable password5 tips for an unbreakable password
5 tips for an unbreakable passwordSafeSpaceOnline
 
Internet Safety.pptx
Internet Safety.pptxInternet Safety.pptx
Internet Safety.pptxAljunMisa
 
How to Create (use use) Strong & Unique Passwords
How to Create (use use) Strong & Unique PasswordsHow to Create (use use) Strong & Unique Passwords
How to Create (use use) Strong & Unique PasswordsConnectSafely
 
Using Social networks for Recruiting
Using Social networks for RecruitingUsing Social networks for Recruiting
Using Social networks for RecruitingJason Frostholm
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy   a point of viewWhy is password protection a fallacy   a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
Best Practices for Password Creation
Best Practices for Password CreationBest Practices for Password Creation
Best Practices for Password CreationnFront Security
 
Cyber security-awareness-for-social-media-users - Devsena Mishra
Cyber security-awareness-for-social-media-users - Devsena MishraCyber security-awareness-for-social-media-users - Devsena Mishra
Cyber security-awareness-for-social-media-users - Devsena MishraDevsena Mishra
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawConnectSafely
 
Onlinesecurityrecomendations2014 141230081030-conversion-gate02
Onlinesecurityrecomendations2014 141230081030-conversion-gate02Onlinesecurityrecomendations2014 141230081030-conversion-gate02
Onlinesecurityrecomendations2014 141230081030-conversion-gate02amiinaaa
 

Semelhante a Create and Manage Strong Passwords (20)

Protect Your Business With Web Security
Protect Your Business With Web SecurityProtect Your Business With Web Security
Protect Your Business With Web Security
 
W make107
W make107W make107
W make107
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
Online Self Defense - Passwords
Online Self Defense - PasswordsOnline Self Defense - Passwords
Online Self Defense - Passwords
 
S01.L07 - Creating Strong Passwords
S01.L07 - Creating Strong PasswordsS01.L07 - Creating Strong Passwords
S01.L07 - Creating Strong Passwords
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
 
Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
5 tips for an unbreakable password
5 tips for an unbreakable password5 tips for an unbreakable password
5 tips for an unbreakable password
 
Internet Safety.pptx
Internet Safety.pptxInternet Safety.pptx
Internet Safety.pptx
 
How to Create (use use) Strong & Unique Passwords
How to Create (use use) Strong & Unique PasswordsHow to Create (use use) Strong & Unique Passwords
How to Create (use use) Strong & Unique Passwords
 
Using Social networks for Recruiting
Using Social networks for RecruitingUsing Social networks for Recruiting
Using Social networks for Recruiting
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy   a point of viewWhy is password protection a fallacy   a point of view
Why is password protection a fallacy a point of view
 
Best Practices for Password Creation
Best Practices for Password CreationBest Practices for Password Creation
Best Practices for Password Creation
 
Cyber security-awareness-for-social-media-users - Devsena Mishra
Cyber security-awareness-for-social-media-users - Devsena MishraCyber security-awareness-for-social-media-users - Devsena Mishra
Cyber security-awareness-for-social-media-users - Devsena Mishra
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
 
Onlinesecurityrecomendations2014 141230081030-conversion-gate02
Onlinesecurityrecomendations2014 141230081030-conversion-gate02Onlinesecurityrecomendations2014 141230081030-conversion-gate02
Onlinesecurityrecomendations2014 141230081030-conversion-gate02
 

Mais de Wilmington University

Finding your Way Through Today's Technology
Finding your Way Through Today's TechnologyFinding your Way Through Today's Technology
Finding your Way Through Today's TechnologyWilmington University
 
Video Lectures in Blackboard the Cheap and Easy Way
Video Lectures in Blackboard the Cheap and Easy WayVideo Lectures in Blackboard the Cheap and Easy Way
Video Lectures in Blackboard the Cheap and Easy WayWilmington University
 
A Step Toward Creating ADA Compliant Course Sites, presented by Wilmington Un...
A Step Toward Creating ADA Compliant Course Sites, presented by Wilmington Un...A Step Toward Creating ADA Compliant Course Sites, presented by Wilmington Un...
A Step Toward Creating ADA Compliant Course Sites, presented by Wilmington Un...Wilmington University
 
Photos of Presenters from Wilmington University's 2014 Teaching and Learning ...
Photos of Presenters from Wilmington University's 2014 Teaching and Learning ...Photos of Presenters from Wilmington University's 2014 Teaching and Learning ...
Photos of Presenters from Wilmington University's 2014 Teaching and Learning ...Wilmington University
 
Web design , accessibility, and usability tips in Blackboard
Web design , accessibility, and usability tips in Blackboard Web design , accessibility, and usability tips in Blackboard
Web design , accessibility, and usability tips in Blackboard Wilmington University
 
eLearning Talk It Out, Using Voice in Your Course
eLearning  Talk It Out, Using Voice in Your Course eLearning  Talk It Out, Using Voice in Your Course
eLearning Talk It Out, Using Voice in Your Course Wilmington University
 
Wilmington University Instructors Celebrate NDLW
Wilmington University Instructors Celebrate NDLWWilmington University Instructors Celebrate NDLW
Wilmington University Instructors Celebrate NDLWWilmington University
 
SafeAssign Teaching Tool ...Not Gotcha
SafeAssign Teaching Tool ...Not GotchaSafeAssign Teaching Tool ...Not Gotcha
SafeAssign Teaching Tool ...Not GotchaWilmington University
 

Mais de Wilmington University (12)

Finding your Way Through Today's Technology
Finding your Way Through Today's TechnologyFinding your Way Through Today's Technology
Finding your Way Through Today's Technology
 
Video Lectures in Blackboard the Cheap and Easy Way
Video Lectures in Blackboard the Cheap and Easy WayVideo Lectures in Blackboard the Cheap and Easy Way
Video Lectures in Blackboard the Cheap and Easy Way
 
A Step Toward Creating ADA Compliant Course Sites, presented by Wilmington Un...
A Step Toward Creating ADA Compliant Course Sites, presented by Wilmington Un...A Step Toward Creating ADA Compliant Course Sites, presented by Wilmington Un...
A Step Toward Creating ADA Compliant Course Sites, presented by Wilmington Un...
 
Navigating the Online Student
Navigating the Online Student Navigating the Online Student
Navigating the Online Student
 
Photos of Presenters from Wilmington University's 2014 Teaching and Learning ...
Photos of Presenters from Wilmington University's 2014 Teaching and Learning ...Photos of Presenters from Wilmington University's 2014 Teaching and Learning ...
Photos of Presenters from Wilmington University's 2014 Teaching and Learning ...
 
Web design , accessibility, and usability tips in Blackboard
Web design , accessibility, and usability tips in Blackboard Web design , accessibility, and usability tips in Blackboard
Web design , accessibility, and usability tips in Blackboard
 
Cyber security training
Cyber security trainingCyber security training
Cyber security training
 
What is vpn and how it can help you
What is vpn and how it can help youWhat is vpn and how it can help you
What is vpn and how it can help you
 
eLearning Talk It Out, Using Voice in Your Course
eLearning  Talk It Out, Using Voice in Your Course eLearning  Talk It Out, Using Voice in Your Course
eLearning Talk It Out, Using Voice in Your Course
 
Wilmington University Instructors Celebrate NDLW
Wilmington University Instructors Celebrate NDLWWilmington University Instructors Celebrate NDLW
Wilmington University Instructors Celebrate NDLW
 
SafeAssign at Wilmington University
SafeAssign at Wilmington UniversitySafeAssign at Wilmington University
SafeAssign at Wilmington University
 
SafeAssign Teaching Tool ...Not Gotcha
SafeAssign Teaching Tool ...Not GotchaSafeAssign Teaching Tool ...Not Gotcha
SafeAssign Teaching Tool ...Not Gotcha
 

Último

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Create and Manage Strong Passwords

  • 2. TABLE OF CONTENTS
      1. The scale of consumer cyber crime
      2. What is a password and facts about password security and its importance
      3. Tiered password system - review and categorize your existing passwords
      4. Writing secure passwords
         - Characteristic of strong and weak passwords
         - Tips and techniques
         - Testing the strength of a password
      5. Password management techniques
      6. Additional tips to secure your identity
  • 6. WHAT’S A PASSWORD?
      - A password is a string of characters that gives you access to a computer or an online account.
  • 7. COMMON THREATS AGAINST YOUR PASSWORD
      Password cracking is the process of breaking passwords in order to gain unauthorized access to a computer or account.
      Guessing: Method of gaining access to an account by attempting to authenticate using computers, dictionaries, or large word lists.
        - Brute force – uses every possible combination of characters to retrieve a password
        - Dictionary attack – uses every word in a dictionary of common words to identify the password
      Social Engineering/Phishing: Deceiving users into revealing their username and password. (easier than technical hacking)
        - Usually by pretending to be an IT help desk agent or a legitimate organization such as a bank.
        - DO NOT EVER SHARE YOUR PASSWORDS, sensitive data, or confidential banking details on sites accessed through links in emails.
  • 9. HOW MANY PASSWORDS DO YOU HAVE?
      - Banking and Business services
      - Personal Emails
      - Social media & news
      - Work related accounts
  • 10. DON’T FORGET YOUR COMPUTER AND PHONE LOGINS!
  • 11. TIERED PASSWORD SYSTEMS
      Tiered password systems involve having different levels of passwords for different types of websites, where the complexity of the password depends on what the consequences would be if that password is compromised/obtained.
        - Low security: for signing up for a forum, newsletter, or downloading a trial version for a certain program.
        - Medium security: for social networking sites, webmail and instant messaging services.
        - High security: for anything where your personal finance is involved such as banking and credit card accounts. If these are compromised it could drastically and adversely affect your life. This may also include your computer login credentials.
      Keep in mind that this categorization should be based on how critical each type of website is to you. What goes in which category will vary from person to person.
  • 12. HANDS-ON PART 1: REVIEW AND CATEGORIZE YOUR PASSWORDS
      1. Categorize your passwords into 3 categories: high, medium, or low. Categorization should be based on how critical each type of website is to you. Take 5 minutes to categorize some of your online accounts.
      2. Your high security passwords are the most important. Keep in mind:
         - You should change any password that is weak.
         - If you have used any of your passwords for more than 1 site, you should change them.
  • 15. RISK EVALUATION OF COMMON MISTAKES
      Mistake: Using a common password.
        Example: 123456789, password, qwerty
        Risk evaluation: Too risky. These are most criminals’ first guesses, so don’t use them.
      Mistake: Using a password that is based on personal data.
        Example: Gladiator, “Bobby”, “Jenny”, “Scruffy”
        Risk evaluation: Too risky: anyone who knows you can easily guess this information. Basing a password on your social security number, nicknames, family members’ names, the names of your favorite books or movies or football team are all bad ideas.
      Mistake: Using a short password.
        Example: John12, Jim2345
        Risk evaluation: The shorter a password, the more opportunities for observing, guessing, and cracking it.
      Mistake: Using the same password everywhere.
        Example: Using one password on every site or online service.
        Risk evaluation: Too risky: it’s a single point of failure. If this password is compromised, or someone finds it, the rest of your accounts – including your sensitive information – are at risk.
      Mistake: Writing your passwords down.
        Example: Writing your password down on a Post-it note stuck to your monitor.
        Risk evaluation: Very high risk, especially in corporate environments. Anyone who physically gets the piece of paper or sticky note that contains your password can log into your account.
  • 17. WHAT MAKES A PASSWORD SAFE?
      Strong passwords:
        - are a minimum of 8 characters in length; 12 characters or more is highly recommended
        - contain special characters such as @#$%^& and/or numbers.
        - use a variation of upper and lower case letters.
  • 18. WHAT MAKES A PASSWORD SAFE? (CONT.)
      It must not contain easily guessed information such as your birth date, phone number, spouse’s name, pet’s name, kid’s name, login name, etc.
      It shouldn’t contain words found in the dictionary.
  • 20.  “Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” ~ Clifford Stoll  The stronger your password, the more protected your account or computer is from being compromised or hacked. You should make sure you have a unique and strong password for each of your accounts. HOW TO MAKE A STRONG PASSWORD
  • 21. MOZILLA’S SAFE PASSWORD METHODOLOGY
      1. Pick a familiar phrase or quote, for example, “May the force be with you”, and then abbreviate it by taking the first letter of each word, so it becomes “mtfbwy”.
      2. Add some special characters on either side of the word to make it extra strong (like #mtfbwy!).
      3. Then associate it with the website by adding a few characters from the website name to the original password as either a suffix or prefix. So the new password for Amazon could become #mtfbwy!AmZ, #mtfbwy!FbK for Facebook, and so on.
      *While this technique lets us reuse the phrase-generated part of the password on a number of different websites, it would still be a bad idea to use it on a site like a bank account which contains high-value information. Sites like that deserve their own password selection phrase.
  • 22. USING A PASSPHRASE TO WRITE A SECURE PASSWORD
      While generating a password you should follow two rules: length and complexity. Let’s start by using the following sentence: “May the force be with you”. Let’s turn this phrase into a password.
      1. Take the first letter from each word: Mtfbwy.
      2. Now increase its strength by adding symbols and numbers: !20Mtfbwy13!
         - The 20 and 13 refer to the year, 2013.
         - Secondly, I put a “!” symbol on each end of the password.
         - Try using the name of your online account in the password:
           !20Mtfbwy13!Gmail (for Gmail)
           fb!20Mtfbwy13! (for Facebook)
      That’s one password developing strategy. Let’s keep adding complexity, while also attempting to keep things possible to memorize.
      *The phrase you actually use should not be a common one.
  • 23. HAYSTACKING YOUR PASSWORD: A SIMPLE AND POWERFUL WAY OF SECURING YOUR PASSWORD
      Password Haystack is a methodology of making your password extremely difficult to brute force by padding the password with a pattern like (//////) before and/or after your password.
      Here’s how it works:
      1. Come up with a password, but try to make it a mix of uppercase and lowercase letters, numbers and symbols.
      2. Come up with a pattern/scheme you can remember, such as the first letter of each word from an excerpt of your favorite song or a set of symbols like (…../////).
      3. Use this pattern and repeat it several times (padding your password).
      Let’s have an example of this:
      Password: !20Mtfbwy13!
      By applying this approach, the password becomes a Haystacked Password: …../////!20Mtfbwy13!…../////
  • 24. HANDS-ON PART 2: TESTING YOUR PASSWORDS
      Use these tools to test the strength of a password. As a precaution, you probably shouldn’t use these services to test your actual password. Instead, simply use them to learn what works and what doesn’t work. Just play with the strength checkers by constructing fake passwords and testing them.
      - http://rumkin.com/tools/password/passchk.php
      - https://www.microsoft.com/security/pc-security/password-checker.aspx
      - http://www.grc.com/haystack.htm
      - http://howsecureismypassword.net/
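A local way to run the slide 24 experiments without typing anything into a website, added here as an example and not taken from the deck or from any of the listed checkers: it computes the exhaustive-search space that haystack padding enlarges, and flags the common and short passwords from the risk table plus the shared core that the site-suffix method leaves across accounts. The character-class sizes, the thresholds and the sample accounts are assumptions constructed for illustration.

```python
import math
import string
from difflib import SequenceMatcher

# Assumption: the 95 printable ASCII characters, split into four classes.
CLASSES = {
    "lower": set(string.ascii_lowercase),       # 26
    "upper": set(string.ascii_uppercase),       # 26
    "digit": set(string.digits),                # 10
    "symbol": set(string.punctuation + " "),    # 33
}
# The three common passwords named on slide 15; a real list would be far longer.
COMMON = {"123456789", "password", "qwerty"}


def alphabet_size(password):
    """Size of the smallest class-based alphabet that covers the password."""
    chars = set(password)
    size = sum(len(members) for members in CLASSES.values() if chars & members)
    # Characters outside printable ASCII are counted once each (conservative).
    return size + len(chars - set().union(*CLASSES.values()))


def search_space(password):
    """Candidates an exhaustive search must cover for every length up to this one."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def search_space_bits(password):
    """log2 of the search space; 0.0 for an empty string."""
    return math.log2(search_space(password)) if password else 0.0


def shared_core(a, b):
    """Longest substring two passwords have in common (case-sensitive)."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]


def audit(passwords, min_length=8, max_shared=0.5):
    """passwords: {account: password}. Returns {account: [findings]}."""
    findings = {name: [] for name in passwords}
    for name, pw in passwords.items():
        if pw.lower() in COMMON:
            findings[name].append("common password")
        if len(pw) < min_length:
            findings[name].append("shorter than %d characters" % min_length)
    names = sorted(passwords)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            a, b = passwords[first], passwords[second]
            core = shared_core(a, b)
            if a == b:
                note = "same password as "
            elif len(core) >= 4 and len(core) >= max_shared * min(len(a), len(b)):
                note = "shares %d-character core with " % len(core)
            else:
                continue
            findings[first].append(note + second)
            findings[second].append(note + first)
    return findings


# Constructed sample built from the deck's own example passwords
# (padding typed as plain ASCII dots and slashes).
SAMPLE = {
    "amazon": "#mtfbwy!AmZ",
    "facebook": "#mtfbwy!FbK",
    "forum": "qwerty",
    "bank": "...../////!20Mtfbwy13!...../////",
}

if __name__ == "__main__":
    for account, notes in audit(SAMPLE).items():
        bits = search_space_bits(SAMPLE[account])
        print("%-9s %6.1f bits  %s" % (account, bits, "; ".join(notes) or "no findings"))
```

The bit figure covers blind exhaustive search only; it says nothing about dictionary guessing, which the deck lists as a separate threat, so a high number for a padded or phrase-derived password is an upper bound rather than a guarantee.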
  • 26. PASSWORD OVERLOAD: HOW CAN ANYONE REMEMBER THEM ALL? Many people use a few passwords for all of their major accounts. The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them.
  • 27. PASSWORD SECURITY
      If one of your accounts is hacked, it’s likely that your other accounts that used the same password will quickly follow. More than 60% of people use the same password across multiple sites.
  • 28. PASSWORD MANAGEMENT TECHNIQUES (WAYS TO STORE YOUR PASSWORDS)
      - Human memory is the safest database for storing all your passwords
      - Writing passwords down on a piece of paper
      - Storing passwords on a computer in a Word document or Excel file
      - Password Manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web.
        - You should not rely totally on any type of password manager
        - Your single master password must be unique and complex
  • 29. HUMAN MEMORY  Strength: safest database for storing all your passwords  Weakness: Easy to forget
  • 30.  Strength: ease of access  Weaknesses:  You can lose the paper  Paper could be easily stolen or viewed by other people WRITING PASSWORDS DOWN ON A PIECE OF PAPER
  • 31.  Strength: ease of access  Weaknesses:  Data is not encrypted, anyone who has access to the computer that the file is saved on can easily read your passwords  If your computer breaks, you could possibly permanently lose the file STORING PASSWORDS ON A COMPUTER IN A WORD DOCUMENT OR EXCEL FILE
  • 32.  Password Manager is software that allows you to securely store all of your passwords and keep them safe, typically using one master password. This kind of software saves an encrypted password database, which securely stores your passwords either on your machine or on the Web.  You should not rely totally on any type of password manager  Your single master password must be unique and complex PASSWORD MANAGER IS SOFTWARE
  • 33. SO WHICH ONE IS THE BEST?
      - Password management tools are really good solutions for reducing the likelihood that passwords will be compromised, but don’t rely on a single source. Why? Because any computer or system is vulnerable to attack. Relying on a password management tool creates a single point of potential failure.
      - But before you turn to a password-management service based in the cloud or on your PC, it's best to review the quality of the service, said Tim Armstrong, malware researcher at Kaspersky Lab. He pointed out that you've got to ensure against data leakage or insecure database practices. "Users must be extra careful in choosing a provider," Armstrong said. "Make sure they're a valid and reputable vendor."
      - Grant Brunner wrote a fascinating article at ExtremeTech, “Staying safe online: Using a password manager just isn’t enough”. In it, he wrote, “using a password manager for all of your accounts is a very sensible idea, but don’t be lulled into a false sense of security. You’re not immune from cracking or downtime.” Broadly speaking, password managers such as LastPass are like any software: vulnerable to security breaches. For example, LastPass experienced a security breach in 2011, but users with strong master passwords were not affected.
      - Disadvantage: If you forget the master password, all your other passwords in the database are lost forever, and there is no way of recovering them. Don’t forget that password!
  • 34. KEEPASS
      - KeePass is a popular open-source, cross-platform, desktop-based password manager. It is available for Windows, Linux and Mac OS X as well as mobile operating systems like iOS and Android. It stores all your passwords in a single database (or a single file) that is protected and locked with one master key. The KeePass database is mainly one single file which can be easily transferred to (or stored on) any computer. Go to the download page to get your copy.
      - KeePass is a local program, but you can make it cloud-based by syncing the database file using Dropbox, or another service like it. Check out Justin Pot’s article, Achieve Encrypted Cross-Platform Password Syncing With KeePass & Dropbox.
      - Make sure you always hit save after making a new entry to the database!
  • 36. DO NOT PUT ALL YOUR EGGS IN ONE BASKET.
      - You should never record or write your password down on a post-it note.
      - Never share your password with anyone, even your colleagues.
      - You have to be very careful when using your passwords on public PCs like those in schools, universities, libraries, etc. Why? Because there’s a chance these machines are infected with keyloggers (or keystroke logging methods) or password-stealing trojan horses.
      - Do not use any password-saving features such as Google Chrome’s Auto Fill feature or Microsoft’s Auto Complete feature, especially on public PCs.
      - Do not fill any form on the Web with your personal information unless you know you can trust it. Nowadays, the Internet is full of fraudulent websites, so you have to be aware of phishing attempts.
      - Use a trusted and secure browser such as Mozilla Firefox. Firefox patches hundreds of security updates and makes significant improvements just to protect you from malware, phishing attempts, other security threats, and to keep you safe as you browse the Web.
  • 37.  This free tool helps users figure out if their account credentials have been hacked. If you go to the website of the service, you will see up-to-date statistics of the number of leaked credentials, passwords and email addresses.  PwnedList keeps monitoring (or crawling) the Web in order to find stolen data posted by hackers on the public sites and then indexes all the login information it finds. PWNEDLIST
  • 38.  ALWAYS use a mix of uppercase and lowercase letters along with numbers and special characters.  Have a different strong password for each site, account, computer etc., and DO NOT have any personal information like your name or birth details in your password.  DO NOT share any of your passwords or your sensitive data with anyone – even your colleagues or the helpdesk agent in your company. In addition, use your passwords carefully, especially in public PCs. Don’t be a victim of shoulder surfing.  Last recommendation that we strongly encourage is for you to start evaluating your passwords, building your tiered password system, alternating your ways of creating passwords and storing them using password managers. POINTS TO REMEMBER
  • 39. HANDS-ON PART 3: MANAGING YOUR PASSWORDS
      1. Decide which method you plan to use to store each password.
      2. Download and practice using KeePass.
      3. Check your primary emails on PwnedList.com/
  • 41. ADDITIONAL TIPS TO SECURE YOUR IDENTITY
      - Open Wi-Fi connections can be easily hacked using free packet-sniffer software
      - Always enable “HTTPS” (also called secure HTTP) settings in all online services that support it – this includes Twitter, Google, Facebook and more.
      - Spoofed Website
  • 44. INTERNET CRIME PREVENTION TIPS
      FROM THE INTERNET CRIME COMPLAINT CENTER (IC3). IC3 IS A PARTNERSHIP BETWEEN THE FEDERAL BUREAU OF INVESTIGATION AND THE NATIONAL WHITE COLLAR CRIME CENTER.
      Internet crime schemes that steal millions of dollars each year from victims continue to plague the Internet through various methods. Following are preventative measures that will assist you in being informed prior to entering into transactions over the Internet:
      - Auction Fraud
      - Counterfeit Cashier's Check
      - Credit Card Fraud
      - Debt Elimination
      - DHL/UPS
      - Employment/Business Opportunities
      - Escrow Services Fraud
      - Identity Theft
      - Internet Extortion
      - Investment Fraud
      - Lotteries
      - Nigerian Letter or "419"
      - Phishing/Spoofing
      - Ponzi/Pyramid
      - Reshipping
      - Spam
      - Third Party Receiver of Funds
  • 45. ONLINE CRIME PREVENTION: IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
      Auction Fraud
      - Before you bid, contact the seller with any questions you have.
      - Review the seller's feedback.
      - Be cautious when dealing with individuals outside of your own country.
      - Ensure you understand refund, return, and warranty policies.
      - Determine the shipping charges before you buy.
      - Be wary if the seller only accepts wire transfers or cash.
      - If an escrow service is used, ensure it is legitimate.
      - Consider insuring your item.
      - Be cautious of unsolicited offers.
      Counterfeit Cashier's Check
      - Inspect the cashier's check.
      - Ensure the amount of the check matches in figures and words.
      - Check to see that the account number is not shiny in appearance.
      - Be watchful that the drawer's signature is not traced.
      - Official checks are generally perforated on at least one side.
      - Inspect the check for additions, deletions, or other alterations.
      - Contact the financial institution on which the check was drawn to ensure legitimacy.
      - Obtain the bank's telephone number from a reliable source, not from the check itself.
      - Be cautious when dealing with individuals outside of your own country.
  • 46. ONLINE CRIME PREVENTION (CONT.): IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
      Credit Card Fraud
      - Ensure a site is secure and reputable before providing your credit card number online.
      - Don't trust a site just because it claims to be secure.
      - If purchasing merchandise, ensure it is from a reputable source.
      - Promptly reconcile credit card statements to avoid unauthorized charges.
      - Do your research to ensure legitimacy of the individual or company.
      - Beware of providing credit card information when requested through unsolicited emails.
      Debt Elimination
      - Know who you are doing business with — do your research.
      - Obtain the name, address, and telephone number of the individual or company.
      - Research the individual or company to ensure they are authentic.
      - Contact the Better Business Bureau to determine the legitimacy of the company.
      - Be cautious when dealing with individuals outside of your own country.
      - Ensure you understand all terms and conditions of any agreement.
      - Be wary of businesses that operate from P.O. boxes or maildrops.
      - Ask for names of other customers of the individual or company and contact them.
      - If it sounds too good to be true, it probably is.
  • 47. ONLINE CRIME PREVENTION (CONT.): IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
      DHL/UPS
      - Beware of individuals using the DHL or UPS logo in any email communication.
      - Be suspicious when payment is requested by money transfer before the goods will be delivered.
      - Remember that DHL and UPS do not generally get involved in directly collecting payment from customers.
      - Fees associated with DHL or UPS transactions are only for shipping costs and never for other costs associated with online transactions.
      - Contact DHL or UPS to confirm the authenticity of email communications received.
      Employment/Business Opportunities
      - Be wary of inflated claims of product effectiveness.
      - Be cautious of exaggerated claims of possible earnings or profits.
      - Beware when money is required up front for instructions or products.
      - Be leery when the job posting claims "no experience necessary".
      - Do not give your social security number when first interacting with your prospective employer.
      - Be cautious when dealing with individuals outside of your own country.
      - Be wary when replying to unsolicited emails for work-at-home employment.
      - Research the company to ensure they are authentic.
      - Contact the Better Business Bureau to determine the legitimacy of the company.
  • 48. ONLINE CRIME PREVENTION (CONT.): IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
      Escrow Services Fraud
      - Always type in the website address yourself rather than clicking on a link provided.
      - A legitimate website will be unique and will not duplicate the work of other companies.
      - Be cautious when a site requests payment to an "agent", instead of a corporate entity.
      - Be leery of escrow sites that only accept wire transfers or e-currency.
      - Be watchful of spelling errors, grammar problems, or inconsistent information.
      - Beware of sites that have escrow fees that are unreasonably low.
      Identity Theft
      - Ensure websites are secure prior to submitting your credit card number.
      - Do your homework to ensure the business or website is legitimate.
      - Attempt to obtain a physical address, rather than a P.O. box or maildrop.
      - Never throw away credit card or bank statements in usable form.
      - Be aware of missed bills which could indicate your account has been taken over.
      - Be cautious of scams requiring you to provide your personal information.
      - Never give your credit card number over the phone unless you make the call.
      - Monitor your credit statements monthly for any fraudulent activity.
      - Report unauthorized transactions to your bank or credit card company as soon as possible.
      - Review a copy of your credit report at least once a year.
  • 49. ONLINE CRIME PREVENTION (CONT.): IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
      Internet Extortion
      - Security needs to be multi-layered so that numerous obstacles will be in the way of the intruder.
      - Ensure security is installed at every possible entry point.
      - Identify all machines connected to the Internet and assess the defense that's engaged.
      - Identify whether your servers are utilizing any ports that have been known to represent insecurities.
      - Ensure you are utilizing the most up-to-date patches for your software.
      Investment Fraud
      - If the "opportunity" appears too good to be true, it probably is.
      - Beware of promises to make fast profits.
      - Do not invest in anything unless you understand the deal.
      - Don't assume a company is legitimate based on "appearance" of the website.
      - Be leery when responding to investment offers received through unsolicited email.
      - Be wary of investments that offer high returns at little or no risk.
      - Independently verify the terms of any investment that you intend to make.
      - Research the parties involved and the nature of the investment.
      - Be cautious when dealing with individuals outside of your own country.
      - Contact the Better Business Bureau to determine the legitimacy of the company.
  • 50. ONLINE CRIME PREVENTION (CONT.): IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
      Lotteries
      - If the lottery winnings appear too good to be true, they probably are.
      - Be cautious when dealing with individuals outside of your own country.
      - Be leery if you do not remember entering a lottery or contest.
      - Be cautious if you receive a telephone call stating you are the winner in a lottery.
      - Beware of lotteries that charge a fee prior to delivery of your prize.
      - Be wary of demands to send additional money to be eligible for future winnings.
      - It is a violation of federal law to play a foreign lottery via mail or phone.
      Nigerian Letter or "419"
      - If the "opportunity" appears too good to be true, it probably is.
      - Do not reply to emails asking for personal banking information.
      - Be wary of individuals representing themselves as foreign government officials.
      - Be cautious when dealing with individuals outside of your own country.
      - Beware when asked to assist in placing large sums of money in overseas bank accounts.
      - Do not believe the promise of large sums of money for your cooperation.
      - Guard your account information carefully.
      - Be cautious when additional fees are requested to further the transaction.
  • 51. ONLINE CRIME PREVENTION (CONT.): IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
      Phishing/Spoofing
      - Be suspicious of any unsolicited email requesting personal information.
      - Avoid filling out forms in email messages that ask for personal information.
      - Always compare the link in the email to the link that you are actually directed to.
      - Log on to the official website, instead of "linking" to it from an unsolicited email.
      - Contact the actual business that supposedly sent the email to verify if the email is genuine.
      Ponzi/Pyramid
      - If the "opportunity" appears too good to be true, it probably is.
      - Beware of promises to make fast profits.
      - Exercise diligence in selecting investments.
      - Be vigilant in researching with whom you choose to invest.
      - Make sure you fully understand the investment prior to investing.
      - Be wary when you are required to bring in subsequent investors.
      - Independently verify the legitimacy of any investment.
      - Beware of references given by the promoter.
  • 52. ONLINE CRIME PREVENTION (CONT.): IF THE "OPPORTUNITY" APPEARS TOO GOOD TO BE TRUE, IT PROBABLY IS.
      Reshipping
      - Be cautious if you are asked to ship packages to an "overseas home office."
      - Be cautious when dealing with individuals outside of your own country.
      - Be leery if the individual states that his country will not allow direct business shipments from the United States.
      - Be wary if the "ship to" address is yours but the name on the package is not.
      - Never provide your personal information to strangers in a chatroom.
      - Don't accept packages that you didn't order.
      - If you receive packages that you didn't order, either refuse them upon delivery or contact the company where the package is from.
      Spam
      - Don't open spam. Delete it unread.
      - Never respond to spam as this will confirm to the sender that it is a "live" email address.
      - Have a primary and secondary email address - one for people you know and one for all other purposes.
      - Avoid giving out your email address unless you know how it will be used.
      - Never purchase anything advertised through an unsolicited email.
      Third Party Receiver of Funds
      - Do not agree to accept and wire payments for auctions that you did not post.
      - Be leery if the individual states that his country makes receiving these type of funds difficult.
      - Be cautious when the job posting claims "no experience necessary".
      - Be cautious when dealing with individuals outside of your own country.
  • 53. REFERENCES
      - Al-Marhoon, M. (n.d.). Password Management Guide. MakeUseOf. Retrieved April 10, 2013, from http://www.makeuseof.com/pages/the-password-management-guide-fulltext
      - http://www.slideshare.net/NortonOnline/2012-norton-cybercrime-report-14207489
      - http://www.ic3.gov/media/annualreports.aspx

Editor's Notes

  1. Source: http://www.slideshare.net/NortonOnline/2012-norton-cybercrime-report-14207489
  2. MakeUseOf.com Password Management Guide – Page 5, para 8 Image from: http://www.google.com/intl/en/landing/2step/
  3. Source: MakeUseOf.com Password Management Guide – Page 7. For more in-depth information about threats against passwords, please read the following resources:
      - Guide to Enterprise Password Management (Draft)
      - THE RISK OF SOCIAL ENGINEERING ON INFORMATION SECURITY: A SURVEY OF IT PROFESSIONALS
      - What Is Social Engineering? [MakeUseOf Explains]
      - How To Protect Yourself Against Social Engineering Attacks
  4. The point is that you don’t have to memorize hundreds of passwords to ensure your accounts will not be compromised. Use really strong passwords only for your high and medium security accounts.
  5. Source: http://dailyinfographic.com/how-strong-is-your-password-infographic
  6. http://www.makeuseof.com/tag/7-ways-to-make-up-passwords-that-are-both-secure-memorable/
  7. Image from: http://security.arizona.edu/files/db_toothbrush.jpg
  8. Source: http://support.mozilla.org/en-US/kb/create-secure-passwords-keep-your-identity-safe
  9. http://rumkin.com/tools/password/passchk.php
  10. This technique was developed by security guru Steve Gibson, president of Gibson Research Corporation (GRC).
  11. Many people feel overwhelmed by the number of passwords they have to remember. Thus, people reuse passwords so that they don’t have to track many different logins. http://www.technewsdaily.com/3756-password-overload.html
  12. According to a landmark study (PDF) from 2007. Such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.
  13. MakeUseOf.com Password Management Guide – Pages 20-23
  14. MakeUseOf.com Password Management Guide – Pages 20-23
  15. http://www.technewsdaily.com/3756-password-overload.html
  16. http://mashable.com/2013/03/27/tips-against-identity-theft/
  17. Source: http://www.ic3.gov/media/annualreports.aspx
  18. http://www.ic3.gov/media/annualreports.aspx The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).