View
219
Download
0
Category
Tags:
Preview:
Citation preview
ITSS 2015
Password Security Review
Your password is the last line of defense. Keep your data safe with good password practices.
Mikio OlinKevin Matteson
ITSS 2015
Overview• Ohio University Policy (91.004)• Your Credentials are Important• Password Best Practices• Ohio University Credential Complexity Standards• Two factor Authentication Demo
ITSS 2015
Ohio University Policy (91.004)University Credentials
https://www.ohio.edu/policy/91-004.html
• Policy SectionsA. OverviewB. IndividualsC. Credentials
• Data Stewards (93.001 Data Classification)• Authentication Credentials Complexity Standard
D. Information system ownersE. Authentication servers
ITSS 2015
Umm no, I was not in Nigeria last week…
91.004 A (Overview)Credentials… are often the first line of attack, and the last line of defense, in the protection of these resources. Because of this, they must be used with care, and adequately protected.
Your password is confirmation of your identity• Attackers can impersonate you• View/Change your personal information• View/Change others personal information
One password leads to another• Access to an account or device opens a door to other accounts.
ITSS 2015
OU Policy says…
91.004 B (Individual’s responsibilities)• Keep your credentials, secret questions, and their answers private
and known only to you. • Use unique credentials (username and password combination) for
Ohio university that are different from any other service or website. • Your credentials are for your personal authentication to university
resources, and should not be used as a means to provision services to other users. • If you suspect that your credentials have been compromised,
change your credentials and questions immediately and inform the information security office by e-mail to security@ohio.edu.
ITSS 2015
Keep it hidden… Keep it safe…
Even Strong passwords become weak if they are written on a Post-it® under your keyboard.
Password Habits to Avoid• Writing passwords down or storing in a document• Reusing an old password • Using your password on an insecure device
Good Password Habits• Store passwords encrypted in Keepass• Change your password annually• Be mindful of the situation
ITSS 2015
What’s your Risk Level?
91.004 C (Risk and Credential Level)• Not all University accounts carry the same level of risk. • Risk is measured by the type of data an individual can view/change
with their credentials.• (93.001 Data Classification) - University Data Stewards are
responsible for rating and classifying their data. Data is labeled as a High, Medium, or Low Level based on potential impact to the university.• University Data Stewards also are responsible for reviewing the
Authentication Credentials Complexity Standard annually• Authentication Credential Complexity Standards
ITSS 2015
Authentication and Credential Complexity Standard
Risk Level = Credential LevelRisk Levels
1. Low Risk – Access to only their own information or information classified as “Low” (Students, Guests)
2. Medium Risk – Access to University information classified as “Medium or High” (Faculty, Staff, Contract Employee)
3. Medium Risk with higher Credential Level – Same Risk as Medium Level4. High Risk – Privileged access to “Medium or High” (System Administrators, DBA, Bursar, Registrar,
Admissions Staff, etc)
Credential Levels
Level Character Classes Length Expiration MultiFactor Enrolled
Level 1 2 or more 8 minimum 5 years Not required
Level 2 3 or more 8 minimum 6 months Not required
Level 3 3 or more 10 minimum 1 year Not required
Level 4 3 or more 10 minimum 1 year Required
ITSS 2015
What is a weak Password?
Weak password are easy to guess or easy to break.• Contains a name or dictionary word
(Including the following simple alterations of password)• Modifying capitalization (PasSWorD)• Reversing word order (drowssap)• Character substitutions (pa55w0rd)• Removing vowels (psswrd)
• Uses keys adjacent on the keyboard (1234asdf)• Contains a single character type (18042010)• Contains less than 8 characters (pwd123)
ITSS 2015
What are STRONG Passwords?
Strong passwords are difficult to guess and break• Contains more than 8 characters• Contains multiple character types
• UPPERCASE LETTERS• lower case letters• Numbers• Special Characters ($%^&*!@#)
• Means something to you but no one else.!dnlg3aH$Ia ! do not like green 3ggs and Ham $am I am
How to choose a strong password
ITSS 2015
Under Construction
• Password expiration (Notification and Enforcement)• Password Meter
• MultiFactor Authentication (MFA)• DUO (Phone Factor Voice, Text, App Push)• Azure (Phone factor)• YubiKey (Generated Token)• Other?
ITSS 2015
Multifactor Authentication
• Knowledge Factors – (What you know)• Passwords• Security Pins• Secret questions
• Possession Factors - (What you have)• Physical Key• Security Token
• Transmitted to or from a device you possess
• Inherence Factors – (What you are)• Biometrics
• Fingerprint scanner• Retina scanners• Face recognition• Voice recognition
ITSS 2015
Multifactor Demo
Recommended