Passphrases and YOU Mitch Parks, GSEC/GCWN ITS Desktop Security Analyst [email protected]


Page 1: Passphrases and YOU Mitch Parks, GSEC/GCWN ITS Desktop Security Analyst mitch@uidaho.edu

Passphrases and YOU

Mitch Parks, GSEC/GCWN, ITS Desktop Security Analyst

[email protected]

Page 2

What is a Passphrase?

• ITS defines a passphrase as an easy to remember string of words, numbers and symbols

• A UI passphrase must be 15 characters or more

• SEE: APM 30.15 UI Password/Passphrase Policy (http://www.uihome.uidaho.edu/default.aspx?pid=97508)

Page 3

Passphrase examples

• Passphrases should be long, yet memorable:
 – “EveryGOODboydoesfine#”
 – “Listen,Children!”
 – “Mymom#isbetter.”

• Passphrases should not be common phrases or repeats like:
 – “My voice is my password.”
 – “Strawberry fields forever.”
 – “Passwordpassword.”

Page 4

Don’t Passphrases have a space?

• Passphrases are commonly used with a space

• Security vs. Usability requires balance

• UI passphrases or passwords may no longer have a space! *

• Banner users have additional restrictions on spaces and numerous special characters

Page 5

What other characters can’t be used?

• Disallowed characters as of October 14* include:
 o <space>
 o {
 o }
 o \
 o :
 o =
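The rules stated so far (15 or more characters, the disallowed character list above, and slide 3's advice against common or repeated phrases) can be combined into one check. The Python below is an added example, not part of the slides or of any ITS tool; the common-phrase list is constructed from the slides' own three examples and stands in for the much larger list a real deployment would load.

```python
import re

# Policy values as stated on the slides: 15+ characters, and these
# characters are disallowed as of October 14.
MIN_LENGTH = 15
DISALLOWED = set(" {}\\:=")

# Constructed stand-in for a real common-phrase list; these three are the
# slides' own "do not use" examples.
COMMON_PHRASES = {
    "My voice is my password.",
    "Strawberry fields forever.",
    "Passwordpassword.",
}


def normalize(text):
    """Lowercase and drop punctuation so trivial variations still match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_repeat(phrase):
    """True when the phrase is one token repeated, e.g. 'Passwordpassword'."""
    s = normalize(phrase)
    for n in range(1, len(s) // 2 + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return True
    return False


def check_passphrase(phrase):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(phrase) < MIN_LENGTH:
        problems.append(f"too short: {len(phrase)} < {MIN_LENGTH}")
    bad = sorted(DISALLOWED & set(phrase))
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    if normalize(phrase) in {normalize(p) for p in COMMON_PHRASES}:
        problems.append("matches a common phrase")
    if is_repeat(phrase):
        problems.append("a repeated word or pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["EveryGOODboydoesfine#", "My voice is my password.",
                      "Passwordpassword.", "short"]:
        print(f"{candidate!r}: {check_passphrase(candidate) or 'OK'}")
```

The repeat check catches "Passwordpassword" because the normalized string is one token written twice; the common-phrase check is only as good as the list behind it, which is why the constructed three-entry set is labelled a stand-in.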

Page 6

How many users have a passphrase?

• 3,049 users have switched to passphrase

• 14,751 password changes since August

[Pie chart: Passphrase vs. Simple password; Passphrase share is 21%]

Page 7

Why a Passphrase?

• 400 instead of 90 day expiration (only when set on the ITS Support website)

• Easier to remember

• Whole words can be used

• More difficult to crack or guess

(easily available tools can crack short passwords)

Page 8

Cracking vs. Guessing

• Cracking involves recovering the password from its hash, captured off the wire or from the local disk

• Guessing, or brute-force, methods simply try many or common passwords against live accounts

Page 9

What is a “brute-force” attack?

• Hackers write programs to automatically attempt login to systems using common passwords

• A common ssh brute force attack will use a team of computers to perform the attack

Page 10

But I don’t use ssh…

• UI accounts are exposed to the Internet on a number of fronts for the convenience of all users:
 – SSH/SFTP (unix.uidaho.edu)
 – https forms (mail.uidaho.edu / OWA)

• Both of these can be attacked from around the world

Page 11

Do people really attack us?

• It is hard to tell the difference between user failed logins and break-in attempts

• 10,407 failures in last 7 days

Page 12

Length vs. Complexity

• There are limited numbers of combinations to make up a short password

Page 13

Password Examples

• 4-digit PIN is obvious:
 – 0000 to 9999 : 10,000 choices

• 10 * 10 * 10 * 10 = 10,000

Page 14

Password complexity helps

• Basic alphabet (abcdefg…)
 – aaaa to zzzz ??

• 26 * 26 * 26 * 26 = 456,976

• UPPER, lower, numbers and symbols
 – AAAA to ++++ ???

• If only the 76 most common characters…

• 76 * 76 * 76 * 76 = 33,362,176

Page 15

Password Length Helps More

• 76 ^ 4 = 33,362,176

• 76 ^ 8 = 1,113,034,787,454,976

• 76 ^ 15 = 163,006,110,274,334,700,000,000,000,000
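The arithmetic on slides 13 to 15 is one formula, charset_size ** length, and the slides show that raising length does more than raising the character set. The Python below is an added example, not from the slides: it computes the deck's figures exactly (Python integers do not overflow), restates each keyspace in bits, and converts it to an average search time at an assumed rate of one billion guesses per second. That rate is for illustration only; real cracking speed depends on the hash algorithm and the hardware.

```python
import math

# Character-set sizes the slides use.
DIGITS = 10            # 4-digit PIN: 0000 to 9999
LOWERCASE = 26         # aaaa to zzzz
COMMON_PRINTABLE = 76  # the slides' "76 most common characters"


def keyspace(charset_size, length):
    """Number of distinct strings of `length` characters over the set."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """The same keyspace in bits: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def expected_crack_seconds(charset_size, length, guesses_per_second):
    """Average time to hit a uniformly chosen password by exhaustive search.

    On average half the keyspace is tried before the right value comes up.
    guesses_per_second is an assumed rate, used here only for illustration.
    """
    return keyspace(charset_size, length) / 2 / guesses_per_second


def length_vs_complexity_table(guesses_per_second=1e9):
    """Rows of (label, keyspace, bits, seconds) for the slides' cases plus a
    lowercase-only 15-character passphrase, to show length beating charset."""
    cases = [
        ("4-digit PIN", DIGITS, 4),
        ("4 lowercase", LOWERCASE, 4),
        ("4 of 76 chars", COMMON_PRINTABLE, 4),
        ("8 of 76 chars", COMMON_PRINTABLE, 8),
        ("15 lowercase only", LOWERCASE, 15),
        ("15 of 76 chars", COMMON_PRINTABLE, 15),
    ]
    return [
        (label, keyspace(n, k), entropy_bits(n, k),
         expected_crack_seconds(n, k, guesses_per_second))
        for label, n, k in cases
    ]


if __name__ == "__main__":
    for label, space, bits, secs in length_vs_complexity_table():
        print(f"{label:18} {space:>40,d} {bits:6.1f} bits  {secs / 86400:.3g} days")
```

The row worth noticing is the 15-character lowercase-only passphrase: with no uppercase, digits or symbols at all, its keyspace (26^15) is still far larger than an 8-character password drawn from all 76 characters (76^8), which is the slides' point about length.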

Page 16

Functional Account Passphrases

• Accounts shared and used by applications and processes “Behind the Scenes”

• Must have a passphrase of 30 or more characters, up to the maximum the system allows

Page 17

Password Safety Still Applies!

• Passphrase shall not be written down or stored in your office

• Passphrase shall not be stored within an application’s “Remember Password” function

• UI password or passphrase shall not be the same as any non-UI accounts

Page 18

Password Safety

• Passphrase shall not be shared with anyone – must be kept confidential

• ITS will never ask for your password!

• Any time you can “see” your password, sound the alarm!

Page 19

How DO I store a Passphrase?

• Passwords can only be stored with adequate encryption, for example, programs like:
 – Keepass (http://keepass.info)
 – eWallet (http://www.iliumsoft.com/site/ew/ewallet.php)
 – Apple Keychain (Applications / Utilities / Keychain)

Page 20

How do I generate a Passphrase?

• Many password tools like Keepass also have generators for long passwords

• Apple Keychain also has a passphrase generator

Page 21

How do I generate a Passphrase?

• Poems and song lyrics are popular

• Make sure to alter them to be unique

• “IdahoIdahoGoGoG0” is too simple
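An alternative to altering a poem or lyric is to let a generator pick unrelated words, which is what the Keepass and Keychain generators on slide 20 do. The Python below is an added example, not the slides' or either tool's code: it draws words with a cryptographic RNG from a small constructed word list, checks the result against the 15-character and disallowed-character rules stated earlier in the deck, and estimates how many bits the word choices alone contribute. The word list is a stand-in; a real generator would use a large published list.

```python
import math
import secrets

# Constructed word list for this example only (assumption: a real generator
# loads a large published list). Every word is free of the characters UI
# disallows (space { } \ : =).
WORDS = [
    "idaho", "river", "vandal", "autumn", "granite", "lantern", "copper",
    "meadow", "falcon", "harvest", "timber", "canyon", "silver", "orchard",
    "thunder", "maple", "ember", "glacier", "prairie", "saddle",
]
SEPARATORS = "-.,!#*"       # joiners that the stated policy allows
MIN_LENGTH = 15
DISALLOWED = set(" {}\\:=")


def generate_passphrase(word_count=4, rng=None):
    """Build a passphrase from randomly chosen words.

    secrets.SystemRandom is a CSPRNG; the plain random module would make the
    output predictable. One word is capitalised and a digit appended so the
    result is not a bare dictionary phrase.
    """
    rng = rng or secrets.SystemRandom()
    words = [rng.choice(WORDS) for _ in range(word_count)]
    i = rng.randrange(word_count)
    words[i] = words[i].capitalize()
    separator = rng.choice(SEPARATORS)
    return separator.join(words) + str(rng.randrange(10))


def meets_policy(phrase):
    """15+ characters and none of the disallowed characters (slides 2 and 5)."""
    return len(phrase) >= MIN_LENGTH and not (set(phrase) & DISALLOWED)


def word_entropy_bits(word_count, wordlist_size):
    """Guessing entropy from the word choices alone, assuming the attacker
    knows both the list and the scheme; separator and digit add only a few bits."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "meets policy" if meets_policy(phrase) else "FAILS policy")
    print(f"{word_entropy_bits(4, len(WORDS)):.1f} bits from this {len(WORDS)}-word list")
    print(f"{word_entropy_bits(4, 7776):.1f} bits from a 7,776-word list")
```

The entropy estimate is the reason the word list size matters: four words from the 20-word list here give only about 17 bits, while four words from a 7,776-word list (the Diceware size) give about 52 bits, with every result still comfortably over the 15-character minimum.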

Page 22

Thank You

Questions?