From IT Security For Libraries Wiki


Password reuse is the WORST thing you can do

Make sure we're clear on that. Using the same password for everything is the worst thing you can do. It allows anyone who gets your password to try it elsewhere and see if it unlocks any of your other online accounts. When these big hacks happen, the only thing saving you is that your password is only used on that ONE site and not everywhere else for that email address. If you're reusing passwords, an attacker can easily use an automated program to check through thousands of accounts and search emails for passwords and other personal information that will lead elsewhere. At the very least, have one easy password for most websites, another one for email, Facebook and other somewhat more important sites, and a good one for banks. If the passwords are stolen from some site, they'll be decrypted no matter what you choose.
There are entire classes of websites for which you should simply pretend that your password is already public. [examples?]
It's very easy for evildoers to get your email address from one site and then pretend to be from that site to try more ways to get more information from you. After all, you have a business relationship with all these sites, so you would be less suspicious of opening an email or clicking on a link which appeared to have been sent by them, especially if some clever social engineering made the email appear particularly enticing.

If you think about it, a password is really weak security
"There are very few situations where password strength really makes a difference," says Matt Weir, a co-author of the paper and security researcher, now with the MITRE Corporation.
We have interesting stats on passwords thanks to some major hacks.
In short, when we can analyze people's passwords, they turn out to be bad.
They're all lower case, not random, dictionary words, no special characters, found in password dictionaries, reused from other sites.
Are complex passwords better?
People will fight you if you enforce crazy password restrictions.
Enforcing strong passwords means anticipating all kinds of keyboard sequences.
Even when forced to use good characters, they'll do something like choose all the left side of the keyboard.
How often do you change a password?
Should we even force users to change?
They will then tend to use EASY passwords and make it LESS secure. So it depends.
Network passwords should probably be changed often.
Your bank? Your money is gone if anyone gets it anyway. It will only need to be changed if it's taken along with your money.
So in general: you don't need to regularly change the password to your computer or online financial accounts
If you break up with someone you've shared a computer with, change them all.
You have no idea how your passwords are stored or shared.
Given enough time, any captured password can be broken.
If you can remember your password it's probably a bad password
Or is complexity not the answer? Is it uniqueness?
Length is the most important thing in a password?
Websites should never allow brute force attacks.
Hard to remember passwords are actually less secure?
Phone passcodes are only 4 and all numbers, most people use 1234. (image)
What are the common threats to passwords? Does password complexity defend from those threats?

HOW are people going to get your password?

1. Ask.
2. Guess.
3. Bruteforce.
4. Dictionary.
Do you always use unique passwords? Are those passwords always "strong"?
If you can't always answer yes, your password strategy ain't great.
If it's not strong it can be bruteforced/rainbowed/dictionaried
If it's not unique it can then be used to get more info on you.
A truly strong password is almost impossible to remember.
2-factor authentication, like a passkey or token device.
Should websites/orgs even allow dumb passwords?
"Providers, not users, are to blame for bad passwords."
People assume a level of competence with providers
In July Hotmail stopped allowing bad passwords.
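The four routes above map onto concrete website-side defences: refuse passwords on a common-password list (the "guess" and "dictionary" routes), store only salted hashes so a stolen database is not a list of passwords, and lock an account after repeated failures (the "bruteforce" route). The following is an added example written for this page, not code from the wiki or from any provider it mentions; the deny list, the account, the failure limit and the lockout time are constructed values, and a real deployment would use a large leaked-password list and persistent storage.

```python
"""Website-side defences against the guess / bruteforce / dictionary routes.
Added example; the deny list, account and limits are constructed."""
import hashlib
import hmac
import os
import string
from collections import defaultdict

# Constructed stand-in for a real list of common / previously leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "1234"}


def is_common_password(candidate: str) -> bool:
    """True if the password, ignoring case and a trailing number, is on the list
    (so 'Password1' is refused along with 'password')."""
    lowered = candidate.lower()
    return lowered in COMMON_PASSWORDS or lowered.rstrip(string.digits) in COMMON_PASSWORDS


def make_record(password: str) -> tuple:
    """Store a random salt plus a PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_record(record: tuple, password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class LoginThrottle:
    """Counts failed logins per account; after max_failures the account is
    locked for lockout_seconds. Time is passed in so the behaviour is testable."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, username: str, now: float) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if now >= until:  # lockout expired: give the account a fresh budget
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def record_failure(self, username: str, now: float) -> None:
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle: LoginThrottle, users: dict, username: str,
                  password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'fail'. The lockout is checked first, so even
    the right password is refused while the account is locked."""
    if throttle.is_locked(username, now):
        return "locked"
    record = users.get(username)
    if record is not None and verify_record(record, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)  # unknown users count too, to avoid enumeration shortcuts
    return "fail"


if __name__ == "__main__":
    users = {"alice": make_record("Library c4rd+Tuesday")}  # constructed account
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for t, pw in [(0, "password"), (1, "qwerty"), (2, "letmein"), (3, "Library c4rd+Tuesday")]:
        print(t, attempt_login(throttle, users, "alice", pw, t))
```

The throttle is per account rather than per source address, because the reuse problem described at the top of this page is exactly what lets one attacker spread guesses across many addresses; the `is_locked` check runs before the password is compared so that a locked account gives no hint whether the guess was right.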

*Practical Password Advice*
Choose NON obvious, NON dictionary passwords
They check common passwords first, then they check a regular dictionary.
They don't know your password, so they start this way first.
After that, the most important thing is length
Because there's no difference between a simple long one and a complex long one as far as guessing goes.
So start with an easy to remember password, then pad it with something else easy to remember
So get your own password and pad it. But don't just use Password1, as this is easily guessed, and don't pad with easily guessed numbers.

Neither the password nor the pad should be easy to guess or obvious.
This defends against brute forcing. We get protection by adding more characters because they need to guess every length up to that length, and each character adds a lot of time required.
If you use special characters and upper/lower case you add more, because they know most passwords are all lower-case letters and numbers.
1 Uppercase
1 Lowercase
1 Digit
1 Something else
Don't put those numbers at the end
You should still use a different password on each site
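The arithmetic behind "length is the most important thing" and the rules above (non-dictionary, long, one of each character class, digits not at the end) can be worked through directly. The block below is an added example written for this page, not code from the wiki; the guess rate, the short deny list and the minimum length of 12 are constructed assumptions, and only the ratios between passwords matter. It generalizes the page's point by computing the worst-case guess count for any password: every string of length 1 up to the password's length over the alphabet the password actually uses.

```python
"""Why length beats complexity for guessing, plus a checker for the rules above.
Added example; guess rate, deny list and minimum length are constructed."""
import string

GUESSES_PER_SECOND = 1e10  # assumed offline cracking speed; only ratios matter
MIN_LENGTH = 12            # assumed policy minimum
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}  # constructed
SYMBOLS = set(string.punctuation) | {" "}  # 32 punctuation marks plus space


def charset_size(password: str) -> int:
    """Size of the alphabet a guesser must cover, judged from the character
    classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_guesses(password: str) -> int:
    """Worst case: every string of length 1..n over the alphabet, i.e. the sum of s**k.
    Each extra character multiplies the total by roughly s."""
    s, n = charset_size(password), len(password)
    return sum(s ** k for k in range(1, n + 1))


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return brute_force_guesses(password) / rate


def policy_problems(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the rules from the advice above that the password breaks (empty list = passes)."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or lowered.rstrip(string.digits) in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length}")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol or space")
    without_tail = password.rstrip(string.digits)
    if without_tail != password and not any(c.isdigit() for c in without_tail):
        problems.append("all digits at the end")  # the 'Password1' pattern
    return problems


if __name__ == "__main__":
    # constructed samples: a common one, a short word, a long simple pad, a long mixed pad
    for pw in ["Password1", "hotrodding", "hotroddingnovember", "Hot r0dding Novemb3r!"]:
        print(f"{pw!r}: {brute_force_seconds(pw):.3g} s to exhaust; problems: {policy_problems(pw)}")
```

Running it shows the page's claim in numbers: the 18-letter all-lowercase pad takes vastly longer to exhaust than an 8-character password drawn from all four classes, and adding one more character multiplies the work by about the alphabet size. The policy check is deliberately separate from the arithmetic, since "Password1" has a respectable keyspace on paper but is rejected on the common-list and digits-at-the-end rules before any brute forcing would be needed.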

XKCD on passwords