Password Policy John Hally John.hally@comcast.net Why This Policy? - PowerPoint PPT Presentation

Oct 25, 2023 •124 likes •202 views

Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of security Can easily be the weakest link Set standards for: Creation of strong passwords Password protection Frequency of

Password Policy John Hally John.hally@comcast.net
Why This Policy? � Very important aspect of security � Can easily be the ‘ weakest link ’ � Set standards for: – Creation of strong passwords – Password protection – Frequency of change
Policy Applicability � All: – Users (local and remote) – Contractors – Vendors � Developers – Their own accounts – Their applications � Support individual user authentication. � No clear text password storage � Provide role management. � Support TACACS+ , RADIUS and/or X.509, LDAP security retrieval when possible.
Strong Password Construction Contain at least three of the five following character � classes: – Lower case characters – Upper case characters – Numbers – Punctuation – “ Special ” characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc) Contain at least fifteen alphanumeric characters. � Are not words in any language, slang, dialect, jargon, � etc. Are not based on personal information, names of family, � etc.
What constitutes a ‘ weak ’ password? Contains less than fifteen characters � Is a word found in a dictionary (English or foreign) � Is a common usage word such as: � – Names of family, pets, friends, etc. – Computer terms and names, commands, sites, companies, hardware, software. – “ <Company Name> “ , locations or any derivation. – Personal information (birthdays, addresses phone numbers). – Word/number patterns - aaabbb, qwerty, zyxwvuts, 123321, etc. – Any of the above spelled backwards. Above preceded or followed by a digit (e.g., secret1, � 1secret)
Password Protection Different passwords for non-business accounts - personal ISP, etc. � Different passwords for various access needs when possible. � Do not share passwords with ANYONE. � Should never be written down/stored un-encrypted. � No passwords in electronic communication (email, chat). � Do not speak about a password in front of others. � No hints - "my family name “ . � Never on questionnaires or security forms. � Password demands - refer to this document and/or Information � Security Department. No ‘ Remember Password ’ feature of applications. �

Recommend

Manage password policy in OpenLDAP Clment OUDOT coudot@linagora.com First time you see me?

Manage password policy in OpenLDAP Clment OUDOT coudot@linagora.com First time you see me? Let's introduce! LDAPcoholic since many years Fake developer, real hacker Let's begin with the password policy draft (Behera draft) A draft? Is it

476 views • 26 slides

Improving Password Management Laura Raderman, Policy and Compliance Coordinator, ISO Ole

Improving Password Management Laura Raderman, Policy and Compliance Coordinator, ISO Ole Villadsen, Research Liaison, Cybersecurity, UL Password Management How many passwords do you have? Are they all different? How different?

395 views • 37 slides

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides

UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020 $

UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020 $ ldapwhoami LemonLDAP::NG LDAP Tool Box LDAP Synchronization Connector FusionIAM WSweet Clment OUDOT KPTN Identity Solutions Manager

508 views • 24 slides

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your Master Key When you forget a password, they send a reset link to your email. Anyone with access to your email has the power to reset your other

549 views • 31 slides

Again Guideline of IPA Again Guideline of IPA We respect the IPAs policy so that we reported

Extended APOP Password Extended APOP Password Recovery Attack Recovery Attack Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro (The University of Electro-Communications) 31 characters can be recovered. Remark: This research was done only

117 views • 7 slides

Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

363 views • 21 slides

Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was created, CHANGE IT NOW! (It can be the same as your email password.) Day 3 Steps in compiling: (Optional preprocessing) Lexical analysis

483 views • 17 slides

Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor,

1.88k views • 85 slides

Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password management policies. ~ Trustwave Each year, over 125 millions hours of productivity are lost due to passwords management problematics. ~

950 views • 25 slides

1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

11/17/09 1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm pretty sure it doesn't work. 3 3 11/17/09 - basic outline -problems with password usability and security -how various graphical

1.55k views • 86 slides

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory Masters Students The Center for Education and Research in Information Assurance and Security CURRENT STATUS Problem Statement Stringent

286 views • 15 slides

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks Bauhaus-Universitt Weimar www.webis.de NDSS 2017, February 27 th 2017 Mnemonic Password Creation Password: Show password Random

684 views • 17 slides

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is weak authentication mechanism. Use Brute Force to find the password. We are using Hashing and Salt to protect the password. Passwords: Two factors

559 views • 51 slides

The Password Doesnt Fall Far: How Service Influences Password Choice Miranda Wei, The

The Password Doesnt Fall Far: How Service Influences Password Choice Miranda Wei, The University of Chicago Maximilian Golla, Ruhr University Bochum Blase Ur, The University of Chicago Baltimore, USA | August 12, 2018

474 views • 25 slides

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides

Welcome! Wifi: TUPConference Password: 20Conf19 Please go to slido.com & enter code #bccdum

Welcome! Wifi: TUPConference Password: 20Conf19 Please go to slido.com & enter code #bccdum Twitter - #BigClimateConversation The Big Climate Conversation Susie Townend Head of Climate Policy Unit, Scottish Government Scotland has

852 views • 70 slides

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton Institute, NUI Maynooth. 19 April 2012 How to Guess a Password? Passwords are everywhere. If you dont know the password, can you guess it? 1. Make a

420 views • 18 slides

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research Zurich based on joint work with Jan Camenisch, Anna Lysyanskaya & Gregory Neven ROADMAP Password-Based Authentication How to make password

1.43k views • 43 slides

[keystone_authtoken] auth_uri = http:// admin_password = PASSWORD [api_database]

[keystone_authtoken] auth_uri = http:// admin_password = PASSWORD [api_database] Connection = mysql://USER:PASSWORD@HOST/TABLE !{SECRET: container_ref : key_name } !{ENV: env_var }

430 views • 16 slides

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides