Protect Passwords

The document discusses the importance of password security and the use of password managers and multi-factor authentication (MFA) to protect digital identities. It highlights the prevalence of cybercrime related to password theft and emphasizes the need for unique passwords and different email accounts for various purposes. The author provides practical steps for improving password security and encourages proactive measures to safeguard personal and family accounts.
Uploaded by ddhouser

Password Vaults: Protecting Yourself Online & In Real Life

Dan Houser, CISSP-ISSAP-ISSMP CISM CGEIT CSSLP CCFP-US CISA


InfoSec Leader & Architect
Dan.houser@gmail.com
Copyright © 2020 Trogdor Heavy Industries – All Rights Reserved
@SecWonk #CPE4Free / #CPEs4Free
Keeping your digital identity SAFE
– Armoring Up
– Installing a Password Manager



4,000-year-old technology
Most predominant authentication method:
– Halt! Who goes there? [Identification]
– What is the password? [Authentication]
Most common form of authentication used
No end in sight
But does it work?

...ish
Copyright (c) 2019, Trogdor Heavy Industries, All Rights Reserved – bit.ly/2019InfoSecSummit
CyberCrime & Passwords

2018 CyberCrime Losses: $3.3 TRILLION

#1 Corporate vector: email phishing -> stealing passwords
#1 Consumer vector: stolen passwords
Jan 2019: Collections #1 to #6
– Collection #1: 773 million unique email addresses and about 21 million unique passwords, plus login IDs
– Collections #2, #3, #4, #5, #6: 3.3 BILLION passwords & emails in total
– Cost to download: $2


Why this talk?

[Image: parody "Wizards Bank" phishing page: "Ministry Transfers Galleons to Muggle Sign In", "Floo powder chat with a personal banker now"]

“Only amateurs attack machines; professionals target people.”
– Bruce Schneier

“Cryptographic systems are only as strong as the underlying implementations…. Even though the [cryptographic] protocol itself is believed to be solid, a ‘lock’ icon is hardly of much significance when displayed by a bug-riddled browser running on a spyware-infested computer talking to a compromised Web server.”
– Paul Kocher


MFA: A Field of Fail
Broken authenticators: the human factor
– SMS & Caller ID spoofing; easy smishing


Why passwords fail
Bad passwords
– The top 10 most common passwords used in 2018 (SplashData's annual list) were:
  1. 123456 (Unchanged)
  2. password (Unchanged)
  3. 123456789 (Up 3)
  4. 12345678 (Down 1)
  5. 12345 (Unchanged)
  6. 111111 (New)
  7. 1234567 (Up 1)
  8. sunshine (New)
  9. qwerty (Down 5)
  10. iloveyou (Unchanged)
Reusing the same password in multiple places
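Both failure modes on this slide (a password that is on everybody's top-10 list, and a password that has already leaked in a corpus like Collection #1) can be screened at enrolment the way NIST SP 800-63B recommends: compare the candidate against a deny-list and against known-breached passwords. The script below is an added example for this page, not code from the original slides. The breach lookup mirrors the k-anonymity range protocol used by Pwned Passwords (send only the first five hex characters of the SHA-1, get back `SUFFIX:COUNT` lines, match the suffix locally), but it is served from a constructed in-memory table so it runs offline; the counts in that table are made up, only the two hashes are real.

```python
"""Screen a candidate password: minimum length, common-password deny-list,
then a k-anonymity breach lookup that never sends the password (or its full
hash) off-host. Added example; not code from the original slides."""
import hashlib
from typing import Callable, Dict, Tuple

# SplashData's 2018 top-10 list (quoted on the slide), lower-cased for matching.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345",
    "111111", "1234567", "sunshine", "qwerty", "iloveyou",
}

# Constructed stand-in for a range-query backend, keyed by 5-char SHA-1 prefix.
# The first suffix under each prefix is the real SHA-1 of "password" and of
# "The quick brown fox jumps over the lazy dog"; counts and other rows are invented.
FAKE_RANGE_TABLE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "003D68EB55068C33ACE09247EE4C639306B:4\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:2\r\n"
    ),
    "2FD4E": (
        "1C67A2D28FCED849EE1BB76E7391B93EB12:12\r\n"
        "00B7A0C9E6D1F42A3B1C8D9E0F1A2B3C4D5:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to
    the service and the 35-char suffix that stays on this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call; an unknown prefix yields an empty range."""
    return FAKE_RANGE_TABLE.get(prefix.upper(), "")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a mapping; tolerate blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Times the password appears in the corpus. The suffix match happens
    locally, so the service never learns which hash in the range we wanted."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def check_password(password: str,
                   range_lookup: Callable[[str], str] = offline_range_lookup,
                   min_length: int = 8) -> Tuple[bool, str]:
    """Return (accepted, reason). Cheap local checks run first; the (normally
    remote) breach lookup runs last."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "on the common-password deny-list"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"seen {seen} times in breach corpora"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("12345", "Sunshine", "The quick brown fox jumps over the lazy dog",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

A long passphrase that happens to be a famous sentence is rejected by the breach lookup even though it passes length and deny-list checks, which is the point of checking corpora rather than composition rules. In production, `offline_range_lookup` is replaced by the HTTPS range query; the prefix-only request is what keeps the password out of the provider's logs.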


Armoring Up
– Use a password manager
– Use Multi-Factor Authentication
– Protect your accounts, don’t share!
– Split your accounts:
  • Use different accounts for different persons
  • Use multiple emails:
    • One email for banking/financials
    • One email for social media
    • One email for online purchases
    • One for everything else
Multi-Factor Authentication
Combines:
– Something you know: PIN, password, demographics, challenge-response
– Something you have: OTP token, phone, employee access card, key fob, RFID
– Something you are: fingerprint, voice print, photograph, facial recognition
– Fourth factor, somewhere you are (location and context):
  o Does transactional activity indicate this is logically the same person?
  o Is Alice currently in Singapore?


MFA: Multi-Factor Auth

Use MFA wherever it’s offered:
– Banking / Finance
– Social media
– Email
– Medical records
– Centrify


Why different email accounts?
Cascade failure in the web of trust

Compromise of one account often enables compromise of others:

Personal email -> social media -> banking credential reset -> corporate credential reset -> phone carrier reset -> new SIM -> OTP token reset -> cryptocoin wallet unlock…

The challenge here is that resetting a credential ALWAYS relies on other credentials, and most reset paths are in-band.
Password reset is the weakest link of all.

FAIL MODE: using the same password for cat GIFs and banking
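The cascade above is a reachability problem: draw an edge from every account to each account it can reset, and the blast radius of one compromise is the transitive closure. The script below is an added example for this page, not code from the slides; the three account graphs are constructed to illustrate the point and are not data from the deck. It compares the single-mailbox setup with the split-mailbox setup the deck recommends, and then shows that splitting mailboxes is not enough while the bank still falls back to SMS codes that a carrier reset can capture.

```python
"""Credential-reset 'web of trust' as a directed graph: A -> B means whoever
controls A can reset or take over B. BFS gives the blast radius of a single
compromise and ranks the most dangerous account to lose.
Added example; graphs are constructed, not data from the original slides."""
from collections import deque
from typing import Dict, FrozenSet, List, Set, Tuple

# One mailbox for everything; bank and wallet fall back to SMS codes.
SINGLE_MAILBOX: Dict[str, Set[str]] = {
    "personal-email":  {"social-media", "shopping", "banking", "corporate-login", "phone-carrier"},
    "phone-carrier":   {"sim-swap"},
    "sim-swap":        {"sms-otp"},
    "sms-otp":         {"banking", "otp-token-reset"},
    "otp-token-reset": {"crypto-wallet"},
}

# Mailboxes split as the slide recommends, but MFA still rides on SMS.
SPLIT_MAILBOXES_SMS_MFA: Dict[str, Set[str]] = {
    "banking-email":   {"banking"},
    "social-email":    {"social-media"},
    "shopping-email":  {"shopping"},
    "misc-email":      {"corporate-login", "phone-carrier"},
    "phone-carrier":   {"sim-swap"},
    "sim-swap":        {"sms-otp"},
    "sms-otp":         {"banking", "otp-token-reset"},
    "otp-token-reset": {"crypto-wallet"},
}

# Same split, with SMS replaced by an authenticator app / hardware token
# whose re-enrolment does not run through the phone carrier.
SPLIT_MAILBOXES_APP_MFA: Dict[str, Set[str]] = {
    "banking-email":   {"banking"},
    "social-email":    {"social-media"},
    "shopping-email":  {"shopping"},
    "misc-email":      {"corporate-login", "phone-carrier"},
    "phone-carrier":   {"sim-swap"},
    "sim-swap":        {"sms-otp"},   # attacker can still receive SMS ...
    "sms-otp":         set(),         # ... but nothing of value resets over SMS any more
}


def reachable(graph: Dict[str, Set[str]], start: str) -> FrozenSet[str]:
    """Transitive closure from `start`: every account an attacker holding it ends up with."""
    seen: Set[str] = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return frozenset(seen)


def riskiest_accounts(graph: Dict[str, Set[str]]) -> List[Tuple[int, str]]:
    """Every node ranked by blast radius, largest first: where MFA and hygiene effort pays most."""
    nodes = set(graph) | {n for targets in graph.values() for n in targets}
    return sorted(((len(reachable(graph, n)), n) for n in nodes), reverse=True)


if __name__ == "__main__":
    for name, g in (("single mailbox", SINGLE_MAILBOX),
                    ("split mailboxes, SMS MFA", SPLIT_MAILBOXES_SMS_MFA),
                    ("split mailboxes, app MFA", SPLIT_MAILBOXES_APP_MFA)):
        size, worst = riskiest_accounts(g)[0]
        print(f"{name}: losing {worst!r} exposes {size} accounts: {sorted(reachable(g, worst))}")
```

The same model serves the "inventory all credentials, paths, flows for establish & reset" step on the Apply slide: once the edges are written down, the riskiest node is computed rather than guessed, and each proposed change (a separate mailbox, an out-of-band reset, a non-SMS second factor) can be checked for whether it actually removes the path to the bank.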


PROTECT PASSWORDS of those you love

Password protection methods & the reality of non-technical family members

– Phishing exists because of this dichotomy
– How to protect…
  – a techno-phobe?
  – Grandma?
  – a middle schooler?
  – someone who is mentally incompetent?
PROTECT PASSWORDS

Use a password manager:
• 1Password
• KeePass / KeePassXC
• LastPass
• Bitwarden

Unique passwords for every site: no more stress about “where else have I used this password?”
LastPass Interactive Demo
Get on the guest Wi-Fi: guest@place.org / HowNowBC?
Install LastPass


[Nine LastPass screenshot slides from the interactive demo]


“Apply” Slide

Next week you should:
– START
Over the next 3 months you should:
– Inventory all credentials, and the paths and flows for establishing & resetting them
– Normalize identity verification standards & scripts
Within 6 months you should:
– Instrument velocity checks on all authentication paths
– Create a backup MFA plan / solution
– Migrate insecure credentials; consider NIST SP 800-63-3 as the credential standard
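"Instrument velocity checks on all authentication paths" is the same question the MFA slide asks with "Is Alice currently in Singapore?": given two consecutive logins for one user, could a human have travelled between them? The script below is an added example for this page, not code from the original slides. The login records are constructed, the coordinates are approximate city centres, and the 900 km/h ceiling (roughly airliner speed) and the 50 km geolocation jitter allowance are assumed thresholds, not figures from the deck.

```python
"""Geo-velocity ("impossible travel") check over a stream of login events.
Added example; events and thresholds are constructed for illustration."""
import math
from datetime import datetime
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0

# Constructed events: (user, ISO-8601 UTC timestamp, latitude, longitude).
SAMPLE_LOGINS: List[Tuple[str, str, float, float]] = [
    ("alice", "2020-03-01T09:00:00+00:00", 39.96, -82.99),  # Columbus, OH
    ("bob",   "2020-03-01T09:05:00+00:00", 39.96, -82.99),  # Columbus, OH
    ("alice", "2020-03-01T11:00:00+00:00",  1.35, 103.82),  # Singapore, 2 h later
    ("bob",   "2020-03-01T12:05:00+00:00", 41.88, -87.63),  # Chicago, 3 h later
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh: float = 900.0, jitter_km: float = 50.0) -> List[Dict]:
    """Flag each consecutive pair of logins per user whose implied speed exceeds
    max_kmh. Same-instant logins count as infinite speed; pairs closer than
    jitter_km are ignored to absorb IP-geolocation noise. Events must carry
    the same UTC offset, since they are ordered by their timestamp strings."""
    last: Dict[str, Tuple[datetime, float, float]] = {}
    alerts: List[Dict] = []
    for user, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600.0
            speed = math.inf if hours == 0 else km / hours
            if km > jitter_km and speed > max_kmh:
                alerts.append({"user": user, "from": (plat, plon), "to": (lat, lon),
                               "km": round(km), "hours": round(hours, 2),
                               "speed_kmh": round(speed)})
        last[user] = (t, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(f"{alert['user']}: {alert['km']} km in {alert['hours']} h "
              f"(~{alert['speed_kmh']} km/h) {alert['from']} -> {alert['to']}")
```

An alert is a signal to step up authentication or hold the session, not proof of compromise: VPN exits and mobile carrier NAT produce false positives, which is why the check belongs with the "backup MFA plan" item rather than as a hard block on its own.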


Q&A

[Cartoon: copyright FarWorks & Gary Larson]