Western Governors University

LUT1

Presentation Outline

Vernon D. Cole

1/28/2010

--
Topic: Log in security for computers and Internet sites.

Research Question: Are there any safe solutions to the problems caused 
by the proliferation of password protected Internet sites?

Thesis: A combination of training users in safe practices, along with 
appropriate application of new technologies, has the potential of 
improving secure access to confidential Internet resources.
---

 

Introduction:

I have had 35 years of experience in the computer industry. When I selected my topic for this research presentation, I picked something that I was sure would be easy – because every old timer knows that the first principle of computer security is: “Never write down your password.” Then I did the actual research, and I discovered that...

  I was wrong. The advice I used to give is now obsolete. (Evers, 2006; Schneier, 2005; Johansson, 2008)

 

In the next few minutes, we'll discuss why we use passwords, some problems with passwords, and what we can do to protect ourselves from password thieves.

 

Outline:

 I.        Introduction.

 II.        Why we authenticate.

 A.        The various aspects of our lives dependent on authentication (identity theft).

        IAGO

Good name in man and woman, dear my lord,
Is the immediate jewel of their souls:
Who steals my purse steals trash; 'tis something, nothing;
'Twas mine, 'tis his, and has been slave to thousands:
But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed. (Shakespeare,
Othello, Act 3, Scene 3)

 B.        The three factors of identification. (Federal Financial Institutions Examination Council, n.d.)

 1.        Something we know.

 a)        Passwords

 b)        Little known facts.

 2.        Something we possess.

 a)        Keys

 b)        Credit Cards

 c)        Smart Cards

 3.        Something we are.

 a)        Fingerprint scanners

 b)        Retinal scanners

 c)        Voice prints

 d)        Facial Recognition

 III.        Problems with Passwords.

 A.        Poor password choices: “So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage.” (Brooks, Meehan & Graham, 1987)

 

 B.        The 'social economics' of authentication. (Beautement & Sasse, 2009)

 IV.        Ways of being more secure.

 A.        The 'other way' of coping with many passwords – write them down. (Mullins, 2008; Price, 2008)

 B.        How to 'encrypt' a written password. (Theodoropoulos, 2008)

 C.        Computer stored password databases, or “safes”.

 D.        Online password databases.

 E.        Future solutions: The fourth factor of authentication – someone you know. (Brainard, Juels, Rivest, Szydlo & Yung, 2006)

 V.        Conclusion: As more and more of our lives become computerized, it becomes more and more important for us to prove to different computer systems that we are who we claim to be – so that someone else, claiming to be us, cannot rob us of our money or our reputation. Our passwords, magnetic cards, 'PINs', etc., guard both our economic and our social well-being. We need to guard them as carefully as we guard our car keys and the keys to our homes. We must be aware of “safe” practices in the “virtual” world just as we are in our homes and parking lots. Computers, programs and electronic equipment can help us be safe in both places, if we will follow some simple rules. Learning and using good habits in both parts of our lives will make our lives easier, perhaps longer – and a lot less frightening.

 

Potential Audience Questions:

Q: If I use a password safe on my home or laptop computer, what happens if the disk drive on my computer blows up?

A: You lose anything you have not backed up, just the same as you lose any word processing documents or data files you have not backed up. That actually happened in a company where I used to work. We lost the password safe file because it was kept on a network drive which was not kept backed up. It cost a lot of time resetting all the passwords. You need to keep up-to-date copies of all important data – and they should be kept in a different building from where your computer is usually kept. Of course, then there is the possibility of someone stealing your backup...

 

Q: If I lose my passwords, how can I retrieve my data?

A: That question has two answers.

  First – if you lose the password to your data safe, or any other encrypted file on your own computer, you may be out of luck. Your only hope is to keep guessing passwords until your fingers wear out. That is why writing down those passwords could be very important.

  Second – most online web sites have methods of requesting to have your password reset.  They usually use “little known facts” as a method of authentication – so if anyone knows those facts about you – your mother's maiden name or where you met your spouse or whatever – they can steal your access to that site.  One of Sarah Palin's accounts was hacked during the presidential campaign using that trick.  Some people protect against that by supplying false answers to the 'little known facts' questions. Then you have to remember the correct false answer, though, if you ever do need the service.

 

Q: How do I know whether some online password storage service might be hacked into or use my passwords themselves?

A: You don't.  You simply have to trust them.  You do not have the “fourth factor” authentication with an Internet company like you do with a local business.  You trust your hometown bank because you can see the bricks and the people inside.  An Internet site could be run out of a rented stall in Nigeria for all your computer knows.  If you could get a reference from a trusted human that would give you a better confidence factor.

 

Q: Is guessing of passwords a big problem?

A: It can be. Remember, though, that the most likely way for someone to get your password is not by guessing it, but, as has happened thousands of times, by tricking you into revealing it to them. That is why you use a different password for every different situation. (Analyzing, 2006; Burnett, 2006; Hachman, 2010; Ruska, 2009)

 

Works Cited:

Analyzing 20,000 MySpace passwords. (2006, September 16). Retrieved January 9, 2010, from http://www.cyber-knowledge.net/blog/2006/09/16/analyzing-20000-myspace-passwords

 

Beautement, A., & Sasse, A. (2009). The economics of user effort in information security. Computer Fraud & Security, 2009(10), 8-12. doi:10.1016/S1361-3723(09)70127-7.

 

Brainard, J., Juels, A., Rivest, R., Szydlo, M., & Yung, M. (2006, October 30). Fourth factor authentication: Somebody you know [Electronic version]. ACM CCS, 168-178. doi:1595935185/06/0010. Retrieved January 22, 2010, from http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/fourth-factor/ccs084-juels.pdf

 

Brooks, M., Meehan, T., & Graham, R. (Writers), & Moranis, R. (Actor). (1987). Spaceballs [Video]. USA: MGM. Quotation retrieved January 28, 2010, from http://www.imdb.com/title/tt0094012/quotes

 

Burnett, M. (2006). Perfect passwords: Selection, protection, authentication. Rockland, MA: Syngress. Excerpt retrieved January 10, 2010, from http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time

 

Evers, J. (2006, February 14). Sun CSO: Write down your password. Retrieved January 9, 2010, from http://news.cnet.com/8301-10784_3-6039346-7.html

 

Federal Financial Institutions Examination Council. (n.d.). Authentication in an internet banking environment. Retrieved January 10, 2010, from http://www.ffiec.gov/pdf/authentication_guidance.pdf

 

Hachman, M. (2010, January 21). RockYou hack reveals the worst 20 passwords. PC Magazine digital edition. Retrieved January 23, 2010, from http://www.pcmag.com/article2/0,2817,2358273,00.asp

 

Johansson, J. M. (2008, February 4). Write down your passwords. Retrieved January 9, 2010, from http://msinfluentials.com/blogs/jesper/archive/2008/02/04/write-down-your-passwords.aspx

 

Mullins, B. (2009, October 11). Be safe -- write down your passwords. Retrieved January 9, 2010, from http://billmullins.blogspot.com/2009/10/be-safe-write-down-your-passwords.html

 

Price, C. (2008, January 29). Write down passwords, for your own good. Retrieved January 9, 2010, from http://www.christopherprice.net/write-down-passwords-for-your-own-good-217.html

 

Ruska, J. (2009, February 28). Most common passwords list from three databases. Retrieved January 9, 2010, from http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php

 

Schneier, B. (2005, June 17). Schneier on security: Write down your password. Retrieved January 9, 2010, from http://www.schneier.com/blog/archives/2005/06/write_down_your.html

Shakespeare, W. (n.d.). Othello, Act 3, Scene 3. Retrieved January 28, 2010, from http://shakespeare.mit.edu/othello/othello.3.3.html

 

Theodoropoulos, P. (2008, November 3). Passwords on post-its? You bet! Retrieved January 9, 2010, from http://klaatu.anastrophe.com/index.php/2007/01/12/passwords-on-post-its-you-bet