Passwords
-  Goals
    -  Understand the importance of a good password.
    -  Understand different ways someone might attempt to gain access to your password.
    -  Understand what makes a good password.
    -  Know how to reset your password at Edinboro.
     
 
-  Currently your username and your password provide complete identity 
     
-  So what?
    -  According to this report from the Bureau of Justice Statistics.
    -  17.6 million US residents were victims of identity theft in 2015
    -  This includes
        -  Credit card theft.
        -  Bank account theft
        -  Theft of personal information.
    -  2/3 reported financial loss.
        -  About $15 Billion total
        -  About 1/2 more than $100
        -  14% more than $1000
    -  About 1/2 spent a day resolving the problem
        -  9% spent more than a month.
    -  In general the habits you form today will impact you.
     
 
-  What is the impact of passwords in the University Environment?
    -  In general:
        -  Online shopping
        -  Government Interaction
            -  FAFSA
            -  IRS
            -  Social Security
        -  Online and in-person banking
    -  At school
        -  Right now the big issue would be scheduling
        -  Access to your grades/homework
        -  Access to your email.
	  
 
 
-  What can you do?
    -  Create a good password and keep it safe.
-  Forms of password attack
    -  Trying the default password.
    -  Trying a known password (password reuse)
    -  Social Engineering
    -  Dictionary Attacks
    -  Brute Force Attacks.
     
 
-  Social Engineering
    -  Phishing
        -  Various bad emails.
        -  Web sites
    -  In person
        -  Dad and his password list.
        -  A "network support contractor"
        -  Just a chat.
    -  NEVER:
        -  Give your password to anyone.
            -  Not even your sister, mother, boyfriend, girlfriend, ...
            -  System people have access, they do not need your password.
            -  And if they do, they should allow you to type it in WITHOUT WATCHING YOU DO SO
        -  Don't write your passwords down.
            -  In your wallet
            -  On your keyboard
            -  Anywhere.
	       
 
 
 
-  Other attacks
    -  Other attacks occur when an entity breaks into a service and takes the password file.
    -  My machine can "try" 350,000 passwords in a second
        -  Using 1 processor (I have 4 cores, so 1.4 Billion in a second)
        -  1.5 GHz processor.
        -  Memory doesn't matter in this case.
        -  This is not quite a fair test, as I was not "computing" new words, just re-encrypting the same one.
        -  That would cut the speed by 1/2 or more.
    -  The Oxford English Dictionary reports approximately 200,000 words.
        -  But we could easily double or triple this: hot dog, hotdog, hot-dog, hotdogs, hot-dogs, hot dogs
    -  Under reasonable assumptions, I should be able to try all 1 million dictionary words with my machine in a few minutes.
    -  Any dictionary word is subject to a brute force attack.
     
 
-   Why does EUP require?
     
     
-  Combinations and Permutations (Math 104)
    -  How many lower case letters are there?
    -  How many one letter passwords can I form?
    -  How long will it take for me to "try" all of these?
    -  With one letter, can I make this harder?
        -  upper case
        -  digits
        -  special symbols
    -  How about two letter passwords?
    -  How about three letter passwords?
     
 
-  What makes a bad password?
    -  The default
    -  Any word in any language
    -  Non-words with meaning (rotfl, ncc1701, r2d2)
    -  A word with a number on the end. (fred1)
    -  Anything you will have to write down to remember.
-  What makes a good password?
    -  Sufficient length
    -  Mix of letters, digits and special characters
    -  Something you can remember.
    -  Concatenate two words, with a symbol in the middle
    -  The first letter of each word in a phrase
        -  To be or not to be, that is the question.
        -  2BontB,TItq?
	 
 
 
-  I generally keep three passwords
    -  My secure password - EUP accounts
    -  My email password -
    -  My other password - for everything else.
     
 
-  Build a spreadsheet.
    -  Remember, my machine can try 350,000 passwords in a second.
    -  The age of the universe is 13.82 billion years (estimate)
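
The spreadsheet from this item and the counting questions under "Combinations and Permutations", worked out as an added Python example (it is not part of the original lecture notes). It uses the 350,000 guesses per second and the 13.82 billion year estimate from the notes; the four alphabet sizes and all function names are assumptions made for this example.

```python
"""Worst-case time to try every password, per alphabet and length."""

GUESSES_PER_SECOND = 350_000        # single-core rate quoted in the notes
UNIVERSE_AGE_YEARS = 13.82e9        # estimate quoted in the notes
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabet sizes: 26 letters per case, 10 digits, and the 32
# printable ASCII punctuation characters as the "special symbols".
ALPHABETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 94,
}

def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate of this length is tried once."""
    return keyspace(alphabet_size, length) / rate

def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    years = seconds / SECONDS_PER_YEAR
    if years >= UNIVERSE_AGE_YEARS:
        return f"{years / UNIVERSE_AGE_YEARS:.1f} x age of universe"
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.4f} seconds"

def min_length_to_outlast_universe(alphabet_size, rate=GUESSES_PER_SECOND):
    """Shortest length whose worst-case search exceeds the universe's age."""
    budget = UNIVERSE_AGE_YEARS * SECONDS_PER_YEAR
    length = 1
    while seconds_to_exhaust(alphabet_size, length, rate) <= budget:
        length += 1
    return length

if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for n in (1, 2, 3, 6, 8, 10, 12):
            print(f"{name:<28} len={n:<3} {humanize(seconds_to_exhaust(size, n))}")
        print(f"{name:<28} outlasts the universe at length "
              f"{min_length_to_outlast_universe(size)}")
```

The table covers only passwords that are not dictionary words or the other bad choices listed earlier; those fall to a word list long before the full keyspace is searched.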
	  
 
-  Resetting your password at Edinboro.
    -  Help Desk in Ross Hall.
        -  You will need your student ID.
    -  Online
        -  here
        -  But you will need some form of validation.