S7r0ng pas5wrdS Strong Passwords at - PowerPoint PPT Presentation

1 / 18

About This Presentation

Title:

S7r0ng pas5wrdS Strong Passwords at

Description:

Number of Views:63

Avg rating:3.0/5.0

Slides: 19

Provided by: itsuppor3

Category:

Tags: cougars | pas5wrds | passwords | s7r0ng | strong

Transcript and Presenter's Notes

Title: S7r0ng pas5wrdS Strong Passwords at

1
S7r0ng pas5wrdS _at_(Strong Passwords at)
February 2007
2
Universities in the news

In what appears to be one of the largest
computer security breaches ever at an American
university, one or more hackers have gained
access to a UCLA database containing personal
information on about 800,000 of the university's
current and former students, faculty and staff
members, among others. Los Angeles Times
(12/12/2006)
Western Illinois University is notifying more
than 180,000 people that their personal data is
at risk after hackers entered its networks.
ZDNet News (07/05/2006)

3
More News

4
Why are Universities Targets?

their need to maintain the free exchange of
ideas and information between faculty, students,
and researchers, both on campuses and between
universities. UH IT Newsletter (February 2006)
Universities have become attractive targets for
hackers who are taking advantage of the openness
of the schools' networks, their decentralized
security and the personal information they keep
on millions of young adults. RedmondMag.com
(12/18/2006)

5
Universities that Use Strong Passwords

6
How fast can a password be guessed?

There are computer programs that are designed
specifically for cracking passwords
The Class of Attack is dependent on the computer
resources available to the hacker. For example
Class A 10,000 Passwords/sec Using a typical
late 1990s Desktop (Pentium 100)
Class F 1,000,000,000 (1 Billion) Passwords/sec
Using a typical modern Supercomputer.
http//www.lockdown.co.uk/?pgcombisarticle
s

7
What Started This?

Texas Department of Information Resources (DIR)
Information Security and Risk Management Policy,
Standards, and Guidelines published in Texas
Administrative Code 202
Information resources residing in the various
institutions of higher education of state
government are strategic and vital assets
belonging to the people of Texas. These assets
must be available and protected commensurate
with the value of the assets. Measures shall be
taken to protect these assets against
unauthorized access, disclosure, modification or
destruction, whether accidental or deliberate,
as well as to assure the availability, integrity,
utility, authenticity, and confidentiality of
information.

8
(No Transcript)
9
Strong Password Standard for UH

Minimum Password Length 8 characters
Expire passwords every 90 days and prevent their
reuse for a year.
Require at least one character from each of the
following classes
- Alphabetic Upper or Lower case (a-z, A-Z)
- Numeric 0-9
- Special Characters ! ( ) _at_
Lockout After 5 consecutive failed login
attempts an account will be locked for 30
minutes.
Note Enforcement will be commensurate with the
risk level of the system.

10
Levels of Risk

3 UH mission-critical data. State and federal
security requirements apply. Data requires a high
degree of accuracy and completeness.
IMPACT Data loss can result in irreparable
damage to university information resources and
could result in legal repercussions and a
potential increase in regulatory attention. There
is also a strong risk to the university's
mission, functions, image, and reputation.
2 Department mission-critical data. Data
integrity and completeness is important.
IMPACT Data loss or corruption can cause severe
delays in research, instructional, or
departmental workflow.
1 Primarily personal email and other personal
files such as non-confidential classroom
instruction data. Importance of data to the owner
varies.
IMPACT Loss of data has minimal impact to
university mission, functions, image, and
reputation. Greatest impact on individuals rather
than departments.
0 Data has negligible effect on university's
mission, functions, image, and reputation.
Disclosure may be against policy, but would have
few if any external repercussions.
IMPACT Loss of data is regrettable but
insignificant. Probably little or no risk to
tangible asset or resource.

11
Systems and Current Password Settings
12
Systems and Proposed Password Settings
13
Example of Creating a Good Password

Step 1 Choose a Phrase Home of the University
of Houston Cougars.
Step 2 Write down the first character of each
word HotUoHC-s (To meet the 8 character minimum,
Cougars was hyphenated as C-s.)
Step 3 Substitute special characters and
numbers to increase complexity H0tUo_at_UU-s
Note choose substitutions that are meaningful to
you, this makes it easier to remember

14
Passwords Should NOT Be

based on personal information, such as names of
family, dates, addresses, phone numbers, pet
names, etc.
based on work information, such as room numbers,
building name, co-workers name, phone number,
etc.
made of a word or number patterns like, aaabbb,
qwerty, zyxwvuts, 123321, abcABC123, etc.
a word or combination of words found in any
dictionary in any language, slang, dialect,
jargon, etc.
based on your username, your real name, handle,
nickname, screen name, etc.

15
Password Resets are Already Strong

Starting October 2005, if you have had a
password reset by the IT Help Desk at 3-1411 or
from the Online Password Reset site
(www.uh.edu/infotech/password) you have received
strong passwords.

16
Online Password Reset with System Generated
Password
Online Password Reset Site (www.uh.edu/infotech/pa
ssword)
17
What is the plan?

Until March 15 Communicate and educate the
campus on strong passwords and the plan for
enforcement.
March 19 CougarNet will begin enforcement of
strong passwords. It will take effect next time
your password expires and needs to be changed.
Other changes to systems, including WebCT Vista,
will be phased in during the year.