Password Presentation Online

The document discusses password security and provides tips for creating strong passwords. It explains that weak passwords can be easily guessed while strong passwords contain a variety of characters and are unique for each account. The document also warns against password practices like reuse, writing down, or using personal information for passwords due to security risks.


Password Security

April 10, 2015 (V1)

Table of Contents

Why Passwords?
Weak Passwords
Strong Passwords
Attacking Passwords
Password management
Password tips
Self-test
References

Recent Major Security Breaches

Lulz Security hacks Sony Pictures website
  Releases 50,000 users' information
Rogue members of the hacker collective Anonymous hack PlayStation Network and Qriocity
  All user information made available
LulzSec strikes Sony again with an exploit of the PSN password reset URL
  Prevents the owner of the account from fixing the prior hack

[LulzSec logo]

Important!
Anything involving the internet is inherently more risky than anything not leaving your computer.
Passwords are the front line of defense.
Most people's passwords are not strong enough to withstand an offline brute-force attack against a stolen password database; today we are going to look at how best to strengthen our passwords.

Concern!
"It's too easy to hack a password"

This is true, but only IF the password is weak.

For example:
City Hall defaults to using clermont as the password for any accounts made.
If this is left unchanged for too long, the security of the account would be compromised.
This password only contains lowercase letters; introducing a variety of characters, such as Clermont, or, even better, CLeRmOnT, increases the brute-force search space considerably. Note, though, that cracking tools apply case and symbol substitutions to dictionary words automatically, so a mangled dictionary word is still weak on its own: combine the mixed characters with length and with words that are not in any dictionary.

Is it possible for passwords to be stolen if your computer is infected with a virus or does not have a firewall?

ABSOLUTELY
Malware can read your browser's saved passwords, log keystrokes, or send your data to places other than where you think you are sending it.
Firewalls prevent people from accessing your computer remotely, and using encrypted connections (HTTPS) prevents data sniffing to discover your information.

The accounts I have behind passwords are unimportant; why should I care?

These accounts are tied to your email, which you will probably use for a very long time to come.
Many people reuse passwords across sites; a breach at one site could then lead to total loss of security across all sites.
Those passwords could be, or could at least lead a hacker to, your password for your bank account later in life.
Preparing now with good habits and solid defenses that will be effective in the future, when your life and livelihood are shielded by a password, will help prevent crippling identity theft and related troubles later in life.

Quick Quiz
Which of the following best describes the reason your password is easy to remember:
A. based on common dictionary words
B. based on common names
C. based on user/account name
D. is short (under 6 characters)
E. none of the above
(choose/click one)

Your Identity and Privacy are at risk
Unfortunately, the characteristic you have selected also makes your password vulnerable to attack, thus putting your identity and privacy at risk.
You are not alone.
Let's take a look at a few more characteristics and practices that make a password vulnerable to attack.

Your Identity and Privacy may still be at risk
There may be other characteristics of your password and its use that put your identity at risk.
Let's take a quick look at a few more characteristics and practices that make a password vulnerable to attack.

Characteristics of weak passwords

Weak Passwords
based on common dictionary words, including dictionary words that have been altered:
  Reversed (e.g., terces)
  Mixed case (e.g., SeCreT)
  Character/symbol replacement (e.g., $ecret)
  Words with vowels removed (e.g., scrt)
based on common names
based on user/account identifier
short (under 6 characters)
based on keyboard patterns (e.g., qwerty)
composed of a single character type (e.g., all letters)
resemble license plate values
are difficult for you to remember

Weak password practices

Weak Password practices
recycling passwords
recording (writing down) passwords
use of previously recorded passwords (combination of the above practices)
use of a password on two or more systems/contexts
  Especially risky when passwords are reused in low-trust systems (e.g., online gaming) because of the increased exposure
Factoid: The key element in password security is the crackability of a password combination; inadequate knowledge of password procedures, content, and cracking lies at the root of users' insecure behaviours. 6

Common mistakes in creating passwords

Risk Evaluation of common mistakes

Mistake: Using a common password
Example: 123456789, password, qwerty
Risk evaluation: Too risky. These are most criminals' first guesses, so don't use them.

Mistake: Using a password that is based on personal data
Example: Gladiator, Bobby, Jenny, Scruffy
Risk evaluation: Too risky: anyone who knows you can easily guess this information. Basing a password on your social security number, nicknames, family members' names, or the names of your favorite books, movies or football team are all bad ideas.

Mistake: Using a short password
Example: John12, Jim2345
Risk evaluation: The shorter a password, the more opportunities for observing, guessing, and cracking it.

Mistake: Using the same password everywhere
Example: Using one password on every site or online service.
Risk evaluation: Too risky: it's a single point of failure. If this password is compromised, or someone finds it, the rest of your accounts, including your sensitive information, are at risk.

Mistake: Writing your passwords down
Example: Writing your password down on a post-it note stuck to your monitor.
Risk evaluation: Very high risk, especially in corporate environments. Anyone who physically gets the piece of paper or sticky note that contains your password can log into your account.

[Image: Bad Passwords!]

Characteristics of strong passwords

Strong Passwords
contain at least one of each of the following:
  digit (0..9)
  letter (a..Z) (both lower and upper case)
  punctuation symbol (e.g., !)
  control character (e.g., ^s, Ctrl-s); note that many systems and web forms reject control characters in passwords, so check that yours accepts them before relying on one
are based on a verse (e.g., passphrase) from an obscure work, where the password is formed from the characters in the verse
  e.g., ypyiyp derived from the title of this module
  sometimes referred to as a virtual password
are easily remembered by you but very difficult (preferably impossible) for others to guess
Most passwords using capital letters have them as the first and last character; mix this up and capitalize other letters instead

Strong password practices

Strong Password Practices
never recycle passwords
never record a password anywhere
  exceptions include use of encrypted password vaults
use a different password for each system/context
be aware that Trojan horse programs can masquerade as login prompts, so always reset the system as appropriate to obtain a trusted login prompt
check for keyboard buffer devices/software that intercept keystrokes (including password capture)
change your password occasionally
change your password immediately if you suspect it has been stolen
passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise. 9
monitor for possible eavesdroppers during entry of your password
do not use the "Remember Password" feature of applications (e.g., Microsoft Internet Explorer)
inquire about proactive password checking measures with your system administrator

How long should my password be?
According to recent studies performed at the Georgia Tech Research Institute, due to modern hardware power, specifically within the GPU, any password with fewer than 12 characters is far too weak and should be changed as soon as possible.
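As an added example (not from the deck), the estimator below makes the 12-character advice concrete: it computes the brute-force search space of a password from its length and the character classes it uses, then converts that into the expected time for an exhaustive search at two assumed guess rates. Both rates are round-number assumptions chosen to bracket a GPU rig attacking a fast unsalted hash and the same rig attacking a deliberately slow hash; they are not figures from the Georgia Tech study.

```python
"""Brute-force search space and expected cracking time by length and alphabet.

Added example. GUESSES_PER_SECOND holds assumed, illustrative rates.
"""
import math
import string

CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

GUESSES_PER_SECOND = {
    "GPU vs. fast unsalted hash (assumed 1e10/s)": 1e10,
    "GPU vs. slow hash such as bcrypt (assumed 1e5/s)": 1e5,
}


def alphabet_size(password):
    """Size of the smallest union of standard classes that covers the password.
    An attacker who knows nothing else must enumerate at least this alphabet."""
    known = set().union(*CLASSES.values())
    size = sum(len(chars) for chars in CLASSES.values() if set(password) & chars)
    # Characters outside the four classes count as one symbol each (a floor).
    return size + len(set(password) - known)


def keyspace(length, alphabet):
    return alphabet ** length


def bits(space):
    return math.log2(space)


def seconds_to_crack(space, rate):
    """Expected time for an exhaustive search: on average half the space."""
    return space / 2 / rate


def human(seconds):
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def report(password):
    n = alphabet_size(password)
    space = keyspace(len(password), n)
    lines = [f"{password!r}: {len(password)} chars, alphabet {n}, {bits(space):.1f} bits"]
    for label, rate in GUESSES_PER_SECOND.items():
        lines.append(f"  {label}: {human(seconds_to_crack(space, rate))}")
    return "\n".join(lines)


if __name__ == "__main__":
    for pw in ["clermont", "CLeRmOnT", "Jim2345", "!20Mtfbwy13!", "f9%Wfh"]:
        print(report(pw))
```

The figures are an upper bound on the attacker's work: they assume the whole alphabet must be enumerated, so a dictionary word such as CLeRmOnT falls far faster than its 52^8 space suggests, and the slow-hash row shows why a server that stores bcrypt, scrypt or Argon2 hashes instead of plain MD5 or SHA-1 buys its users several orders of magnitude.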

Mozilla's Safe Password Methodology
1. Pick a familiar phrase or quote, for example, "May the force be with you", and then abbreviate it by taking the first letter of each word, so it becomes mtfbwy
2. Add some special characters on either side of the word to make it extra strong (like #mtfbwy!)
3. And then associate it with the website by adding a few characters from the website name into the original password as either a suffix or prefix. So the new password for Amazon could become #mtfbwy!AmZ, #mtfbwy!FbK for Facebook and so on.
*While this technique lets us reuse the phrase-generated part of the password on a number of different websites, it would still be a bad idea to use it on a site like a bank account which contains high-value information. Sites like that deserve their own password selection phrase. Keep in mind that anyone who sees one of these passwords (for example, in a breach) can read off the shared core and the site-token rule and guess your password on every other site that uses it.

Using a passphrase to write a secure password
While generating a password you should follow two rules: length and complexity. Let's start by using the following sentence: "May the force be with you." Let's turn this phrase into a password.
1. Take the first letter from each word: Mtfbwy.
2. Now increase its strength by adding symbols and numbers: !20Mtfbwy13!
  The 20 and 13 refer to the year, 2013.
  Secondly, I put a ! symbol on each end of the password.
Try using the name of your online account in the password:
  !20Mtfbwy13!Gmail (for Gmail)
  fb!20Mtfbwy13! (for Facebook)
That's one password-developing strategy. Let's keep adding complexity, while also attempting to keep things possible to memorize. *You actually should not use a common phrase such as this one; pick a verse that only you know.
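Both derivation schemes above (Mozilla's #mtfbwy!AmZ and the !20Mtfbwy13!Gmail variant) share one core between sites and differ only by a site token. The script below is an added example, not Mozilla's or the deck author's code: it implements that scheme and then shows the attacker's side, where one leaked password plus the token rule recovers the core and predicts the password on every other site. The token rule (first three letters of the site name, capitalised) is my assumption to keep the example deterministic; the deck's hand-picked AmZ/FbK tokens change nothing about the conclusion. The last function shows the alternative a password manager gives you: an independent random secret per site.

```python
"""'Phrase core + site token' passwords, and why one leak exposes all of them.

Added example. site_token() is a hypothetical rule chosen for determinism.
"""
import secrets
import string


def site_token(site):
    """Hypothetical token rule: first three letters of the site, capitalised."""
    return site[:3].capitalize()


def derive(core, site, position="suffix"):
    """Build the per-site password the deck describes: core plus site token."""
    token = site_token(site)
    return core + token if position == "suffix" else token + core


def recover_core(leaked, site):
    """Attacker view: a leaked password for a known site yields the core by
    stripping the token from whichever end it sits on."""
    token = site_token(site)
    cores = set()
    if leaked.endswith(token):
        cores.add(leaked[: -len(token)])
    if leaked.startswith(token):
        cores.add(leaked[len(token):])
    return cores


def predict(leaked, leaked_site, target_site):
    """Every password the attacker tries on target_site after one leak."""
    guesses = set()
    for core in recover_core(leaked, leaked_site):
        guesses.add(derive(core, target_site, "suffix"))
        guesses.add(derive(core, target_site, "prefix"))
    return guesses


def random_password(length=16):
    """Independent per-site secret: a leak elsewhere reveals nothing about it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    core = "#mtfbwy!"
    amazon = derive(core, "Amazon")            # '#mtfbwy!Ama'
    guesses = predict(amazon, "Amazon", "Facebook")
    print("leaked from Amazon:", amazon)
    print("attacker tries on Facebook:", sorted(guesses))
    print("real Facebook password is among them:", derive(core, "Facebook") in guesses)
    print("per-site random alternative:", random_password())
```

Two guesses are enough to take the Facebook account, which is why the deck's own warning to keep a separate phrase for high-value sites is the important part of the method; a manager-generated random password per site removes the shared core entirely.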

Testing your Passwords

Use these tools to test the strength of a password. As a precaution, you shouldn't use these services to test your actual password, since you are sending it to a third party. Instead, use them to learn what works and what doesn't. Just play with the strength checkers by constructing fake passwords and testing them.

http://rumkin.com/tools/password/passchk.php
https://www.microsoft.com/security/pc-security/password-c
hecker.aspx
http://www.grc.com/haystack.htm
http://howsecureismypassword.net/

Password Attacks
Most successful attacks are based on:
Dictionary attacks
  The guessing [often automated] of a password by repeated trial and error.1
Social engineering
  Social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.2
Factoid: passwords are inherently risky, because they are susceptible to attack.5

Dictionary Attacks
Most hackers utilize widely available password cracking dictionaries, together with word-mangling rules, to uncover weak passwords
Ways to reduce your risk:
Create and use strong passwords

Factoid: The use of passwords is a major point of vulnerability in computer security, as passwords are often easy to guess by automated programs running dictionary attacks.3
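To show what "widely available cracking dictionaries" actually do with the altered dictionary words listed under Characteristics of weak passwords (terces, SeCreT, $ecret, scrt) and with the CLeRmOnT example, here is an added example that is not part of the deck: a small dictionary attack that applies mangling rules (reversal, every case combination, leet substitutions, vowel removal) to a four-word wordlist and tests the candidates against unsalted SHA-256 hashes. The "leaked" hashes are constructed inline by hashing known weak passwords; nothing here is real breach data.

```python
"""Dictionary attack with word-mangling rules against unsalted SHA-256 hashes.

Added example. WORDLIST and LEAKED are constructed for the demonstration.
"""
import hashlib
import itertools

# Substitutions crackers apply routinely; the deck's "$ecret" is one of them.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7", "l": "1"}
VOWELS = set("aeiou")


def case_variants(word):
    """Every upper/lower case combination of the word (2**letters of them)."""
    letters = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*letters)}


def leet_variants(word):
    """Every combination of leet substitutions applied to the word."""
    options = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*options)}


def mangle(word):
    """All candidates derived from one dictionary word: the forms the deck
    calls altered dictionary words (reversed, mixed case, symbols, no vowels)."""
    base = word.lower()
    bases = {base, base[::-1], "".join(c for c in base if c not in VOWELS)}
    out = set()
    for b in bases:
        for cased in case_variants(b):
            out |= leet_variants(cased)
    return out


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(hashes, wordlist):
    """Try every mangled candidate from the wordlist against the target hashes.
    Returns {hash: recovered_password} for each hash that was hit."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in targets:
                found[digest] = candidate
                targets.discard(digest)
    return found


# Constructed "leaked" database: hashes of five altered dictionary words.
WORDLIST = ["clermont", "secret", "password", "gladiator"]
LEAKED = [sha256_hex(p) for p in ("CLeRmOnT", "$ecret", "terces", "scrt", "P@$$w0rd")]

if __name__ == "__main__":
    hits = crack(LEAKED, WORDLIST)
    for digest, password in hits.items():
        print(f"{digest[:16]}...  ->  {password}")
    print(f"{len(hits)}/{len(LEAKED)} recovered")
```

All five "altered" passwords fall to a four-word list in well under a second, while the deck's f9%Wfh is never produced because it is not derived from any word. John the Ripper and hashcat ship rule sets far larger than these four transforms, and the approach works identically against MD5, SHA-1 or NTLM; only a slow, salted hash on the server side slows it down.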

Social Engineering
Perhaps the most notorious social engineer, Kevin Mitnick, once stated:
"People are the weakest link. You can have the best technology and somebody can call an unsuspecting employee. That's all she wrote. They got everything."7

Ways to reduce your risk:
Remain vigilant and inquisitive
Be aware that your password keystrokes may be observed by others
Confirm authorization and establish trust before releasing any important information

Passwords in the Context of Your Identity and Privacy
What is a password?
A password is information associated with an entity that confirms the entity's identity.1

Why are passwords needed?
Passwords are used for authentication
Authentication can be thought of as the act of linking yourself to your electronic identity within the system you are connecting to
Your password is used to verify to the system that you are the legitimate owner of the user/account identifier
Commonly referred to as logging in

Factoid: Passwords remain the most widely used authentication method despite their well-known security weaknesses.4

Passwords in the Context of Your Identity and Privacy
Passwords/Identity/Privacy
Attackers who obtain your password can authenticate themselves on various systems and in turn
  Access your personal information (invade your privacy)
  Impersonate you by acting on your behalf (steal your identity)
Factoid: Password mechanisms and their users form a socio-technical system, whose effectiveness relies strongly on the users' willingness to make the extra effort that security-conscious behavior requires.4

Password Facts worth


Remembering
Protection of Your Identity and Privacy in the
information age hinges on sound password
knowledge and practice
Those who do not use strong passwords and
password practices are often their own worst
enemy
If you feel you have too many passwords to
remember then consider using a password manager
(e.g., KeePass)
The risks are real, they affect you either directly or
indirectly and they can be diminished by using
strong passwords and password practices

Factoid: [Studies] have shown that current password mechanisms have largely
failed to consider usability, and that given the increasing number of system and
passwords most users cannot cope with the demands imposed on them.4

Password overload
Many people use a few passwords for all of their major accounts.
The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them.

Password Security
More than 60% of people use the same password across multiple sites.
If one of your accounts is hacked, it's likely that your other accounts that used the same password will quickly follow.

Password Management
1. Human memory is the safest database for storing all
your passwords
2. Writing passwords down on a piece of paper
3. Storing passwords on a computer in a Word
document or Excel file
4. Password Manager is software that allows you to
securely store all of your passwords and keep them
safe, typically using one master password. This kind
of software saves an encrypted password database,
which securely stores your passwords either on your
machine or on the Web.
You should not rely totally on any type of password manager
Your single master password must be unique and complex

Human Memory
Strength: safest database for storing all your passwords
Weakness: easy to forget

Writing on paper
Strength: ease of access
Weaknesses:
You can lose the paper
Paper could be easily stolen or viewed by other people

Storing on computer
Strength: ease of access
Weaknesses:
Data is not encrypted; anyone who has access to the computer that the file is saved on can easily read your passwords
If your computer breaks, you could permanently lose the file


Which is the best?

Password management tools are really good solutions for reducing the likelihood that passwords will be compromised, but don't rely on a single source. Why? Because any computer or system is vulnerable to attack. Relying on a password management tool creates a single point of potential failure.
But before you turn to a password-management service based in the cloud or on your PC, it's best to review the quality of the service, said Tim Armstrong, malware researcher at Kaspersky Lab. He pointed out that you've got to ensure against data leakage or insecure database practices. "Users must be extra careful in choosing a provider," Armstrong said. "Make sure they're a valid and reputable vendor."
Grant Brunner wrote a fascinating article at ExtremeTech about Staying safe online: Using a password manager just isn't enough. In it, he wrote, "using a password manager for all of your accounts is a very sensible idea, but don't be lulled into a false sense of security. You're not immune from cracking or downtime." Broadly speaking, password managers such as LastPass are like any software: vulnerable to security breaches. For example, LastPass experienced a security breach in 2011, but users with strong master passwords were not affected.

Disadvantage: If you forget the master password, all your other passwords in the database are lost forever, and there is no way of recovering them.
Don't forget that password!
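To make "an encrypted password database protected with one master password" concrete, here is an added toy vault; it is not KeePass's or Password Safe's file format, and it uses only the Python standard library: PBKDF2 stretches the master password into an encryption key and a MAC key, an HMAC-SHA256 counter-mode keystream encrypts the JSON entries, and an HMAC tag over salt, nonce and ciphertext is checked before anything is decrypted (encrypt-then-MAC). The two situations the slides describe, a wrong master password and a database whose master password you have forgotten, end in the same MAC failure: there is nothing to recover. Real products use a vetted cipher such as AES or ChaCha20 rather than an HMAC keystream; the structure is the same.

```python
"""Toy encrypted password vault unlocked by a single master password.

Added example; standard library only, not a real product's format.
"""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 200_000   # slows down every guess at the master password


def derive_keys(master, salt):
    """Stretch the master password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master, entries):
    """Encrypt a dict of {site: password}; returns salt|nonce|tag|ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def unseal(master, blob):
    """Decrypt; raises ValueError on a wrong master password or a modified blob."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("wrong master password or corrupted vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def try_unseal(master, blob):
    """Return the entries, or None when the vault refuses to open."""
    try:
        return unseal(master, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    vault = seal("correct horse battery staple", {"bank": "f9%Wfh", "forum": "ig*hh4"})
    print(try_unseal("correct horse battery staple", vault))
    print(try_unseal("clermont", vault))                          # None: wrong master
    tampered = vault[:-1] + bytes([vault[-1] ^ 1])
    print(try_unseal("correct horse battery staple", tampered))   # None: modified
```

The only thing standing between an attacker who copies the vault file and every password inside it is the master password fed through the KDF, which is why the slides insist that it be unique and complex; the iteration count makes each guess cost real time, but it cannot rescue a master password that is itself a dictionary word.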

KeePass
KeePass is a popular open-source, cross-platform, desktop-based password manager. It is available for Windows, Linux and Mac OS X as well as mobile operating systems like iOS and Android. It stores all your passwords in a single database (or a single file) that is protected and locked with one master key. The KeePass database is mainly one single file which can be easily transferred to (or stored on) any computer. Go to the download page to get your copy.
KeePass is a local program, but you can make it cloud-based by syncing the database file using Dropbox, or another service like it. Check out Justin Pot's article, Achieve Encrypted Cross-Platform Password Syncing With KeePass & Dropbox.
Make sure you always hit save after making a new entry to the database!

Password Safe
Many computer users today have to keep track of dozens of passwords: for network accounts, online services, premium web sites.8
With Password Safe, a free Windows 9x/2000 utility from Counterpane Labs, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all.8
Password Safe features a simple, intuitive interface that lets users set up their password database in minutes.8
Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.8
You can learn more about this product by visiting

tiered password systems


Tiered password systems involve having different levels of passwords
for different types of websites, where the complexity of the password
depends on what the consequences would be if that password is
compromised/obtained.
Low security: for signing up for a forum, newsletter, or
downloading a trial version for a certain program.
Medium security: for social networking sites, webmail and instant
messaging services.
High security: for anything where your personal finance is
involved such as banking and credit card accounts. If these are
compromised it could drastically and adversely affect your life. This
may also include your computer login credentials.
Keep in mind that this categorization should be based on how
critical each type of website is to you. What goes in which
category will vary from person to person.

Review and categorize your passwords
1. Categorize your passwords into 3 categories: high, medium, or low. Categorization should be based on how critical each type of website is to you. Take 5 minutes to categorize some of your online accounts.
2. Your high security passwords are the most important. Keep in mind:
  You should change any password that is weak.
  If you have used any of your passwords for more than 1 site, you should change it.

Things to NOT do!

You should never record or write your password down on a post-it note.
Never share your password with anyone, even your colleagues.
You have to be very careful when using your passwords on public PCs like those in schools, universities and libraries, etc. Why? Because there's a chance these machines are infected with keyloggers (or other keystroke logging methods) or password-stealing trojan horses.
Do not use any password-saving features such as Google Chrome's Auto Fill feature or Microsoft's Auto Complete feature, especially on public PCs.
Do not fill in any form on the Web with your personal information unless you know you can trust it. Nowadays, the Internet is full of fraudulent websites, so you have to be aware of phishing attempts.
Use a trusted and secure browser such as Mozilla Firefox, and keep it updated. Firefox ships frequent security patches and improvements to protect you from malware, phishing attempts and other security threats, and to keep you safe as you browse the Web.

Additional safety tips

Traffic on an open Wi-Fi connection can be easily captured with free packet-sniffer software.
Always enable HTTPS (also called secure HTTP) settings in all online services that support it; this includes Twitter, Google, Facebook and more.
Spoofed Website [image]

Internet Crime Prevention


Tips
Internet crime schemes that steal millions of dollars each year from victims continue to plague the
Internet through various methods. Following are preventative measures that will assist you in being
informed prior to entering into transactions over the Internet:

Auction Fraud
Counterfeit Cashier's Check
Credit Card Fraud
Debt Elimination
DHL/UPS
Employment/Business Opportunities
Escrow Services Fraud
Identity Theft
Internet Extortion
Investment Fraud
Lotteries
Nigerian Letter or "419"
Phishing/Spoofing
Ponzi/Pyramid
Reshipping
Spam
Third Party Receiver of Funds

Online crime prevention


If the opportunity appears too good to be true, it probably is.
Auction Fraud
Before you bid, contact the seller with
any questions you have.
Review the seller's feedback.
Be cautious when dealing with
individuals outside of your own
country.
Ensure you understand refund, return,
and warranty policies.
Determine the shipping charges
before you buy.
Be wary if the seller only accepts wire
transfers or cash.
If an escrow service is used, ensure it
is legitimate.
Consider insuring your item.
Be cautious of unsolicited offers.

Counterfeit Cashier's Check


Inspect the cashier's check.
Ensure the amount of the check matches in
figures and words.
Check to see that the account number is
not shiny in appearance.
Be watchful that the drawer's signature is
not traced.
Official checks are generally perforated on
at least one side.
Inspect the check for additions, deletions,
or other alterations.
Contact the financial institution on which
the check was drawn to ensure legitimacy.
Obtain the bank's telephone number from a
reliable source, not from the check itself.
Be cautious when dealing with individuals
outside of your own country.

Online crime prevention


(cont.)
Credit Card Fraud
Ensure a site is secure and reputable
before providing your credit card
number online.
Don't trust a site just because it
claims to be secure.
If purchasing merchandise, ensure it
is from a reputable source.
Promptly reconcile credit card
statements to avoid unauthorized
charges.
Do your research to ensure
legitimacy of the individual or
company.
Beware of providing credit card
information when requested through
unsolicited emails.

Debt Elimination
Know who you are doing business with
do your research.
Obtain the name, address, and telephone
number of the individual or company.
Research the individual or company to
ensure they are authentic.
Contact the Better Business Bureau to
determine the legitimacy of the company.
Be cautious when dealing with individuals
outside of your own country.
Ensure you understand all terms and
conditions of any agreement.
Be wary of businesses that operate from
P.O. boxes or maildrops.
Ask for names of other customers of the
individual or company and contact them.
If it sounds too good to be true, it probably
is.

Online crime prevention


(cont.)
DHL/UPS
Beware of individuals using the DHL
or UPS logo in any email
communication.
Be suspicious when payment is
requested by money transfer before
the goods will be delivered.
Remember that DHL and UPS do not
generally get involved in directly
collecting payment from customers.
Fees associated with DHL or UPS
transactions are only for shipping
costs and never for other costs
associated with online transactions.
Contact DHL or UPS to confirm the
authenticity of email
communications received.

Employment/Business Opportunities
Be wary of inflated claims of product
effectiveness.
Be cautious of exaggerated claims of
possible earnings or profits.
Beware when money is required up front for
instructions or products.
Be leery when the job posting claims "no
experience necessary".
Do not give your social security number
when first interacting with your prospective
employer.
Be cautious when dealing with individuals
outside of your own country.
Be wary when replying to unsolicited emails
for work-at-home employment.
Research the company to ensure they are
authentic.
Contact the Better Business Bureau to
determine the legitimacy of the company.

Online crime prevention


(cont.)
Escrow Services Fraud
Always type in the website address
yourself rather than clicking on a link
provided.
A legitimate website will be unique
and will not duplicate the work of
other companies.
Be cautious when a site requests
payment to an "agent", instead of a
corporate entity.
Be leery of escrow sites that only
accept wire transfers or e-currency.
Be watchful of spelling errors,
grammar problems, or inconsistent
information.
Beware of sites that have escrow
fees that are unreasonably low.

Identity Theft
Ensure websites are secure prior to submitting
your credit card number.
Do your homework to ensure the business or
website is legitimate.
Attempt to obtain a physical address, rather
than a P.O. box or maildrop.
Never throw away credit card or bank
statements in usable form.
Be aware of missed bills which could indicate
your account has been taken over.
Be cautious of scams requiring you to provide
your personal information.
Never give your credit card number over the
phone unless you make the call.
Monitor your credit statements monthly for any
fraudulent activity.
Report unauthorized transactions to your bank
or credit card company as soon as possible.
Review a copy of your credit report at least
once a year.

Online crime prevention


(cont.)
Internet Extortion
Security needs to be multilayered so that numerous
obstacles will be in the way of the
intruder.
Ensure security is installed at
every possible entry point.
Identify all machines connected to
the Internet and assess the
defense that's engaged.
Identify whether your servers are
utilizing any ports that have been
known to represent insecurities.
Ensure you are utilizing the most
up-to-date patches for your
software.

Investment Fraud
If the "opportunity" appears too good to be
true, it probably is.
Beware of promises to make fast profits.
Do not invest in anything unless you
understand the deal.
Don't assume a company is legitimate based
on "appearance" of the website.
Be leery when responding to investment
offers received through unsolicited email.
Be wary of investments that offer high
returns at little or no risk.
Independently verify the terms of any
investment that you intend to make.
Research the parties involved and the nature
of the investment.
Be cautious when dealing with individuals
outside of your own country.
Contact the Better Business Bureau to
determine the legitimacy of the company.

Online crime prevention


(cont.)
Lotteries
If the lottery winnings appear too good
to be true, they probably are.
Be cautious when dealing with
individuals outside of your own
country.
Be leery if you do not remember
entering a lottery or contest.
Be cautious if you receive a telephone
call stating you are the winner in a
lottery.
Beware of lotteries that charge a fee
prior to delivery of your prize.
Be wary of demands to send additional
money to be eligible for future
winnings.
It is a violation of federal law to play a
foreign lottery via mail or phone.

Nigerian Letter or "419"


If the "opportunity" appears too good to
be true, it probably is.
Do not reply to emails asking for personal
banking information.
Be wary of individuals representing
themselves as foreign government
officials.
Be cautious when dealing with individuals
outside of your own country.
Beware when asked to assist in placing
large sums of money in overseas bank
accounts.
Do not believe the promise of large sums
of money for your cooperation.
Guard your account information carefully.
Be cautious when additional fees are
requested to further the transaction.

Online crime prevention


(cont.)
Phishing/Spoofing
Be suspicious of any unsolicited
email requesting personal
information.
Avoid filling out forms in email
messages that ask for personal
information.
Always compare the link in the
email to the link that you are
actually directed to.
Log on to the official website,
instead of "linking" to it from an
unsolicited email.
Contact the actual business that
supposedly sent the email to
verify if the email is genuine.

Ponzi/Pyramid
If the "opportunity" appears too
good to be true, it probably is.
Beware of promises to make fast
profits.
Exercise diligence in selecting
investments.
Be vigilant in researching with whom
you choose to invest.
Make sure you fully understand the
investment prior to investing.
Be wary when you are required to
bring in subsequent investors.
Independently verify the legitimacy
of any investment.
Beware of references given by the
promoter.

Online crime prevention


(cont.)
Reshipping
Be cautious if you are asked to ship
packages to an "overseas home office."
Be cautious when dealing with
individuals outside of your own country.
Be leery if the individual states that his
country will not allow direct business
shipments from the United States.
Be wary if the "ship to" address is yours
but the name on the package is not.
Never provide your personal
information to strangers in a chatroom.
Don't accept packages that you didn't
order.
If you receive packages that you didn't
order, either refuse them upon delivery
or contact the company where the
package is from.

Spam
Don't open spam. Delete it unread.
Never respond to spam as this will confirm to
the sender that it is a "live" email address.
Have a primary and secondary email address one for people you know and one for all other
purposes.
Avoid giving out your email address unless you
know how it will be used.
Never purchase anything advertised through
an unsolicited email.
Third Party Receiver of Funds
Do not agree to accept and wire payments for
auctions that you did not post.
Be leery if the individual states that his country
makes receiving these type of funds difficult.
Be cautious when the job posting claims "no
experience necessary".
Be cautious when dealing with individuals
outside of your own country.

Self-Test
Remember, better understanding leads to better
protection of

our Password
our Identity
our Privacy

Do not cheat yourself

Question 1
Strong passwords and password practices
contribute to protection of identity and
privacy.

A. TRUE
B. FALSE
(choose/click one)

Correct!
Excellent,
strong passwords and password
practices do contribute to protection
of identity and privacy
Now let's move on to the next question

Question 2
Which pair contains both a weak and a
strong password?
A. cs101ra, ME11111
B. WYSIWYG, passwd
C. ig*hh4, f9%Wfh
D. kirk, on$7mur
(choose/click one)

Correct!
Excellent,
A. cs101ra, ME11111
(weak, common), (weak, license #)
B. WYSIWYG, passwd
(weak, common acronym), (weak, common)
C. ig*hh4, f9%Wfh
(strong), (strong)
D. kirk, on$7mur
(weak, common name), (strong)

Now let's move on to the next question

Question 3
What is the role of passwords in authentication?

A. to identify the user
B. to verify you are the legitimate owner of the user/account identifier
C. to provide security
D. none of the above
(choose/click one)

Correct!
Excellent, the role of passwords in authentication is
B. to verify you are the legitimate owner of the user/account identifier
Now let's move on to the next question.

Question 4
Which of the following best describes the relationship between authentication and both identity and privacy?
A. Successful authentication validates identity and provides access to private information
B. Authentication is the validation of a user's identity
C. Anyone who authenticates themselves on a system using your credentials (user/account identifier, password) assumes your identity and has access to your personal information on that system
D. Identity theft and invasion of privacy are likely results of weak passwords and/or password practices
(choose/click one)

Correct!
Excellent,
A. Successful authentication validates identity and provides access to private information
Note: the other choices are either simple definitions or facts regarding the conditions or probable outcomes of fraudulent authentication (likely attributable to password theft).

Now let's move on to the next question.

Question 5
This is a tool helpful to those who have many passwords to remember.

A. KeePass 2
B. Password Safe
C. Sphinx
D. TK8 Safe
(choose/click one)

Correct!
Excellent,
(actually, these are all tools helpful to those who have many passwords to remember)
KeePass 2, learn more by visiting http://keepass.info/
Password Safe, learn more by visiting http://www.passwordsafe.com/
Sphinx (a hardware solution), learn more by visiting http://www.securetech-corp.com/sphinx.html
TK8 Safe, learn more by visiting http://www.tk8.com/safe.asp
Congratulations, you have answered all questions correctly.

References
1. Matt Bishop (2003) Computer Security. Pearson Education, Inc. ISBN: 0-20144099-7.
2. Michael Whitman & Herbert Mattord (2003) Principles of Information Security. Course Technology, a division of Thomson Learning, Inc. ISBN: 0-619-06318-1.
3. Benny Pinkas & Tomas Sander (2002) Authentication and authorization: Securing passwords against dictionary attacks. Proceedings of the 9th ACM Conference on Computer and Communications Security.
4. Dirk Weirich & Martina Angela Sasse (2001) Session 7: passwords revisited: Pretty good persuasion: a first step towards effective password security in the real world. Proceedings of the 2001 Workshop on New Security Paradigms.
5. Peter G. Neumann (1994) Risks of passwords. Communications of the ACM, Volume 37 Issue 4.
6. Anne Adams & Martina Angela Sasse (1999) Users are not the enemy. Communications of the ACM, Volume 42 Issue 12.
7. Elinor Abreu (2000) Kevin Mitnick bares all. NetworkWorldFusion News Online (28 September 2000) [Cited July 26, 2003] available from the World Wide Web: http://www.nwfusion.com/news/2000/0928mitnick.html
8. Counterpane Internet Security (2003) Password Safe software. [Cited July 26, 2003] available from the World Wide Web: http://www.counterpane.com/passsafe.html
9. United States Department of Defense Computer Security Center (1985) Department of Defense Password Management Guideline. CSC-STD-002-85, Library No. S-226,994 [Cited July 26, 2003] available from the World Wide Web: http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html

Of particular value to instructors is the following work:

10. Dirk Weirich & Martina Angela Sasse (2001) Session 7: passwords revisited: Pretty good persuasion: a first step towards effective password security in the real world.

More References
Al-Marhoon, M. (n.d.). Password Management Guide. MakeUseOf. Retrieved April 10, 2013, from http://www.makeuseof.com/pages/the-password-management-guide-fulltext
http://www.slideshare.net/NortonOnline/2012-norton-cybercrime-report-14207489
http://www.ic3.gov/media/annualreports.aspx

WWW Resources

http://web.mit.edu/net-security/www/pw.html
http://www.umich.edu/~policies/pw-security.html
http://www-cgi.cs.cmu.edu/~help/security/pass_sec.html
http://www.alw.nih.gov/Security/Docs/passwd.html
http://www.ucsc.edu/banner/01ePwdSecurity.html#Password%20Guidelines
http://ithelp.indstate.edu/info/secure-passwords.html#general
http://www.lbl.gov/ITSD/Security/guidelines/password.html#choose
http://tigger.cc.uic.edu/~mbird/password.html
http://psynch.com/docs/best_practices.html
http://www.p-synch.com/docs/strength.html

Incorrect
Perhaps a review may help. Please select one of the following:
Weak password practices
Strong password practices
Password attacks
Passwords in the Context of Your Identity and Privacy
Password Facts worth Remembering
Back to Test

Thank you.
