Improving Password Management. Laura Raderman, Policy and Compliance Coordinator, ISO Ole Villadsen, Research Liaison, Cybersecurity, UL

Similar documents
Password Management. Eugene Davis UAH Information Security Club January 10, 2013

Keeping Important Data Safe and Secure Online. Norm Kaufman

How Cyber-Criminals Steal and Profit from your Data

LastPass Enterprise Recommended Policies Guide

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Personal Internet Security Basics. Dan Ficker Twin Cities DrupalCamp 2018

Pass, No Record: An Android Password Manager

Version: 4.0. Quatrix Data Sheet. January 2018 Author: Maytech

Secret-in.me. A pentester design of password secret manager

HPE 3PAR Storage - Hewlett Packard Enterprise

PASSWORD POLICIES: RECENT DEVELOPMENTS AND POSSIBLE APPRAISE

Protecting and Archiving usernames & passwords

How NOT To Get Hacked

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

System Security Features

Holistic Database Security

Reliable access to data: We endeavor to ensure you can manage and view your passwords whenever and wherever you need to, offline and online.

1Password for Mac. by Marcia Bolsinga for AshMUG 1/12/2019

WHITE PAPER. Authentication and Encryption Design

Reliable access to data: We endeavor to ensure you can manage and view your passwords whenever and wherever you need to, offline and online.

Data Management for Non-Profits. The Cloud, Security, and Other Useful Things You Should Know About IT

Dashlane Security Whitepaper

ipasssafe User Guide 1. Getting started Setup your first password

Codebook. Codebook for OS X Introduction and Usage

The Security Behind Sticky Password

KeePass Keep your passwords SAFE. John Steele. August 2015 Copyright John Steele

Storage and File Hierarchy

COS 318: Operating Systems

COMPUTING FUNDAMENTALS I

OneLogin SCIM. Table of Contents. Summary... 2 System Requirements... 2 Installation & Setup... 2 Contact Us... 6

Tips for Passing an Audit or Assessment

Seamless Upgrades for Credential Security in Apache Tomcat

CNT4406/5412 Network Security

Andrew Sinclair Solaris Certified Network Engineer and Systems Adminstrator. Getting your head into the Cloud

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Intruders, Human Identification and Authentication, Web Authentication

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

A team-oriented open source password manager with a focus on transparency, usability and security.

AP Computer Science Principles: Problem Set 1

msis Security Policy and Protocol

Information Security Policy

Breaking FIDO Yubico. Are Exploits in There?

Client-Server Architecture PlusUltra beyond the Blockchain

Protecting Your Data With Encryption

Office 365 Account Transition Resources. How-to: Create a Backup. Sync Library Folder in OneDrive for. Business

Acrobat file of these slides and notes can be found at:

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Take Control of Your Passwords

Salesforce1 Mobile Security White Paper. Revised: April 2014

SECURE DATA EXCHANGE

Dashlane Security White Paper July 2018

8/3/17. Encryption and Decryption centralized Single point of contact First line of defense. Bishop

Security Specification

KeePass Password Safe: Password Manager

Welcome. ScrogginsGrear clients. to Cybersecurity Education Series. Password Management & Public Wi-Fi Security

SHA-1 to SHA-2. Migration Guide

Dashlane Security White Paper

Google Identity Services for work

ISEC7 Mobile Exchange Delegate

Nigori: Storing Secrets in the Cloud. Ben Laurie

Welcome. Password Management & Public Wi-Fi Security. Hosted by: Content by:

Software Vulnerability Assessment & Secure Storage

Cyber Security Hardening Guide

Hybrid Identity de paraplu in de cloud

Are You Avoiding These Top 10 File Transfer Risks?

Securing Your Cryptocurrency vs.1.0

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Cyber Security Basics. Presented by Darrel Karbginsky

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Password Managers. Victor (Vic) Daniel. Handout Page 1/38

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Sentry Power Manager (SPM) Software Security

Cyber security tips and self-assessment for business

Product Brief. Circles of Trust.

Attacking Your Two-Factor Authentication (PS: Use Two-Factor Authentication)

Authentication Methods

Clouds in the Forecast. Factors to Consider for In-House vs. Cloud-Based Systems and Services

Tokenisation for PCI-DSS Compliance

Single Sign-On Showdown

QuickBooks Online Security White Paper July 2017

Identity & Access Management

Data Security and Privacy. Topic 14: Authentication and Key Establishment

PCI DSS and VNC Connect

Overview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)

Step 1 - Set Up Essentials for Office 365

BEST PRACTICES FOR PERSONAL Security

Strategy is Key: How to Successfully Defend and Protect. Session # CS1, February 19, 2017 Karl West, CISO, Intermountain Healthcare

Enpass User Manual - ios

Authentication Security

Azure Multi-Factor Authentication: Who do you think you are?

Information Security CS 526

CS 161 Computer Security

MULTI FACTOR AUTHENTICATION USING THE NETOP PORTAL. 31 January 2017

Congratulations! You just ordered IdentaMaster software package featuring Biometric login, File/Folder Encryption and Entire Drive Encryption.

TPM v.s. Embedded Board. James Y

Keep Track of Your Passwords Easily

Transcription:

Improving Password Management Laura Raderman, Policy and Compliance Coordinator, ISO Ole Villadsen, Research Liaison, Cybersecurity, UL

Password Management How many passwords do you have? Are they all different? How different? Summer2016 vs Autumn2016?

Picking a password can be difficult Multiple sites have different rules what may be acceptable on one site is unacceptable on another Biggest culprit: sites that don t accept special characters Very strong passwords generally aren t very memorable buz%vg9x#pac3s

Password Managers! Generate and store your passwords You don t even have to think up a new password!

Passwords are protected by a master password. This is the password you will have to remember (you can still have the manager generate it for you if you want) The master password is used to encrypt all of your other passwords Most are using AES256 with PBKDF2 (Password Based Key Derivation Function 2)

Master Passwords Select a very strong master password All managers support changing it should you want/need to New NIST Recommendations At least 8 characters Not in a dictionary Not in previously compromised account databases ISO s Recommendation Long (16+ character) phrase

http://xkcd.com/936/

DO NOT FORGET YOUR MASTER PASSWORD!

Storage Options Offline storage Online storage Both are secure with ISO recommendations, but your risk tolerance may differ! If you don t sync/store online BACKUP your file(s)!

Specific ISO Recommendations 1Password KeePass LastPass ISO evaluated design at a high level for security of passwords It s OK to store your Andrew password in these! CMU DOES NOT support these

1Password https://1password.com Both an online and a desktop/mobile application Both are secure! Not free $64.99 for the standalone version (upgrades have been less in the past usually ~$35 every 3-4 years) $2.99/mth billed annually ($35.88/yr) for online

1Password (cont) Standalone version offers syncing through Dropbox, icloud, file folder (including file shares) Syncing is not required! Standalone version is not compatible with Linux Online version supports offline caching (via applications), but is primarily online Browser integration with all major browsers

1Password (cont) Watchtower/ Security Audit Lets you know about password breaches like Yahoo s or compromised private server keys Points out weak or duplicate passwords

KeePass Offline storage only Plugins (not evaluated) for syncing capabilities: (Dropbox, Google Drive, OneDrive, SCP, SFTP, S3) Don t forget to BACKUP! Open Source Linux, OSX support via Mono, Windows support via.net. Ports (not evaluated) for mobile devices

KeePass (cont) Generates passwords Free! Browser integration only via plugins (not evaluated)

LastPass Online only Local password cache Supports 2-factor soft token authentication (including Duo!) for free 2-factor hard token authentication available with Premium subscription Free for most features. Premium features $12/year.

LastPass (cont) Native Browser integration for all major browsers Linux support Password Auditing Mobile applications

LastPass Features Create new, unique, strong passwords Access passwords to log in to web sites Store information in secure notes LastPass Security Challenge Identify compromised passwords Identify weak or duplicate passwords Automatically change some passwords

How LastPass Works Your machine Internet Transit LastPass PBKDF2-SHA256 TLS 1.2 Enter Master Password Enter Master password Access from multiple devices simultaneously Create Key* Encrypted vault stored locally *Use key to decrypt and access passwords in the local vault Login Hash Send login hash to LastPass *AES256 Send encrypted vault* back LastPass verifies hash, grants access to encrypted vault Enters password on web sites/apps

Is LastPass Secure? Password Managers are the worst way to store your passwords except for all the others.

LastPass Security Vulnerabilities (bugs) have been discovered All software has bugs No exploits found in the wild Would have been defeated by sound security practices (e.g. avoiding phishing attacks) Recognized for quick & effective responses

LastPass Security

How LastPass Works Your machine Internet Transit LastPass PBKDF2-SHA256 TLS 1.2 Enter Master Password Enter Master password Access from multiple devices simultaneously Create Key* Encrypted vault stored locally *Use key to decrypt and access passwords in the local vault Login Hash Send login hash to LastPass *AES256 Send encrypted vault* back LastPass verifies hash, grants access to encrypted vault Vulnerabilities Enters password on web sites/apps

Making LastPass more secure Enable MFA Disable offline access Restrict mobile access Disable access from TOR One IP at a time Disable auto fill Auto log-off when idle Access websites from your vault or bookmarks (and definitely not from a link you clicked) Manage your risk; consider keeping separate, strong passwords for: Primary Email Banking & Finance Work vs Personal?

LastPass Settings

LastPass MFA

LastPass Security Settings

LastPass Security Settings Click Enable

LastPass Security Settings

LastPass Security Settings

LastPass Security Settings

LastPass Security Settings

LastPass Features

LastPass Features

LastPass Features

LastPass Features

LastPass Features

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback