2. ISACA Victoria April 2019 Luncheon – @Union Club of BC
Kimberley Dray B. Ed, CISM (ISACA), CISSP (ISC2), CCSP (ISC2), GSEC (SANS)
Sr. Information Security Analyst @UVic
ISACA Victoria Communications Director
Contact email: secaware@kimberdray.ca
Twitter: @kimberdray
https://about.me/kimberdray
3. A Quote from ISECOM’s (Institute for Security and Open Methodologies) “Open Source Security Playbook”
http://www.isecom.org/research/playbook.html
“The cybersecurity field hasn’t matured enough to know what’s right all the time. … if our humbling experiences have told us anything, it’s that security isn’t a slogan or a comforting phrase. It’s the toughest riddle you’ll ever have to solve before the Troll comes out from under the bridge and eats you. … every riddle has a different answer every time. It’s constantly changing based on the environment you’re in.
… remember that the security community is a resource and not an answer, … What you get from it will rarely fit your needs as-is. You still need to figure out how to answer your own riddle, and that takes knowing your environment, your employees, and how it all works together …
You need to know where the interactions are, what resources are being used and from where, as well as who has authorized access to what. And you need to do that constantly because every second, the riddle changes a little bit. Or else before you know it, it’s changed a lot and you’re not ready for what happens next.”
4. Topics of Discussion
Social Media and Other High Profile Data Breaches
Credential Stuffing and Password Spraying
Password Usage and Complexity
Password Managers
Multi-Factor Authentication
Account Monitoring
Who? What? When? Where? How?
Have I Been Pwned?
Takeaways
Verizon 2017 Data Breach Investigations Report: 81% of hacking-related breaches leveraged either stolen and/or weak credentials.
Centrify 2019 Report: 74% of respondents whose organizations have been breached acknowledge it involved access to privileged accounts.
5. Social Media and Other Data Breaches
MySpace – 360 Million (June 2013)
LinkedIn – 165 Million (June 2012)
Tumblr – 66 Million (Early 2013)
Dropbox – 69 Million (2012) – Confirmed in August.
Twitter – Accusations?
Others? GoToMyPC, GitHub, etc.
Statistics date: November 2016. Statistics from “Have I Been Pwned?” by @troyhunt.
7. Social Media Breaches
Weak passwords and password reuse are problems.
[Chart: Commonly Used Passwords (according to @LeakedSource) – LinkedIn, MySpace]
8. Credential Stuffing
“Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.” – OWASP
https://www.owasp.org/index.php/Credential_stuffing
“Password Spraying: Password spraying leverages the fact that users (and admins) persist in selecting predictable passwords, following the letter of the law (length and “complexity”) but missing the spirit. Password spraying also takes into account the target’s lockout policy and throttles its logon attempts to a rate just slow enough to avoid triggering lockouts. This proves to be a lethal combination. Especially when you feed the spraying tool a nice big list of known passwords gleaned from mega-attacks you’ve heard about in the news.”
Anatomy of an Attack: How Password Spraying Exploits Weak Passwords So Effectively:
https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1499
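The spray pattern quoted above (many accounts, few attempts each, paced under the lockout threshold) is exactly what distinguishes it from classic brute force in the logs. As an added example, not from the deck, the detection below runs over a constructed authentication log (invented users, RFC 5737 documentation addresses) and flags sources that match the spray signature, highlighting any success from the same source.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses, invented user names).
SAMPLE_LOG = """\
2019-04-10T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-04-10T09:00:31Z src=203.0.113.7 user=bob result=FAIL
2019-04-10T09:01:02Z src=203.0.113.7 user=carol result=FAIL
2019-04-10T09:01:33Z src=203.0.113.7 user=dave result=FAIL
2019-04-10T09:02:04Z src=203.0.113.7 user=erin result=FAIL
2019-04-10T09:02:35Z src=203.0.113.7 user=frank result=SUCCESS
2019-04-10T09:00:05Z src=198.51.100.9 user=alice result=FAIL
2019-04-10T09:00:06Z src=198.51.100.9 user=alice result=FAIL
2019-04-10T09:00:07Z src=198.51.100.9 user=alice result=FAIL
2019-04-10T09:05:00Z src=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse(log):
    """Yield (timestamp, src, user, result); lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_spray_sources(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each spray-like source to the users it tried and any success from it.
    Spray signature: many distinct usernames, at most max_per_user failures each
    (paced to stay under a lockout threshold), all inside one time window.
    One user with many failures is classic brute force and is not matched here."""
    fails = defaultdict(list)   # src -> [(ts, user)] for failed logons
    wins = defaultdict(set)     # src -> users that logged on successfully
    for ts, src, user, result in parse(log):
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            wins[src].add(user)
    flagged = {}
    for src, events in fails.items():
        per_user = Counter(user for _, user in events)
        times = [ts for ts, _ in events]
        if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                and max(times) - min(times) <= window):
            # A success from a spraying source is the highest-priority alert.
            flagged[src] = {"users": sorted(per_user), "success": sorted(wins[src])}
    return flagged
```

Calling `find_spray_sources(SAMPLE_LOG)` flags only 203.0.113.7 (five users, one failure each, then a success for frank); the single-user burst from 198.51.100.9 is left for a separate brute-force rule.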
10. Password Usage and Complexity
Length, as opposed to complexity.
Stanford’s Quick Guide:
https://uit.stanford.edu/service/accounts/passwords/quickguide
11. Passphrase Usage and Complexity – Protection Strategies:
An older @SecureTheHuman video recommended a passphrase with the example:
Where Is My C0ffee?
(Capital, small, number substitutions, spaces and unique characters.)
However, these are dictionary words.
To make it a little more complex, instead of spelling out the words, use the starting letters of the phrases, alternating capital and small letters:
Where Is My C0ffee? I need my Coffee = W1mC?1NmC
Although better than the previous example, this is no longer lengthy enough.
Old reference, resource no longer available: http://securingthehuman.sans.org/resources/votm
12. Popular cartoon depicting the problem:
http://imgs.xkcd.com/comics/password_strength.png
**Remember this example when we talk about the breach databases. Check “HaveIBeenPwned”.
13. Sample requirements (2015 Tweet)
Your password was not accepted. Please try again after correcting the errors below:
Mandatory:
X Cannot be shorter than 8 characters
X Requires a minimum of 3 letters
X Requires small and capital letters
OK Cannot be larger then 21 characters
14. Password Usage and Complexity
Related resources: Sites lie to you about what makes a good password:
https://glog.glennf.com/blog/2017/9/27/sites-lie-to-you-about-what-makes-a-good-password
Randomness
Do not use words that can be identified in a dictionary. Even swapping numbers for letters will not likely prevent dictionary attacks.
Character Use (random and unique)
- Use a combination of small and capital letters, numbers and special characters. *Not necessary if extending the length. See slide 10.
Uniqueness / No Reuse
- Ensure you do not use the same passphrase for any two services, and most especially make sure you are not using your work email and password for any non-work service.
- Different for all services (work, personal, financial, public).
15. [Screenshots from “How Secure Is Your Password”, typing progressively longer values: 123456; welcome; welcometo; welcometomy; welcometomyworld]
How Secure Is Your Password: https://howsecureismypassword.net/
16. Why the minimum length suggestions?
Full thread: https://twitter.com/jepaynemsft/status/858343346162384896?s=21
Recommendation: Turn off LANMAN.
Optimal: 21+
17. NIST Digital Identity Guidelines
Toward Better Passwords: https://www.slideshare.net/jim_fenton/toward-better-password-requirements
18. NIST Digital Identity Guidelines (Cont’d)
List of “Don’ts”:
1. No composition rules.
2. No password hints.
3. Knowledge-based authentication (KBA) is out.
4. No more expiration without a reason.
Article 2: Naked Security: NIST’s new password rules – what you need to know:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
Gomzin identified three main changes NIST proposed:
1. No periodic password changes.
2. No imposed password complexity.
3. **Mandatory validation of newly created passwords.
Article 1: https://venturebeat-com.cdn.ampproject.org/c/s/venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/amp/
Starting to see this built into password managers, password requirements and even checked by the Firefox browser.
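Added example, not from the deck: a validator in the spirit of the NIST points above (slides 10 to 18). It enforces a length floor with no composition rules, checks candidate passwords against breach data using the k-anonymity range-query pattern that “Have I Been Pwned” popularised (only the first five hex characters of the SHA-1 leave the client), and compares the naive brute-force keyspace of a long lowercase phrase against a short “complex” one. The breach corpus and the `lookup_range` function are constructed stand-ins for a real breach-list service.

```python
"""NIST SP 800-63B-style password validation: a length floor, no composition
rules, and a check against known-breached passwords using the k-anonymity
range-query pattern (only the first 5 hex chars of the SHA-1 leave the client).
The breach corpus and range response below are constructed for this example."""
import hashlib
import math
import string

# Constructed "breached" corpus standing in for a real leak list (assumption).
BREACHED = ["123456", "welcome", "password1", "Where Is My C0ffee?", "linkedin"]

def _sha1(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

# prefix (5 hex) -> {suffix (35 hex): count}; mimics a range endpoint, offline.
RANGE_DB = {}
for i, leaked in enumerate(BREACHED):
    digest = _sha1(leaked)
    RANGE_DB.setdefault(digest[:5], {})[digest[5:]] = 100 * (i + 1)

def lookup_range(prefix):
    """Stand-in for the remote range query: {suffix: count} for a 5-char prefix."""
    return RANGE_DB.get(prefix.upper(), {})

def breach_count(pw):
    """k-anonymity check: only the prefix is sent; suffixes are compared locally."""
    digest = _sha1(pw)
    return lookup_range(digest[:5]).get(digest[5:], 0)

def keyspace_bits(pw):
    """Naive brute-force strength: len * log2(alphabet implied by the classes used).
    Overstates dictionary phrases, which is exactly why the breach check exists."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    alphabet = sum(n for chars, n in classes if any(c in chars for c in pw))
    return round(len(pw) * math.log2(alphabet), 1) if alphabet else 0.0

def validate(pw, min_len=15):
    """Return [] if acceptable, else the reasons for rejection.
    Deliberately no composition rules: length and breach status are what count."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    hits = breach_count(pw)
    if hits:
        reasons.append(f"found in breach data ({hits} times)")
    return reasons
```

`keyspace_bits("welcometomyworld")` (16 lowercase letters) comes out higher than `keyspace_bits("W1mC?1NmC")` (9 mixed characters), which is the length-over-complexity point, while `validate("Where Is My C0ffee?")` is rejected purely because it appears in the constructed breach data.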
20. Why is randomness, uniqueness & complexity a problem?
We forget them.
We need a better strategy for keeping them random, unique and complex.
Base recommendation: lengthy passphrases are best (minimum 15–21+ characters).
Without a way to manage them, they have to be something we remember. With users owning an average of 30+ accounts, keeping them lengthy and not reusing them will require the use of a password manager of some sort.
Otherwise, the solution is:
Digital password managers
Log book, locked away in a vault (not practical)
21. When to Use Password Managers
Many accounts, different passphrases, can’t remember them.
You are writing them on slips of paper, sticky notes or storing them in plain text on your devices.
22. Password Managers – Considerations
Purpose is to keep passwords safe and encrypted.
Learning how they work and integrate, since each application is different from the others.
Can be used locally on one device or shared/synced on all devices through the cloud. *Risk consideration*
Some allow one-click password changes on websites, log in to websites for you, etc.
*There are some interesting arguments to use the cloud:
https://nakedsecurity.sophos.com/2017/11/24/cloud-password-managers-would-you-use-one/
Consideration: Although password manager content is not necessarily Personally Identifiable Information (PII), those passphrases are used to protect such data, and some of your notes may expose information you hadn’t considered.
23. Common Password Managers
KeePass – open source, offline but can be synced through cloud services; option to sync but fully functioning on your local device. Free.
1Password – primarily an offline desktop application originally created for Macs; now Windows and Android as well. Cost to include additional features.
LastPass – has a security audit feature to test password quality and allow changes on the fly; primarily a browser extension but has application versions for Windows and Mac; typically considered an online password management system. Does work offline. Premium subscription.
Dashlane
Others? Password Manager, Norton Identity Safe; PasswdSafe; Roboform; KeePass2Android; etc.
Enterprise Solutions:
Many new vendors breaking into the market. Some may include Multi-Factor Authentication or a Privileged Access Management solution, or a combination of both.
Feature sets, capabilities and options change as these solutions evolve.
24. Password Managers – Considerations (Cont’d)
Single Point of Failure or Access
One lock/key = your one password. If you forget or lose it, you will not get back into your account; and if that one password is compromised, all of your accounts are compromised. Look for a product with additional two- or multi-factor authentication options.
Research and test your product.
Watch for patches and vulnerability notifications related to the product you have chosen.
Carefully balance your workflow needs with a security mindset.
25. Link: Password Managers do not have to be perfect. They just have to be better than not having one:@troyhunt
https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/
28. What is Multifactor Authentication?
Use of at least two of the following:
Knowledge – Something you know? Username/Password
Possession – Something you have? Token, magnetic strip card, smart cards, mobile phone
Inherence – Something you are? (Biometrics) – fingerprints, voice, retina, iris, signature, vein, hand geometry. If compromised, cannot be replaced.
Great detailed technical analysis of what these three components ACTUALLY mean:
https://apenwarr.ca/log/20190114
*Hardware tokens may be the only truly secure second factor.
*Phone numbers/SMS no longer optimal.
29. Multi-factor Authentication Mechanisms
Passphrases
Email Addresses
Phone Numbers / SMS (texting) *No longer optimal
Application Codes
Google / Other Authenticators
December 2018 (good blog post highlighting next steps for individuals after any/most breaches):
*Massive Starwood Hotels Breach Hits 500 Million Guests:
https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/
30. Challenges with Multifactor Authentication
Not all services are offering this yet. Some of those that do, do not offer optimal options, e.g. still asking the knowledge-based questions, only SMS two-factor available, etc.
Social media spaces are ahead of the game, while many corporate entities and public institutions may not have this in place yet.
31. Some resources identifying the various multi-factor authentication setups and how-tos are available here:
•Stop|Think|Connect: Lock Down your Login: https://www.lockdownyourlogin.org
•Turn it On: https://www.turnon2fa.com/tutorials/
•Passphrases: https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201704_en.pdf
•Sites Supporting Two-Factor Authentication: https://twofactorauth.org
•Google Two-Step Verification: http://www.google.com/landing/2step/
32. Monitor your Account Activity
Most social media accounts allow you to approve or monitor application or device connections.
Facebook Account Activity: https://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the-way/425136200765
Twitter: Revoking Applications: https://support.twitter.com/articles/76052#
Great October 2016 Security Awareness Month link re: Locking Down your Login: https://www.lockdownyourlogin.com/
33. Who, What, When, Where and How?
Considerations:
Work or Personal
Social Media or Financial
Shared (Family iPad) or Public Device (Internet Café in hotel)
Open or Secured Wireless networks
*Shaw HotSpots are NOT secure
*Data Classification
Unique to your workplace policies and other compliance references:
e.g. Restricted, Highly Confidential, Confidential, Internal, and Public.
34. Services to Check out at Home
Have I Been Pwned? Service: https://haveibeenpwned.com/
How Secure Is Your Password: https://howsecureismypassword.net/
Good reference articles on next steps or future considerations:
Massive Starwood Hotels Breach Hits 500 Million Guests: https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/
Great October 2016 Security Awareness Month link re: Locking Down your Login: https://www.lockdownyourlogin.com/
Factors in authentication: https://apenwarr.ca/log/20190114
35. Takeaways
Use passphrases and focus on length, as opposed to complexity.
Change passphrases regularly. *Debatable if lengthy and NOT re-used.
Keep work and personal accounts separate.
USE unique passwords for each individual service you use.
Use password managers. RESEARCH.
Use multi-factor authentication whenever it is offered. (Hardware tokens best.)
Careful consideration of the who, what, when, where and how.
37. Topics for Follow-up
INTERESTING DISCUSSION THEMES…
Banking Security Considerations
Windows Hello and Moving to “Password-less” options
Biometrics Integrity and Accuracy
Supply Chain Considerations for Federated IDAM Solutions
Heightened concerns about security and privacy: FOIPPA, GDPR,