Information Security in Education/Authentication
“Passwords are often the first (and possibly only) defense against intrusion.” MacGregor (2002)[1]
Introduction
Many institutions and businesses invest large sums of money to create and maintain a secure computer system for all their stakeholders. These outlays bring together hardware, software, policies, procedures, physical controls, and training to construct a fortress of protection for the organization's data, network, and, ultimately, its mission. Without a secure computer network, revenues would be lost, data compromised, and secrets exposed.
But every system relies on identifying and authenticating its users. The system would not have been built if not for the intention of users to access and use it, whatever the system offers them. Almost always the user accesses the system from a location remote from the system's administrators, so the administrators must have a way to identify each user and to authenticate that the user's digital identity matches the physical user sitting in front of the computer or server. Add to this the fact that the user is human. This very nature is what may bring down the strongest fortress by becoming its weakest link. As Schneier (2000)[2] stated, "Think of security… as a chain. The security of the entire system is only as strong as the weakest link." That weakest link is many times the user of the system; unlike the food chain, where man takes a prominent stand, in the access control and security of computer networks the human is often the weak prey or the entry point to what is secured under the assumption that the right users have been identified and authenticated.
Username/Password Combinations for Identification & Authentication
A common way to authenticate users is to assign each authorized user of a system a unique username/password combination. The username identifies the user and the password authenticates him; in other words, a human user proves his/her identity to the nonhuman system. A password is “a word, a phrase, or combination of miscellaneous characters that authenticates the identity of the user” (Granger, 2002)[3]. However, the only thing the system can be sure of is that the submitted username and password agree with a username/password combination in its database of valid and authorized users. If the user logs into the system remotely, the only thing the system knows is that the combination entered matches a stored combination for a user of the system.
Rubens (2008)[4] emphasized that the Gartner research house reported 94% of businesses only require a username/password combination to log into their respective computer systems. That popularity and reliance illustrates a lot of commercial trust in the simple philosophy of identification and authentication of access. Passwords are a simpler and cheaper security measure compared to other security hardware and software. Passwords can protect users’ personal information such as private documents, financial data, identity data, or social security numbers. Passwords can also protect professional data, which could mean intellectual property, trade secrets, financial data, human resource records, or customer information. The access or loss of any of this data in the hands of the wrong party could be detrimental and disabling to the person, the profession, or the proprietor.
As Schneier (2008)[5] cautioned, “The problem with passwords is that they’re too easy to lose control of. People give them to other people. People write them down, and other people read them. People send them in email, and that email is intercepted. People use them to log into remote servers, and their communications are on. They’re easy to guess. And once that happens, the password no longer works as an authentication token because you can’t be sure of who is typing that password in” (240)[5].
The common element in all of these password failures is “people”: humans, with their imperfect nature, to whom corporations entrust their most valuable asset within the security framework.
The popularity of username/password combinations reveals the reliance corporations and institutions have on people keeping their passwords private. Considering the unpredictable and imperfect human nature of people, the key to security with username/password combinations is educating and training the users to exercise a regimen that safeguards and secures accurate identification and authentication of the user.
How Can Passwords be Uncovered
Passwords can be found out by guessing or otherwise uncovering them in order to gain unauthorized access to computers or the information on them. This process is referred to as password cracking. Granger (2002)[3] stated the most popular ways people crack passwords are:
- Using a word list or dictionary attack software
- Using password crackers (one example is the Packetstorm Top Ten Password Crackers list)
- Password sniffers, which capture data as it travels across a network or the Internet
- Social engineering, the human element where one person cons another into giving up personal information such as usernames and passwords
- Reckless password behavior by the user
Given these vulnerabilities, and since passwords are only as strong as their human creators and users, people must be educated to practice habits that keep passwords strong, private, and secure.
Securing Passwords with Secure Practices
Some secure password practices are built on common sense, while others follow a more systematic framework. Schneier (2009)[6] encourages the following password advice:
- Most important advice? Use a password manager, an application that keeps track of and manages a user's passwords.
- Change passwords frequently.
- Do not reuse old passwords.
- Have a scheduled date to change passwords. Password managers can assign expiration dates to passwords and send reminders when to change them.
- Always keep passwords secret. Users should not record their passwords manually or digitally. Trust no one with a username/password combination.
- Do not use passwords that consist of dictionary words, birthdays, or common series such as sequential numbers or repeated characters.
- Do not use the same username/password combination for more than one site.
- Do not allow a computer to log on or boot up automatically, or allow applications to store passwords so that the user stays logged in for a set amount of time.
- Do not log into user accounts on another person's computer, in case a key logger is installed.
- Do not access web sites that require a log-in over a wireless Internet connection unless the https protocol is used.
- Do not log into an account via a link in an email, in case it is phishing. Enter the normal URL (Uniform Resource Locator) in the web browser instead, to check the identity of the party asking for information.
Password Tips for BlackBerry Users
BlackBerry devices have been touted as the most secure mobile platform (Sacco, 2010)[7]. RIM, the company that manufactures BlackBerry devices, has invested time and money to equip its products with a secure and strong infrastructure, software, and security certificates. However, as Sacco (2010)[7] stated, this does not cover the security, or lack thereof, practiced by the BlackBerry user. If a BlackBerry device is stolen or lost, the security of the device and the data on it depends upon the security practices of its human owner.
Sacco (2010)[8] encouraged five guidelines, two of which deal with passwords, for mobile owners to use when safeguarding their BlackBerry and its information.
- Enable password protection on a BlackBerry if the corporation has not already done so before assigning the corporate phone to you:
  - Open the BlackBerry Options menu, scroll down to and click Password
  - Select the Password field and enable the option in the pop-up box
  - Click the BlackBerry Escape key, save changes, and enter a password (minimum of four characters on BlackBerry phones)
  - Confirm the new password by typing it again
  - The BlackBerry phone is now locked
  - Type the password to unlock the BlackBerry after password protection has been enabled
  - Additional password security features are available on BlackBerry phones, such as:
    - Specify the number of password attempts
    - Choose a security timeout period
    - Mandate use of the password when downloading new applications
- Use the Password Keeper application on BlackBerry devices, which stores all user passwords behind a single password entered to open the application:
  - Open the Password Keeper application on the BlackBerry
  - Create a password to protect all your other passwords
  - Choose a password that is difficult to guess, since this password safeguards all the user's other passwords
  - To enter and log each user password:
    - Click the BlackBerry Menu key and choose New to log a password
    - Type the Title, Username, Password, Website, and Notes for each password to be saved
  - After passwords have been saved, the user opens the Password Keeper app and enters the master password to access the passwords stored on the device
Password Management Tips for iPad & iPhone
Wagner (2010)[9] placed 1Password at the top of his list of new applications available for the iPad, the newest of Apple's computer devices. This application, developed by Agile Web Solutions, is password management software. It is also available for the iPhone.
Without this specific application, an iPad owner can still password-protect applications by requiring a password to be entered before an application is used (Brandon, 2010)[10]. This password protection can be activated on the iPad:
- Settings > General > Restrictions
- Press Enable Restrictions
- Type a four-digit numeric password that is difficult to guess (never use birthdates, street address numbers, social security digits, or phone numbers)
- Turn on restrictions for the applications the user would like protected
- If an application itself needs a password, such as iTunes, the user will have to type in two passwords (the restrictions password and the application's own password).
Password Protection Feature in Firefox Web Browser
Firefox, a web browser, provides the user with a password-protection feature called Primary Password. When a user opens Firefox for the first time, the web browser prompts the user for a password. Awareness of phishing, a fraudulent scheme to obtain a user's sensitive information without the user realizing it, has made many people wary of pop-up windows asking for passwords, usernames, and so on. Horowitz (2010)[11] instead advises using a FreeOTFE or TrueCrypt container. These are open source encryption programs that work on all platforms by creating a virtual encrypted disk to protect a user's information.
Facebook and Passwords
Facebook, a social networking site that to date has over 400 million users, provides its members with quality and strong security information (“Statistics”, Facebook, 2010)[12]. What is beneficial about Facebook promoting secure measures and practices to its users is that many of this social network site's users are young adults, which reinforces many of the same password guidelines students learn in high schools and colleges. Some of these guidelines include:
- Use different passwords for different online websites
- Be cautious of where a user enters his password. Pay attention to the URL of a website. Additionally, copy and paste that URL into a new web browser window to check the requester's digital source.
- Do not share passwords with anyone; no one should ever ask for a password if the organization practices good security principles
- Use difficult passwords that would be hard to guess; make sure a password is not built from obvious information about the user.
- Create passwords that have a combination of lower and uppercase alpha characters, numeric characters, and symbols (“Facebook Security”, Facebook, 2010)[13]
Microsoft Online Safety Password Advice
Password strength is determined by a combination of different types of characters, the length of a password, and whether it avoids a dictionary match (Microsoft, 2010)[14].
Microsoft, one of the top international computer technology corporations, offers users these recommendations for creating strong passwords:
- Use passwords with 14 characters or more
- Use a variety of characters (alpha, numeric, symbols)
- Use the entire keyboard; do not only use the characters that are most often used
- Another key element is to create a password, using the above guidelines, which the user can remember and so need not write down despite its complexity (Microsoft)[14].
Microsoft offers the following advice to remember long passwords (Microsoft, "Create a Strong Password that You Can Remember" table)[14]:
1. What to do: Start with a sentence or two (about 10 words total). Suggestion: Think of something meaningful to you. Example: Long and complex passwords are safest. I keep mine secret. (10 words)
2. What to do: Turn your sentences into a row of letters. Suggestion: Use the first letter of each word. Example: lacpasikms (10 characters)
3. What to do: Add complexity. Suggestion: Make only the letters in the first half of the alphabet uppercase. Example: lACpAsIKMs (10 characters)
4. What to do: Add length with numbers. Suggestion: Put two numbers that are meaningful to you between the two sentences. Example: lACpAs56IKMs (12 characters)
5. What to do: Add length with punctuation. Suggestion: Put a punctuation mark at the beginning. Example: ?lACpAs56IKMs (13 characters)
6. What to do: Add length with symbols. Suggestion: Put a symbol at the end. Example: ?lACpAs56IKMs" (14 characters)
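The stages of Microsoft's sentence-to-password recipe, carried out by a small script so each intermediate form can be inspected. This is an added example, not Microsoft's own code; it assumes the table's sentence, numbers, punctuation mark and symbol as defaults, and it applies the "first half of the alphabet" rule to every letter, which also upper-cases the leading l that the table's example leaves lower-case.

```python
import re

# Letters a-m are treated as the "first half of the alphabet" for the case-shift stage.
FIRST_HALF = set("abcdefghijklm")


def split_sentences(text: str) -> list[str]:
    """Split the starting text on sentence-ending punctuation."""
    return [s.strip() for s in re.split(r"[.!?]+", text) if s.strip()]


def initials(sentence: str) -> str:
    """Row of letters: the first letter of each word, lower-cased.

    Words that do not start with a letter (for example a number) contribute nothing.
    """
    return "".join(w[0].lower() for w in sentence.split() if w[0].isalpha())


def shift_case(letters: str) -> str:
    """Case shift: upper-case only letters from the first half of the alphabet."""
    return "".join(c.upper() if c in FIRST_HALF else c for c in letters)


def build_steps(text: str, numbers: str = "56", prefix: str = "?", suffix: str = '"') -> list[str]:
    """Return the password after each stage, mirroring the table's Example column.

    `numbers`, `prefix` and `suffix` default to the table's own values;
    in practice each user picks their own.
    """
    sentences = split_sentences(text)
    if len(sentences) != 2:
        raise ValueError("the recipe expects exactly two sentences")
    first, second = (initials(s) for s in sentences)
    stages = [
        first + second,                                    # row of letters
        shift_case(first) + shift_case(second),            # case shift
        shift_case(first) + numbers + shift_case(second),  # numbers between the two sentences
    ]
    stages.append(prefix + stages[-1])                     # punctuation mark at the beginning
    stages.append(stages[-1] + suffix)                     # symbol at the end
    return stages


def build_password(text: str, **kwargs) -> str:
    """The finished password: the last stage of build_steps()."""
    return build_steps(text, **kwargs)[-1]


if __name__ == "__main__":
    sample = "Long and complex passwords are safest. I keep mine secret."
    for stage in build_steps(sample):
        print(f"{stage!r:20} ({len(stage)} characters)")
```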
After the user constructs a password with the above steps, the user can check the password’s strength, and thus its safety, by using the Password Checker application offered by Microsoft[14]. It should be pointed out that the passwords users enter are not stored on this site maintained by Microsoft. Each password is checked on the person’s own computer and not by Microsoft's Password Checker service[14].
After a user creates a strong password, the security of the data the password protects will not be ensured if the user does not put into practice and habit ways to keep that password safe and private.
Five tips Microsoft (2010)[14] advises to safeguard a strong password are:
- Never provide a password in response to a request made digitally, by email or in pop-up windows.
- Do not type in a personal password on a computer that is owned by another person or is a public-use computer. Other computers can have key loggers installed to capture guest users' passwords.
- Never tell another person your password face-to-face or over the phone. Be cautious of social engineering: people who pose as professionals asking for your password to troubleshoot possible problems in your account (Schneier, 2000)[5].
- Protect recorded passwords in a safe and secure place. Never store passwords on a computer that one owns.
- Use more than one password on different web sites.
Enabling Firmware Password Protection in MAC OS X
Open Firmware password protection is turned off by default, but provides password protection on Mac computers that have Mac OS X version 10.1 or later installed. It allows the computer to be started only from the volume that the user with the correct password designates as the startup volume. For the firmware password to work securely, the user must make a strong effort to create a safe and strong password as a physical security measure (Apple, 2010)[15].
Full instructions and features of this password protection application can be found on the Apple site, along with a list of firmware updates and the Open Firmware Password 1.0.2 download.
How to Protect Unattended Computer
How does a user protect his computer after he has logged on and walks away, so that no one else sits down and uses it? One way is to set a screen saver password on a Windows or GNU/Linux PC or laptop.
The directions to do this on Windows are:
- Right-click the desktop > choose Properties > click on Screen Saver
- Click on Password-protected > Change
- Enter a secure password > click OK > click Apply > click OK
The best way to keep a computer safe is to shut it down when one walks away from his/her computer.
Better Password Practices
Granger (2002)[3] stated that the simplest security of all lies in controlling the weakest link in the computer network: humans. If humans practice better, more private password habits, the infrastructure that is planned, constructed, and implemented has a better chance of being secured.
Granger proposed the following best practices for securing passwords:
- Do not use proper nouns, dictionary words, or foreign words, either spelled forwards or typed backwards
- Do not use personal information such as the first, last, or middle names of self, family, or friends, pets’ names, street address, phone number, or any other data that is uniquely the user’s
- Create a password that has length, width, and depth. Length is the number of characters in a password; Granger (2002) recommended six to nine characters. Width is the combination of different kinds of characters (alpha, numeric, upper case, lower case, symbols). It is recommended to have at least one character of each of the following types:
  - upper case letters
  - lower case letters
  - numbers
  - special characters such as symbols and punctuation
  - alt characters such as µ, £, Æ
- Depth means a password that has meaning to the user but is hard to guess. This is achieved by thinking of phrases and mnemonics instead of words. One example can be found on the University of Michigan’s (2009)[16] Information and Technology Services web site: make a strong and memorable password by using the first letter of the words in a phrase, in combination with the other stated criteria. For example, "Four score and seven years ago our fathers brought forth" becomes 4S&7yaofb4th.
- Use different passwords for different web sites
- If able, find ways to add encryption or a one-time password capability to log-in passwords. The latter requires that a user have a password generator, a password list, or a secure card:
  - Password generator
  - Switching to a Smart Card (password) directions
  - Encryption (PGP)
- Never disclose passwords to any other party by email, phone, or face-to-face interaction.
- Never write down a password; commit it to memory. If one must write something down, write a hint to the password, not the password itself.
- Change passwords at a regular interval. The more sensitive the information the password protects, the shorter the interval should be.
- Do not let anyone watch or stand behind the user when a password is being typed
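A checker that applies the strength criteria from the Microsoft section (14 or more characters, a variety of character types, no dictionary match) and from Granger's list above (minimum length, width across the five character types, no dictionary or personal words, forwards or backwards), and reports what a candidate password is missing. This is an added example, not Microsoft's Password Checker or any of the linked sites' tools; the dictionary and personal terms are small constructed samples.

```python
# Constructed sample inputs: a real deployment would use a full word list
# and the terms the user supplied at enrollment (names, birth year, pets, street).
DICTIONARY = {"password", "secret", "monkey", "dragon", "letmein", "welcome"}
PERSONAL_TERMS = {"fred", "fluffy", "1985", "main street"}

# Granger's five character types, in the order they are reported.
CLASS_NAMES = ("upper", "lower", "digit", "symbol", "alt")


def character_classes(pw: str) -> set[str]:
    """Granger's 'width': which of the five character types the password uses."""
    found = set()
    for ch in pw:
        if not ch.isascii():
            found.add("alt")        # characters such as µ, £, Æ
        elif ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")     # punctuation and other printable symbols
    return found


def contains_term(pw: str, terms: set[str]) -> bool:
    """True if any term appears in the password, spelled forwards or backwards, ignoring case."""
    low = pw.lower()
    return any(t in low or t[::-1] in low for t in terms)


def problems(pw: str, dictionary=DICTIONARY, personal=PERSONAL_TERMS) -> list[str]:
    """List every criterion from the page's guidance that the password fails (empty list = all met)."""
    out = []
    if len(pw) < 6:
        out.append("shorter than Granger's six-character minimum")
    if len(pw) < 14:
        out.append("shorter than Microsoft's 14-character recommendation")
    present = character_classes(pw)
    for cls in CLASS_NAMES:
        if cls not in present:
            out.append(f"no {cls} characters")
    if contains_term(pw, dictionary):
        out.append("contains a dictionary word (forwards or backwards)")
    if contains_term(pw, personal):
        out.append("contains personal information")
    return out


if __name__ == "__main__":
    for candidate in ('?LACpAs56IKMs"', "4S&7yaofb4th", "Password1985", "terceS!µ99xZ"):
        print(f"{candidate!r}: {problems(candidate) or 'meets every criterion'}")
```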
Dr. Tim Tyson, an educational consultant and retired middle school principal, offers this advice in his Practical Practice blog: Spring Cleaning: Password Security and Organization.
Teaching Students Better Password Practices
It is mandatory when teaching students about their responsibilities on the school network, in conjunction with the district's acceptable use policy, that we as educators teach and emphasize good password practices. This begins at the K12 level and continues into higher education. The following colleges and universities have specific password protocols, procedures, and education pages teaching students to practice better password guidelines.
- Stanford University SRP Password Generator
- Duke University Password Protocols
- College of New Jersey Security Password Guidelines
- Yale University Password Change Web Site
- Yale University Guide to Selecting Good Passwords
At the K12 level, teachers can teach better password practices to students as part of the curriculum and as a security measure under the district's Acceptable Use Policy.
Password Practices to Ponder
Any password can be "cracked". Create a password that is hard to guess.
References
1. MacGregor, T. (2001, May 13). “Password Auditing and Password Filtering to Improve Network Security”. SANS Institute. Retrieved April 13, 2010 from http://rr.sans.org/authentic/improve.php
2. Schneier, B. (2000). Secrets and lies: Digital security in a networked world. Indianapolis, IN: Wiley Publishing, Inc.
3. Granger, S. (2002, January 17). “The simplest security: A guide to better password practices”. Symantec Security. Retrieved April 9, 2010 from http://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices
4. Rubens, P. (2008, June). User authentication beyond the password. QuinStreet, Inc. Retrieved April 1, 2010 from http://www.enterprisenetworkingplanet.com/netsecur/article.php/3756206
5. Schneier, B. (2008). Schneier on security. Indianapolis, IN: Wiley Publishing, Inc.
6. Schneier, B. (2009, August 10). Schneier on security [Msg 1]. Message posted to http://www.schneier.com/blog/archives/2009/08/password_advice.html
7. Sacco, A. (2010, March 2). Five tips to keep your BlackBerry safe. Computerworld. Retrieved March 30, 2010 from http://www.computerworld.com/s/article/print/9165238/Five_tips_to_keep_your_Blackberry_safe?taxonomyName=Security&taxonomyId=17
8. Sacco, A. (2010, March 2). Five tips to keep your BlackBerry safe. Computerworld. Retrieved March 30, 2010 from http://www.computerworld.com/s/article/print/9165238/Five_tips_to_keep_your_Blackberry_safe?taxonomyName=Security&taxonomyId=17
9. Wagner, M. (2010, March 23). Apple’s iPad: Developers discuss their plans for apps [Msg 1]. Computerworld Blogs. Message posted to http://blogs.computerworld.com/15800/ipad_apps
10. Brandon, J. (2010, April 9). 50 really useful iPad tips and tricks. Apple News. Retrieved April 11, 2010 from http://www.techradar.com/news/computing/apple/50-really-useful-ipad-tips-and-tricks-682306
11. Horowitz, M. (2010, March 3). Trust no one and how it applies to Firefox passwords [Msg 1]. Computerworld Blogs. Message posted to http://blogs.computerworld.com/15687/trust_no_one_and_how_it_applies_to_firefox_passwords
12. “Statistics”. (2010). Facebook. Retrieved April 13, 2010 from http://www.facebook.com/press/info.php?statistics
13. “Facebook Security”. (2010). Facebook. Retrieved April 10, 2010 from http://www.facebook.com/security?v=app_4949752878#!/security?v=app_7146470109
14. Microsoft. (2010). Microsoft online safety and privacy education. Retrieved April 14, 2010 from http://www.microsoft.com/protect/
15. Apple. (2010). “Setting up firmware password protection in Mac OS X”. Retrieved April 10, 2010 from http://support.apple.com/kb/HT1352
16. Information and Technology Services. (2009, October). “ITSDocs: Choosing and changing a secure UMICH password”. University of Michigan. Retrieved April 16, 2010 from http://www.itd.umich.edu/itcsdocs/r1162/#protect