![Page 1: Passwords and Password Policies An Important Part of IT Control – by Craig Piercy](https://reader036.vdocuments.net/reader036/viewer/2022062410/5697c0151a28abf838ccdc97/html5/thumbnails/1.jpg)
Passwords and Password Policies
An Important Part of IT Control – by Craig Piercy
Why Passwords?
For many systems, passwords are the primary means of implementing authentication, and the identity they establish is what authorization decisions then rest on.
Authentication – verifying that you are who you say you are.
Authorization – allowing access to the parts of the system that you need, and only those parts.
Could this be you?
Or This?
How well do you follow good password practices?
- Do you use a name for your password?
- Do you use a real "dictionary" word?
- Do you use the same password for all or most of your accounts?
- Is your password short (fewer than 6 characters)?
- Do you still use the default or provided password?
- Do you keep your password forever?
- Is your password "password", "default", or "123"?
If you answered "yes" to any of the above, you are failing at an important part of good password use.
Why do you do these things?
"weak" password – a password that is fairly easy to guess or "crack" (recover by automated guessing, typically against a stolen copy of its hash).
"strong" password – a password that is difficult to guess or "crack."
For most people, there is a trade-off between having "strong" passwords and being able to remember them.
Passwords as Business Control
"Just saw that UGA has now implemented strong password requirement controls. The password policy found on MyID.uga.edu is a good example of a policy which contains controls that have been implemented and are required to be followed. The verbiage and layout are similar to what I have seen at the clients I audit." – Jason Lannen, KPMG
UGA's Password Policy
Why do you think it is important that organizations require their associates to follow good password policies?
Characteristics of "strong" passwords
- DO NOT use a real word or name.
- Long rather than short: at least 8 characters.
- Use a mix of character types: upper- and lower-case letters, numeric digits, punctuation.
- Use different passwords on different accounts.
- Change your password regularly.
- DO NOT write your passwords down.
(see TIES box on page 209 – Chapter 7)
Note that later guidance (NIST SP 800-63B, 2017) moves away from forced periodic changes and composition rules toward length, screening new passwords against lists of known-compromised ones, and changing a password when there is evidence it has been compromised; a password manager is the usual way to keep a different, long password for every account without writing any of them down.
A two-step method for making strong passwords that you can remember:
1. Come up with a "key" that you can remember easily.
2. Come up with a set of simple rules for converting your key into a password.
Example - Key
1. Choose a key – my preference is a line of text – favorite song titles are good, could be a proverb, famous quotation, line from a poem, etc.
Example – “The leaves have fallen all around…”
Key – Rule 1
2. Make up some rules.
2.1 – Take the initials of the key phrase.
The leaves have fallen all around → tlhfaa
Key – Rule 2
2. Make up some rules.
2.2 – Starting with the second character, make every other one upper case.
tlhfaa → tLhFaA
Key – Rule 3
2. Make up some rules.
2.3 – Add one or more special characters between the letters.
tLhFaA → t$L$h$F$a$A
Notes:
- These are my rules. Make up your own!
- Make as many rules in your algorithm as you can remember; as a rule of thumb, 3 to 5 is probably good enough.
- Make sure that your key is long enough to generate a long enough password.
- Keep in mind where the secrecy actually lives: the rules are mechanical and are exposed the moment one of your passwords is, so the strength rests on how unpredictable the key phrase is. Well-known lyrics and quotations appear in cracking wordlists.
- Even though you have a stronger password, you still need to be aware of how you use it and when it might be compromised. What should you do if you think that your password has been compromised?
What about multiple accounts?
Some come up with a code for each account and then concatenate it onto their password. Example:

| Account | Account code | Password |
| --- | --- | --- |
| My laptop | plap | t$L$h$F$a$A_plap |
| UGA account | uga | t$L$h$F$a$A_uga |
| Gmail account | gm | t$L$h$F$a$A_gm |
What about changing regularly?
Change the key and apply the rules. Example:
New key: "… Time I was on my way."
Apply rules:
1. Take the initials of the key phrase.
2. Starting with the second character, make every other one upper case.
3. Add one or more special characters between the letters.
What's the new password for the uga account?
t$I$w$O$m$W_uga
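The key-plus-rules procedure above (rules 2.1 to 2.3, the per-account suffix, and the rotation to a new key) carried through in code, as an added example that is not part of the original slides. It reproduces the deck's own values (t$L$h$F$a$A_uga, t$I$w$O$m$W_uga), checks the result against the mechanically testable "strong password" characteristics from the list above, and shows why the account-code suffix is the weak point: one leaked password gives away every other account's password. The function names, the regex used to split the key phrase into words, and the "at least three of four character classes" threshold are this example's own choices, not the deck's.

```python
"""Key-plus-rules password algorithm from the slides, as a worked example.

Added example, not code from the original deck. Implements rules 2.1-2.3
(initials, alternating case from the second character, a separator between
letters) and the per-account suffix exactly as the slides describe them,
then checks the result against the testable "strong password" characteristics.
The regex word split and the three-of-four class threshold are assumptions.
"""
import re
import string


def rule_initials(key_phrase: str) -> str:
    """Rule 2.1: the first letter of each word, lower-cased.
    Punctuation such as the leading ellipsis on the second key is ignored."""
    words = re.findall(r"[A-Za-z]+", key_phrase)
    return "".join(w[0].lower() for w in words)


def rule_alternate_case(s: str) -> str:
    """Rule 2.2: starting with the second character, upper-case every other one."""
    return "".join(ch.upper() if i % 2 == 1 else ch for i, ch in enumerate(s))


def rule_interleave(s: str, sep: str = "$") -> str:
    """Rule 2.3: put a special character between consecutive letters."""
    return sep.join(s)


def base_password(key_phrase: str, sep: str = "$") -> str:
    return rule_interleave(rule_alternate_case(rule_initials(key_phrase)), sep)


def account_password(key_phrase: str, account_code: str, sep: str = "$") -> str:
    """Multiple-accounts variant: concatenate an account code onto the base password."""
    return f"{base_password(key_phrase, sep)}_{account_code}"


CHARACTER_CLASSES = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    "punct": lambda c: c in string.punctuation,
}


def missing_classes(pw: str) -> set[str]:
    """Which of the listed character classes the password lacks."""
    return {name for name, test in CHARACTER_CLASSES.items()
            if not any(test(c) for c in pw)}


def policy_check(pw: str, min_len: int = 8, min_classes: int = 3) -> list[str]:
    """Return the characteristics the password fails (empty list = passes).
    'Not a dictionary word', unique-per-account and rotation need outside
    state (a wordlist, a password history) and are not checked here."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    missing = missing_classes(pw)
    if len(CHARACTER_CLASSES) - len(missing) < min_classes:
        failures.append("too few character classes; missing " + ", ".join(sorted(missing)))
    return failures


def derive_other_account(leaked_pw: str, leaked_code: str, target_code: str) -> str:
    """The weakness of the account-code scheme: the shared base is visible in any
    one password, so whoever learns one account's password and guesses the code
    convention gets every other account's password without cracking anything."""
    suffix = "_" + leaked_code
    if not leaked_pw.endswith(suffix):
        raise ValueError("leaked password does not end with the expected account code")
    return leaked_pw[: -len(suffix)] + "_" + target_code


if __name__ == "__main__":
    key = "The leaves have fallen all around…"
    for code in ("plap", "uga", "gm"):
        pw = account_password(key, code)
        print(f"{code:>5}: {pw}  failures: {policy_check(pw)}  missing: {sorted(missing_classes(pw))}")
    print("rotated key:", account_password("… Time I was on my way.", "uga"))
    print("from a leaked gmail password:",
          derive_other_account(account_password(key, "gm"), "gm", "uga"))
```

Running it shows that the deck's own example passes the length rule but never contains a digit, so a policy that demands all four character classes would reject it; and that derive_other_account turns the leaked Gmail password straight into the UGA one.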
Discussion
Are there any problems in my algorithm? How could I improve it?
Incidentally, I did a slightly dangerous thing in choosing the second key:
1st key – 1st line of Ramble On by Led Zeppelin
2nd key – 2nd line of Ramble On by Led Zeppelin
What would be a safer way of choosing a second key?
How about PINs?
Can't make them as strong. Why?
Should we try to keep our PINs strong?
What characteristics should a strong PIN have?
A PIN example:
1. Pick a key: 1492 (Columbus sailed the ocean blue).
2. Rules:
   1. Take the last four digits of the credit card.
   2. For cards: add the key to the last four digits of the card to get the PIN. For other accounts, find a "look-up-able" related number and add it to the key.

| Account | Last 4 or related number | PIN |
| --- | --- | --- |
| MasterCard | 3004 | 4496 |
| AMEX | 1206 | 2698 |
| OASIS | 3452 (last four of student ID) | 4944 |
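The PIN-by-addition rule above in code, as an added example that is not part of the original slides. It reproduces the three PINs in the table, then shows the property a reviewer would flag: because the PIN is the key plus digits printed on the card, anyone who sees one card together with its PIN recovers the key by subtraction and from it every other PIN. The slide does not say what happens when the sum has five digits; this example keeps only the last four (addition modulo 10000, zero-padded), which is an assumption, and the looks_weak heuristics are one possible reading of "what should a strong PIN have", not the slide's own list.

```python
"""PIN-by-addition algorithm from the slides, as a worked example.

Added example, not code from the original deck. The slide says "add the key
to the last four digits"; it does not say what to do when the sum has five
digits, so this example keeps only the last four (mod 10000, zero-padded),
which is an assumption. recover_key() demonstrates the scheme's weakness.
"""

KEY = 1492  # the slide's example key ("Columbus sailed the ocean blue")


def derive_pin(related_digits: str, key: int = KEY) -> str:
    """PIN = (last four digits of the card, or a related number) + key, mod 10000."""
    if not (related_digits.isdigit() and len(related_digits) == 4):
        raise ValueError("expected exactly four decimal digits")
    return f"{(int(related_digits) + key) % 10000:04d}"


def recover_key(related_digits: str, pin: str) -> int:
    """Attack: the key is just the PIN minus the digits visible on the card."""
    return (int(pin) - int(related_digits)) % 10000


def pins_from_one_leak(leaked_digits: str, leaked_pin: str,
                       other_accounts: dict[str, str]) -> dict[str, str]:
    """Given one (card digits, PIN) pair, derive the PINs of all other accounts."""
    key = recover_key(leaked_digits, leaked_pin)
    return {name: derive_pin(digits, key) for name, digits in other_accounts.items()}


def looks_weak(pin: str) -> bool:
    """Heuristics for guessable four-digit PINs: one repeated digit, a straight
    run up or down (1234, 4321), or a value that reads as a recent year."""
    d = [int(c) for c in pin]
    steps = {b - a for a, b in zip(d, d[1:])}
    if len(set(d)) == 1 or steps == {1} or steps == {-1}:
        return True
    return 1900 <= int(pin) <= 2029


if __name__ == "__main__":
    # constructed sample accounts, taken from the slide's table
    accounts = {"MasterCard": "3004", "AMEX": "1206", "OASIS": "3452"}
    for name, digits in accounts.items():
        pin = derive_pin(digits)
        print(f"{name:>10}: {digits} -> {pin}  weak? {looks_weak(pin)}")
    print("five-digit sum wraps to:", derive_pin("8600"))        # 0092
    print("key recovered from one AMEX leak:", recover_key("1206", "2698"))  # 1492
    print(pins_from_one_leak("1206", "2698", {"MasterCard": "3004", "OASIS": "3452"}))
```

The derived PINs themselves do not look weak by the heuristics, but that is beside the point: the only secret in the scheme is the four-digit key, and it is exposed by a single shoulder-surfed card and PIN.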
Discussion
What's good about the example PIN algorithm?
What's bad about it? How would you improve it?
Call to Action
1. Come up with your key and password algorithm.
2. Use it to come up with your new UGA MyID password.
3. Use it to adjust your other passwords.
4. Start changing your password frequently: about once every 3 months (policies may vary).