4. TODAY’S AGENDA
• Creating strong passwords
• Monitoring your passwords
• Remembering your passwords
• Recovering from a stolen password
• More information
5. ARE YOU USING STRONG PASSWORDS?
• How Secure Is My Password? (sponsored by Dashlane)
• The Password Meter
8. SOME TIPS:
Do
• Start with:
• Sentence (abbreviated)
• Passphrase
• Misspelled longer words
• Unrelated words string
• Add upper and lower case
• Add some numbers
• Add some symbols
Don’t
• Repeat part of your user name
• Use something others know about you
• Use real words only
• Only replace letters with symbols to make common words more “secure”
• Write down your passwords (use a password manager)
9. EXAMPLES
Starting Points
• Abbreviated sentence: “The first President was George Washington” → TfPwGeoWash
• Passphrase: “President Barack Obama attended Columbia and Harvard Law” → BarackObamaColumbiaHarvardLaw
15. USE A PASSWORD MANAGER
See: Use a Password Manager on the class page for links to these products.
16. PASSWORD MANAGER KEY FEATURES
• Operating systems
• Browser integration/Form Filling
• Mobile Platforms
• Secure sharing
• Password generation
• Price: Free, Freemium, Paid, Educational discounts
• BONUS! Security Alerts
• BONUS! Two factor authentication
17. BUT KEEP IN MIND…
“Lastpass, a company that offers users a way to centrally manage all of their passwords online with a single master password, disclosed Monday that intruders had broken into its databases and made off with user email addresses and password reminders, among other data.” – Posted June 16, 2015
Source: http://krebsonsecurity.com/2015/06/password-manager-lastpass-warns-of-breach/
18. HOW ELSE CAN YOU PROTECT YOURSELF?
• Don’t share passwords with anyone!
• Don’t reuse passwords on important sites.
• If you must share a password, share WISELY: use your password manager’s secure sharing feature, not email.
• Monitor your email addresses.
• Use multi-factor authentication, when available.
• Add password recovery features to your accounts.
24. FACTOR: WHO YOU ARE
Source: http://en.wikipedia.org/wiki/Multi-factor_authentication#Background
25. ADD PASSWORD RECOVERY FEATURES
• Choose your reminders and questions wisely!
• Safe (the answer can’t be guessed or looked up online)
• Stable (the answer won’t change over time)
• Memorable
• Simple (a precise answer you will type the same way every time)
• Many (the question has many possible answers)
• Choose questions that satisfy one or more of these criteria.
Source: http://goodsecurityquestions.com/examples
26. RECOVERING FROM A STOLEN PASSWORD
• Change the password
• Assess & repair the damage
• Scan & protect your systems for vulnerabilities
27. ASSESS & REPAIR THE DAMAGE: EMAIL & SOCIAL MEDIA
• Facebook: Hacked Accounts
• Twitter: My Account has been hacked
• Instagram: Hacked account
• Snapchat: My account is hacked
• Google: You think someone else is using your account
• RWU Email: 401-254-6363 (Media•Tech Support Center)
28. ASIDE: SOCIAL MEDIA SAVVY
• Know and use the security features of your social media sites.
• Be careful who “friends”, “follows”, or “links” to you.
• Keep your personal information private.
• Review regularly the “apps” and other tools that link to your social media accounts!
29. ASSESS THE DAMAGE: FINANCES
• Check your credit report: annualcreditreport.com
• Monitor your accounts
• Know the difference between your options: fraud alert, lock, security freeze
• Federal Trade Commission: Place a Fraud Alert
• Contact the credit bureaus:
• Equifax, Experian, Transunion
31. PROTECT YOUR SYSTEMS!
• IoT/”Smart” devices (e.g. Amazon Echo, Fitbit, Webcams)*
• Change default passwords
• Update the “firmware” regularly
• Use encryption
• Set up a private network for the devices
• Limit connections to “updates only”
• BitDefender Box
* See How To Protect Your IoT Devices
32. IMAGE CREDITS
• Think big: “Magic 8 Ball” by Christian Heldt.
• Change your passwords often: “All four seasons – Outside my window” by Sundar M, licensed under CC BY-SA 2.0.
33. IMAGE CREDITS
• Avoid Using the Same Password Repeatedly: “MoneyCash” by 2bgr8STOCK, licensed under CC BY 3.0; “Instagram and other Social Media Apps” by Jason Howie, licensed under CC BY 2.0. Other images courtesy of RWULaw, Microsoft.
• I changed all my passwords to “incorrect”: “You’ll never forget your password ever again” by Meme Binge, licensed under CC BY 2.0.
34. IMAGE CREDITS
• Use Multi-Factor Authentication when Available: “Step 1: Ready your ATM card” by Colin McCloskey, licensed under CC BY-NC-SA 2.0.
• Factor: What You Know: “ATM keypad 2/4” by redspotted, licensed under CC BY 2.0.
35. IMAGE CREDITS
• Factor: What You Have:
• ATM card: “PHOTO365 DAY 4” by Allan Donque, licensed under CC BY 2.0
• Security keys: “RSA Tokens” by Edwin Sarmiento, licensed under CC BY-SA 2.0
• Mobile phone: “Sony Experia Neo MT15i Mobile Phone” by Matt Kleffer, licensed under CC BY-SA 2.0
36. IMAGE CREDITS
• Factor: Who You Are:
• Fingerprint: “Fingerprint” by Jose Luis Agapito, licensed under CC BY-ND 2.0
• Eye Scan: “iRobot Eye v2.0” by Tc Morgan, licensed under CC BY-NC-SA 2.0
• Face recognition: “MyHeritage.com Face Recognition” by MyHeritage.com
37. QUESTIONS?
• Let us know!
lawlibraryhelp@rwu.edu
or
401-254-4547
• Class Webpage:
http://lawguides.rwu.edu/appyhour/passwords
Editor's Notes
Crack-time estimates from How Secure Is My Password? for the Red Sox example:
Redsox = Instantly
Redsox2004 = 6 years
Thebostonredsoxrule = 3 quadrillion years
Th3B@st0nr3ds@Ru13 = 71 quadrillion years
Note that while some systems will require symbols, sometimes the symbols you may use are restricted. Follow these basic principles with whatever you are allowed to use.
Select a sentence, phrase, or words that are meaningful to you. History buff? Use a historical fact as a base sentence. Creating a login for a school page? Use multiple facts about yourself as the passphrase.
Bio major? Use terms from your field as a starting point. Or string together a few favorite but unrelated things: town, animal, color, snack.
Use “systems” to add to your base password. In the first two examples, since I already had some upper case where it would normally be used, I added it at the end of words, consistently. For the last example, I used uppercase for each syllable.
If possible, use related numbers to add to your password, but use them unexpectedly.
For example, while many may remember that George Washington was president from 1789 to 1797, it might be harder for some to guess that he died in 1799.
For Barack Obama, the years would normally appear after the related fact, but here we put the years of birth and graduations before the names.
For misspelled words that don’t have a number easily associated with them, you can use common replacement symbols for letters.
Misspelled longer words are less likely to appear verbatim in a cracking wordlist, although rule-based cracking tools do generate common misspellings and substitutions from ordinary dictionary words, so the length and obscurity of the base word still matter.
Use a system, however. Here, the first o and e that are not the first letter of the syllable were replaced with zero and three, respectively.
Add symbols unexpectedly. Many people use an exclamation mark at the end of a password. Instead, use it to replace ones, ells, or eyes. The @ symbol is frequently used for the letter a, so that is an easy substitution as long as you have changed enough other characters as well.
---The three passwords created here passed “How Secure is My Password” with flying colors, and would take trillions or more years to be cracked by a computer.
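The crack-time figures above come from an online meter that assumes the attacker brute-forces every character position. Real cracking tools work the other way round: they take each phrase in a wordlist and apply rules (capitalize a word, swap o for 0 and e for 3, and so on), which is exactly the kind of "system" these notes recommend. The Python example below is an added illustration, not part of the original slides: it applies that system to a constructed sample phrase, enumerates every string a small capitalize-plus-leet rule set can derive from the phrase, and compares the brute-force cost model with the wordlist-plus-rules model. The four-entry rule set, the guess rate of ten billion per second, and the one-billion-phrase wordlist are assumptions chosen for illustration, not figures from the slides.

```python
import itertools
import re

# Substitutions the notes describe (o->0, e->3) plus two other common ones.
# Assumption: a real hashcat/john rule file holds thousands of rules, so this
# four-entry set understates what an attacker would try.
LEET = {"o": "0", "e": "3", "a": "@", "l": "1"}

GUESSES_PER_SECOND = 1e10  # assumed GPU rate against a fast, unsalted hash


def author_style(words):
    """Apply the notes' scheme to a list of words: capitalize each word and
    replace o->0 and e->3 except where the letter starts a word."""
    out = []
    for w in words:
        body = "".join(LEET[c] if c in "oe" else c for c in w[1:])
        out.append(w[0].upper() + body)
    return "".join(out)


def rule_variants(words):
    """Every string a 'capitalize word / leet-substitute letter' rule set can
    derive from the base words.  A cracker tries all of these for every phrase
    in its wordlist, so the size of this set is the per-phrase attack cost."""
    chars = "".join(words)
    starts, pos = set(), 0
    for w in words:
        starts.add(pos)
        pos += len(w)
    options = []
    for i, c in enumerate(chars):
        opts = {c}
        if i in starts:
            opts.add(c.upper())  # rule: capitalize the first letter of a word
        if c in LEET:
            opts.add(LEET[c])    # rule: leet-substitute this letter
        options.append(sorted(opts))
    return {"".join(combo) for combo in itertools.product(*options)}


def brute_force_guesses(password):
    """Upper bound an online meter reports: (alphabet size) ** length."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    return alphabet ** len(password)


def brute_force_years(password):
    return brute_force_guesses(password) / GUESSES_PER_SECOND / (365 * 86400)


def rule_attack_seconds(words, phrases_in_wordlist=10**9):
    """Cost when the base phrase is one of `phrases_in_wordlist` entries the
    attacker runs through the rule set (the wordlist size is an assumption)."""
    return phrases_in_wordlist * len(rule_variants(words)) / GUESSES_PER_SECOND


if __name__ == "__main__":
    base = ["the", "boston", "redsox", "rule"]  # constructed sample phrase
    pw = author_style(base)
    print(pw, "is one of", len(rule_variants(base)), "rule variants of the phrase")
    print("brute force estimate: %.1e years" % brute_force_years(pw))
    print("wordlist + rules estimate: %.0f seconds" % rule_attack_seconds(base))
```

Running it shows that the leet-and-case variants of a four-word phrase number only in the thousands, so once the base phrase is in an attacker's list the substitutions buy minutes rather than quadrillions of years. The strength of this scheme comes from the length and obscurity of the base phrase, not from the symbol swaps, which is why the notes stress choosing a phrase nobody else would think to try.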
But use some common sense. Hackers want your personal/financial/health info, not your research (at least while you’re in law school). All of my passwords for research-related sites are the same, or a variation of a word that I use if the site requires a more secure password. Hackers will not be trying to hack my HeinOnline or EBSCO password; they want my American Express password! As a rule of thumb, if a site has financial, health or personal information about you that could be used to hack your other accounts, then you need a unique password for that site.
While some systems will force you to change passwords every semester or every x number of days, many will not. Schedule password changes for sensitive accounts according to the seasons, at least once a year. You don’t have to change all of them at once. For example, you could change school related ones in the fall, money related ones in the spring, passwords for fun things in the summer, and work related ones in the winter.
If you are using longer and complex passwords, writing them down may defeat the purpose of creating them! A password manager can help!
The moral here is that even password managers are vulnerable. So use something memorable that only you and a trusted relative will know. Pick reminder questions that others can't answer by using Google or Facebook. Use an intricate fact as your passphrase. For example, something from your childhood or something memorable from a TV show or movie that you like. It could be something like “My brother’s sport in high school was track and field” or “Dexter called his brother Biney when he was a kid” (both true). My passphrase for my password manager is a favorite childhood memory that is not on social media or the web and very few people know.
I've already discussed the first three; now let's look at the others.
BUT SEE LASTPASS BREACH
Fraud alert: A fraud alert tells creditors to take steps to verify your identity before opening new credit in your name. Placing a fraud alert is free. The initial fraud alert stays on your credit report for 90 days. Be sure the credit reporting companies have your current contact information so they can get in touch with you.
Lock: A service offered by the bureau that lets you lock and unlock your credit report on demand. Free to $24.99 per month, depending on the bureau.
Freeze: The credit bureau restricts access to your credit report, which prevents new accounts from being opened in your name. There may be a fee, depending on state law.