End User Security Awareness
End User Security Awareness Overview
In this episode, Daniel and Don examine the characteristics that make up a high quality password. They identify weaknesses found in many passwords and demonstrate how attackers can take advantage of weak passwords. They then help the viewers by suggesting a few methods to easily create memorable, yet secure, passwords.
0h 35m
You're watching ITProTV.
I'm your host, Don Pezet.
[CROSSTALK]
[MUSIC]
You're watching ITProTV.
All right, good morning,
good afternoon, and good evening, and
welcome back to another
episode of ITProTV.
I'm your host, Don Pezet,
here again with another episode of
security awareness training, right?
We wanna make sure
everybody is prepared and
understands their responsibility of
providing good IT security practices.
That's what we're gonna take a look at.
And here in the studio to help me is Mr.
Daniel Lowrie.
Daniel, thanks for joining us.
Thank you so much for
having me, Mr. Pezet.
I'm glad to be over here in this driver's
seat to teach you guys a little bit about
some end user security today.
And today we're specifically
going to talk about passwords.
Yes, I know, you're probably going,
not this, not passwords, I hate passwords,
they're the bane of my existence.
And yes, I have heard that many, many
times from many, many users because we
understand that there are logins for
just about everything nowadays.
And you have to create a secure
password and I can never remember it.
And what's a good password?
I'll just use my mom's maiden name and
that'll be great and
we're off to the races.
So we need to talk today about
what does make up a good password.
Something that you can use that will
be easy for you to remember and
work with, and
maybe even work across the board.
It will work with this sign
on as well as this sign on.
I know that a lot of different vendors
will give you a lot of different criteria
for passwords, so we're gonna
talk about that subject as well.
But we're just gonna start
off with the basics.
I like to call it, Don,
the good, the bad, and the ugly.
And unfortunately,
we're not going to start with the good.
We're gonna start with the bad and
then we're going to move to the ugly.
And then we'll get to the good.
Because we have to understand what a bad
password is first before we can understand
what a good password looks like.
So that's where we're
going to start today.
Now, Daniel, you mentioned like
people dread learning about passwords.
What's such a big deal about passwords?
The big deal is,
is that typically in my experience,
a lot of people hate having to come up
with something that meets the criteria for
their environment,
their organization, right?
They've said,
it's gotta be x amount of characters long.
You've gotta add this.
It's gotta have a number.
It's gotta have that.
It's gotta have this.
And coming up with that can be an area
of consternation for a lot of people.
And then, after x amount of days,
40, 50 days.
Maybe 30 days.
They tell you you gotta do
it all over again, right?
So this can be the hair pulling,
the teeth biting or
the nail biting of passwords, right?
So we're gonna try to help you be able to,
every time you need to create a password
or update a password, create something
that's gonna work for you and be easy to
remember and work with, as well as meet
the criteria for your organization.
And I understand that.
If I gotta meet these criteria,
it's gonna be a pain.
So if the companies know that
I'm not gonna like that,
why do they make us do that anyway?
Yeah, that's a great question.
The answer to that is security, right?
People are actively trying to get at data.
These are the hackers,
the bad actors, the threat actors,
whatever you want to call
them in the security world.
Basically the bad guys out there that go,
you know what?
It'd be nice to have
Don Pezet's user name and
password to gain access into the system.
And if I get access to the system, maybe
I can find something interesting that'd
be worth either money to me or prestige.
So this is the whole purpose
of keeping that data secure.
We have information inside of, regardless
of what organization you work for,
there is information in there
that could be valuable or
potentially dangerous in the hands of
some threat out there, some bad guy.
So we wanna keep those out of their hands
and passwords are typically that first
guard, that first gate that we run
into as gaining access into a system.
So if they can get past that,
they at least have some form of
access if not quite a bit of access.
So we have to keep our passwords secure,
and
we have to keep them out of
the hands of those bad guys.
So doing that means coming
up with strong passwords.
You have to worry about crackers, and
that is basically like trying to work your
way through a set of predefined words or
passwords that they have lists of that
might give you access to the system.
Or just what we call a brute
force where they just okay,
start with 0, okay, 0 didn't work, 00.
Okay, 000 and then just go through,
and computers do this,
we don't do this, right?
I mean, you could.
It wouldn't be a whole lot of fun for
the bad guy out there, but
there are tools that they have at their
ready that will allow them to basically
hammer at the door and hopefully find
a weak password that allows them entrance.
So this is what we have to worry about.
This is why we need to work with
passwords to make them secure.
Now, I know like physical safes.
Like a combination has three numbers And
if it's one through fifty, that's a lot.
But in theory, a human with enough time
on their hands could sit there and
turn that dial and eventually hit
the right number to open the safe.
It's the same with passwords, right?
But you said computers do it
because the longer a password is,
the harder it would be to to guess, right?
That's exactly right.
Don hit the nail on the head.
If the password is short enough, a human
could potentially just sit there and
guess over and over and over again, and it
probably wouldn't take them too much time.
So obviously a three digit password,
that's not gonna take you
much time to get through.
I think I actually did the, all the four
digit codes on my TV remote one time.
[LAUGH]
It took me about an hour to figure all
the codes that actually worked,
all right, and especially from IT.
So I was able to do that in one hour and
a four digit code.
That was a human pushing
buttons physically.
Imagine what your computer can do and
the power and the processor behind it.
So they have very,
very strong password crackers out there.
So we have to make sure that these
passwords are nice and strong.
Now we don't wanna go too crazy though.
right?
Cuz I could have a 100 character password.
[LAUGH]
And I'd be super secure, right?
So what's the kind of recommendation?
Yeah.
That's a great question.
Let's go ahead and jump on my computer.
Let's look at the bad and the ugly, right?
So here I've got a couple of examples of
different types of passwords you could run
in both links and complexities, right?
So you have a seven character
password with one upper case letter,
two digits, and one special character.
That's an exclamation point,
a hash tag, something like that.
So usually, you have to hit the Shift
to get one of these things.
Running that through
an average password cracker,
you're gonna crack the password at
0.24 minutes, that is not very long.
So that is not a good password.
But as Don suggested, the longer we make
that password, the more secure it becomes.
And you see that with an eight character
password with one upper character,
two digits, and
it's basically the same format.
We're just adding length to it.
That jumps to 1.11 hours.
All right, well,
that seems like a whole lot better.
Except, then an hour's not very long
in the grand scheme of things, so
that's really not enough time.
And then if you move to a 10 character
password, same criteria, 31.17 days.
Now that sounds strong.
That sounds like we
are actually getting somewhere.
And you know what?
It might be strong enough.
That might be a strong enough password
depending on your environment.
I think I see a pattern here.
So when my company asks me, and says,
Don, you need to change your
password every 30 days.
Yes.
I'm going to say, that's dumb.
I don't want to change
my password every month.
But, if it takes 31.17 days, right?
And somebody starts to try to break my
password, well, within 31.17 days I'll
change my password to something new so
that that protects me, right?
Is that the reasoning
behind password changes?
That is exactly right, so
when your company says, hey,
we need you to update your password.
You get a prompt on your computer
screen that says update your password.
It's that time.
Please enter a new password.
Yes, I know, it's a headache.
You gotta come up with something new.
We'll broach that in just a minute.
But this is the reason why, because these
modern password crackers are very fast,
they're very efficient,
and within 31 days.
So if we set the threshold for 30 days,
well, you should be pretty safe.
And obviously the longer you go,
the better that's going to be and
then maybe we can bother you less
if we make the 11 characters, well,
then you don't have to worry about it.
If we make that the standard,
it's gonna make it a whole lot harder for
those password crackers to nail it.
Alright, now let´s talk about the ugly,
right.
That's the bad, these are bad passwords,
ten characters,
it´s skirting the line, it could be good,
but it might be bad, right.
The ugly, just like what we got up here,
we got default passwords.
So if you are asked to install something,
and it´s got a username and
password field that you log into it,
maybe some new software on your computer.
Do not stick with the default
that it comes with,
you need to change that password.
Anybody can go to Google type in
default password for x software,
default password for this router,
default password for this access point.
And if you have left it the default, well
you basically just said, I'm gonna hang
the key outside of the door, and
anybody that wants to come in come on in.
So that's not a good idea,
change default passwords.
That's why I call it the ugly, because
you've done nothing to secure that system,
and you basically ask
people to enter into it.
And then we have words associated
with your person and or organization.
So this is kind of diving into what makes
a good password, obviously this does not.
We don't wanna use organizational
terms if, we're here at ITProTV,
I don't wanna make my password ITProTV.
I don't wanna make it shows rock.
[LAUGH]
Or
anything that has to do with what I do for
the company, or what the company does.
Yeah, I mean you could even think of
like geographic things that change this,
and we're in Gainesville, Florida.
Right.
Which is the home of the University
of Florida, and the Florida Gaters.
And so I can guarantee probably a third of
the population of this city has the word
gaters in their password, and it sounds
like an exaggeration but sadly it's true.
I've worked at an organization where
I saw this, Daniel you did too,
where there were tons of employees that
would just use various combinations
of the word gaters in their password.
And so
if you knew that somebody was from here,
that kinda would be your starting point,
and shrink the amount of passwords you had
to try before you could guess
somebody's password and get in.
That's right, that's exactly right.
So your IT people might make
that part of the policy,
where you can't use specific words
because they realize that right,
they're trying help you out,
make a good password.
And that can lend to
some of that frustration,
you're like I just want to use gators123.
Yeah, that's easy to remember,
but length is not great, and
it is too close to something that
somebody could easily guess.
We wanna keep that guessing ability out of
the picture as much as humanly possible.
So those are the bad and the ugly,
let's finally jump into the good.
Okay, well we've seen bad stuff,
what does a good password look like?
Well, let's take a look,
if you jump to my screen you'll see here
passwords that aren't easily guessed or
cracked.
That's basically what it comes down,
the opposite of what we just saw.
I know that seems a little facetious, but.
[LAUGH]
I like to a have
a little fun with the word play.
So I did jump up to that 11 character
password, with one uppercase,
two digits and
one special character, right.
And you'll notice that the amount of time
that it takes to crack that password went
from, how long was it, we had-
31.17.
Yeah, 31.71 days to 810.36 days.
At this point I could let you
have that password for the year.
Two years, four years, well not four,
I guess we're getting up there, right.
But couple of years,
I could allow you to keep that password,
if that's what we made the standard.
Is it more difficult to create a password
that's 11 characters, it can be.
I know that not everyone's awesome,
creative, right.
I don't run around like Picasso and create
amazing paintings every day of my life,
I'm not that creative.
But I do have to be creative
with a password to make it long,
and rememorable, right.
Something that meets the complexity
requirements, and that I can remember,
don't forget the remembering part.
Because I've always found that, Don,
I don't know if this is
your experience as well.
That when I get a user they call me up and
it's something to do with their password,
they typically are complaining about,
I can't remember this, and
that's where they really get upset.
Yeah where I usually saw it was,
let's say you had a 30 day password change
window, so every 30 days people
had to change the password.
They would change it, and the next day
support tickets would always go up,
because people would forget their
password the very next day.
After they had used it for a week of two
they'd kind of commit it to memory and
now they've got it.
But if they don't have
some kind of mnemonic,
some kind of way to remember what that
password is, it's easy to forget it,
especially on the first day, which means
you end up have to change it again.
And you kinda repeat the cycle,
people get really frustrated with that.
Yeah, and that's totally
understandable, I get that myself.
I have been just as frustrated as anybody
out there about having to come up with
passwords.
And especially, like I've talked
about before where you have
multiple different vectors
of authentication.
I've got this website that I log into,
which we do business with, it's not our
system, but I have to log into it
because we do business with them, right.
Their login credential, their
requirements aren't the same as ours.
So I have to come up with something for
them, then I have to come,
and then the times that they change their
passwords are different than ours, and
now I'm constantly changing and
trying to remember passwords.
So that's where we come in,
how do we make a good password?
A, length, length is great, we want to
make them all as long as we can remember.
But how do we remember that long password,
right.
That's the rub.
What do we do?
Well we use phrases instead of words.
Words can be easily forgotten, or they're
too short, that's typically the problem,
they're just too short.
So what we do, we make a phrase,
something that I can easily remember.
I don't know about you Don, but I can
remember the preamble to the Constitution,
we the people of the United States,
right, and so on and so forth.
That's something that we learned,
that's buried into our brains.
Maybe the Pledge of Allegiance,
something you do on regular basis.
The opening to Star Trek or.
[LAUGH]
Any set of words, or a phrase that is
going to spark your memory,
maybe you have a favorite lyric to a song.
These are great passwords, why?
Because they can be long, and
they're easy to remember.
So that gives us our length, and our
mnemonic to make them easy to remember,
that's the big important one.
If you look at my screen really quickly
you'll see that Wethepeopleofthe, and
I put a 01, and then the US and
then an exclamation point,
that meets all my complexity requirements.
I see that I have a capital W, right,
there's one complexity requirement.
I have plenty of length when
it comes to this password.
We also have 2 digits, 0 and 1.
And then I have an exclamation point at
the end, which is my special character.
This is a great password to remember,
I'll never forget this, it'll always be
stuck in my head, and I can fiddle with
this the next time I change my password.
Maybe change the 01, to 10, maybe
change it to 20, maybe change it to 90,
or 99, or any other combination
of numbers that I want.
I can make it 001,
I can always add more numbers if I like,
I don't have to stick with 2,
I just have to have at least 2, right.
So that is just good security.
Now if you are not required to add any of
the capitalization, special characters,
or numbers, that's okay,
length really helps out with those.
Short passwords when it comes to that,
those aren't going to be very good at all,
they're going to be very easy to crack.
The complexity helps when it comes to the,
what we call a dictionary type,
I've got a list of words.
If I were to use just, we the people
of the United States, or the US,
that might actually be in a dictionary.
Somebody might have a file that has
something like that inside of it.
And that's what they call a dictionary,
its just a file full of common phrases and
words that people use as passwords.
So we don't want to be inside
of one of those files, but
we might want to use stuff that would be
in there, but we've gotta change it up.
So we break it up, I put 01 before,
I don't put it at the end,
I don't put it at the beginning,
put in the middle somewhere, right.
Cuz that keeps that from
being a dictionary word.
It's no longer a word to the computer.
It's a word to us, and that works out
great because I can remember that word,
but the computer is just, this is
just a string of a weird characters.
And now my dictionary's not
gonna have that in there.
I'm gonna have to resort to that
brute force that, okay, let's try 0.
Let's try 00, let's try 000, A,
AB, ABC, and so on, and so forth.
And we've seen the amount of time that
a password of this length would take.
And as we're looking at the actual time it
would take to maybe crack that password,
I don't know, Don,
you think that's a pretty secure password?
I thing 300 Trillion Years
is probably fine.
[LAUGH]
And
we could even make it more if we wanted.
Because you mentioned weird characters,
right?
Yeah.
You've got the exclamation point there.
You could go ahead and
put the spaces between the words, right?
Yes.
And if you did that here,
what we looking at, what, six more spaces?
Mm-hm.
That means your password
would be that much stronger.
I mean, you could really crank this one up
without having to jump through a bunch of
extra hoops to be able to remember it.
So the key secret here is using
a pass phrase, not a password.
Exactly, you hit the nail on the head.
Easy to remember, meets complexity and
length requirements for strength.
And that's what we're looking for.
And like Don said, if you have a hard
time typing that out without hitting
the spacebar, I know, it did take
a little getting used to, for myself.
That's fine, add the spaces.
That way you're just typing it
like you normally would type.
You're just typing a phrase out,
easy to remember, I like this.
Now there's another way to create
a really strong password using length and
complexity requirements.
And that is to take the phrase, and
just take the first letter
of each word in the phrase.
Again, an easy mnemonic to remember,
I used Little Miss Muffet as an example.
I don't know why that jumped into my
head when I was creating an example for
this, but it did.
And then I have, little miss muffet sat
on her tuffet eating her curds and whey.
I think this says something
about your personal character.
I think we might need
to look into this one.
Don't judge me.
[LAUGH]
Don't judge me cuz I don't like where
he's going right now.
[LAUGH]
[LAUGH] But it's a nursery rhyme, so
pick something like that.
And you just take that first character out
of each one.
And
that is going to make up your password.
Right above it, you'll see I have a hash
symbol, or a pound symbol, whatever
you like to call it, that starts mine.
Instead of putting it at the end,
I put it at the beginning this time.
I could've put it in the middle,
I could put it anywhere I like.
And then, little miss muffet sat on her
tuffet eating her curds and whey.
And I could even remember that,
lmmsohtehcaw.
[LAUGH]
Maybe I'll remember it that way after
a few hundred times of typing it in.
But I'll never forget
the Llittle Miss Muffet nursery rhyme.
And then I add my numerical complexity,
if I like, or if that's required
of me by our administration.
Not a problem, and
there you go, I put 001 at the end.
This is not as long
as the We the people one.
And so unfortunately,
I only got 10 million years out of that.
And man, I should probably think about
strength increasing on that.
But again, easy to remember,
meets the complexity requirements.
And speaking of the time on these.
We might look at it and say,
10 million years, that's forever, right?
But each year,
computers get faster and faster.
And that means the people that are running
password cracking utilities or the brute
forcing utilities, they get faster and
faster.
So today, it might be 10 million years.
But a year from now it might only be one
million.
And then it keeps going down, and down,
and down.
Right.
So as the years go by,
passwords get increasingly weaker.
But the reality is that the biggest
weakness of a password is not so much the
brute force side of it, it's ourselves,
right, Daniel?
Like we can weaken password security
pretty easily.
Man, there is apparently no patch for
our humanity.
And that is that if Don and I were working
together, this is a prime example.
Don is hitting the nail right on the head,
again, that we tend to
give our passwords out.
This is a bad practice, this is a no.
Warning, warning, warning, Will Robinson,
do not do this.
Do not give out your password.
No administrator is going to call,
worth their salt, and say, I need your
password to log into such and such.
He's an admin, he has rights to every
system that you have in your company,
your organization, wherever you're at.
And he doesn't need yours.
And in fact, I could change your
password and log in as you, if I felt so
inclined, as an administrator.
I can't think of many reasons
why that would come about.
But almost invariably, if not invariably,
they will not ask for your password.
They won't have you write it down and
give it to them.
So you don't need to give
your password out to anyone.
And going even a step further, let's
say I give mine to an IT rep that calls.
Or even a family member, or
a co-worker, or whatever.
And so I give it to her, and
it's the Little Miss Muffet 001.
And I think to myself, well,
when she's done with it,
I'll just change it to make it 002, right?
But now she knows the pattern.
She sees like, Don uses Little Miss Muffet
001, I bet he's going 002.
[LAUGH]
Or whatever, it, again,
minimizes the guessing pool she had to
go through to figure out that password.
So you gotta keep that in
mind with these passwords.
That they're designed to be just for you.
And if you do give it to somebody else for
some particular reason.
Hopefully, that doesn't happen,
but if you do.
You not only need to change
your password afterwards,
you need to change it to
something completely different.
Because otherwise, you've already weakened
the integrity by giving out a part of it.
That's right, you set a precedence of,
well, they use nursery rhymes.
Maybe I'll just go through
a book of nursery rhymes and
try the same thing until I hit it.
Maybe I can create a computer
program that does that for me.
Hint, hint, that exists, okay?
[LAUGH]
So
we don't want to be giving our passwords,
don't share them with anyone.
Also, this has been a common practice for
quite some time.
Even though it's become a bit of
a joke inside of the IT industry,
is that people write their passwords down.
And what do they do with it?
They put it on a sticky note,
and they put it on their monitor.
If they think they're really slick,
they stick it underneath their keyboard.
[LAUGH]
And they just, flip it up,
there's my password.
Now you might be going, I do that,
well, a lot of people do.
So we wanna get you away
from that practice.
And there's a good reason for
that, obviously.
Then we could just look up and
check it out.
Yeah, and Daniel and I,
we used to work together at
an insurance company years ago.
And you'd go in the field
to some of the offices.
And if the person wasn't there
who was working on the computer,
it was just our general practice to say,
you know what?
Let me look under the keyboard.
Yep.
Or let me ask their secretary,
let me check some of the other employees.
Somebody'll know the password if
it's not stuck on the monitor.
And we joke about it, but it was so
common you could almost count on it!
[LAUGH]
That everybody in the office knew their
password, or it was written somewhere
easy to find, it was almost comical.
And the thing here is you may not mind if
you share your password with a coworker.
Yeah.
Maybe it's a part of your normal
workflow that you'd do that.
But if it's in an area of open display,
somebody could be coming in to
clean the office after hours.
You could have customers that are in
the office that see the password.
And now they know it, now it's leaked out.
And that's why it's so
important to remember that passwords
are designed to be kept secret.
That we don't share them, and
that we keep them committed to memory.
So like Daniel, your techniques of making
it easy to remember these passphrases,
that really helps with that, right?
Yes, that's exactly right, that way
you don't need to write them down.
It's something you'll easily remember.
And therefore,
it just keeps you out of those weeds,
out of putting them on a sticky note.
Watch the old 1980-something
movie WarGames.
[LAUGH]
As he sits down in his
principal's office, and
he sees the secretary pull a sheet down.
And there's the passwords, and
they're all scratched out.
And only the current one is available,
we don't wanna get into that business.
Now back then,
we typically only used one system.
And you'd log into a mainframe,
you had this one password.
But in today's world,
you've got people that have email.
They have network servers,
they have Facebook.
They have all these different accounts.
That is a lot of passwords to remember.
So doesn't that encourage us
to write them down on paper?
It does actually,
Don is very right on this.
Because we have so many different
places that we're logging into,
makes it really difficult for us.
Even if we create a really
strong password, well,
maybe I can't use that
password at this login, right?
Maybe I can't use that
password over in this login.
So we end up having this
multitude of different passwords.
Now we have a really good way of creating
strong passwords, That we can use, but
they'll still be different.
Which password did I use for this login?
I don't remember.
I'll just try them all.
Well maybe you've got seven or eight
different passwords that you want to rifle
through, and
maybe that hits a lockout threshold.
You've tried the login too many times,
and now your account is locked out.
And that's well,
man the anxiety starts coming.
I know when I've typed in about three or
four passwords, and they are not the right
one I'm starting to go I wonder if I'm
about to get locked out of this system.
And you just, you get anxious about it.
You don't want to do that because then
you've got to call the help desk, and
say help me unlock this thing.
So we have to come up with some
system that will help us with that.
All right,
I know how to solve the problem.
I can come up with one strong password,
use that same password everywhere, right?
That would be nice, but
unfortunately that's just not practical.
Maybe that will work,
you might be able to get away with that.
I have done a pretty good
job in my own life of,
I think I have three
passwords that I can use.
If it's not this one, it's this one.
If it's not that one,
it's this one, right.
And those have worked just about
anywhere I want to log in from email to
systems that I work with to creating
logins for whatever purposes, right.
So I've kind of boiled
it down to about three.
But not everyone wants to go
through that kind of headache, so
we've come up with what's
called password managers.
And these are freely available, and
maybe your company will implement them or
maybe they have already.
You just need to be aware of them so
that you can use them.
Yeah, there's a lot of software out
there like Last Pass, and Key Pass,
End Pass, pass in the name.
[LAUGH]
[LAUGH]
That help you managing passwords and
the key secret that they have is that they
allow you to use a different password for
every single system that you touch.
Normally that would be a nightmare, right?
And if I log into 100 sites,
I have 100 different passwords,
there's no way I can remember that.
I'm gonna write it down.
Well, these programs allow
us to write it down,
in an encrypted database that
is protected, that we can call.
And it actually improves our security.
Because when you reuse a password
in more than one place,
you're trusting that all of those sites
are securing your data the same way
when in reality you're gonna get
the weakest security out of all of them.
So, your Facebook password
is probably pretty secure.
They're one of the most
secure networks in the world.
Your Apple password is pretty secure but
then,
maybe you log in to some forum or some
sites to find out a little information and
used the same password there.
And their security is not up to snuff.
Maybe their site is run by just one
person with a very limited budget.
And if that site ever gets compromised and
the one password that you use
everywhere just got obtained,
now they can log into Apple or
Facebook because they've got the one
password you use everywhere.
So, you're better off using a different
password everywhere if you can.
But it's too much for our human
minds to wrap around, at least for
most of us, some of you are savants and
you remember these.
[LAUGH] And so that's where these
password managers come in really handy,
is that ability to have a secure
database of passwords you can call up.
And you can use really complex,
really long passwords that
you would never remember.
And different ones for every single site,
but it's okay because it can all be
pulled right from this database.
So definitely a technology you'll want to
look into if your company already hasn't.
Well, Don,
I fully agree with you on that.
Well, around here, we like the LastPass.
We work with that.
It's very simple to install and use, so
there's no good reason not to go ahead and
use something like that.
I love how it can create complex passwords
for you and then it stores them.
You don't have to do anything about it.
You just have that one
password to log into that.
And then Last Pass takes care
of the rest of it for you.
All right, very good.
Now let's talk about some,
just some best practices.
Maybe you're wondering what happens if you
do try the wrong password too many times.
Or why is it that it has me
use a different password.
How come I can't use the password I
used last time, things of that nature.
These are best practices that maybe you're
in charge of a system that requires
that kind of thing to occur, or
you're just wondering what
happens when this does occur.
So let's just talk about that.
Really quickly, we talked about this.
how many attempts do we get.
Well, that varies by organization and it's
just kind of a feel thing as I've noticed.
Maybe it's six tries and
then you get locked out.
Maybe it's ten tries and
you get locked out.
But you do need to come up
with some Lockout policy.
You get X amount of tries before
the system is locked that user out and
that stops those bad guys out there
from just knocking at the gate and
trying to get into the door.
So, that helps that.
It'll put a pause on that and
raise a flag up to the people or
the powers that be that are watching
over these things to say, hum,
looks like we might have
a bad guy going on here.
Yeah and on your diagram earlier,
you said that if I had a seven
character password it could be
broken in 0.24 minutes, right?
Yes.
Really, really fast.
But that's assuming that we have unlimited
guesses and we can just rapidly guess.
So, by having a password lockout, if your
IT department says you get five tries then
you're locked and then you have to call
tech support and get unlocked, right?
That will make it one attacker
only getting five guesses.
What are the odds of getting your password
in only five guesses, extremely low.
So password lock out policies can be
annoying especially if you are the one who
is locked out and you are in a hurry.
But they effectively eliminate
brute force attacks.
So really useful thing so
don't be frustrated If you are locked
out because it is a really useful thing.
So don't be frustrated when you see a lock
out because it's gonna stop somebody
guessing and all you have to do
is to call the text support and
say hey I tried to log in this morning.
I got it wrong a few times.
I got locked.
Or you can say, hey,
I came in this morning and I'm locked out.
I haven't tried to log in at all, and
that alerts the IT department
that an attack happened.
They know that something
incorrect happened.
Either way, your data is protected, so
you should really be thankful
whenever you see that limit.
And you have the added benefit of,
a lot of times this will occur, that
you've got something on your mobile device
that you log into the system with and
now you've updated your password.
Well you forgot to update it on your
mobile device, so what is it doing?
It's hammering away and
hitting that lockout threshold.
Then you have to call the help desk and
they go hum, looks like you might have
a mobile device that needs to be checked.
Did you update your password recently?
Yeah, that's right.
I need to update it on my phone as well.
Because I've had a lot of people go, I
haven't been getting email on my phone for
the last three days.
When was the last time you changed your
password? That was like three days ago.
Ah-ha.
Well that can really help on that
side of things.
The user end spectrum, so
it's a really good thing.
And this can vary a bit from
company to company as well, right?
Yeah.
So I might get locked out and
have to call the support desk.
Correct.
In order to get up.
Or some places make it a little
more automatic, don't they?
Yeah, maybe they'll have a form that
you can go on to the internal site,
the internal website of your company, and
then you can just maybe answer a security
question or something in that effect and
it'll automatically unlock you.
There's a lot of different mechanisms
which they used to make it easy for
the end user to get back in their system
if it's legitimately, I just accidentally
type my password wrong a few times and
I need to get back in the system.
So very good stuff there.
Let's also talk about password reuse.
How many times should you allow
someone to reuse a password.
I've seen 12,
you have to have 12 new passwords
before you can use the old password.
It's gonna go hand in hand a lot with how
long before the password changes a lot
of times.
So, maybe 12 is a lot.
You know maybe you're changing
your password every 20 days and
all of the sudden that's not so much.
But maybe you change your
password every 60 days.
All of a sudden 12 is a better number for
your end user experience,
it's a whole lot easier.
And the idea here is to
protect people from guessing
based on our patterns, right?
So, if my old password was gator001,
and I make it gator002.
[LAUGH]
Somebody could guess that, right?
So, if it triggers a reuse, because
a lot of them are going to look for
how many characters and it'll say you
can't read those five characters or
whatever It, it would pick up by
not changing my password enough.
And that'll stop you.
And again it's just a, to help maintain
the security of your password.
That's why that policy is in place.
That's right.
And also it keeps you from going,
okay well I'm gonna change my password.
I've got gator001, really like it,
I'm gonna make it gator002 and
then I'm gonna change my password and
go right back to gator001.
There are mechanisms usually in place for
that as well, that keeps you from reusing
those old passwords, so
someone can't guess your pattern.
You wanna stay away from that.
That way, the bad guys stay out,
the good guys stay in.
And the last thing I wanna talk
about is the lockout period.
A lot of times there is a lockout period,
if you do get locked out and
let's say it's lunchtime or for whatever
reason nobody's at the help desk or
it's super slammed and you're having
to wait on the phone, typically we can
create a lockout period, maybe 15 minutes,
maybe 30 minutes, maybe 10 minutes.
Of just stopping that and
then after that time expires,
the lockout will relinquished and the user
will be unlocked, allowing them to just
wait the timeout if they can't get to
an administrator to get that to them.
And that might sound like a weakened
security but it really doesn't.
Remember if someone is brute
forcing they're trying to throw
thousands of passwords
per second at the system.
If you hold them down for ten minutes, and
then they get another five guesses, and
then another ten minutes, it slows them
down so much it becomes theoretically
impossible for them to break a password
in any realistic amount of time.
So, it helps to alleviate some of the
frustration on our part as end-users if we
get the password wrong.
I know, I just need to wait ten minutes.
Or wait 30 minutes.
Yeah [LAUGH].
So, you'll have to check with your IT
department to see what your duration is.
Some like high security
environments won't have a duration.
They'll say you are just locked out
until you contact the help desk.
You've got to initiate that procedure.
So, it just depends so that lockout
thresholds, the timers, are pretty common
and you see those pretty frequently just
to help stop those brute force attacks.
That's right.
Well passwords obviously
are a very important thing.
Also, I want to iterate the fact that, if
you are locked out and you don't know why,
you haven't typed in your password
incorrectly X amount of times and
you're still locked out,
contact your helpdesk.
Contact somebody in authority over that
system, so that they are aware that has
happened, maybe there is a bad
guy knocking at the door and
that will help raise that flag for them.
So always be aware of that.
Then when it comes down
to passwords length and
complexity is going to be your friend.
Use pass phrases it's gonna help
you out with that pneumonic device.
So you can remember those lengthy
passwords and if you can get away with it
by all means if you have the means,
get yourself a password manager.
It's gonna make your
life a whole lot easier.
Don, I think that's about all I
got on passwords for today though.
Hopefully that helps you good folks out
there meet your complexity requirements,
meet your length requirements and
stay safe in your environment.
All right, well hopefully
that was a good description for
you guys to explain away why we have
some of these really weird password
requirements that can seem annoying,
and frustrating and pointless.
But they all actually have a reason.
There's a reason they're there in place
and we're the ones who help maintain that.
The IT department can only do so much.
It's up to us to make sure that we
follow proper password policies and
procedures as well.
So, that's a pretty good wrap-up.
Daniel, did you have any parting
words before we close up?
Just don't share your passwords please.
[LAUGH]
Don't write them on sticky notes.
I can't reiteratize that enough, because
if you give someone your password and
they login and
they do something that they shouldn't do.
And they're logged in as you,
the only thing that we can,
and they don't cop to it.
What are we supposed to assume?
Is that you did it.
So don't share passwords, don't write
them down, keep them secure and safe,
use those password managers.
All right, well, ladies and gentlemen
that is gonna wrap up our episode right
here for enduser security awareness.
I do hope you guys enjoy it.
I've been your host, Don Pezet.
I'm Daniel Lowrie.
And we will see you next time.
[MUSIC]
Thank you for watching ITProTV.
Overview
This is a non-technical course designed for every end user. Our experts explain very common security topics that are critical to be aware of in today’s work environment, but explains in the “end-users” non-technical language, so everyone can understand. Many stories are told as examples for easier understanding. One might think this is super easy and doesn’t go deep on topics, but you would be wrong, this course is a perfect fit for everyone to understand and prevent security risk.
Learning Style
On Demand
Length of course
3h 4m
6 Episodes
Here are the topics we'll cover
- End User Security Awareness
Learning Options
Options for this course
Train your team
Stay ahead of the curve and future-proof your business with training programs designed for you.
Channel & Reseller
Transform your experience and integrate with our unique evolving library of Audit, Cybersecurity, and Information Technology courses.
Individual learners
Learn at your own pace and get your certification training.