Your online identity is only as secure as your weakest password. Delivered in December 2013, this presentation discusses how passwords are used online, and the best way to protect yourself.
2. Securing your online identity
Managing your passwords
Agenda
Bunmi Sowande
Technical Specialist – F-Secure (UK)
bunmi_Sowande@f-secure.com
07818 515 687
1. Security in the news
2. Recent password breaches
3. What's the most popular password?
4. How websites store your passwords
5. Password Best Practice - (Mission Impossible?)
6. Using a Password Manager – F-Secure Key
4. Awarded Best Protection
“Out of all corporate endpoint protection products reviewed, F-Secure Client Security offered by far the best protection.”
Andreas Marx, CEO of AV-TEST
Certified and Awarded by numerous 3rd parties!
5. Praised by Analysts
The Forrester Wave™: Endpoint Security, Q1 2013
Forrester Research Inc. gave us the highest score among all vendors for our product roadmap and strategy.
We received top ranking scores on our performance and satisfaction, in addition to our advanced antimalware technologies.
6. Comprehensive Protection
Providing 360° protection from all threats
Business Suite (In-House IT) – managed with Policy Manager:
Internet Gatekeeper, Messaging Security Gateway, Server Security, Client Security, Email and Server Security, Mobile Security, Linux Security, AV for Workstations
Protection Service for Business (Out-sourced IT) – Management as a Service through the PSB Portal:
PSB Server Security, PSB Email and Server Security, PSB Workstation Security, Protection Service for Email, PSB Mobile Security
14. Data Breaches in 2013
Adobe – 38 million accounts – October
Evernote – 50 million passwords reset - March
Twitter – 250,000 accounts – February
Facebook – Email addresses and phone numbers for 6 million users – June
15. Other ’famous’ breaches
LinkedIn – June 2012 – 6.5 million passwords
Sony PlayStation Network – April 2011 – 77 million accounts
16. Adobe Hack – Analysis of data
• 123456 – 1.9 million passwords
• 123456789 – Around 450,000 passwords
• “password” – 346,000 passwords
• Poor encryption meant passwords were easy to determine
• Password hints were stored in plain text
17. How do we pick our passwords?
Poor passwords go right to the top !!
18. How do sites store your passwords
• Plain Text – Cupid Media – November 2013 – 30 Million passwords
• Basic Password Encryption
• Hashed Passwords – e.g. SHA-1
• Salted Hashed Passwords
• Slow Hashes
19. How do sites store your passwords
SHA-1 hash of a password: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
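The four storage schemes on slides 18 and 19 (and the speaker notes on hashing, rainbow tables, salts and slow hashes), as an added example that is not part of the original presentation. The "rainbow table" is a constructed four-entry dictionary, and PBKDF2 from the Python standard library stands in for the bcrypt the notes mention.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: precomputed unsalted SHA-1 digests of
# a few common passwords (the first three appear in the Adobe breach analysis).
COMMON_PASSWORDS = ["123456", "123456789", "password", "qwerty"]
RAINBOW_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def sha1_hash(password: str) -> str:
    """Unsalted SHA-1 as on slide 19: the same password always gives the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_in_rainbow_table(digest: str):
    """A single lookup recovers the password if its digest was precomputed."""
    return RAINBOW_TABLE.get(digest)


def salted_hash(password: str, salt: bytes = b"") -> tuple:
    """Per-user random salt: two users with the same password get different
    digests, and a table precomputed for unsalted digests no longer matches."""
    salt = salt or os.urandom(16)
    return salt.hex(), hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Iterated salted hash. PBKDF2 (standard library) stands in for bcrypt:
    every guess an attacker makes now costs `iterations` rounds of work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_slow_hash(password: str, salt: bytes, stored: str, iterations: int = 100_000) -> bool:
    """Server-side check using a constant-time comparison."""
    return hmac.compare_digest(slow_hash(password, salt, iterations), stored)
```

The digest on slide 19 is what `sha1_hash("password")` returns, which is exactly why an unsalted hash of a common password falls to a table lookup.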
21. Password – Best Practices
Don't write down or share your passwords
Don't use websites with poor security
Use a strong password – length is better than complexity
Always change your password after a breach
Use a different password for every site
If you are unsure of a website's security, use OAuth where available
Use 2-factor authentication where available
23. 2 Factor Authentication
• Google/Gmail – Text Message or Google Authenticator
• LinkedIn – Text Message
• Apple – Text Message or Find My iPhone Notification
• Facebook – Login Approvals – Text Message
• Twitter – Text Message
• Dropbox – Text Message or Google Authenticator
• Evernote – Google Authenticator
• Paypal – Text Message
• Steam – Email
• Microsoft Accounts – Text Message or Email
• Yahoo! – Text Message
• Wordpress – Google Authenticator
24. What is a strong password ??
• 12 Characters
• Not a Dictionary Word
• No Personal Information
• Use Upper and lower case letters, numbers and symbols
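The four rules on slide 24 as a checker, together with a search-space estimate that backs up the speaker note that length beats complexity. This is an added example, not part of the presentation; the dictionary and the personal-information profile are small constructed stand-ins, and the 32-symbol alphabet size is an approximation.

```python
import math
import re

# Constructed stand-ins: a tiny common-password list (the first three appear in the
# Adobe breach analysis on slide 16) and one made-up user profile. A real checker
# would load a full word list and the account's own profile fields.
DICTIONARY = {"123456", "123456789", "password", "qwerty", "letmein"}
PERSONAL_INFO = ["alice", "smith", "1985", "london"]

CHARACTER_CLASSES = {
    "lower": (r"[a-z]", 26),
    "upper": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "symbol": (r"[^a-zA-Z0-9]", 32),  # roughly 32 printable ASCII symbols
}


def check_password(password: str, personal_info=PERSONAL_INFO) -> list:
    """Return the slide-24 rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    if password.lower() in DICTIONARY:
        failures.append("dictionary word or common password")
    if any(item.lower() in password.lower() for item in personal_info):
        failures.append("contains personal information")
    if not all(re.search(pattern, password) for pattern, _ in CHARACTER_CLASSES.values()):
        failures.append("missing upper case, lower case, digit or symbol")
    return failures


def guess_space_bits(password: str) -> float:
    """log2 of the brute-force search space (alphabet size ** length).
    Each extra character multiplies the space; adding a character class
    only widens the base, which is why a long passphrase beats kj$fsDl#."""
    alphabet = sum(size for pattern, size in CHARACTER_CLASSES.values() if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0
```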
25. F-Secure Key – Password Manager
Built with Security in Mind
Completely anonymous – even F-Secure cannot identify who you are or what your data is
Multiple layers of protection – data is encrypted securely
Works on PCs, Macs and tablets
26. F-Secure Mobile Apps
Best Protection for your Android Device
Anti Theft
Anti Malware
Browsing Protection
Parental Control
Safe Contacts
F-Secure Lokki – Personal location tracking for family and friends
F-Secure App Permissions – One app to reveal them all
Displays the permissions for all the apps on your phone. For example, see apps that can cost you money or drain your battery.
27. F-Secure Mobile Apps – Coming Soon
Security in the Cloud
Tracking Protection
Virus Protection
Browsing Protection
Connection Protection
Virtual Location
Sign up for early access at http://freedome.f-secure.com
Cloud Storage - It's your stuff. Not theirs.
We believe in people's right to privacy.
No spying. No backdoors. Access everything, everywhere.
Access your content from Facebook, Picasa
Younited for Business – Collaborate and share
Sign up for early access at www.younited.com
28. Questions ??
Next Webinar – January 15th 2014 (11am)
Securing Virtual and Cloud Environments
Register now at http://bit.ly/fswebinar3
29. Save the Date
Securing Virtual and Cloud environments
Wednesday 15 January @ 11:00-11:45
Why SMBs are outsourcing Security to Managed Service Providers
Wednesday 12 February @ 11:00-11:45
It’s time for business to secure their mobile phones and tablets
Wednesday 12 March @ 11:00-11:45
Editor's Notes
We have been awarded Best Protection.
But why should you use F-Secure to protect your customers? We have been endorsed by Forrester.
Let's look at the detail of our security offering.
Lee Miles, deputy head of the National Cyber Crime Unit, says: "The NCA are actively pursuing organized crime groups committing this type of crime. We are working in co-operation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public."
2012 – LinkedIn – 6.5 million passwords. The stolen passwords, which were in an encrypted format, were decrypted and posted on a Russian password decryption forum later on that day. By the morning of June 6, passwords for thousands of accounts were available online in plain text.
The attack occurred between April 17 and April 19, 2011, forcing Sony to turn off the PlayStation Network on April 20. On May 4 Sony confirmed that personally identifiable information from each of the 77 million accounts appeared to have been stolen. Credit card data was encrypted, but Sony admitted that other user information was not encrypted at the time of the intrusion (including passwords).
123456 - 5% of the passwords
Basic Encryption – The problem is, the key is often stored on the very same server that the passwords are, so if the servers get hacked, a hacker doesn't have to do much work to decrypt all the passwords, which means this method is still wildly insecure.
Hashing – Unlike encryption, hashing is a one way street: if you have the hash, you can't run the algorithm backwards to get the original password. However, you can try different passwords until the hashes match. Rainbow tables are made up of passwords that have already been tested against hashes, which means the really weak ones will be cracked very quickly. Their biggest weakness, however, isn't complexity, but length. You're better off using a very long password rather than a short, complex one (like kj$fsDl#).
Salt – It uses a different salt for each password, and even if the salts are stored on the same servers, it will make it very hard to find those salted hashes in the rainbow tables, since each one is long, complex, and unique. LinkedIn is famous for not using salted hashes, which brought them under a lot of scrutiny after their recent hack—had they used salts, their users would have been safer. Adding a salt in itself does not make hacking harder. Instead, it makes the procedure longer.
Slow hash – Bcrypt. By using a slower hash—like the bcrypt algorithm—brute force attacks take much, much longer, since each password takes more time to compute.
Google Authenticator, text message or email. Apple – Find My iPhone notification. Microsoft covers the Xbox.
Freedome – Android first, iOS 7 coming, PC and Mac. Windows Phone doesn't support VPN.