Protecting your online identity - Managing your passwords
0 likes745 views
The document provides information on securing online identities and managing passwords, highlighting recent password breaches and best practices. It emphasizes the importance of using strong, unique passwords and implementing two-factor authentication. Additionally, it details F-Secure's protection services and products aimed at enhancing online security for individuals and businesses.
Protecting your online identity - Managing your passwords
- 1. Protecting your online identity Managing your passwords 18th of December 2013
- 2. Securing your online identity Managing your passwords Agenda Bunmi Sowande Technical Specialist – F-Secure (UK) bunmi_Sowande@f-secure.com 07818 515 687 1. 2. 3. 4. 5. 6. Security in the news Recent password breaches What‟s the most popular password? How websites store your passwords Password Best Practice - (Mission Impossible?) Using a Password Manager – F-Secure Key
- 4. Awarded Best Protection “Out of all corporate endpoint protection products reviewed, FSecure Client Security offered by far the best protection.” Andreas Marx, CEO of AV-TEST Certified and Awarded by numerous 3rd parties!
- 5. Praised by Analysts The Forrester Wave™: Endpoint Security, Q1 2013 Forrester Research Inc. gave us the highest score among all vendors for our product roadmap and strategy. We received top ranking scores on our performance and satisfaction, in addition to our advanced antimalware technologies.
- 6. Comprehensive Protection Providing 360 protection from all threats Protection Service for Business Business Suite In-House IT Policy Manager Management as a Service Internet Gatekeeper Messaging Security Gateway PSB Portal Out-sourced IT Server Security Client Security Email and Server Security Mobile Security Linux Security AV for Workstations PSB Server Security PSB Email and Server Security PSB Workstation Security Protection Service for Email PSB Mobile Security
- 7. Karmina Senior Analyst Security in the news
- 8. Security in the News
- 9. Security in the News
- 10. Security in the News
- 11. Security in the News
- 12. Security in the News - Passwords
- 13. Security in the News - Passwords
- 14. Data Breaches in 2013 Adobe – 38 million accounts – October Evernote – 50 million passwords reset - March Twitter – 250,000 accounts – February Facebook – Email addresses and phone numbers for 6 million users – June
- 15. Other ’famous’ breaches LinkedIn – June 2012 – 6.5 million passwords Sony PlayStation Network – April 2011 – 77 million accounts
- 16. Adobe Hack – Analysis of data • 123456 – 1.9 million passwords • 123456789 – Around 450,000 passwords • “password” – 346,000 passwords • Poor encryption meant passwords were easy to determine • Password hints were stored in plain text
- 17. How do we pick our passwords? Poor passwords go right to the top !!
- 18. How do sites store your passwords • Plain Text Cupid Media – November 2013 – 30 Million passwords • • • • Basic Password Encryption Hashed Passwords – e.g. SHA-1 Salted Hashed Passwords Slow Hashes
- 19. How do sites store your passwords SHA1 Hash of a password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
- 20. Length is more important that complexity
- 21. Password – Best Practices Don‟t write down or share your passwords Don‟t use websites with poor security Use a strong password – length is better than complexity Always change your password after a breach Use a different password for every site If you are unsure of a website‟s security, use Oauth where available Use 2 factor Authentication where available
- 22. 2 Factor Authentication Something you know + Something you have
- 23. 2 Factor Authentication • • • • • • • • • • • • Google/Gmail - Text Message or Google Authenticator LinkedIn – Text Message Apple – Text Message or Find My iPhone Notification Facebook – Login Approvals – Text Message Twitter – Text Message Dropbox – Text Message or Google Authenticator Evernote – Google Authenticator Paypal - Text Message Steam - Email Microsoft Accounts – Text Message or Email Yahoo! – Text Message Wordpress – Google Authenticator
- 24. What is a strong password ?? • • • • 12 Characters Not a Dictionary Word No Personal Information Use Upper and lower case letters, numbers and symbols
- 25. F-Secure Key – Password Manager Built with Security in Mind Completely anonymous- even F-Secure cannot identify who you are/what is your data Multiple layers of protection – Data is „encrypted‟ securely. Works on PC‟s, Macs and Tablets
- 26. F-Secure Mobile Apps Best Protection for your Android Device Anti Theft Anti Malware Browsing Protection Parental Control Safe Contacts F-Secure Lokki Personal Location tracking for family and friends F-Secure App Permissions One app to reveal them all Displays the permissions for all the apps on your phone. For example, see apps that can cost you money or drain your battery
- 27. F-Secure Mobile Apps – Coming Soon Security in the Cloud Tracking Protection Virus Protection Browsing Protection Connection Protection Virtual Location Sign up for early access at http://freedome.f-secure.com Cloud Storage - It's your stuff. Not theirs. We believe in people‟s right to privacy. No spying. No backdoors. Access Everything, everywhere. Access your content from Facebook, Picasa Younited for Business – Collaborate and share Sign up for early access at www.younited.com
- 28. Questions ?? Next Webinar – January 15th 2014 (11am) Securing Virtual and Cloud Environments Register now at http://bit.ly/fswebinar3
- 29. Save the Date Securing Virtual and Cloud environments Wednesday 15 January @ 11:00-11:45 Why SMBs are outsourcing Security to Managed Service Providers Wednesday 12 February @ 11:00-11:45 It’s time for business to secure their mobile phones and tablets Wednesday 12 March @ 11:00-11:45
Editor's Notes
- #5: We have been awarded Best Protection..
- #6: But why should you use F-Secure to protect your customers?We have been endorsed by Forrester….
- #7: Let’s look at the detail of our security offering…
- #9: Lee Miles, deputy head of the National Cyber Crime Unit, says: "The NCA are actively pursuing organized crime groups committing this type of crime. We are working in co-operation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public."
- #16: 2012 – LinkedIn – 6.5 million passwordsThe stolen passwords, which were in an encrypted format, were decrypted and posted on a Russian password decryption forum later on that day. By the morning of June 6, passwords for thousands of accounts were available online in plain text.The attack occurred between April 17 and April 19, 2011,forcing Sony to turn off the PlayStation Network on April 20. On May 4 Sony confirmed that personally identifiable information from each of the 77 million accounts appeared to have been stolen. Credit card data was encrypted, but Sony admitted that other user information was not encrypted at the time of the intrusion (including passwords)
- #17: 123456 - 5% of the passwords
- #19: Basic Encryption - The problem is, the key is often stored on the very same server that the passwords are, so if the servers get hacked, a hacker doesn't have to do much work to decrypt all the passwords, which means this method is still wildly insecure.unlike encryption, hashing is a one way street: If you have the hash, you can't run the algorithm backwards to get the original password. However, you can try different paswords until the hashes match. Rainbow tables are made up of passwords that have already been tested against hashes, which means the really weak ones will be cracked very quickly. Their biggest weakness, however, isn't complexity, but length. You're better off using a very long password rather than a short, complex one (like kj$fsDl#). Salt - It uses a different salt for each password, and even if the salts are stored on the same servers, it will make it very hard to find those salted hashes in the rainbow tables, since each one is long, complex, and unique. LinkedIn is famous for not using salted hashes, which brought them under a lot of scrutiny after their recent hack—had they used salts, their users would have been safer. Adding a salt in itself does not make hacking harder. Instead, it makes the procedure longer.Slow hash. Bcrypt - By using a slower hash—like the bcrypt algorithm—brute force attacks take much, much longer, since each password takes more time to compute.
- #24: Google Authenticator, text message or email.Apple – Find my iPhone NotificationMicrosoft covers the Xbox
- #28: Freedome – Android first,ioS 7 coming, PC and MacWindows Phone doesn’t support VPN