Hi, I’m David Hale. I’m the Chief Information Security Officer here at Michigan Technological
University. I'm here presenting the first in a series of videos in recognition of
National Cybersecurity Awareness month. This week we'll be talking about passwords,
password managers, and multi-factor authentication.
Your credentials, normally your username or email address along with a password, are
important. They're how we identify an individual sitting at the computer. They get you
access to your bank account, to your Michigan Tech information; your social security
benefits are locked behind password-protected sites. They may be access to your Facebook,
Instagram, Snapchat, what have you. We trust that the credentials are being used by their
owner, and we do that because we really don't have a better way to go around and check
who's sitting behind the computer, especially when people are working remotely. The most
common cause of compromise or data theft at this point in time is stolen credentials. The
bad guys know this. They know that it's a relatively easy target to trick somebody into
visiting a website that may look like a website that they want to go to, have them enter
their credentials, and then reuse those credentials.
At Michigan Tech, we've seen this in the past with sites that have emulated our Banweb
self-service site, which many employees use to log their hours, or students use to check
on their transcripts, grades, class schedules, etc. The bad guys, when they emulated the
site, created a site that looked extremely close to our existing site. When users entered
their credentials there, within a few moments (and this is down to under five minutes of
them entering their credentials) the bad guys were trying to enter those credentials into
our site. In many cases this was to do things like identity theft or reallocating direct
deposit information to other bank accounts. We'll talk a little bit more about that later
on, because we have protections in place that have mitigated the risk from that.
So, with passwords, there [are] a few things that you should know about them.
First, for years, security professionals have been stating that passwords need to
be extremely complex. You shouldn't use dictionary words; you should use an uppercase
character, a lowercase character, a number, a special character, and it should be at
least eight characters in length.
This is somewhat true, but it turns out the complexity of the password is not the
important portion of it. The most important portion of the password is the length.
So for instance, if we're talking computers from, let's say, 2015, and we want to try
to see how long it would take them to crack a password: an 8-character password with
completely random digits in it, random characters, special characters, etc., and so
on, meeting all the complexity requirements… a five-year-old computer took about eight
hours to crack.
To counter that, a 12-character password— so just adding four characters to it—took
34,000 years to crack. That’s the pace those computers were able to go. A 16-character
password would take 1 trillion years if you had to go through the entire key space
that that password may exist in. You can see by just doubling the number of characters—8
characters to 16 characters—we've moved from eight hours to crack to one trillion
years to crack. It gives us a lot of leeway with the complexity of the password.
Modern equipment is significantly faster than the computers were five years ago. The
introduction of cloud computing has added a new resource to an adversary's ability
to crack passwords. As recently as last month, they set a new record out there
for cracking passwords, where they were able to make 100 billion attempts per second
on a computer specially built for cracking passwords.
So what should you do? Unfortunately, the password requirements out there (the special
character, uppercase character, letter, number, etcetera) are still there. They're
built into many of our systems and they're hard to kind of overcome. That said, you
can kind of minimize your use of them. My suggestion to people, so you get the length,
is to pick four words you can remember. They shouldn't necessarily be a sentence,
but four words that might make sense to you put together. I tend to use as an example:
hot, sun, beach, burn. Those I could kind of remember. I can remember the order for
them, they kind of make sense in my head, I can picture what they kind of mean. To
meet the complexity requirements, you can add the number 1 and an exclamation point
to the end of it, or replace the o in hot with a zero. It's up to you. But with just
those four words you pass that 16-character password length, and in most cases it is
okay to put spaces in passwords. That's often overlooked, but it makes them far easier
to type because they're things that we're used to typing.
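As an added example (not part of the talk), this Python script works through the length arithmetic above: the search space for 8, 12 and 16 random printable characters at the 100 billion guesses per second rate quoted later in the talk, and, as a caveat, a four-word passphrase modelled as four picks from an assumed 20,000-word list, which is how an attacker who guesses word combinations rather than characters would see it.

```python
import math

# Added example, not from the talk: how the search space for a random
# password grows with length, and how a four-word passphrase looks to an
# attacker who guesses word combinations rather than single characters.
PRINTABLE_ASCII = 95                  # letters, digits, symbols and space
RATE_PER_SECOND = 100_000_000_000     # the 100 billion guesses/sec quoted in the talk
SECONDS_PER_YEAR = 365.25 * 24 * 3600
WORDLIST_SIZE = 20_000                # assumed size of a common-English word list


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters from an alphabet."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: int = RATE_PER_SECOND) -> float:
    """Worst-case years to try every candidate in `space` at the given rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def bits(space: int) -> float:
    """Entropy in bits of choosing uniformly from `space` candidates."""
    return math.log2(space)


def passphrase_space(words: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Candidates for `words` words from a list, as a word-combination attack sees it."""
    return wordlist_size ** words


def compare(lengths=(8, 12, 16), words=4) -> dict:
    """Return {label: (bits, years)} for random passwords and the passphrase."""
    rows = {}
    for n in lengths:
        space = keyspace(PRINTABLE_ASCII, n)
        rows[f"{n} random chars"] = (round(bits(space), 1), years_to_exhaust(space))
    space = passphrase_space(words)
    rows[f"{words} common words"] = (round(bits(space), 1), years_to_exhaust(space))
    return rows


if __name__ == "__main__":
    for label, (b, yrs) in compare().items():
        print(f"{label:16s} {b:6.1f} bits  {yrs:12.3g} years")
```

The takeaway a defender should keep in mind: against a word-list attack, four common words carry roughly the strength of eight random characters, so choose less common words or more of them; against character-by-character guessing, the 18-character passphrase with spaces is vastly larger.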
Other things that you should be doing with passwords: you should not reuse your password.
If you use your password, and especially if you're using your associated email address,
at a site and that site becomes compromised in the future, the bad guys may be able
to get that password out of the site. We don't know whether they're encrypting those
passwords in their storage or not. We don't know how heavily encrypted they are. The
bad guys can see your email address and figure out that, oh, maybe we should try Michigan
Tech to see if those credentials work there, because they have an @mtu.edu address.
So please don't reuse your passwords on other sites, especially your Michigan Tech
password; it's good cyber hygiene to not reuse any of your passwords.
Password Managers (06:13)
Not reusing any passwords, though, nowadays causes a lot of problems. Many of
us have multiple accounts that we need to manage on a daily basis. We have some accounts
that we may only need to log into once per year or even less frequently than that.
It's hard to remember those kinds of passwords. Security professionals have told everybody
for years that we shouldn't be writing those down.
So what are we to do about that? Well, that's where password managers come in. A password
manager, and you've probably noticed ones that are built into your web browser and
things like that, will allow you to store your passwords and will automatically fill
them in when you visit or revisit the site. That way you don't need to remember the
The password managers built into browsers have not historically been all that great. One,
they don't require any password for you to get access to your passwords. That means
that somebody else accessing that computer may very well be able to access those passwords.
Likewise, there have been vulnerabilities in the past that have allowed an adversary
to convince you to visit a website that would cause your browser to dump all the passwords
out to them.
The password manager that we suggest using is a password manager called LastPass,
and we've purchased a subscription to that for campus that will allow everybody on
campus—students, faculty, and staff—to have a LastPass premium account. It will also
allow departments that have a need to share passwords within their departments to
have a LastPass Enterprise account that allows them to pass things in between them.
If you need help on either one of these, you can contact firstname.lastname@example.org. We'll be happy to help you get set up for them.
So how does LastPass work? In LastPass, you have a master password. This should be
a unique password that's not used any place else. This password is used to encrypt
all the other passwords that are stored in LastPass so that not even the people at
LastPass have access to the passwords. Because nobody has access to your passwords
without this master password, it's very important that you do not forget it. Out of
all the passwords I would ever say you may want to write down and store someplace,
this may be the one. That password will get you into LastPass.
LastPass is a website—there's also a plugin for web browsers or an application that
can be run on computers, it works on smartphones, tablets, and other smart devices.
When you first go to a site that LastPass doesn't recognize and you enter in credentials,
LastPass will ask you if you'd like to save those credentials, which you can. The
next time that you visit that site, if LastPass has credentials for it, it will automatically
sign you into it. It keeps track of what accounts you have out there. That information
they do know, as far as the fact that you have an eBay account, an Amazon account, and a
LinkedIn account. It will pay attention when you sign in: if LinkedIn, let's say, has
had a recent compromise, it will inform you that your password may have been compromised
in the LinkedIn compromise. Under most situations, for the big players out there in
the service field, it will even give you a single button that you can click
on that will go out, reset your password, and store the new password back in LastPass
without you having to go through anything. It's terribly convenient and is very secure.
Multi-Factor Authentication (09:37)
So, the other thing that we need to talk about here is we still have a weakness. You
have that password, whether it be that you use the password manager and a master password
for it or whether you've decided to forgo the password manager and are just going
to remember passwords, hopefully not reusing them. Those passwords can still be turned
over. You know, even the best of us can get tricked by some of these messages. Some
of these sites are very realistic looking. Bad guys do a good job of luring you
in. There are things like keystroke loggers and things like that that can compromise
your password. What are we going to do about that?
This is where multi-factor authentication comes into play. Multi-factor authentication
is something that you have, in general, to go along with something that you know.
In Michigan Tech's case, we employ a service called Duo, which many of you have likely
run into by this point in your time at Michigan Tech. Google is a multi-factor authentication
service. What it does is, when you enter in your credentials, it will then prompt you
to either get a message sent to a smart device like your phone, where you have to say,
"Yes, this is me," proving that you have access to that smart device, or it will ask
you for a number that may come from the application on a smart device or from a token
that you have, proving again that you have something that goes along with that password.
Or in the last-case scenario, it can either call your phone or send an SMS message
with a code to your phone. Both of those are a little bit insecure compared to the
first two. The first two have a lot more security protocols put around them. SMS messages
have proven to be fairly easy to intercept by somebody who kind of knows what they're
doing on the technical end of things. So sending something through SMS or doing it
through a phone call is a little bit riskier, but still far, far better than just trusting
your password by itself.
Many other services also use multi-factor authentication. There's a system out there
called Google Authenticator, where you scan a QR code with your phone and it will put
something in there with a code that rotates once every minute. The six-digit code: many
sites employ it. You can store it on your phone, and then when you go, you enter
in the current code for it. Your bank may give you a token to use for things. Even
various gaming sites out there now use multi-factor to protect themselves. It's been
proven to be very effective.
I mentioned earlier that we've had an issue with people being tricked into turning
over their credentials, and then the bad guys trying to sign into our Banner self-service
site to change direct deposit information. The last time that this happened, which
was the example that I gave where they were coming in under five minutes, they were
stopped completely as soon as they hit our Duo multi-factor authentication. People
unfortunately were having messages pop up on their phone saying, "Are you trying to
sign into Banner right now?", which they thankfully said no to, because they were not,
but that also alerted them to the fact that this activity was going on.
So multi-factor does work, and I urge you, for any site you have out there that is
important to you that you might be able to add multi-factor to, that you add multi-factor
to it. Again, if you have any questions on any of these things, you can contact us
at email@example.com or on campus at 7-1111, and we'll be happy to help you out with any
questions you may have. Thank you very much for your time. I look forward to talking
to you soon.