Tuesday, August 31, 2010

Episode 111 - Keys to the Kingdom

It’s Tuesday August 31st, 2010 and welcome to episode 111 of TechTalk4Teachers, I’m Tom Grissom. We’re Back! It is back-to-school time here at EIU and we have survived the first full week. Schools across America are going through the annual ritual of back-to-school activities as students once again enter classrooms. Faculty are going over their syllabi with students. Whether you are at a K-12 school or at a college or university you are most likely faced with another ritual of obtaining userid(s) and password(s) for the new school year.

Download MP3 (30 minutes 23 seconds)

Userids and passwords are literally the keys to the kingdom when it comes to accessing electronic resources. Your userid and password are the only things that stand between you and the often sensitive and confidential information available electronically. It seems like one of the simplest things to deal with, but because of the importance of userids and passwords I thought it would be valuable to have a discussion on TechTalk4Teachers about how important they have become to the everyday business and operations of schools.

It was just six years ago that the term Web 2.0 gained popularity at the O’Reilly Media Web Conference in 2004. Web 2.0 represents a fundamental change to cloud-based computing resources where users can share information, not on locally based servers but rather on servers on the Internet. In the early days of the Internet, network engineers drew a picture of a cloud to represent resources on the Internet, hence the name cloud computing.

Today we have userids for everything from our cable company to our bank account. Of course one has to have a way to authenticate one’s identity on a server, whether it be local or “out in the cloud”. The ancient userid and password system is still here as a solution.

One major problem has occurred as Web 2.0 technologies have proliferated, and that is that each Web 2.0 service requires its own userid and password. Your Facebook userid may or may not be the same userid as your Google Gmail account. Even if you have the same userid on Facebook and Google, changing your password in Facebook will not change your password in Google unless you use some type of federated userid system like OAuth.

I hope I did not lose you there, as this is an extremely important point. Back in the wild, wild west days of Web 2.0 I was routinely signing up for new Web 2.0 services and easily had over 100 different accounts as I was experimenting with new services. As a new startup Web 2.0 service went online I would often set up an account to try out the service. Since these were startups, most of them were free, so monetary cost was not a barrier.

It did create a conundrum for me as I had dozens and dozens of accounts to deal with. I developed a system that kept my Web 2.0 accounts separate from my personal and work related accounts but it was very messy, … and still is.

If you are a 21st Century educator you probably have your fair share of Web 2.0 accounts: everything from Twitter, Google Docs, SkyDrive, VoiceThread, and Skype, not to mention all your various email accounts for work and home. Given all of these accounts, how do you best protect yourself against unauthorized access? The best way is to have what we call “strong” passwords that are not easy to guess or to hack into.

To help me explore this important topic further I have with me today Adam Dodge who is our chief security officer here at Eastern Illinois University. Adam is an expert in security and knows first-hand the importance of userids with strong passwords. Welcome Adam.

(Links mentioned in this Interview)

(Interview Transcript)

Tom: Welcome Adam.

Adam: Thanks for having me, pleasure to be here.

Tom: Sure. I wanted to invite you in this afternoon and talk a little bit about our user IDs and passwords and how important strong passwords are in particular. The TechTalk for Teachers audience ranges from K-12 teachers all the way through university professors and things here on campus. So I just wondered if you could just give a few tips and hints and a little overview of how important the user ID and password system is.

Adam: Sure. As you mentioned earlier, passwords really are the keys to the kingdom. It’s what authenticates you and identifies you on most of the systems that you’re using within either your higher-ed environments or your K-12 environment or even online in a lot of these newer Web 2.0 services that are offered. So protecting your user ID and protecting your password particularly, are what is important to protecting the information that you deal with, protecting the service, making sure that you are the only one using that service under the account that’s assigned to you. By protecting your password, you’re protecting the information that you have access to. When somebody gets into your account, not only can they get access to the information that you have on these different services, they can copy that information, they can take that information, or they can masquerade, as you, which happens quite a bit in email accounts. Of course, in most of higher-ed, we are no strangers to phishing attacks, people that are trying to get a hold of our email accounts. Why they do that is they try to get a hold of them to then flood out other spam.

Tom: And phishing accounts with a P-H. Some people may hear that word and they think F-I-S-H. No, it’s P-H-I-S-H.

Adam: Yeah, phishing accounts. Actually 2010, the first six months of it, higher-ed actually saw a dramatic increase in the amount of phishing attacks that were coming into these email servers and of course it’s an embarrassment for you. It actually causes problems for the organization you’re with, especially if you’re using your school or university or college account. Because what happens is they start to get blocked. So much spam gets sent out, all of a sudden nobody can send to say Hotmail because they’re blocking you.

Tom: And one of the great things that we have and a great service ITS provides, is that whenever they are aware of those, they can block the spam filters and things and being proactive on that helps tremendously.

Adam: Yeah. It’s one of the things we actually have daily reports looking at every morning when I come in. The email administrators have alerts set up so if one account is all of a sudden sending a lot of email over a normal threshold, they start getting alerts for that. We’ve tried to be a little bit more proactive.

Tom: Yeah. And we should back up and maybe just explain basically what a phishing attack is. That’s where somebody would send you an email and masquerade, as you said, as somebody else, and say ‘Hey, I’m your IT Department. We’re having system problems. Would you please send me an email, your user ID and password. We need to check something out’. And that’s the classic phishing attack out there. And if you’re not savvy enough to know differently, a lot of people do fall for that and that’s where your systems are compromised no matter how strong of a user ID and password system you have because at that point, the bad guys--the hackers, have it at that point.

Adam: Absolutely, absolutely. We are here to talk about strong passwords, and those are very important. But, I don’t want to get too far ahead of, that’s not fair. But, a strong password alone is not enough to fully protect you online with these systems. You do really have to be careful about what information you’re sharing, how you’re sharing it, to make sure that all of that information is secure. But, that being said, a strong password really can do a lot to protect you. A lot of times, people think of passwords as just kind of, well I know I need it but I have 200 accounts. I don’t know how to keep track of all of these. I’m going to just put in, you know, my daughter’s first name or my dog’s name or my husband’s birthday. They’re going to put something in there that’s familiar with them. The problem is a lot of this information, especially with the popularity of social networking, Facebook, MySpace, Twitter, all of these other ones, is a lot of that information that normal people base their passwords on is now publicly available to anybody on the internet. What I like to tell people, is there’s a couple of different things you can do. One, generally speaking, the longer the password, the better. I like to go 8 characters minimum. Some of my other ones are a little bit stronger, little bit longer, little bit more complex and I’ll get into those topics in a second. The second thing you want to do is make sure you aren’t just using lowercase letters.

Tom: Mix cases.

Adam: Mix case. You want to make sure you have uppercase and lowercase. What this does is add to the complexity and it adds to what’s called the entropy of the password, the randomness of it. It’s not just a simple one lowercase. Because if your password is made up of all lowercase, basically you’ve got thirty-two characters that it could be, and that’s it. It’s not going to be anything else. It’s going to be one of those thirty-two characters. Well, if you add uppercase into it, now any one of those characters in your password could be one of sixty-four. Same thing if you add numbers into it as well as, you go ahead and you add special characters into it on top of that. All of those add to the complexity, make it more difficult. Some of the things I like to tell people, one of the things you can do, look around your office. Look for things that are there that can serve as reminders for what your password is. But don’t use whole words if you’re going to do that. If you’re picking something off of a calendar, one of the ones I used to use was off of a phonebook that I had sitting on my home office desk. It was parts of the word, so it was maybe the first three characters of this word, maybe these numbers, and then the last three characters of this word. It helped me because anytime I was in there, I could just look at that phonebook and I’d know exactly what my password was. But nobody sitting down there, at least I hope, would be able to pick that out. Other things you can use are kind of gaining in popularity, are called passphrases. These are actually whole sentences. You can use punctuation, you can use spaces, you can use apostrophes, hyphens, however you want to do it to try to make sure that your password not only is long enough, because like we said you want it to be complex. Thirty-two lowercase a’s is going to be very easy for somebody to break than say fifteen mixed-case full password. We could use, for example, Hello. My name is Adam! Because I’m really excited about who I am. That could be my password. You know full spaces within there. These kinds of things are going to help people. Help you protect your password from most likely brute force attempts. This is very common. Passwords have been around since computers have been around for the most part. Brute force programs, which there are several freely available, what they do is they just try your password, one after the next.

Tom: And sometimes you hear of dictionary attacks.

Adam: Dictionary attacks, yes, yes. Computationally, all it has to do is match. So, it’s very, very quick. Especially with more modern computers to do this kind of attack. Now, unfortunately, with some of the advent of graphics cards, with their own dedicated processors…

Tom: Yeah, I’ve been reading some articles on that.

Adam: Yeah, the GPUs. It’s wonderful. In a lot of scientific endeavors are actually using these instead of having to build these massive cluster systems where you have, you know, fifteen, twenty, a hundred, machines all working together, they’ll have a few machines with several of these graphics cards and dedicate these specific processors to these highly complex, computational tasks which has been really nice. Especially within academia for people to, for not as much money, be able to get some more computing power for some of the research which is excellent. The problem is the bad guys have learned this too and so they can use these to brute force your passwords. So when you have multiple processors, you have multiple systems all being able to just do highly complex.

Tom: In prepping for today’s show, I have several links that I’ll throw out in our show notes. But one that particularly caught my eye since you’re talking about some of the computational power is an article out there on Lifehacker and I’ll provide this in the show notes. But, they have a table out there talking about these brute force attacks and they have an example here that says if your password length is only three characters, it would only take .86 seconds to crack. And if it was only lowercase it would take .022, two-hundredths of a second to do that. If it were four characters it would be 1.36 minutes. If it were eight characters, it takes you up to 2.1 centuries. So that’s the importance of the length there along with that randomness out there. But, back to your point, eight characters 2.1 centuries if you only use lowercase it takes you to 2.42 days. So that’s dramatic right there and the number of permutations that algorithm goes through in those brute force attacks. So, I mean, we can’t stress it enough. The length is extremely important and then a little bit earlier in the article they gave the top ten most common passwords and the name of this article is How I’d Hack Your Weak Passwords, so that link will be in the show notes. They list the ten most common and then the sentence after that statistically speaking that probably should cover about 20% of you.

Adam: Yeah. And that’s the scary part I think of that list. If you look at that article, which is a great article, it really is, the fact that the top ten most common passwords that they have there, the fact that 20% or one in five people statistically will nab with one of these passwords is worrisome for somebody like me who’s trying to keep all this information in these systems protected and safe. Yeah, it is very interesting in fact, there’s this great video that was put together by some college students.

Tom: I think down in Texas. Is that the one that’s on the ITS page?

Adam: Yeah, I think it was Texas. It was actually part of EDUCAUSE, they do a national cyber-security video and poster campaign.

Tom: We’ll put a link in the notes for that as well.

Adam: Absolutely. I use those all the time because I think they’re great resources. Freely available for everybody to use in higher education or I would assume in the K-12 space, by all means, go ahead and use those as well. But they’re really nice, because they are kind of…

Tom: Kind of plain language type.

Adam: Yeah. They’re plain language but they’re fun to watch too. Usually the winners. You know they’re not just these dull, boring. I’ll put myself into that category sometimes when I’m talking to people about passwords or talking about security. It’s not the most exciting topic, often and I’ll get glazed eyes.

Tom: But it’s so extremely important.

Adam: But these videos are really well done and yeah, we’ll have a link to that because it’s really nice talking about commonly used passwords. If you see one of yours on there, you need to change it right away.

Tom: Yeah. Number four on the list, you would think this would be common sense not to use, but password is password. And you know, 20% of that group of ten, that’s an extremely common one. Philosophically, on the strength and the randomness and things, people are people, but we’re human so I know that you get the reactions like ‘Oh I have to do at least 8 characters and it has to have a number and a special character, uppercase and lowercase. It’s like how am I ever going to remember it?’ But, please remember that you’re protecting yourself against that. Another layer of that security is, I know on some of our systems here, if you try a password and it’s incorrect three times, it locks you out for a period. And so that’s another protection measure. But also for, just the everyday user, please do not write your passwords on Post-It notes, although you see that from time to time. That just completely defeats the whole purpose of things. Like I said, I have a system without giving away all of the trade secrets of what you and I do.

Adam: Yeah. They’re out there and one of the big problems with that are the character substitutions. That was a very big thing for a while. ‘Hey instead of the letter O, let’s use 0. Instead of I use 1.’ The problem is, those are very formulaic and if they’re very formulaic it’s very easy to program one of these password correcting programs into okay, well just try this letter with regular letters and let’s start substituting the numbers for the letters. So, you have to be careful about that and make sure you’re not tricking yourself into a false sense of security through that.

Tom: Yeah. And then I ran across another article today I think from PC magazine that just was very recent, but it just kind of had some of the common sense things out there. Just kind of to remember things, one of their statements was treat your password like your underwear, change it often. That’s another thing that I don’t think people probably do enough. Here at EIU, we have some systems that automatically expire after so many days that you must change your password. And that’s what it’s for, to protect and make sure that no accounts have been compromised and you choose something new.

Adam: Absolutely, absolutely. Because if you are say using a password that would take, we’ll say for instance, you have a password that the strength on average, it will be broken once every 12 months. Well, if you’re changing your password every six months or fewer, what you’re basically doing, not in all the cases, but you have some pretty good assurance there that you’re always staying ahead of them being able to crack your password. So, that’s a benefit to that. Make sure you do change your passwords, especially on your sensitive and work related files.

Tom: And like I said, I have different systems. This is philosophically, everybody has their own philosophy on how to do this. But because I do have so many Web 2.0, I use a completely different system. Other options for doing that, and I’ve used some of these in the past, biometrics, some laptops have had the fingerprint scanners. I’ve had a couple of HPs around here like that. The worry there is, you need that backup plan just in case, knock on wood, that I’d lose a finger. But, the scanner itself could go bad and then you actually set up a strong password in that sequence to do that as well as, you know, this has been around for a long time, but I particularly remember the SunRay system where you had a card and you swiped your card. But then, once again just like a password, that’s only as good as you have that on your person and that’s easy enough to lose. And again, those keys to the kingdom are out there.

Adam: Right. Usually what those do, or what a lot of the newer systems are doing, for example I know PayPal you can actually get a token. It will go ahead and it will generate based off of some really complex algorithms that they have. You will basically have this token that will spit out a string of digits. You go ahead and you enter those numbers in as long as you pair it with your account and then you will also need to know your password. So really what this does, is this is called two-factor authentication. You have two factors generally, it’s either something you know, something you have, or something you are. You have to use two of those three categories. A lot of places, it’s not as common anymore, but a few years ago a lot of places were trying to tout two-factor authentication. But really it was just ‘oh yeah, you just need to know your password, username, and a PIN’. Well, that’s actually just three things you know. There’s no second factor in there. Hopefully, we start to see that become more common. The problem then becomes, as you were saying before earlier in the program, well am I really going to need to carry around fifteen of these little fobs and then ‘oh, which one was it for this account, which one was it for that?’ Same thing with the password. What do you do when you have one hundred different accounts on different systems? What I like to tell people is generally one, what I do personally I’ll let you guys know. My work, because of the type of work I do, it’s always unique. I never mix my work password, it’s not even close to any of my other passwords. Generally, the other one that’s unique, my email account has a unique password I don’t use anywhere else.

Tom: We should also mention there that that’s extremely important, because the first thing that they ask you on a Web 2.0 service is, what is your email account? Because they send you back an authorization or a confirmation email to essentially activate that account and if your email account is compromised, once again that’s a backdoor way into some of those other accounts.

Adam: Absolutely. I would rather my Twitter account and my Facebook account and all those get compromised and my Web account or my email account stay protected than have them all using the same or similar password. Financial banking stuff I also use unique separate passwords for. A lot of my, I shouldn’t really be saying this…

Tom: You don’t need to give away all the trade secrets.

Adam: I will say that I do have some accounts, I’ll be the first to admit it, some of my accounts have horribly easy passwords. But I am not concerned about those accounts. You know, somebody gets into my Pandora on my radio account, they might delete some of the channels I have set up, I’m really not that concerned. So that is a very, in the terms of actual security, a very insecure password but there’s no risk to me where that’s involved. So those kinds of things. Actually, my Netflix account too, if anybody wants to…I’m not going to tell you what my password is, but it doesn’t really affect me that much if you jump into my Netflix account and start removing stuff from my watch instantly queue. So those kinds of things, I’m fine with telling people. Obviously don’t just have it be space or the letter ‘a’ and hit enter. Those do have some complexities, and some of those have complexity requirements.

Tom: But I will say, because there are many educators, twenty-first century educators, that are real progressive about using the Web 2.0 technologies. Anything as benign as Facebook or Twitter compromised and that can be extremely embarrassing because somebody could overtake your identity and start putting out status updates or posts or tweets or whatever it may be.

Adam: Absolutely.

Tom: You know, you feel very vulnerable if that’s ever happened to you. I mean, you feel violated.

Adam: Sure. And a great way to kind of overcome the different accounts for different ones or trying to remember really complex passwords, especially for websites and Web 2.0. Well, there’s a couple of ways. One, Google, Facebook, I’m not sure about MySpace, I haven’t really been on that in a couple of years, they are actually starting their own kind of federated ID where we’re kind of in the first stages of that. I don’t really know where this is going. Is Google going to come out on top?

Tom: Facebook looks to be in the early lead of that because 500,000 (corrected 500,000,000) half a billion users are out there. But even that, again philosophically out there, putting all your eggs in one basket, then if we do go ahead and go that route then you know we certainly need to make sure that’s secure because then you have a conglomeration of accounts using all of the same.

Adam: Absolutely, yeah. If you start using those federated IDs, you want to make sure that account, say if you’re using Facebook Connect, you want to make sure that Facebook account is unbelievably complex.

Tom: So, it’s a balance out there of doing those. I know here at EIU, we have single sign-on for a lot of that, which has tremendously simplified that and tied systems and things together. But along with that, we do routinely, periodically, change. And that’s a required change and you can’t use, you know there’s different rules, where you can’t use the twelve previous passwords. Again, just to change one letter or something out there.

Adam: We have some complexity requirements and history requirements. We do have of course the routine password changes because we do have so many systems that are now using that same sign-on. We wanted to take some steps to make sure we were doing what we could to protect those systems. If you listeners are worried about how I’m going to remember all of these different passwords, another very viable option is use a password safe. A password safe or password vault are these programs, there’s a bunch of different ones from paid, to free, to open source that are available for all operating systems that you possibly use. Some even have apps for the iPhones and the iPads. What these allow you to do, is save your passwords into a program that actually encrypts them and you then have that one master password. And what you can do, is when you want to go to the website or need the password for that website, you just sign into your password vault and you can then copy that password out and paste it into the application. Very nice, but again, that’s another thing. Make sure that master password is sufficiently complex to protect all of your other passwords. But I do recommend those for people, especially those that have multiple accounts and want to use, like I recommend, different accounts for different systems.

Tom: I was just looking through the two or three articles I had bookmarked in my Delicious account and there’s one out here from CNN called How To Create A Super Password, so once again we’ll put those in the show notes. Let’s go ahead and summarize here the big things for just the average user out there to remember.

Adam: Okay. What you want to remember of course is pick a password that is not only sufficiently long enough, so let’s say minimum eight characters. You want to make sure you are including complexity in there as well, so that means make sure you have lowercase and uppercase letters, you’re using numbers, and at least one special character. That’s going to help make your passwords nice and complex to avoid people from brute forcing it. Other things that you want to do, make sure that you change it regularly, especially your work account. I always recommend that, financial accounts absolutely. Basically, if it’s protecting sensitive information or it’s protecting information that you don’t want exposed to other people make sure you are changing it regularly. Other things, watch out how you’re sharing accounts or passwords between accounts. Make sure you separate that. Again, no complex passwords. For simple things, might not be necessary, but you don’t want to share say your banking password with a social media site with your email or with your work account. Keep those all separate and on their own. Things you can try to do to kind of help reduce this complexity is use password vaults, federated ID, is hopefully going to be here soon, we’ll get a clear in that space, might be a good option. But, when you use those, make sure you’re setting your master password or that federated ID password, that needs to be what that CNN article says is a super password. You want to make sure that password is ultra secure.

Tom: Okay, well thank you very much for coming in today. And, hopefully our listeners have learned a few things and can protect their accounts a little bit more securely.

Adam: Absolutely.

Tom: Alright, thank you.

Adam: Thank you.
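The key-space arithmetic and the weak-password checks Adam describes in the interview (character classes, length, the common-password list, and digit-for-letter substitutions), as an added worked example that is not part of the original post or of EIU’s tooling. The guess rate and the short common-password list are constructed assumptions; only “password” is actually named on the page.

```python
"""Password-strength estimator (added example, not from the podcast).

It applies the points made in the interview: the key space grows with
the character classes used, length matters more than any single class,
common passwords fall to a dictionary attack, and substitutions such as
'0' for 'o' or '1' for 'i' do not help because crackers try those rules.

Assumptions constructed for this example, not taken from the page:
  * GUESSES_PER_SECOND is an illustrative offline guessing rate.
  * COMMON_PASSWORDS is a tiny stand-in for the "top ten" list the
    Lifehacker article discusses.
"""
import math
import string

GUESSES_PER_SECOND = 1_000_000_000  # assumed attacker rate, 1e9 guesses/s

# Constructed sample list; a real checker would load a large wordlist.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456", "welcome"}

# Character classes the interview walks through, with their sizes.
CLASSES = {
    "lower": set(string.ascii_lowercase),       # 26
    "upper": set(string.ascii_uppercase),       # 26
    "digit": set(string.digits),                # 10
    "special": set(string.punctuation + " "),   # 33 (punctuation plus space)
}

# Reverse the popular substitutions so 'p@ssw0rd' is judged as 'password'.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def keyspace_size(password: str) -> int:
    """Alphabet size ** length, where the alphabet is the union of the
    classes the password actually uses: an attacker need not try a class
    that never appears."""
    alphabet = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            alphabet += len(chars)
    return alphabet ** len(password) if alphabet else 0


def entropy_bits(password: str) -> float:
    """Bits of entropy under the key-space model above (log2 of size)."""
    size = keyspace_size(password)
    return math.log2(size) if size else 0.0


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for a brute-force search of the whole key space."""
    return keyspace_size(password) / rate


def normalize(password: str) -> str:
    """Undo leetspeak substitutions and case so dictionary matching works."""
    return password.translate(SUBSTITUTIONS).lower()


def assess(password: str) -> dict:
    """Return the findings a user-facing checker would report."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    used = [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]
    if len(used) < 3:
        problems.append("uses fewer than 3 character classes")
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a common password after undoing substitutions")
    return {
        "classes": used,
        "bits": round(entropy_bits(password), 1),
        "years_to_exhaust": seconds_to_exhaust(password) / (365 * 24 * 3600),
        "problems": problems,
    }


if __name__ == "__main__":
    # 'Hello. My name is Adam!' is the passphrase Adam offers in the interview.
    for pw in ["abc", "Abc1", "p@ssw0rd", "Hello. My name is Adam!"]:
        print(f"{pw!r}: {assess(pw)}")
```

The years_to_exhaust figure is only as good as the assumed guess rate; the ranking between passwords (lowercase-only versus mixed classes, short versus long) is the point, not the absolute numbers.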

Technology Pick of the Week

For my Technology Pick of the Week this week you get two for the price of one. It is just the first week of school and the ITC lost and found is already amassing a pile of USB flash drives. These small flash drives are wonderful for storing all of your data, but you must also remember to safely remove your flash drive and take it with you when you finish using the ITC Lab computers. With 500 to 1000 students in and out of the ITC each day it is important that you remember to take your flash drive with you.

Losing a flash drive can be tragic if you have all of your homework files stored on it, so it is also a good idea to get into the practice of routinely backing up your flash drive to your home computer so you have at least one copy of your work somewhere else. Flash drives do get lost, and sometimes even get run through the washing machine, so having a backup is a necessity for important files.

If you have an Internet connection you may want to sign up for a free Microsoft Hotmail or Live.com email account, as you also get some other services that you may find helpful. I have talked about SkyDrive before on TechTalk4Teachers, and if you so choose you can use SkyDrive just like you would a USB flash drive. Your files are stored in the cloud for you to access anywhere in the world with a computer that has Internet access. SkyDrive gives you 25GB of FREE storage and I find this very valuable to be able to access chosen files online. The downside to this, along with most cloud-based services, is that if you do not have an Internet connection or if your Internet connection is down for some reason you have no way of accessing your files.

Microsoft SkyDrive - 25GB of free online storage in the cloud

The other advantage of signing up for a Hotmail or Live.com email account is that Microsoft has added a lite version of Microsoft Office in the cloud called Microsoft Web Apps. This was announced earlier this summer, and Web Apps give you the ability to access lite versions of Word, Excel, PowerPoint, and OneNote. This is not the full-blown version of these Office products; however, they are quite polished and offer the familiar ribbon interface. The advantage is that you do not have to install Office on your computer but rather use Word, Excel, PowerPoint, or OneNote from your Internet browser! This of course seems to be the Microsoft answer to Google Docs, where your office applications are in the cloud. For the heavy duty lifting I still recommend the full version of Office, especially for academic papers that require the use of APA or MLA formats. The advantage is that you now have an online alternative in the cloud available along with online storage if you so choose.

Microsoft Web Apps

That wraps it up for episode 111 of Tech Talk for Teachers. I want to thank Adam Dodge of our ITS department here at EIU for taking the time to talk to us about the importance of strong passwords along with some other tips on how to be more secure online. Show notes for this episode and archived episodes are available on the web at the EIU Instructional Technology Center website at www.eiu.edu/itc. To leave a comment or suggestion, please send an email to techtalk@eiu.edu or leave a comment on the Tech Talk for Teachers blog. Until next time, this is Tom Grissom.
Keep on learning…

Tom Grissom, Ph.D.