
The Joy of Passwords

BSides London · 2014 · 11:31 · Published 2014-05
About this talk
About the use of passwords, their weaknesses and how to improve on them. Please note that Joseph is giving his presentation in BSL; the voice is the interpreter's.
Transcript (en)

Hello everyone, my name is Joseph Gwynn Jones. I'm studying at Leeds Met and I'm doing IT Forensics and Security. Today I'm going to talk about passwords. I'm sure you've all seen it's in the news recently about passwords being stolen from big corporate companies like Adobe, Tesco, etc., and a good example: in 2009 there was the company RockYou, and there were loads and loads of passwords. These are clear examples of when it's gone wrong, so I'm going to talk about that. Right then, just bear with me. Obviously there are a lot of passwords that have been analysed, and lots of people use the same password regardless of user names, so from 2012 there were passwords like on the screen. These are real, genuine ones, like "I love you", "dragon", "monkey"; all of those are actually genuine passwords, and the lists don't change, you know; over time people use the same static passwords.

All right, and this is why password lists are useful, because we need to think about how information is stored. So to make passwords even more secure they have to be salted, and then they're hashed as well, so that basically increases the security and the fluidity of the passwords and makes them more safe. So they use various different characters and numerical fields within them. So when you log in with your account name, when it's salted it becomes hashed as well, and the hash has to be matched through the password security system to actually let you go into your account, regardless of where it is. Unfortunately some big companies, I'm talking, you know, billion-turnover companies, just use clear-text passwords that aren't salted, that aren't hashed, so that's really, really bad. Plain text is very easy to get into and to access and to be compromised, and password lists are useful for cracking. So basically this works in the way where you have your password list, so there could be "password121"; they'll try and see if it's hashed, and then they move on to the next, "password122", and so on in sequential order, and then once the hash is matched, it's cracked. That's how it works. The password list makes things quicker, which means the password cracker will try and go through them in sequential order and match them to the accounts.

And, you know, cracked passwords: we need to look at why these are useful. We all have accounts, you know, a variety of ones; that could be HSBC, Facebook, Twitter, Halifax, various banks, Adobe, all those kinds of places. You know, myself, I've got over 100 accounts, and the biggest problem is people use the same password for all of their accounts online. So, due to the security reasons, once you've got the password for one, then you can basically access all the different passwords as well. So this is kind of how the system works. You know, for example, Adobe software: they could have the email which is linked to a password, and they'll try that, basically. Once they've secured one person's password for one website, they can use it then to repeat it on other well-known, famous sites and basically make a profit from that. This has been stretched, unfortunately, from my original presentation. Basically we all know this theory, but don't use the same password twice. I am guilty of doing this myself a couple of times, but we all know not to use the same password twice.

So I'm wondering, you know, who does use strong, powerful passwords? Does your mum use them, because is it students on security courses only that use powerful, strong passwords? I'm not sure, because at university myself recently the teachers gave us a challenge where we have to break into other students' images. So I basically used that through remote access, just to their network, and then put a keylogger onto their computers, and it collected all the keys that had been pressed, and that's basically how I got their passwords for the login. I won that competition, and, you know, but obviously this could have carried on; I could have, you know, I knew all their personal information like Gmail and Yahoo and all that, but I basically advised them that this is the weakness and this is what needed to happen. So the situation is very easy to get into, and for me that was, you know, specifically for university, that was quite terrible and a bit of an example of how easily things can be accessed.

A password manager system is one way. Myself, I use LastPass; it's up to you what you use, really. Password managers help you: you have loads and loads of passwords and they'll keep a list for different accounts, and, you know, for example, if you were to be compromised on one account, it would just be that one account that would be affected, as opposed to all of them, because they're all randomly selected. There are also additional security measures like, you know, I'm sure everyone in this room has a smartphone with them at the moment; you can download this app called the author app, or there's the Yubico, which is a USB key. When you use that it creates a random number which isn't repeated; it's changed all the time, so that means that's how information can be secured more safely, or if someone wants to try and break into it, it doesn't obviously match and synchronise with the numbers in the other devices. So there are alternative ways of looking at protection in terms of passwords.

Talking about password management, you're thinking, OK, so if someone's broken into my password manager, you know, I'm done for. You know, so you may look at this and think this is a beautiful password: it's got characters, capitals, small case, spaces, numbers and all those symbols as well, but actually it's not. You know, password crackers are really effective and they use specific sites like Wikipedia, and they look for keywords, key phrases, key expressions, and it was actually able to break that password because it's actually used and referred to on Wikipedia. I mean, you look at it and you think, oh, that's an amazing password, no one will ever break that, but that's actually stored somewhere as a phrase on the internet.

As stated on the screen, a possible idea is to, sorry, I was doing Keynote but this is now PowerPoint so it's going to be a bit skew-whiff. This is Diceware, it should say on the screen. You know, it's basically software that kind of treats things like the roll of a dice in terms of the way that things are selected. So when you roll a dice five times you get a number as shown on the screen; there it's 63425, and the internet has 7725 words listed randomly, and you match them to the numbers. So you roll five dice, then you get the first word, and then you roll five dice again to get the second word, and they recommend at least six words, doing the rolling six times basically to get six words. They are English words, but they're not within normal syntax, normal grammatical structure order; they're just very randomly picked. This is very strong, and to increase it you can actually add an extra character, like I did with "Vixen" in the one below; I added an extra "e" into that just to give that extra element of security. You can use exclamation marks, various characters, it's up to you. This is something which is a really useful tool.

I'm sure you've all heard about the Heartbleed situation; it's been spoken about today a few times, I've heard already, and obviously there was a recommendation for people to change their passwords and things like that. So basically if you don't practise safe passwords, then obviously, you know, you're going to be at risk. So we need to look at... it's a good opportunity to remind everyone really to look at their passwords, and that's why I use password management systems and things like that to give myself that extra security. OK, I went a bit quicker than I thought there, to be honest. Thank you all for watching, and thanks to Tom for supporting me and for organising everything here, and the support and the BSL support I've had today. So, and obviously I think in English and then it's been translated into BSL and then it's going to go to Ian, over to you; it's a bit like Google Translate going here from English to Russian and then going back to English, so it's all going to be a bit askew. So hopefully you understand what the interpreter has been speaking about today. If you're thinking, oh my God, what's he talking about, it's not making any sense, blame the interpreter, not me. OK, thank you very much.

Anybody have any questions? Oh, silence. Well, silence is normal for me, but there we go.

So what's the advantage of the dice method over just getting LastPass to generate a random password?

The way it works is, it increases because of how it's set up: it's not following the structure and the order, it's randomly chosen. It kind of increases the security levels in terms of the sequence and the words and the order that they're put in. Here, for example, like "I am", you know, grammatically speaking, following that structure, and this wouldn't match websites like Wikipedia where it's all done within the English grammatical order, so it's all mixed a bit, a bit more skew-whiff. So that's kind of where the strength of that comes from, in comparison to just doing a randomly generated one. Did that answer your question, or have I gone off the point?

I don't think it is.

Yeah, yeah, so it's used for the main password for the password management system. OK, OK, thank you everyone, thank you.
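An added example, not from the talk or the Diceware project, of the selection method the speaker describes: five dice rolls form a key that indexes a wordlist, repeated six times. The wordlist excerpt, its key-to-word pairs (including "vixen" at 63425) and the `roll` parameter are constructed for illustration; the full key space is 6^5 = 7776 keys.

```python
import math
import secrets

# Constructed excerpt of a Diceware-style wordlist, not the real list: each line
# is a five-digit key (each digit a die face, 1-6), a tab, and the word.
SAMPLE_WORDLIST = """\
11111\ta
11112\ta&p
36214\tlilac
63425\tvixen
66666\t@
"""

DICE_PER_WORD = 5
FACES = 6
LIST_SIZE = FACES ** DICE_PER_WORD  # 7776 possible five-dice keys


def parse_wordlist(text):
    """Parse 'key<TAB>word' lines into a dict, rejecting malformed keys."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word
    return words


def roll_key(rng=secrets):
    """Roll five dice with a CSPRNG and return the key, e.g. '63425'."""
    return "".join(str(rng.randbelow(FACES) + 1) for _ in range(DICE_PER_WORD))


def lookup(words, key):
    """Map one five-dice key to its word (KeyError if the list lacks it)."""
    return words[key]


def passphrase(words, n_words=6, roll=roll_key):
    """Build an n-word passphrase; roll() supplies each five-dice key."""
    return " ".join(lookup(words, roll()) for _ in range(n_words))


def entropy_bits(n_words):
    """Entropy of n words drawn uniformly from the full 7776-entry list."""
    return n_words * math.log2(LIST_SIZE)
```

With the full list, each word contributes log2(7776), about 12.9 bits, so the six words the talk recommends give roughly 77.5 bits regardless of whether the words are in a dictionary.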