Protected Web Components: Hiding Sensitive Information in the Shadows


IT SECURITY

Philippe De Ryck, Katholieke Universiteit Leuven, Belgium
Nick Nikiforakis, Stony Brook University
Lieven Desmet, Frank Piessens, and Wouter Joosen, Katholieke Universiteit Leuven, Belgium

IT Pro, January/February 2015. Published by the IEEE Computer Society. 1520-9202/15/$31.00 © 2015 IEEE

Third-party code inclusion is rampant, potentially exposing sensitive data to attackers. Protected Web components can keep private data safe from opportunistic attacks by hiding static data in the Document Object Model (DOM) and isolating sensitive interactive elements within a Web component.

The Web has evolved from including static images and document links to comprising Web applications with individual components provided by numerous service providers. When a Web application incorporates third-party components using remote scripts, the user's browser will run the third-party code within the security context of the Web application. This not only exposes the code's functionality to the Web application but also gives the included code full access to the Web application's client-side context, including the page's content, local data, and origin-protected functionality. This lack of code isolation can have severe consequences if the included code doesn't behave correctly.

Consequently, by including potentially untrusted remote scripts, a Web application developer accepts a certain risk, both for the site's integrity and for the safekeeping of user data. Opportunistic attacks on the client-side content of a Web application can be mitigated by hiding private data and sensitive elements from potentially malicious scripts. For example, iframes support content isolation in a webpage, albeit with a large overhead and a lack of flexibility for integration in highly dynamic, visually streamlined Web applications. Alternatively, JavaScript sandboxing techniques support code isolation [1,2], but don't offer isolation of data in the Document Object Model (DOM) [3]. Finally, the recent Web Components specification lets developers instantiate custom HTML tags for use within the page [4]. A major feature of such custom elements is the support for a hidden DOM, known as the Shadow DOM [5]. Unfortunately, the Web Components specification focuses on functional separation of the DOM and doesn't offer security features or code isolation.

Here, we motivate the need for a flexible mechanism that supports the isolation of the user's private data in the DOM, as well as the isolation of sensitive elements, such as input elements of a login form. Furthermore, we investigate the properties of the Web Components specification, and show that there's a potential for offering the desired level of isolation without compromising the much needed flexibility of modern Web applications.

Use Cases and Existing Technologies

Integrating third-party components using remote scripts is common on the Web. Examples include programming APIs and development frameworks (such as JQuery and Bootstrap), advertising services (such as DoubleClick and AdSense), Web analytics tools (such as Google Analytics), and social media plug-ins (such as Facebook's "like" button). A 2012 study of remote JavaScript inclusions on the Alexa top 10,000 sites showed that 88.45 percent include at least one remote script, and one site even included scripts from 295 remote hosts [6]. Furthermore, 68.37 percent of sites included the Google Analytics library, and 79.74 percent included at least one Google library. Finally, the study applied a set of metrics to show that 12 percent of sites that were deemed security conscious included scripts from sites that deployed weak security measures.

Including remote scripts not only creates a vector for attacks targeting a specific Web application, but it also presents an attack vector for opportunistic attackers, who aim to execute low-profile attacks on a large number of Web applications. Such attacks can yield large quantities of sensitive information—for example, by scraping the webpage's user-specific content, recording user-provided input in form fields, and extracting security tokens and session identifiers. Even when developers carefully select only trusted third parties for remote script inclusion, a certain risk persists, because third-party providers can be compromised as well. The dangers of third-party script inclusions are best illustrated by real-world examples, such as on-screen keyboard scraping malware [7], malware spread through advertisements [8], or actual compromises of third-party providers [9,10].

An opportunistic attacker can gain access to the Web application's client-side context through several attack vectors—for example, by compromising a remotely included script or advertisement, or through a cross-site scripting (XSS) attack. Because of the wide variety of sites that can be compromised through a malicious script or advertisement, opportunistic attackers carry out nontargeted attacks, such as looking for input elements of the type password, or scraping any user-specific displayed content, such as email messages, health records, and bank statements.

Use Cases

In light of the opportunistic attacker model, we propose three general use cases that benefit from effectively isolating data or HTML elements within the browser.

Displaying sensitive information. Many Web applications process and display user-specific information, which is often considered private and sensitive. Common examples of such private data are email messages, chat conversations, bank statements, and security challenges. Opportunistic attackers can easily inspect and collect such sensitive information because it isn't isolated from the rest of the page, which includes third-party scripts. An effective isolation mechanism for in-application content could prevent inspection or collection by an opportunistic attacker.

Protecting security tokens. A variant of displayed private information is application-related, hidden security tokens, often associated with a user's session. For example, the security tokens protecting against cross-site request forgery (CSRF) attacks are embedded as hidden form elements [11]. Hiding such security tokens from opportunistic attackers raises the security level of the applied countermeasures, thereby eliminating alternative attack vectors.

Protecting sensitive input elements. A third use case focuses on protecting client-side input elements, in contrast to hiding server-delivered content. Most Web applications contain sensitive input elements, such as HTML password elements and on-screen keyboards. Opportunistic attackers can easily gather sensitive user-provided data by using generally applicable selectors for sensitive input elements. Isolating such sensitive input elements from opportunistic attackers ensures that user-provided input cannot easily be stolen with a nontargeted attack. Note that such an isolation mechanism must extend toward event handlers associated with isolated input elements.

Motivating Empirical Evidence

The inclusion of potentially untrusted third-party code into a Web application is a common though potentially dangerous practice [6]. Two important industry-driven surveys of the most critical software errors warn of this risk. The Open Web Application Security Project (OWASP) Top Ten Project, which lists the 10 most dangerous risks for Web applications, gives "using components with known vulnerabilities" ninth place [12]. A similar initiative, the CWE/SANS Top 25 Most Dangerous Software Errors, puts "inclusion of functionality from untrusted control sphere" at the 16th spot [13].

To support the high rankings in these industry surveys, and to establish the relevance of the aforementioned use cases, we conducted two relatively small-scale experiments. To support the use cases for hiding sensitive data in the DOM, we investigate popular online password managers, where the DOM holds all of the user's passwords to every website. The second experiment supports the use case for protecting sensitive input elements by measuring the exposure of login forms to third-party script providers.

Password managers. Online password managers are used to store the multitude of authentication credentials required on the modern Web. This private and highly sensitive data is often even stored in an encrypted container, which is decrypted at the client side when the client provides the correct master key. One might expect that in such a sophisticated setup, the decrypted data is handled with care, preventing any risk of stolen or leaked data. For seven online password managers, gathered from the top 20 results for the Google query "free online password manager," we investigated whether they include scripts from a third party on the page that hosts the passwords in the DOM, giving these scripts full access to the user's credentials. As Table 1 shows, six of the seven (86 percent) include third-party scripts from at least one remote host on the page that displays the user's passwords. The Ghostery browser extension (https://www.ghostery.com/en/) considers all scripts to be analytics. Additionally, two password managers include scripts from additional remote hosts on their main page, which is situated within the same origin as the sensitive page.

Table 1. Six of the seven highest ranking free online password managers include at least one remote script on the user password page.

Search ranking   Name                    No. of remote scripts
1                PassPack                1
3                LastPass                1
4                Norton Identity Safe    4
5                Keeper                  1
8                Dashlane                1
10               Clipperz                0
16               Mitto                   1

Login forms. Almost every webpage has a login form, which is a trivial target from which an opportunistic attacker can extract user credentials. We crawled the Alexa top 1,000 sites, looking for login forms situated on a page with third-party script inclusions, thereby giving the third party full access to the login form.
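The two experiments above (remote scripts on password-manager pages, and login forms sharing a page with third-party scripts) amount to one static check that a site owner can run against their own pages. The following is an added example written for this page, not code from the article or its authors: it parses a saved HTML document, records every script host that differs from the page's own host (an approximation of the article's "remote host", whose exact rule the article does not spell out), counts password inputs and hidden fields such as CSRF tokens, and flags the page as exposed when both are present. The sample page, its hostnames and the token value are constructed for the example.

```python
"""Static exposure audit: sensitive fields versus remote scripts on one HTML page."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExposureAuditor(HTMLParser):
    """Walks one HTML page and records what an included remote script could reach.

    Nothing is executed; the audit only inspects the markup the server delivered,
    which is exactly the DOM a third-party script would see on page load.
    """

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.remote_script_hosts = set()  # hosts of <script src> other than the page host
        self.inline_scripts = 0           # <script> blocks without src (first-party code)
        self.password_inputs = 0          # <input type="password">
        self.hidden_inputs = []           # names of <input type="hidden"> (CSRF tokens, ids)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; boolean attributes (async) carry None.
        attr = {name: (value or "") for name, value in attrs}
        if tag == "script":
            src = attr.get("src", "").strip()
            if not src:
                self.inline_scripts += 1
                return
            # scheme="https" lets protocol-relative "//host/x.js" resolve to a hostname;
            # path-only sources such as "/static/app.js" yield no hostname (same host).
            host = urlparse(src, scheme="https").hostname
            if host and host != self.page_host:
                self.remote_script_hosts.add(host)
        elif tag == "input":
            kind = attr.get("type", "text").lower()  # type="PASSWORD" must still count
            if kind == "password":
                self.password_inputs += 1
            elif kind == "hidden":
                self.hidden_inputs.append(attr.get("name", ""))


def audit_page(page_url, html):
    """Summarise one page; 'exposed' means sensitive fields share it with remote scripts."""
    auditor = ExposureAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    sensitive = auditor.password_inputs > 0 or bool(auditor.hidden_inputs)
    return {
        "page_host": auditor.page_host,
        "remote_script_hosts": sorted(auditor.remote_script_hosts),
        "inline_scripts": auditor.inline_scripts,
        "password_inputs": auditor.password_inputs,
        "hidden_inputs": auditor.hidden_inputs,
        "exposed": sensitive and bool(auditor.remote_script_hosts),
    }


# Constructed sample: a login page that loads two scripts from other hosts.
SAMPLE_URL = "https://www.example.com/login"
SAMPLE_LOGIN_PAGE = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://www.example.com/assets/vendor.js"></script>
<script src="//analytics.example.net/track.js"></script>
<script src="https://cdn.example.org/ads.js" async></script>
<script>window.cfg = {};</script>
</head><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="CONSTRUCTED-TOKEN-VALUE">
  <input type="text" name="username">
  <input type="PASSWORD" name="password">
  <button type="submit">Login</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    result = audit_page(SAMPLE_URL, SAMPLE_LOGIN_PAGE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run over a crawl, the "exposed" flag reproduces the article's measurement: a page counts when a password or hidden token field and at least one script host other than the page's own appear together. The check deliberately treats a script served from a different hostname of the same organisation as remote, since from the browser's point of view it is still code the page did not author; a site that wants the article's stricter same-origin notion can compare scheme and port as well.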