Password Management

Target Audience

Undergraduate
Graduate

Keywords

Social engineering
Password management
Two-factor authentication

Introduction

Overview

This case study explores real world failures in password management and social engineering defenses. It examines incidents such as the leaks of Mark Zuckerberg's personal passwords, the compromise of Michelle Obama's passport through a hacked contractor account, and the Yahoo breach affecting billions of users. These examples illustrate the pervasive human vulnerabilities and weak password practices that attackers exploit through phishing, guessing, and recovery system abuse.

Vulnerability Details

Common password related issues included the reuse of simple, guessable passwords across multiple platforms, failure to enable two-factor authentication, and insecure storage of credentials. Social engineering tactics exploited password recovery processes by using publicly available personal data, as demonstrated in the Sarah Palin email hack. The study emphasizes implementing strong, unique passwords, educating users through phishing simulations, and enforcing 2FA to further account protection. It also highlights best practices and the usability/security tradeoffs involved in password and authentication policy design.

Learning Objectives

Explain social engineering attacks
Explain best practices in password management
Explain what can be done to prevent social engineering attacks

Download

Includes a PDF case study adapted from a real-world cyber breach
Guided questions for student engagement
Instructor materials including context and background
All content packaged in a downloadable ZIP file

Remote Terminal

Terminal Description

Module Questions

What happened in the cases of social engineering and password management failures discussed in the presentation?Companies experienced ransomware attacks due to weak passwords stored in plaintext.A malware attack was initiated on IoT devices.Hackers used phishing emails to steal passwords from employees and individuals, leading to data breaches at several organizations.Physical devices were stolen from company premises, leading to data loss.

As a security consultant, how would you advise individuals and organizations to defend against social engineering attacks?Only monitor for technical vulnerabilities, disregarding human factors.Conduct regular security awareness training, implement email filters, and create a process for verifying any sensitive requests.Advise employees to only change their passwords once every five years.Ignore social engineering attacks, as they are rare.

What methods can be used to improve the adoption and effectiveness of two-factor authentication (2FA)?Disable 2FA to avoid inconveniencing users.Only use 2FA for administrative accounts.Require users to set up 2FA for every login attempt, even when using personal devices.Use simple authentication methods like SMS-based codes, offer biometric options like fingerprints or face recognition, and educate users on the importance of 2FA.

What are the advantages and risks of using mnemonic-based passwords compared to randomly generated ones?Mnemonic-based passwords are automatically encrypted.Randomly generated passwords are weaker because users forget them quickly.Mnemonic-based passwords are always stronger than randomly generated ones.Mnemonic-based passwords are easier to remember but may be less secure if they follow predictable patterns, while randomly generated passwords offer stronger security but are harder to remember.

How would you improve password management and security within an organization to prevent social engineering attacks?Only focus on external threats, ignoring internal vulnerabilities.Implement strong password policies, enforce the use of password managers, conduct regular phishing training, and require 2FA for all sensitive systems.Require users to share their passwords for easier IT management.Allow simple passwords to avoid user complaints.