-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST05-012
Supplementing Passwords
Passwords are common form of protecting information, but passwords
alone may not provide adequate security. For the best protection, look
for sites that have additional ways to verify your identity.
Why aren't passwords sufficient?
Passwords are beneficial as a first layer of protection, but they are
susceptible to being guessed or intercepted by attackers. You can
increase the effectiveness of your passwords by using tactics such as
avoiding passwords that are based on personal information or words
found in the dictionary; using a combination of numbers, special
characters, and lowercase and capital letters; and not sharing your
passwords with anyone else (see Choosing and Protecting Passwords for
more information). However, despite your best attempts, an attacker
may be able to obtain your password. If there are no additional
security measures in place, the attacker may be able to access your
personal, financial, or medical information.
What additional levels of security are being used?
Many organizations are beginning to use other forms of verification in
addition to passwords. The following practices are becoming more and
more common:
* two-factor authentication - With two-factor authentication, you
use your password in conjunction with an additional piece of
information. An attacker who has managed to obtain your password
can't do anything without the second component. The theory is
similar to requiring two forms of identification or two keys to
open a safe deposit box. However, in this case, the second
component is commonly a "one use" password that is voided as soon
as you use it. Even if an attacker is able to intercept the
exchange, he or she will still not be able to gain access because
that specific combination will not be valid again.
* personal web certificates - Unlike the certificates used to
identify web sites (see Understanding Web Site Certificates for
more information), personal web certificates are used to identify
individual users. A web site that uses personal web certificates
relies on these certificates and the authentication process of the
corresponding public/private keys to verify that you are who you
claim to be (see Understanding Digital Signatures and
Understanding Encryption for more information). Because
information identifying you is embedded within the certificate, an
additional password is unnecessary. However, you should have a
password to protect your private key so that attackers can't gain
access to your key and represent themselves as you. This process
is similar to two-factor authentication, but it differs because
the password protecting your private key is used to decrypt the
information on your computer and is never sent over the network.
What if you lose your password or certificate?
You may find yourself in a situation where you've forgotten your
password or you've reformatted your computer and lost your personal
web certificate. Most organizations have specific procedures for
giving you access to your information in these situations. In the case
of certificates, you may need to request that the organization issue
you a new one. In the case of passwords, you may just need a reminder.
No matter what happened, the organization needs a way to verify your
identity. To do this, many organizations rely on "secret questions."
When you open a new account (email, credit card, etc.), some
organizations will prompt you to provide them with the answer to a
question. They may ask you this question if you contact them about
forgetting your password or you request information about your account
over the phone. If your answer matches the answer they have on file,
they will assume that they are actually communicating with you. While
the theory behind the secret question has merit, the questions
commonly used ask for personal information such as mother's maiden
name, social security number, date of birth, or pet's name. Because so
much personal information is now available online or through other
public sources, attackers may be able to discover the answers to these
questions without much effort.
Realize that the secret question is really just an additional
password--when setting it up, you don't have to supply the actual
information as your answer. In fact, when you are asked in advance to
provide an answer to this type of question that will be used to
confirm your identity, dishonesty may be the best policy. Choose your
answer as you would choose any other good password, store it in a
secure location, and don't share it with other people (see Choosing
and Protecting Passwords for more information).
While these practices do offer you more protection, there is no
guarantee that they are completely effective. Attackers may still be
able to access your information, but increasing the level of security
does make it more difficult. Be aware of these practices when choosing
a bank, credit card company, or other organization that will have
access to your personal information. Don't be afraid to ask what kind
of security practices the organization uses.
_________________________________________________________________
Authors: Mindi McDowell, Chad Dougherty, Jason Rafail
_________________________________________________________________
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST05-012.html>
Copyright 2005 Carnegie Mellon University
Terms of use
<http://www.us-cert.gov/legal.html>
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQqdIMRhoSezw4YfQAQLGsQf/c+3j74R00jILRUnFKhZfeqqX8laut2ag
Zutry3lWABJRQI22+YhR+ikrTNIi1jQwHgGiQnoGGcQ53zmSqexbVATPLmXv1qWA
lisFpd1rm6cnSFpvz729kI/tsiwsnBYv4nYsPeODCQoWRJeZipeJZzv4hNCKsCQ/
JCly6AKiHRK7uDhl8qPBH8Ld+8uWbg7bholvAD1JLl8KbvUAKBwBJ6qOm6VL82We
bI2Wenm+NbH+SSdi6f9SGEliB9Upxe11r/8rwNMJalR4f6FCfaL0ICDTMcp6nJsu
sjSM8kwBqeZIOPiycsh12uwp0dd35iOqlKqyYpNCHsdmWjfxPvJ+JQ==
=Ne7i
-----END PGP SIGNATURE-----
