US-CERT Cyber Security Tip ST05-012 -- Supplementing Passwords

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                         Cyber Security Tip ST05-012 
                           Supplementing Passwords

   Passwords are a common form of protecting information, but passwords
   alone may not provide adequate security. For the best protection, look
   for sites that have additional ways to verify your identity.

Why aren't passwords sufficient?

   Passwords are beneficial as a first layer of protection, but they are
   susceptible to being guessed or intercepted by attackers. You can
   increase the effectiveness of your passwords by using tactics such as
   avoiding passwords that are based on personal information or words
   found in the dictionary; using a combination of numbers, special
   characters, and lowercase and capital letters; and not sharing your
   passwords with anyone else (see Choosing and Protecting Passwords for
   more information). However, despite your best attempts, an attacker
   may be able to obtain your password. If there are no additional
   security measures in place, the attacker may be able to access your
   personal, financial, or medical information.

What additional levels of security are being used?

   Many organizations are beginning to use other forms of verification in
   addition to passwords. The following practices are becoming more and
   more common:
     * two-factor authentication - With two-factor authentication, you
       use your password in conjunction with an additional piece of
       information. An attacker who has managed to obtain your password
       can't do anything without the second component. The theory is
       similar to requiring two forms of identification or two keys to
       open a safe deposit box. However, in this case, the second
       component is commonly a "one use" password that is voided as soon
       as you use it. Even if an attacker is able to intercept the
       exchange, he or she will still not be able to gain access because
       that specific combination will not be valid again.
     * personal web certificates - Unlike the certificates used to
       identify web sites (see Understanding Web Site Certificates for
       more information), personal web certificates are used to identify
       individual users. A web site that uses personal web certificates
       relies on these certificates and the authentication process of the
       corresponding public/private keys to verify that you are who you
       claim to be (see Understanding Digital Signatures and
       Understanding Encryption for more information). Because
       information identifying you is embedded within the certificate, an
       additional password is unnecessary. However, you should have a
       password to protect your private key so that attackers can't gain
       access to your key and represent themselves as you. This process
       is similar to two-factor authentication, but it differs because
       the password protecting your private key is used to decrypt the
       information on your computer and is never sent over the network.

What if you lose your password or certificate?

   You may find yourself in a situation where you've forgotten your
   password or you've reformatted your computer and lost your personal
   web certificate. Most organizations have specific procedures for
   giving you access to your information in these situations. In the case
   of certificates, you may need to request that the organization issue
   you a new one. In the case of passwords, you may just need a reminder.
   No matter what happened, the organization needs a way to verify your
   identity. To do this, many organizations rely on "secret questions."

   When you open a new account (email, credit card, etc.), some
   organizations will prompt you to provide them with the answer to a
   question. They may ask you this question if you contact them about
   forgetting your password or you request information about your account
   over the phone. If your answer matches the answer they have on file,
   they will assume that they are actually communicating with you. While
   the theory behind the secret question has merit, the questions
   commonly used ask for personal information such as mother's maiden
   name, social security number, date of birth, or pet's name. Because so
   much personal information is now available online or through other
   public sources, attackers may be able to discover the answers to these
   questions without much effort.

   Realize that the secret question is really just an additional
   password--when setting it up, you don't have to supply the actual
   information as your answer. In fact, when you are asked in advance to
   provide an answer to this type of question that will be used to
   confirm your identity, dishonesty may be the best policy. Choose your
   answer as you would choose any other good password, store it in a
   secure location, and don't share it with other people (see Choosing
   and Protecting Passwords for more information).

   While these practices do offer you more protection, there is no
   guarantee that they are completely effective. Attackers may still be
   able to access your information, but increasing the level of security
   does make it more difficult. Be aware of these practices when choosing
   a bank, credit card company, or other organization that will have
   access to your personal information. Don't be afraid to ask what kind
   of security practices the organization uses.
     _________________________________________________________________

     Authors: Mindi McDowell, Chad Dougherty, Jason Rafail
     _________________________________________________________________

     This document can also be found at
 
     <http://www.us-cert.gov/cas/tips/ST05-012.html>

     Copyright 2005 Carnegie Mellon University

     Terms of use

     <http://www.us-cert.gov/legal.html>


     For instructions on subscribing to or unsubscribing from this
     mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
     
     
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQqdIMRhoSezw4YfQAQLGsQf/c+3j74R00jILRUnFKhZfeqqX8laut2ag
Zutry3lWABJRQI22+YhR+ikrTNIi1jQwHgGiQnoGGcQ53zmSqexbVATPLmXv1qWA
lisFpd1rm6cnSFpvz729kI/tsiwsnBYv4nYsPeODCQoWRJeZipeJZzv4hNCKsCQ/
JCly6AKiHRK7uDhl8qPBH8Ld+8uWbg7bholvAD1JLl8KbvUAKBwBJ6qOm6VL82We
bI2Wenm+NbH+SSdi6f9SGEliB9Upxe11r/8rwNMJalR4f6FCfaL0ICDTMcp6nJsu
sjSM8kwBqeZIOPiycsh12uwp0dd35iOqlKqyYpNCHsdmWjfxPvJ+JQ==
=Ne7i
-----END PGP SIGNATURE-----
