US-CERT Cyber Security Tip ST05-012 -- Supplementing Passwords

                      Cyber Security Tip ST05-012
                        Supplementing Passwords


   Passwords are a common form of protecting information, but passwords
   alone may not provide adequate security. For the best protection, look
   for sites that have additional ways to verify your identity.

Why aren't passwords sufficient?

   Passwords are beneficial as a first layer of protection, but they are
   susceptible to being guessed or intercepted by attackers. You can
   increase the effectiveness of your passwords by using tactics such as
   avoiding passwords that are based on personal information or words
   found in the dictionary; using a combination of numbers, special
   characters, and lowercase and capital letters; and not sharing your
   passwords with anyone else (see Choosing and Protecting Passwords for
   more information). However, despite your best attempts, an attacker
   may be able to obtain your password. If there are no additional
   security measures in place, the attacker may be able to access your
   personal, financial, or medical information.

What additional levels of security are being used?

   Many organizations are beginning to use other forms of verification in
   addition to passwords. The following practices are becoming more and
   more common:
     * two-factor authentication - With two-factor authentication, you
       use your password in conjunction with an additional piece of
       information. An attacker who has managed to obtain your password
       can't do anything without the second component. The theory is
       similar to requiring two forms of identification or two keys to
       open a safe deposit box. However, in this case, the second
       component is commonly a one-time ("one use") password that is
       voided as soon as you use it. Even if an attacker is able to
       intercept the exchange, he or she will still not be able to gain
       access because that specific combination will not be valid again.
     * personal web certificates - Unlike the certificates used to
       identify web sites (see Understanding Web Site Certificates for
       more information), personal web certificates are used to identify
       individual users. A web site that uses personal web certificates
       relies on these certificates and the authentication process of the
       corresponding public/private keys to verify that you are who you
       claim to be (see Understanding Digital Signatures and
       Understanding Encryption for more information). Because
       information identifying you is embedded within the certificate, an
       additional password is unnecessary. However, you should have a
       password to protect your private key so that attackers can't gain
       access to your key and impersonate you. This process is similar to
       two-factor authentication, but it differs because the password
       protecting your private key is used to decrypt the information on
       your computer and is never sent over the network.
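
   As an added illustration (not part of the US-CERT tip), the Python below
   models a server that first checks the password and then an RFC 4226 HOTP
   one-time code, advancing a counter so the same code is refused if it is
   replayed. The Account class, the sample password, the shared secret and
   the look-ahead window are constructed for this example.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Hypothetical user record: salted password hash plus an OTP secret
    and the highest counter value already accepted (constructed demo)."""

    def __init__(self, password: str, otp_secret: bytes):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, 100_000)
        self._otp_secret = otp_secret
        self._last_counter = -1  # no one-time code has been used yet

    def _password_ok(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(cand, self._pw_hash)

    def login(self, password: str, code: str, look_ahead: int = 5) -> bool:
        """Both factors must pass. A code is accepted only if its counter
        lies in a small window past the last used one; on success that
        counter (and every earlier one) is voided, so a replay fails."""
        if not self._password_ok(password):
            return False
        start = self._last_counter + 1
        for c in range(start, start + look_ahead):
            if hmac.compare_digest(hotp(self._otp_secret, c), code):
                self._last_counter = c
                return True
        return False
```

   The first two assertions use the reference test vectors from RFC 4226 so
   the HOTP implementation itself can be checked against the standard.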

What if you lose your password or certificate?

   You may find yourself in a situation where you've forgotten your
   password or you've reformatted your computer and lost your personal
   web certificate. Most organizations have specific procedures for
   giving you access to your information in these situations. In the case
   of certificates, you may need to request that the organization issue
   you a new one. In the case of passwords, you may just need a reminder.
   No matter what happened, the organization needs a way to verify your
   identity. To do this, many organizations rely on "secret questions."

   When you open a new account (email, credit card, etc.), some
   organizations will prompt you to provide them with the answer to a
   question. They may ask you this question if you contact them about
   forgetting your password or you request information about your account
   over the phone. If your answer matches the answer they have on file,
   they will assume that they are actually communicating with you. While
   the theory behind the secret question has merit, the questions
   commonly used ask for personal information such as mother's maiden
   name, social security number, date of birth, or pet's name. Because so
   much personal information is now available online or through other
   public sources, attackers may be able to discover the answers to these
   questions without much effort.

   Realize that the secret question is really just an additional
   password--when setting it up, you don't have to supply the actual
   information as your answer. In fact, when you are asked in advance to
   provide an answer to this type of question that will be used to
   confirm your identity, dishonesty may be the best policy. Choose your
   answer as you would choose any other good password, store it in a
   secure location, and don't share it with other people (see Choosing
   and Protecting Passwords for more information).

   While the additional security practices do offer you more protection
   than a password alone, there is no guarantee that they are completely
   effective. Attackers may still be able to access your information, but
   increasing the level of security does make it more difficult. Be aware
   of these practices when choosing a bank, credit card company, or other
   organization that will have access to your personal information. Don't
   be afraid to ask what kind of security practices the organization
   uses.
     _________________________________________________________________

     Authors: Mindi McDowell, Chad Dougherty, Jason Rafail
     _________________________________________________________________

     Produced 2005 by US-CERT, a government organization.

     Note: This tip was previously published and is being re-distributed
     to increase awareness.

     Terms of use
     <http://www.us-cert.gov/legal.html>

     This document can also be found at
     <http://www.us-cert.gov/cas/tips/ST05-012.html>

     For instructions on subscribing to or unsubscribing from this
     mailing list, visit <http://www.us-cert.gov/cas/signup.html>.