US-CERT Cyber Security Tip ST05-012 -- Supplementing Passwords


                       Cyber Security Tip ST05-012
                         Supplementing Passwords

   Passwords are a common form of protecting information, but passwords alone
   may not provide adequate security. For the best protection, look for sites
   that have additional ways to verify your identity.

Why aren't passwords sufficient?

   Passwords are beneficial as a first layer of protection, but they are
   susceptible to being guessed or intercepted by attackers. You can increase
   the effectiveness of your passwords by using tactics such as avoiding
   passwords that are based on personal information or words found in the
   dictionary; using a combination of numbers, special characters, and
   lowercase and capital letters; and not sharing your passwords with anyone
   else (see Choosing and Protecting Passwords for more information). However,
   despite your best attempts, an attacker may be able to obtain your password.
   If there are no additional security measures in place, the attacker may be
   able to access your personal, financial, or medical information.

What additional levels of security are being used?

   Many organizations are beginning to use other forms of verification in
   addition to passwords. The following practices are becoming more and more
   common:
     * two-factor authentication - With two-factor authentication, you use your
       password in conjunction with an additional piece of information. An
       attacker who has managed to obtain your password can't do anything
       without the second component. The theory is similar to requiring two
       forms of identification or two keys to open a safe deposit box. However,
       in this case, the second component is commonly a "one use" password that
       is voided as soon as you use it. Even if an attacker is able to
       intercept the exchange, he or she will still not be able to gain access
       because that specific combination will not be valid again.
     * personal web certificates - Unlike the certificates used to identify web
       sites (see Understanding Web Site Certificates for more information),
       personal web certificates are used to identify individual users. A web
       site that uses personal web certificates relies on these certificates
       and the authentication process of the corresponding public/private keys
       to verify that you are who you claim to be (see Understanding Digital
       Signatures and Understanding Encryption for more information). Because
       information identifying you is embedded within the certificate, an
       additional password is unnecessary. However, you should have a password
       to protect your private key so that attackers can't gain access to your
       key and represent themselves as you. This process is similar to
       two-factor authentication, but it differs because the password
       protecting your private key is used to decrypt the information on your
       computer and is never sent over the network.
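   As an added illustration (not part of the original tip), the following
   shows how a "one use" second factor behaves: an HMAC-based one-time
   password (RFC 4226 HOTP) that the server voids as soon as it is accepted,
   so a code intercepted in transit cannot be replayed. The class name,
   acceptance window and demo secret are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real deployment provisions one per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Server side, after the password check already passed.

    Tracks the next counter it will accept; a code is valid only for a
    small look-ahead window and only until it (or a later code) is used.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server accepts
        self.window = window      # tolerate a few unused codes on the token

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # voids this code and every earlier one
                return True
        return False


def replay_demo() -> tuple:
    """Accept a fresh code once, then reject the same code when replayed."""
    server = SecondFactorVerifier(DEMO_SECRET)
    token_code = hotp(DEMO_SECRET, 0)      # what the user's token displays
    first = server.verify(token_code)      # legitimate login
    replay = server.verify(token_code)     # attacker replays the captured code
    return first, replay


if __name__ == "__main__":
    print(replay_demo())  # (True, False)
```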

What if you lose your password or certificate?

   You may find yourself in a situation where you've forgotten your password or
   you've reformatted your computer and lost your personal web certificate.
   Most organizations have specific procedures for giving you access to your
   information in these situations. In the case of certificates, you may need
   to request that the organization issue you a new one. In the case of
   passwords, you may just need a reminder. No matter what happened, the
   organization needs a way to verify your identity. To do this, many
   organizations rely on "secret questions."

   When you open a new account (email, credit card, etc.), some organizations
   will prompt you to provide them with the answer to a question. They may ask
   you this question if you contact them about forgetting your password or you
   request information about your account over the phone. If your answer
   matches the answer they have on file, they will assume that they are
   actually communicating with you. While the theory behind the secret question
   has merit, the questions commonly used ask for personal information such as
   mother's maiden name, social security number, date of birth, or pet's name.
   Because so much personal information is now available online or through
   other public sources, attackers may be able to discover the answers to these
   questions without much effort.

   Realize that the secret question is really just an additional password: when
   setting it up, you don't have to supply the actual information as your
   answer. In fact, when you are asked in advance to provide an answer to this
   type of question that will be used to confirm your identity, dishonesty may
   be the best policy. Choose your answer as you would choose any other good
   password, store it in a secure location, and don't share it with other
   people (see Choosing and Protecting Passwords for more information).

   While the additional security practices do offer you more protection than a
   password alone, there is no guarantee that they are completely effective.
   Attackers may still be able to access your information, but increasing the
   level of security does make it more difficult. Be aware of these practices
   when choosing a bank, credit card company, or other organization that will
   have access to your personal information. Don't be afraid to ask what kind
   of security practices the organization uses.
   _________________________________________________________________

   Authors: Mindi McDowell, Chad Dougherty, Jason Rafail
   _________________________________________________________________

   Produced 2005 by US-CERT, a government organization.

   Note: This tip was previously published and is being re-distributed
   to increase awareness.

   Terms of use
   <http://www.us-cert.gov/legal.html>

   This document can also be found at
   <http://www.us-cert.gov/cas/tips/ST05-012.html>

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
