Cyber Security Tip ST05-012
Supplementing Passwords
Passwords are a common form of protecting information, but
passwords alone may not provide adequate security. For the best
protection, look for sites that have additional ways to verify your
identity.
Why aren’t passwords sufficient?
Passwords are beneficial as a first layer of protection, but they are
susceptible to being guessed or intercepted by attackers. You can
increase the effectiveness of your passwords by using tactics such as
avoiding passwords that are based on personal information or words
found in the dictionary; using a combination of numbers, special
characters, and lowercase and capital letters; and not sharing your
passwords with anyone else (see Choosing and Protecting Passwords for
more information). However, despite your best attempts, an attacker
may be able to obtain your password.
If there are no additional security measures in place, the attacker may
be able to access your personal, financial, or medical information.
What additional levels of security are being used?
Many organizations are beginning to use other forms of verification in
addition to passwords. The following practices are becoming more and
more common:
* two-factor authentication – With two-factor authentication, you use
your password in conjunction with an additional piece of information.
An attacker who has managed to obtain your password can’t do
anything without the second component. The theory is similar to
requiring two forms of identification or two keys to open a safe deposit
box. However, in this case, the second component is commonly a "one
use" password that is voided as soon as you use it. Even if an attacker is
able to intercept the exchange, he or she will still not be able to gain
access because that specific combination will not be valid again.
* personal web certificates – Unlike the certificates used to identify
web sites (see Understanding Web Site Certificates for more
information), personal web certificates are used to identify individual
users. A web site that uses personal web certificates relies on these
certificates and the authentication process of the corresponding
public/private keys to verify that you are who you claim to be (see
Understanding Digital Signatures and Understanding Encryption for
more information). Because information identifying you is embedded
within the certificate, an additional password is unnecessary. However,
you should have a password to protect your private key so that
attackers can’t gain access to your key and represent themselves as
you. This process is similar to two-factor authentication, but it differs
because the password protecting your private key is used to decrypt the
information on your computer and is never sent over the network.
What if you lose your password or certificate?
You may find yourself in a situation where you’ve forgotten your
password or you’ve reformatted your computer and lost your personal
web certificate.
Most organizations have specific procedures for giving you access to
your information in these situations. In the case of certificates, you may
need to request that the organization issue you a new one. In the case
of passwords, you may just need a reminder. No matter what
happened, the organization needs a way to verify your identity. To do
this, many organizations rely on "secret questions."
When you open a new account (email, credit card, etc.), some
organizations will prompt you to provide them with the answer to a
question. They may ask you this question if you contact them about
forgetting your password or you request information about your
account over the phone. If your answer matches the answer they have
on file, they will assume that they are actually communicating with you.
While the theory behind the secret question has merit, the questions
commonly used ask for personal information such as mother’s maiden
name, social security number, date of birth, or pet’s name.
Because so much personal information is now available online or
through other public sources, attackers may be able to discover the
answers to these questions without much effort.
Realize that the secret question is really just an additional password
when setting it up, you don’t have to supply the actual information as
your answer. In fact, when you are asked in advance to provide an
answer to this type of question that will be used to confirm your
identity, dishonesty may be the best policy. Choose your answer as you
would choose any other good password, store it in a secure location,
and don’t share it with other people (see Choosing and Protecting
Passwords for more information).
While the additional security practices do offer you more protection
than a password alone, there is no guarantee that they are completely
effective.
Attackers may still be able to access your information, but increasing
the level of security does make it more difficult. Be aware of these
practices when choosing a bank, credit card company, or other
organization that will have access to your personal information. Don’t
be afraid to ask what kind of security practices the organization uses.
___________________________________________________________
Authors: Mindi McDowell, Chad Dougherty, Jason Rafail
___________________________________________________________
Produced 2005 by US-CERT, a government organization.
Note: This tip was previously published and is being re-distributed
to increase awareness.
Terms of use
<http://www.us-cert.gov/legal.html>
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST05-012.html>
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.