Cyber Security Tip ST05-012

                        Supplementing Passwords

 

 

 

   Passwords are a common form of protecting information, but passwords alone may not provide adequate security. For the best protection, look for sites that have additional ways to verify your identity.

 

 

Why aren't passwords sufficient?

 

   Passwords are beneficial as a first layer of protection, but they are susceptible to being guessed or intercepted by attackers. You can increase the effectiveness of your passwords by using tactics such as avoiding passwords that are based on personal information or words found in the dictionary; using a combination of numbers, special characters, and lowercase and capital letters; and not sharing your passwords with anyone else (see Choosing and Protecting Passwords for more information). However, despite your best attempts, an attacker may be able to obtain your password. If there are no additional security measures in place, the attacker may be able to access your personal, financial, or medical information.

 

 

What additional levels of security are being used?

 

   Many organizations are beginning to use other forms of verification in addition to passwords. The following practices are becoming more and more common:

     * two-factor authentication - With two-factor authentication, you use your password in conjunction with an additional piece of information. An attacker who has managed to obtain your password can't do anything without the second component. The theory is similar to requiring two forms of identification or two keys to open a safe deposit box. However, in this case, the second component is commonly a "one use" password that is voided as soon as you use it. Even if an attacker is able to intercept the exchange, he or she will still not be able to gain access because that specific combination will not be valid again.

     * personal web certificates - Unlike the certificates used to identify web sites (see Understanding Web Site Certificates for more information), personal web certificates are used to identify individual users. A web site that uses personal web certificates relies on these certificates and the authentication process of the corresponding public/private keys to verify that you are who you claim to be (see Understanding Digital Signatures and Understanding Encryption for more information). Because information identifying you is embedded within the certificate, an additional password is unnecessary. However, you should have a password to protect your private key so that attackers can't gain access to your key and represent themselves as you. This process is similar to two-factor authentication, but it differs because the password protecting your private key is used to decrypt the information on your computer and is never sent over the network.
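
   The "one use" password from the two-factor authentication item above, as an added example that is not part of the original US-CERT tip: a server-side check built on HOTP (RFC 4226), one common way to generate such codes, which voids each code as soon as it is accepted. The function and class names, the look-ahead window and the sample secret (the RFC's published test key) are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SecondFactor:
    """Server-side check that accepts each one-time code at most once."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.next_counter = 0   # lowest counter value not yet used
        self.window = window    # how far ahead the user's token may have moved

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            expected = hotp(self.secret, c).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.next_counter = c + 1   # void this code and all earlier ones
                return True
        return False


def login(password_ok: bool, factor: SecondFactor, code: str) -> bool:
    """Both components are required; a correct password alone is rejected."""
    return password_ok and factor.verify(code)


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # constructed sample: RFC 4226 test key
    factor = SecondFactor(SECRET)
    code = hotp(SECRET, 0)
    print("user logs in with password + code:", login(True, factor, code))
    print("same code replayed after interception:", login(True, factor, code))
    print("password with a guessed code:", login(True, factor, "000000"))
```

   The replayed code fails because the server's counter has already moved past it, which is the "will not be valid again" property the item describes.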

 

 

What if you lose your password or certificate?

 

   You may find yourself in a situation where you've forgotten your password or you've reformatted your computer and lost your personal web certificate. Most organizations have specific procedures for giving you access to your information in these situations. In the case of certificates, you may need to request that the organization issue you a new one. In the case of passwords, you may just need a reminder. No matter what happened, the organization needs a way to verify your identity. To do this, many organizations rely on "secret questions."

 

   When you open a new account (email, credit card, etc.), some organizations will prompt you to provide them with the answer to a question. They may ask you this question if you contact them about forgetting your password or you request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. While the theory behind the secret question has merit, the questions commonly used ask for personal information such as mother's maiden name, social security number, date of birth, or pet's name. Because so much personal information is now available online or through other public sources, attackers may be able to discover the answers to these questions without much effort.

 

   Realize that the secret question is really just an additional password--when setting it up, you don't have to supply the actual information as your answer. In fact, when you are asked in advance to provide an answer to this type of question that will be used to confirm your identity, dishonesty may be the best policy. Choose your answer as you would choose any other good password, store it in a secure location, and don't share it with other people (see Choosing and Protecting Passwords for more information).

 

 

   While the additional security practices do offer you more protection than a password alone, there is no guarantee that they are completely effective. Attackers may still be able to access your information, but increasing the level of security does make it more difficult. Be aware of these practices when choosing a bank, credit card company, or other organization that will have access to your personal information. Don't be afraid to ask what kind of security practices the organization uses.

 

     _________________________________________________________________

 

     Authors: Mindi McDowell, Chad Dougherty, Jason Rafail

     _________________________________________________________________

 

     Produced 2005 by US-CERT, a government organization.

 

 

     Note: This tip was previously published and is being re-distributed to increase awareness.

 

     Terms of use

 

     <http://www.us-cert.gov/legal.html>

 

     This document can also be found at

 

     <http://www.us-cert.gov/cas/tips/ST05-012.html>

 

 

     For instructions on subscribing to the US-CERT Emailing list, visit <http://www.us-cert.gov/cas/signup.html>.

