Postby admin » Thu Jul 29, 2010 11:42 am

Cyber Security Tip ST05-012
Supplementing Passwords

Passwords are a common form of protecting information, but passwords alone
may not provide adequate security. For the best protection, look for sites
that have additional ways to verify your identity.

Why aren't passwords sufficient?

Passwords are beneficial as a first layer of protection, but they are
susceptible to being guessed or intercepted by attackers. You can increase
the effectiveness of your passwords by using tactics such as avoiding
passwords that are based on personal information or words found in the
dictionary; using a combination of numbers, special characters, and
lowercase and capital letters; and not sharing your passwords with anyone
else (see Choosing and Protecting Passwords for more information). However,
despite your best attempts, an attacker may be able to obtain your password.
If there are no additional security measures in place, the attacker may be
able to access your personal, financial, or medical information.

What additional levels of security are being used?

Many organizations are beginning to use other forms of verification in
addition to passwords. The following practices are becoming more and more
common:
* two-factor authentication - With two-factor authentication, you use your
password in conjunction with an additional piece of information. An
attacker who has managed to obtain your password can't do anything
without the second component. The theory is similar to requiring two
forms of identification or two keys to open a safe deposit box. However,
in this case, the second component is commonly a "one use" password that
is voided as soon as you use it. Even if an attacker is able to
record the exchange, he or she will still not be able to replay it
later, because that specific code will not be valid again. One caveat:
a one-use code only protects you against replay after the fact, not
against an attacker who tricks you into typing a fresh code into a fake
site and passes it on to the real site before you use it, so enter the
code only on the site that issued it.
* personal web certificates - Unlike the certificates used to identify web
sites (see Understanding Web Site Certificates for more information),
personal web certificates are used to identify individual users. A web
site that uses personal web certificates verifies that you are who you
claim to be by checking that you hold the private key matching the
public key in your certificate: the site sends a fresh challenge, your
browser signs it with your private key, and the site checks the
signature with the public key (see Understanding Digital Signatures and
Understanding Encryption for more information). Because the certificate
carries your identity and the signature proves you hold the matching
key, an additional password is unnecessary. However, you should have a
password to protect your private key so that an attacker who copies the
key file can't use it to represent themselves as you. This process is
similar to two-factor authentication, but it differs because the
password protecting your private key is used only to decrypt the key on
your computer and is never sent over the network.

What if you lose your password or certificate?

You may find yourself in a situation where you've forgotten your password or
you've reformatted your computer and lost your personal web certificate.
Most organizations have specific procedures for giving you access to your
information in these situations. In the case of certificates, you may need
to request that the organization issue you a new one. In the case of
passwords, you may just need a reminder. No matter what happened, the
organization needs a way to verify your identity. To do this, many
organizations rely on "secret questions."

When you open a new account (email, credit card, etc.), some organizations
will prompt you to provide them with the answer to a question. They may ask
you this question if you contact them about forgetting your password or you
request information about your account over the phone. If your answer
matches the answer they have on file, they will assume that they are
actually communicating with you. While the theory behind the secret question
has merit, the questions commonly used ask for personal information such as
mother's maiden name, social security number, date of birth, or pet's name.
Because so much personal information is now available online or through
other public sources, attackers may be able to discover the answers to these
questions without much effort.

Realize that the secret question is really just an additional password—when
setting it up, you don't have to supply the actual information as your
answer. In fact, when you are asked in advance to provide an answer to this
type of question that will be used to confirm your identity, dishonesty may
be the best policy. Choose your answer as you would choose any other good
password, store it in a secure location, and don't share it with other
people (see Choosing and Protecting Passwords for more information).
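Treating the secret answer as "just an additional password" on the server side, as an added example that is not part of the original tip: the answer is generated at random rather than taken from a fact about the user, stored only as a salted PBKDF2 hash, and compared in constant time. The iteration count, salt size and function names are choices made for this example.

```python
import hashlib
import hmac
import os
import secrets

# Example parameters: PBKDF2-HMAC-SHA256 with a per-answer 16-byte salt.
ITERATIONS = 600_000
SALT_BYTES = 16


def new_answer(nbytes: int = 12) -> str:
    """A secret-question 'answer' chosen like a password: random, not a fact
    about the user, meant to be kept in a password manager rather than memory."""
    return secrets.token_urlsafe(nbytes)


def store_answer(answer: str) -> tuple:
    """What the organization keeps on file: (salt, hash), never the answer itself."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def check_answer(stored, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    # Constructed demo: enrol a random answer, then try the real answer and a guess.
    answer = new_answer()
    record = store_answer(answer)
    print("correct answer accepted:", check_answer(record, answer))   # True
    print("guessed pet name accepted:", check_answer(record, "Fluffy"))  # False
```

A random answer like this cannot be looked up in public records, which is the weakness the tip describes in questions such as mother's maiden name or date of birth.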

While the additional security practices do offer you more protection than a
password alone, there is no guarantee that they are completely effective.
Attackers may still be able to access your information, but increasing the
level of security does make it more difficult. Be aware of these practices
when choosing a bank, credit card company, or other organization that will
have access to your personal information. Don't be afraid to ask what kind
of security practices the organization uses.