Everybody's objective in the cybercrime tug-of-war is to end up on the winning side. Nobody likes losing, especially when what is at stake is your own property or, worse, your identity. There are, however, steps you can take to reduce both an organization's and your own personal risk and threat impact levels.
Over the next few days I will be presenting a series of articles covering the many and varied aspects, concerns, issues, strategies, policies, threats and countermeasures that make up password security.
Many systems today still rely on password-only authentication, so defending yourself and your organization against password compromise is all the more important. Having a single point of failure and attack (the logon name/password combination) leaves you more exposed to the efforts of cybercrime.
Honesty - Being True to Yourself
If you are not going to assess your current password security status honestly, then do not even bother. You will probably just waste a whole pile of blood, sweat and tears on useless, ineffective, time-consuming, misdirected and most definitely misguided pie-in-the-sky efforts.
The honesty I am referring to is the kind necessary for a realistic and accurate assessment of your current password security status. Assess yourself honestly; you do not have to let anyone else see the details of your dirty laundry.
So please, do yourself a favor and do this right. Only after appraising your current password security status will you be able to identify the areas of weakness that need prompt attention.
Hard Password Copies (Paper)
Keeping a hard copy (paper) of your passwords and locking it in your desk is not as secure as you might think. You cannot guarantee that nobody will attempt to break into your desk, and the locks on most desks are merely a trivial inconvenience to anyone with a little know-how.
A letter opener and five to ten seconds at most is usually all it takes to open the majority of desk drawers. Leaving the desk unlocked only compounds the problem: it may spare the desk's lock some damage, but it does nothing to protect the password hard copy.
Do not leave a hard copy of your passwords anywhere near your computer, e.g. on your desk or beside the PC or monitor. It is a very bad idea. Leaving a hard copy of your logon and password details in open public view is worse. The practice of writing your logon name and password on a Post-it note and sticking it to the PC or monitor is probably the worst of all.
Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned, is one of the most pervasive and persistent security problems. It is no secret that over the years Post-it notes and other password hard copies have been a profitable source of information for would-be password attackers.
There is little point in recommending countermeasures for handling hard copies of passwords and other authentication credentials, because the best advice of all is simple: never keep a hard copy of authentication details, period.
Electronic, Magnetic and Optical Password Copies
While not as risky as keeping hard copies of your authentication details, considerable care is still needed when storing electronic, magnetic or optical copies of this information. Always encrypt authentication data when storing it in any of these formats.
As with paper hard copies, any physical copy of any data carries an additional risk of theft. Many thieves find it easier to steal physical objects than electronic ones. They may consider your PC too big to fit in a pocket, but CDs, USB flash drives, floppy disks and external hard drives are another matter altogether.
Recommendations for protecting electronic, magnetic and optical copies of your data always begin with physical security measures such as data vaults, lock and key, and off-site storage. Beyond that, store this information only in encrypted form, which strengthens your data protection strategy; password-locking individual files is also important.
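As an added illustration of the encrypted-storage advice above (example code written for this editing pass, not the author's own, and assuming Go with nothing beyond its standard library), the following program seals a credential record under a key derived from a passphrase and refuses to decrypt it when the passphrase is wrong or the stored bytes have been altered. The iteration count, salt length and the sample record are assumed values chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed parameters for this example: a 16-byte salt, the standard 12-byte
// GCM nonce and 100,000 PBKDF2 iterations; raise the count as hardware allows.
const (
	saltLen  = 16
	nonceLen = 12
	kdfIter  = 100_000
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out in full so the
// example needs nothing beyond the standard library. It stretches a human
// passphrase into a fixed-length key slowly enough to blunt guessing.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset() // U1 = PRF(password, salt || INT_32_BE(block))
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_i = PRF(password, U_{i-1}); T = xor of all U_i
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newAEAD derives a 256-bit key from the passphrase and salt and wraps it
// in AES-GCM, which encrypts and authenticates the data in one step.
func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIter, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredentials encrypts a credential record for storage on disk, a USB
// stick or a CD. A fresh salt and nonce are drawn every time and stored in
// front of the ciphertext: salt || nonce || ciphertext+tag.
func SealCredentials(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen) // salt || nonce, both random
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	nonce := append([]byte{}, header[saltLen:]...)
	return aead.Seal(header, nonce, plaintext, nil), nil
}

// OpenCredentials reverses SealCredentials. A wrong passphrase or any
// modified byte fails the GCM tag check, so the caller never sees garbage.
func OpenCredentials(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("stored blob is too short")
	}
	aead, err := newAEAD(passphrase, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}

func main() {
	// Constructed sample record; a real file would hold many such lines.
	record := []byte("mailhost=mail.example.test user=alice pass=correct-horse")
	blob, err := SealCredentials("long vault passphrase", record)
	if err != nil {
		panic(err)
	}
	_, err = OpenCredentials("wrong guess", blob)
	fmt.Println("wrong passphrase:", err) // cipher: message authentication failed
	plain, _ := OpenCredentials("long vault passphrase", blob)
	fmt.Printf("recovered %q from %d stored bytes\n", plain, len(blob))
}
```

The salt and nonce are random per file and stored in the clear ahead of the ciphertext; the only secret is the passphrase. Because AES-GCM authenticates what it encrypts, a tampered copy fails to open instead of decrypting to silently corrupted credentials. PBKDF2 is spelled out here rather than taken from Go 1.24's crypto/pbkdf2 so the example also runs on older toolchains.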
Security-In-Depth
A security-in-depth strategy means implementing more than one mechanism in your defenses. You can build defenses around password authentication that opens an initial channel, after which additional passwords are required to gain further access privileges.
Here is an example that illustrates the security-in-depth approach using password authentication. You log onto the network with one password which, together with your logon user name, gives you access to basic network assets, services and resources once authenticated.
If some time later you need access to a resource requiring a higher privilege level, such as a database, you may have to supply another user name with a different password. We now have a two-tiered hierarchy of access privileges to specific resources. It is still password-based, but far more secure than a single password that opens everything.
Now suppose you wish to gain access to sensitive information held within that database. In that case you must supply yet another user name and password, and a third layer of password-protected access has been added.
Your level of security has increased yet again, and the best part is that it costs nothing. Most operating systems, including Windows, Linux and Apple Mac OS, along with specialty application software (MS Word, OpenOffice, security suites, etc.), support this strategy natively out of the box.
A classic example of this is your email account. Your operating system supplies the first password-protected authentication level at logon; your email service provider requires a further password-protected authentication when you check your email.
WARNING: A word of caution, however: most email password authentication takes place unencrypted, which is a very bad idea. Anybody with a “packet sniffer” utility can capture the traffic and read the credentials in plain text at their leisure.
To overcome this you can configure more secure communication channels or use a multifactor authentication system, which I do recommend. They will be the topic of my next article.
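To make the tiered-password scheme above concrete, here is an added example (not code from the article) of a session that enforces the order of the tiers: the database account cannot be attempted until the network logon succeeds, and the sensitive records cannot be attempted until the database account does. It assumes Go 1.24 or later for the crypto/pbkdf2 package; the tier names, accounts and passwords are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/pbkdf2"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdfIter is an assumed PBKDF2 iteration count for the stored hashes.
const kdfIter = 100_000

// credential is the salted PBKDF2-SHA256 hash of one account's password,
// which is all a tier needs to keep. crypto/pbkdf2 requires Go 1.24+.
type credential struct{ salt, hash []byte }

func newCredential(password string) (credential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return credential{}, err
	}
	hash, err := pbkdf2.Key(sha256.New, password, salt, kdfIter, 32)
	return credential{salt, hash}, err
}

// verify recomputes the hash and compares it in constant time.
func (c credential) verify(password string) bool {
	got, err := pbkdf2.Key(sha256.New, password, c.salt, kdfIter, 32)
	return err == nil && hmac.Equal(c.hash, got)
}

// Tier order from the article: network logon, then the database account,
// then the sensitive records in it. Each tier keeps its own accounts.
var tierIndex = map[string]int{"network": 0, "database": 1, "sensitive": 2}

// Session counts the tiers unlocked so far. A tier can only be attempted
// after every tier below it, so one captured password never opens them all.
type Session struct {
	store   map[string]map[string]credential // tier -> user name -> credential
	cleared int
}

// Authenticate submits the user name and password that belong to one tier.
func (s *Session) Authenticate(tier, user, password string) error {
	idx, ok := tierIndex[tier]
	switch {
	case !ok:
		return fmt.Errorf("unknown tier %q", tier)
	case idx < s.cleared:
		return nil // already unlocked earlier in this session
	case idx > s.cleared:
		return fmt.Errorf("tier %q requires the lower tiers first", tier)
	}
	cred, ok := s.store[tier][user]
	if !ok || !cred.verify(password) {
		return errors.New("authentication failed")
	}
	s.cleared = idx + 1
	return nil
}

// CanAccess reports whether the session may use resources at the tier.
func (s *Session) CanAccess(tier string) bool {
	idx, ok := tierIndex[tier]
	return ok && idx < s.cleared
}

// demoStore builds constructed sample accounts, one per tier.
func demoStore() (map[string]map[string]credential, error) {
	store := map[string]map[string]credential{}
	for _, a := range [][3]string{ // {tier, user name, password}
		{"network", "alice", "net-pass"},
		{"database", "db_alice", "db-pass"},
		{"sensitive", "audit_alice", "audit-pass"},
	} {
		cred, err := newCredential(a[2])
		if err != nil {
			return nil, err
		}
		store[a[0]] = map[string]credential{a[1]: cred}
	}
	return store, nil
}

func main() {
	store, err := demoStore()
	if err != nil {
		panic(err)
	}
	s := &Session{store: store}
	fmt.Println(s.Authenticate("database", "db_alice", "db-pass")) // refused: network logon first
	fmt.Println(s.Authenticate("network", "alice", "net-pass"))    // <nil>
	fmt.Println(s.Authenticate("database", "db_alice", "db-pass")) // <nil>
	fmt.Println(s.CanAccess("database"), s.CanAccess("sensitive")) // true false
}
```

Each tier stores only a salted PBKDF2 hash, so a stolen credential table for one tier reveals nothing about the others, and hmac.Equal keeps the comparison constant-time. The tiering only adds security when a password captured at one level does not open the next, which is why each tier has its own user name and password.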
Conclusions
NEVER disclose account information such as logon names and passwords. At all times and under all circumstances you must ensure that this type of information (authorization credentials) remains known only to your security, administration and support personnel, and then only on a need-to-know basis.
NEVER keep hard copies of passwords and other authentication details. It is a practice fraught with danger.
ALWAYS store data in an encrypted format.
ALWAYS afford authentication credentials maximum protection and spare no effort in doing so, as this will raise the level of security across your entire system and network.
ALWAYS implement multiple layers of password-protected authentication. A security-in-depth approach is applicable to practically every system with a little careful planning.
Until next time when I will discuss multifactor authentication systems, enjoy!