Passwords
There are several things you should be aware of concerning password security.
Passwords can be, and often are, written down by users who have trouble remembering them. Passwords are also increasingly stored electronically, on PDAs or mobile phones. Do not leave passwords recorded anywhere for others to find.
Social engineering and phishing scams:
These scams trick a user into disclosing the password simply by asking for it in some way (e.g. a caller claiming to be a helpdesk person).
Key-logging:
Passwords can be intercepted by key-loggers (hardware or software) and then transmitted to other people.
Shoulder surfing:
Refers to using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
- Fill out a form
- Enter their PIN at a cash machine or a POS terminal
- Use a calling card at a public pay phone
- Enter passwords at a cybercafe, public and university libraries, or airport kiosks.
- Enter a code for a rented locker in a public place such as a swimming pool or airport
Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry. To prevent shoulder surfing, it is advised to shield paperwork or the keypad from view by using one’s body or cupping one’s hand.
Cracking:
Passwords can be cracked, especially if they are short (although "short" is a relative concept, taking into account the increased computing power available today).
Guessing:
Passwords can be guessed, e.g. if no strong password policy is enforced.
To counter guessing, quite simply, passwords need to be made as long and as complex as is practicable. A password should:
- Be significantly different from your previous passwords.
- Not contain your own name or user name (nor the name of a spouse, children, pets etc.).
- Have at least one symbol character in the second through sixth positions.
Packet Sniffing:
Passwords can be sniffed, i.e. intercepted while in transit between a PC and a server (e.g. on the Internet).
Packet sniffing is the monitoring of data traffic on a computer network. Computers communicate over the Internet by breaking up messages (emails, images, videos, web pages, files, etc.) into small chunks called "packets", which are routed through a network of computers until they reach their destination, where they are assembled back into a complete "message" again. Packet sniffers are programs that intercept these packets as they travel through the network so that their contents can be examined using other programs. A packet sniffer is an information gathering tool, not an analysis tool: that is, it gathers "messages" but does not analyze them and figure out what they mean.
Resetting:
Passwords can be reset (which is often easier than cracking a password). If you have created a password restore disk for your computer, always ensure that it is stored safely: anyone can use this disk to reset your password, no matter how many times you have changed your password since the disk was created.
Password Best Practice
You should not include personal information in your password, such as your birthday, the name of your dog, favourite sports team, etc.
- Use as many characters as possible; the longer the password, the harder it is to crack.
- Phrases are better than passwords, e.g. 'Your company is #No1'
- Do not use dictionary words in any language
- Do not use easily guessed patterns (1234, abcd, qwerty, etc.)
- Use a mix of upper and lower case letters, numbers and special characters
- Change your password as often as possible.
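The following policy checker turns the rules above (length, character mix, no easy patterns, no dictionary or personal words, a symbol in positions 2 to 6, and difference from previous passwords) into a single check. It is an added example, not code from the original article; the word list, the user's personal terms and the 12-character minimum are constructed assumptions, since the article gives no numbers.

```python
import re

# Constructed sample data for this example (not from the article): a tiny word list
# and a hypothetical user's personal details. A real check uses full dictionaries.
DICTIONARY_WORDS = {"password", "summer", "dragon", "welcome", "company"}
PERSONAL_TERMS = {"alice", "asmith", "rex"}    # name, user name, pet
EASY_PATTERNS = ("1234", "abcd", "qwerty")     # patterns the article names
MIN_LENGTH = 12   # assumption: the article says "as long as practicable", no number
SYMBOL = re.compile(r"[^A-Za-z0-9]")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch a previous password reused with small changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(password: str, previous=()) -> list:
    """Return the article's rules that the password violates (empty list = acceptable)."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs upper and lower case")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not SYMBOL.search(password):
        problems.append("needs a special character")
    if not SYMBOL.search(password[1:6]):      # positions 2 through 6, as the article says
        problems.append("needs a symbol in positions 2-6")
    if any(p in low for p in EASY_PATTERNS):
        problems.append("easily guessed pattern")
    if re.sub(r"[^a-z]", "", low) in DICTIONARY_WORDS:   # e.g. "Summer2024!" -> "summer"
        problems.append("dictionary word")
    if any(t in low for t in PERSONAL_TERMS):
        problems.append("personal information")
    if any(levenshtein(low, p.lower()) < 4 for p in previous):
        problems.append("too similar to a previous password")
    return problems
```

The article's own phrase example passes every rule (the space counts as a symbol in positions 2 to 6), while a word-plus-year password such as "Summer2024!" fails three of them.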