-
January 26th, 2004, 06:21 PM
#16
A couple of loose ends...
Re complex passwords. Should be enforced if possible. The network I audited includes some specialized devices that, for example, don't allow lower case or special character data entry. They also have both Windows and Linux. You can substitute length for complexity. They have chosen to require long (12 character) passwords to avoid compatibility problems. This is a new requirement based on my recommendation. Now, if they can just get the employees to actually use 12 characters ...
This may be well known but for our non-USA members, SSN means Social Security Number, the closest thing we have to a national ID. It's supposed to be confidential but your employer, insurance agents, doctor, creditors, .... have to know it. My phone number is more confidential.
As to date of birth, most people will tell it to a perfect stranger (Hi, we're giving away wide-screen TVs to selected idiots. I just need to know your DOB ...)
Reminds me of a test from a few years back. People in a London train station were offered a cheap pen if they would reveal their office password. I have forgotten the details but 70 or 80% told.
Social Engineering - Most of the newsworthy exploits depended on SE. It's impossible to prevent but tell your telephone operators and customer assistance people (and remind them monthly) that they must not give out personal info no matter how unimportant it seems. No one's birthday, middle name, that they're on vacation, nothing. Most people want to help and it's hard to make them remember that a sad story may be false. Also, shred your sensitive paperwork before discarding. Dumpster diving has yielded some of the most valuable data used in hacks.
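The post above says length can stand in for complexity when devices cannot enter lower case or special characters. The following is an added example, not code from the thread or from any of its posters, that shows a policy check accepting either 8+ characters from three character classes or 12+ characters of any composition, together with a search-space estimate (the 8, 12 and 3 thresholds and the profile of the two sample passwords are assumptions chosen for the illustration):

```python
import math
import string

# Constructed policy thresholds: accept 8+ chars drawn from at least three
# character classes, OR 12+ chars regardless of composition (for devices
# that cannot enter lower case or special characters).
MIN_LEN_COMPLEX = 8
MIN_LEN_LONG = 12
MIN_CLASSES = 3

CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "special": set(string.punctuation),      # 32
}


def char_classes(password):
    """Return the set of character-class names present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def brute_force_bits(password):
    """Upper bound on the search space in bits, assuming the attacker knows
    which classes were used: log2(alphabet_size ** length). A real password
    chosen by a person is weaker than this bound; it is only for comparing
    policies against each other."""
    alphabet = sum(len(CLASSES[name]) for name in char_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def policy_check(password):
    """Return (accepted, reason). Length may substitute for complexity."""
    classes = char_classes(password)
    if len(password) >= MIN_LEN_COMPLEX and len(classes) >= MIN_CLASSES:
        return True, "complex"
    if len(password) >= MIN_LEN_LONG:
        return True, "long"
    return False, "too short for its complexity"


if __name__ == "__main__":
    # Constructed samples: a 12-char lower-case-only password (the kind a
    # restricted device can accept) versus an 8-char four-class password.
    for pw in ("abcdefghijkl", "Tr0ub4d!", "ABCDEFGHIJ"):
        ok, why = policy_check(pw)
        print(f"{pw!r}: accepted={ok} ({why}), ~{brute_force_bits(pw):.1f} bits")
```

The 12-character lower-case password (about 56 bits) has a larger search space than the 8-character four-class one (about 52 bits), which is the point the post makes; the 10-character upper-case-only sample satisfies neither rule and is rejected.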
-
January 26th, 2004, 09:36 PM
#17
This is a good thread, well worth passing along to others that don't visit here. Jerry, I passed along your earlier tips on creating passwords to my friend who tends to use simple ones in multiple places. She had an accident at a young age which slightly impairs her memory at times. She's quite grateful, as your tip for using acronyms (along with numbers) fit the bill perfectly for her (as well as for those of us suffering from the more common 'brain overload').
One more thing, on a side note. I've run into so many people lately who suspect or have encountered some form of ID theft it's frightening. My most recent experience: just last month I purchased two items on Ebay after a year of inactivity. That prompted a slew of spoof emails purportedly from both Ebay and PayPal requesting my Password or PIN in order to 'prevent my account from being frozen'. Unreal!
So in addition to what's been mentioned, it's probably well worth it to order routine credit checks in this day and age.
-
January 26th, 2004, 10:02 PM
#18
I was doing some work on a user's computer today and I needed to go in under his account, but he had left for the day.
Looking through his office, I could see pictures of his kids and cute little drawings saying "I love you Daddy" from his daughter. His daughter's name was at the bottom of the picture.
Guess what the first password I tried was? Yep, his daughter's name. And yep, it let me in.
I could have used my amazing administrator powers to change his password, but that's a hassle because then he comes in the next morning and locks out his account.
Rapmaster
(I don't like rap music.)
Microsoft MVP,
Windows - Shell/User
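The password in the post above was a family member's name visible on the office wall. As an added example (not code from the thread or its posters), here is a check a password-change routine can run against the details an organisation already holds about a user, so that a child's name, a spouse's name or a date-of-birth pattern is rejected before it is set. The profile fields and the "YYYY-MM-DD" date format are assumptions for the illustration:

```python
import re


def normalize(s):
    """Lower-case and strip non-alphanumerics so 'Emily-2' and 'emily2' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def personal_tokens(profile):
    """Build the set of strings a password must not contain: names known to
    the organisation and the common digit forms of the date of birth.
    Tokens shorter than three characters are dropped to avoid false positives."""
    tokens = set()
    for key in ("username", "first_name", "last_name", "spouse", "pet"):
        if profile.get(key):
            tokens.add(normalize(profile[key]))
    for child in profile.get("children", []):
        tokens.add(normalize(child))
    dob = profile.get("dob")  # assumed format: "YYYY-MM-DD"
    if dob:
        y, m, d = dob.split("-")
        tokens.update({y, y[2:] + m + d, m + d + y, d + m + y,
                       m + d + y[2:], d + m + y[2:]})
    return {t for t in tokens if len(t) >= 3}


def contains_personal_info(password, profile):
    """Return the offending token if the password contains one, else None.
    Longest tokens are tried first so the most specific match is reported."""
    p = normalize(password)
    for t in sorted(personal_tokens(profile), key=len, reverse=True):
        if t in p:
            return t
    return None


if __name__ == "__main__":
    # Constructed user record; nothing here refers to a real person.
    profile = {
        "username": "jsmith",
        "first_name": "John",
        "last_name": "Smith",
        "children": ["Emily"],
        "dob": "1965-03-14",
    }
    for pw in ("Emily2004!", "031465", "correcthorsebattery"):
        hit = contains_personal_info(pw, profile)
        print(f"{pw!r}: {'rejected, contains ' + hit if hit else 'ok'}")
```

The same normalisation is applied to both sides, so "Emily-2004!" is caught as readily as "emily2004"; the check complements, rather than replaces, a length or complexity rule.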
-
January 26th, 2004, 10:42 PM
#19
I used to work for what is perhaps the most security conscious private IT company. They have tank traps at entrances to their main campus, their security guards are ex-military police, the data center is bermed so, hopefully, it can survive a car full of explosives.
A colleague and I disagreed re our password procedures. He felt they were secure. Since we often looked over the other's shoulder when working on the same project, I knew his ID. (The ID was formed from known, freely available info. If necessary, I could have found it with at most a few dozen tries).
When he went to lunch, I went to his cube, called the operations center, gave his ID, and asked them to reset "my" password because I had forgotten it. They did so since all they checked was the caller's phone extension. The third day I did this he figured out what was going on and the procedures were changed.
My point is not how clever I am but how ineffective the password security was. It depended on physical access to the terminal and telephone (and that is good security; it's often the most effective and cheapest) and secret procedures (that's bad security; no one can keep a secret forever).