Tuesday, April 21, 2009

User Names & Passwords : False Hope Of Security

Recently my article on "User Names And Passwords" was published as one of the cover stories by CSO Pakistan (part of CIO Pakistan) magazine in their Jan 2009 issue (http://ciopakistan.com/2009/01/usernames-and-passwords/). The very same article was then selected and published by Network World on their website (http://www.networkworld.com/news/2009/011509-giving-false-hope-of.html?page=1), so here is the very same article for your viewing pleasure.

“Hold on, let me transfer funds online” may have sounded like a distant concept a few years ago, but today it’s happening everywhere. We have moved from the conventional paper-trail life to a digital life, with so many advancements so quickly. And everything happens at lightning speed - just like the transaction.

Information Security is a vast field, so what we’ll do in this article is address the most common mistakes committed in our everyday cyber lives, whether intentionally or unintentionally, that make an impact on our privacy.

We’ll talk about the basics, where so much can go wrong: usernames and passwords and the problems associated with them.

In a typical office environment, on average, an individual has a couple of different passwords. At times, these passwords are unique, while in other instances, they are not. But everything has a password - from accessing the domain to email, from the FTP servers to however your unique environment and its IT infrastructure works. Let’s go through the five most common problems associated with usernames and passwords and the practices associated with them.

1. Keeping the same password for multiple logins
2. Writing the password on a sticky note or on the desktop in a file named password.txt
3. Sharing of passwords
4. Easy-to-guess passwords
5. Shoulder surfing

All of a sudden, our simple problem doesn’t seem all that basic any longer.

Let’s admit it, we are always behind schedule and running out of time. In such a scenario (with Alzheimer’s so contagious!) who has time to remember multiple passwords? If your IT or Network Administrator has enforced some policies, then you have to remember a combination of upper and lower case letters, numbers and symbols, and before you know it, you are not a very happy camper. So what you end up doing is the most convenient option which comes to mind: keep the same password for everything, or almost everything, and make your life easier. Sure. It’s something everyone does on a regular basis. However, what you are failing to realize is the big picture. If someone manages to guess one password, they will try it for every other connected faucet in your life. Something, most likely everything, comes leaking out into the world and no longer remains in your control.

There are times when your IT administrator knows what he or she is doing and makes you have different passwords for different applications running under his domain. You mumble and jumble many impolite words under your breath, and in the event that there is a policy which will force-change your password after a certain period of time, your IT admin becomes an even less popular chap.

Most people, without really thinking of the consequences, scribble down the password on a sticky note and place it in their line of sight. And in case you aren’t a fan of sticky notes, some opt to create a text file named “my passwords.txt” on the desktop. How techie is that!?

With sticky notes, you are inviting everyone in your surroundings to have a go at your private files or to abuse your authorization and authentication, which puts you in all kinds of trouble. Server logs can indicate that you (yes, you!) were logged in at a time when something bad (bad!!) happened, and you get blamed for it.

Password sharing in the office environment is also common practice. After all, you are among friends, aren’t you? Some colleague calls you to say the boss urgently needs something and requests your password to make the “transaction” happen. You try to remember to change it later on but forget, as is usually the case. Combine this with the risk that you may only have a “one password fits all” policy and this is one mega disaster just waiting to happen.

‘Date of birth’, ‘name of a child’, ‘PAKISTAN’, ‘KARACHI’, ‘spouse name’ or a phone number - you can’t be serious and put up THIS kind of protection! Now, if we combine this scenario with our first one, we have a potential problem on our hands.

Something known as ‘brute force’ refers to the fact that someone is just going to guess passwords based on the details they know about you and, with as many tries as it takes, force his way into your data. Welcome to Information Security 101!
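As an added example (not part of the original article), here is a Python password-policy check that rejects the kind of guessable choices listed above, date of birth, a child's or spouse's name, the city, a phone number, even when disguised with common digit-for-letter substitutions; the profile field names, the sample profile and the small blocklist are constructed assumptions, not from the article.

```python
import re
from datetime import date

# Constructed blocklist of words the article calls out as guessable, plus the usual suspects.
WEAK_WORDS = {"pakistan", "karachi", "password", "welcome"}
# Common substitutions people use to "strengthen" a guessable word (assumed table).
LEET = str.maketrans("01345@$!", "oieasasi")

def date_forms(d: date) -> set[str]:
    """Digit strings someone might type for a birth date, e.g. 07031984, 070384, 19840307."""
    y, m, dd, yy = d.year, d.month, d.day, d.year % 100
    return {f"{dd:02d}{m:02d}{y}", f"{dd:02d}{m:02d}{yy:02d}",
            f"{y}{m:02d}{dd:02d}", f"{m:02d}{dd:02d}{y}",
            f"{m:02d}{dd:02d}{yy:02d}", str(y)}

def personal_tokens(profile: dict) -> set[str]:
    """Lower-case fragments derived from the user's profile that must not appear in a password."""
    tokens = set()
    for key in ("name", "child", "spouse", "city"):
        tokens |= {p for p in profile.get(key, "").lower().split() if len(p) >= 3}
    if profile.get("dob"):
        tokens |= date_forms(profile["dob"])
    phone = re.sub(r"\D", "", profile.get("phone", ""))
    if len(phone) >= 6:
        tokens.add(phone)
    return tokens

def check_password(pw: str, profile: dict, min_len: int = 12) -> list[str]:
    """Return policy violations (empty list = acceptable): length, character-class mix
    (the upper/lower/digit/symbol rule the article mentions) and guessable fragments,
    matched both literally and after undoing leet substitutions."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    forms = {pw.lower(), pw.lower().translate(LEET)}
    for tok in sorted(personal_tokens(profile) | WEAK_WORDS):
        if any(tok in f for f in forms):
            problems.append(f"contains guessable fragment '{tok}'")
    return problems

# Constructed profile for demonstration only.
SAMPLE_PROFILE = {"name": "Ali Khan", "child": "Sara", "spouse": "Hina",
                  "city": "Karachi", "dob": date(1984, 3, 7), "phone": "+92 300 1234567"}

if __name__ == "__main__":
    for pw in ("Sara1984", "K@r4ch1!2009xx", "correct-Horse-battery-staple-42"):
        print(pw, "->", check_password(pw, SAMPLE_PROFILE) or "ok")
```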

Is everything lost? No, certainly not; there are many ways of properly authenticating users without compromising security. The most convenient way to do so is to use Digital Certificates for authentication purposes, then there are OTPs (One Time Passwords). Whichever product or service you end up using, make sure it adheres to the five pillars of Information Security. These are:

1. Authentication (The person accessing the information is really the person he or she claims to be)

2. Privacy (Any information exchanged between two parties shall remain private between them)

3. Authorization (The person should have access to information according to his or her authorization level)

4. Integrity (Content of any transaction/information transferred among two or more parties should remain intact)

5. Non-Repudiation (In case of any conflict the parties cannot deny or reject their role in the disputed transaction).
