Pages

Thursday, November 6, 2008

Password Management

We all have passwords. As IT professionals we have gotten used to them. Hopefully you have memorized them and they are not on a Post it next to your screen. What I want to discuss is separating passwords for different duties.

Consider for a moment a bank VP named Bob that is reasonably familiar with security. Bob is a careful guy and he doesn't utilize and easily guessed password. It's sufficiently sprinkled with different case, special characters and numerics. He's got this password thing figured out. Except he doesn't want to remember more than one password so he makes all his passwords the same. VPN login, work email, PC login, home email, iTunes login, and numerous other site share a variant of the same password. In some sites the id he enters is different. but they all use the same password.

Think about this. This means that if I can dig up the emails of executives for a given company and then cross reference that with similar emails in the same location I have potentially discovered the IDs for Bob. Now all I have to do is harvest his password from some lightly defended url. Unfortunately for the bank network security manager, his security is co-opted by Bob using his password in a different domain.

This is already being exploited by criminals: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133195

With the rise in popularity of social networking, criminals are attacking social network sites to harvest their passwords. These sites don't have greatly hardened security (really they are just protecting my list of friends) right? Wrong, people tend to want to use similar passwords for all sites. These users also have the potential to discuss what they do for a living. More than likely they have their email available on this site. The email credentials are a gold mine. Once an attacker has cracked your email account he doesn't even have to guess... he can open their email up and see password reset emails, and what websites the prey does business with. He could even ask that a password be reset.

To sign up for stupid web offers and free stuff, select a password that is used for just this purpose.

To protect your email from this, select an utilize a password only for your email account. Delete password reset type emails immediately after use.

To protect commerce types of accounts change that password and use it only with sites that you use your credit cards on.

To protect your banking and financial sites, again select yet another password.

To protect your work, again select yet another password.

This yields 5 separate passwords that you can use to mitigate your risk. This is not a perfect system by any means but it is better than having one password for all websites.

No comments:

Post a Comment