Password Based Security
From TrustWiki
Tip from US-CERT [1]
Cyber Security Tip ST05-012: Supplementing Passwords [2]
Passwords are a common form of protecting information, but passwords
alone may not provide adequate security. For the best protection, look
for sites that have additional ways to verify your identity.
Why aren't passwords sufficient?
Passwords are beneficial as a first layer of protection, but they are
susceptible to being guessed, phished, intercepted, or recovered from
a breached site. You can increase the effectiveness of your passwords
by using tactics such as avoiding passwords that are based on personal
information or words found in the dictionary; using long passwords
with a combination of numbers, special characters, and lowercase and
capital letters; using a different password for each site; and not
sharing your passwords with anyone else (see Choosing and Protecting
Passwords for more information). However, despite your best attempts,
an attacker may still obtain your password, and a strong password is
no defence once it has been phished or leaked. If there are no
additional security measures in place, the attacker may be able to
access your personal, financial, or medical information.
What additional levels of security are being used?
Many organizations are beginning to use other forms of verification in
addition to passwords. The following practices are becoming more and
more common:
- two-factor authentication - With two-factor authentication, you
use your password in conjunction with an additional piece of
information, typically produced by something you have, such as a
hardware token or your phone. An attacker who has managed to obtain
your password can't do anything without the second component. The
theory is similar to requiring two forms of identification or two
keys to open a safe deposit box. In this case, the second component
is commonly a "one use" code that the site voids as soon as you use
it. Even if an attacker captures the exchange, the captured code
cannot be reused later, because that specific combination will not
be valid again. The one-use property does not help against an
attacker who relays your code to the real site immediately, within
its validity window, so enter the code only on the genuine site.
- personal web certificates - Unlike the certificates used to
identify web sites (see Understanding Web Site Certificates for
more information), personal web certificates are used to identify
individual users. A web site that uses personal web certificates
relies on these certificates and on proof that you hold the private
key matching the certificate's public key (you sign a challenge from
the site during the connection handshake) to verify that you are who
you claim to be (see Understanding Digital Signatures and
Understanding Encryption for more information). Because the
certificate identifies you and the private key proves it, an
additional password is unnecessary. However, you should have a
password to protect your private key so that attackers who copy the
key file can't use it and represent themselves as you. This process
is similar to two-factor authentication, but it differs because the
password protecting your private key is used only to decrypt the key
on your computer and is never sent over the network.
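The "one use" code described under two-factor authentication is usually an HOTP or TOTP value. The following is an added example, not part of the US-CERT tip, showing how such a code is computed and how the site side voids it after use: the verifier remembers the highest counter it has accepted and refuses anything at or below it, so a code an attacker captured cannot be replayed. It uses only the Python standard library; the shared secret is the RFC 4226 test-vector key (an assumption made so the codes can be checked against the RFC), and the intercept scenario is constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the user's token and the site.
# It is the RFC 4226 test-vector key, used here so the codes below are
# checkable against the RFC; a real site generates a random secret per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP with the counter derived from the clock,
    so a code expires on its own after `step` seconds even if never used."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Site-side state for one user: the highest counter accepted so far.

    A submitted code is accepted only if it matches a counter strictly above
    that value, and then the counter advances. That is what makes the code
    'one use': a code an attacker captured on the wire is worthless once the
    real user has logged in with it, and so is any older code."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead   # tolerate codes generated but never submitted
        self.last_counter = -1         # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter   # voids this and every earlier code
                return True
        return False


def simulate_intercept() -> dict:
    """Constructed scenario: the user logs in with a one-time code, an attacker
    who captured it replays it, then the user's token has moved two codes ahead."""
    site = HotpVerifier(DEMO_SECRET)
    code0 = hotp(DEMO_SECRET, 0)   # what the token displays for the first login
    return {
        "user_login": site.verify(code0),                        # accepted
        "attacker_replay": site.verify(code0),                   # same code again: rejected
        # the token is now at counter 3; codes 1 and 2 were never submitted
        "user_skips_ahead": site.verify(hotp(DEMO_SECRET, 3)),   # within look-ahead: accepted
        "stale_code": site.verify(hotp(DEMO_SECRET, 2)),         # below last counter: rejected
    }


if __name__ == "__main__":
    print(simulate_intercept())
```

A TOTP verifier gets the same one-use property by recording the last time step it accepted rather than a counter. Note what this does and does not buy: the replay in the scenario fails because the legitimate login already consumed the code, but an attacker who relays the code to the real site before the user does, within the look-ahead or time window, is not stopped by the counter alone.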
What if you lose your password or certificate?
You may find yourself in a situation where you've forgotten your
password or you've reformatted your computer and lost your personal
web certificate. Most organizations have specific procedures for
giving you access to your information in these situations. In the case
of certificates, you may need to request that the organization issue
you a new one. In the case of passwords, you may just need a reminder.
No matter what happened, the organization needs a way to verify your
identity. To do this, many organizations rely on "secret questions."
When you open a new account (email, credit card, etc.), some
organizat
