Another very simple and low-tech way Mitnick says hackers find passwords is by going into dumpsters to collect bits of paper with passwords scribbled on them. Users who have too many passwords to manage frequently resort to jotting them down on a piece of paper. Whether that paper is left lying around in a bar, or thrown in the trash bin, it still constitutes a vulnerability.
One simple trick to minimise the risk of a security breach is to encourage users to write down text and numbers to which they then apply an algorithm to get the password. For example, write down "AJ" to remind yourself of your friend Andrew Johnson. Follow that with "382920" to remind yourself to add the birthday of your friend Andrew Johnson to 382920 to get the real password.
Passwords will be with us for the next few years. So IT directors wishing to minimise the risk of security breaches might follow these words of advice:
- Establish a policy on user behaviour. Gartner analyst Ant Allan says that users must not disclose passwords to anyone, and users should never write down passwords. However, as mentioned above, you might encourage users to write down something to which they can apply an algorithm to get the password.
- Allow several login attempts, but not too many. Ant Allan says, "If unlimited login attempts are allowed, automated attacks can eventually discover a user's password. However, if only one attempt is allowed, a legitimate user can be locked out as a result of a simple typo or some other honest error."
- Use multi-factor authentication and biometrics where you can. IDC's Duncan Brown recommends the following to UK IT directors: "Deploy multi-factor authentication that supplements (or better, replaces) passwords. One-time passcodes are an example, as is biometrics. Biometrics are becoming mainstream with fingerprint and facial recognition being built into smartphones and PCs, respectively."
- Don't rely too much on password aging. According to Gartner analyst Ant Allan, "Password aging is widely advocated, but rarely worthwhile. It is essentially a stopgap for other missing controls. However, long-period aging may ameliorate residual risks." Allan says that asking users to change passwords every 90 days or less is counterproductive. But asking them to change passwords every year "can still mitigate residual risks when other controls fail or are poorly implemented."
- Protect your devices. Duncan Brown says, "Verizon state that 95% of web app incidents involve harvesting credentials stolen from customer devices, then logging in with them." Make sure you employ device wipe and device lockdown strategies, and encrypt critical data on devices.
- Protect yourself from phishing. Duncan Brown says, "It might come as a surprise that phishing emails are opened by nearly one out of three recipients. CIOs should deploy anti-phishing strategies and training to reduce the effectiveness of this attack vector."
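The "several attempts, but not too many" balance Allan describes is usually implemented as a failed-attempt counter with a time window and a temporary lockout. The throttle below is an added example, not code from the article, Gartner or IDC; the thresholds (5 failures within 15 minutes, 15-minute lockout) are assumed placeholders that a site would tune, and the injectable clock exists only so the behaviour can be tested without waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5         # failures tolerated before the account locks (assumed value)
    window_seconds: float = 900   # failures older than this are forgotten (assumed value)
    lockout_seconds: float = 900  # how long a lock lasts before attempts are allowed again


class LoginThrottle:
    """Per-account throttle: bounded failures per window, then a temporary lock."""

    def __init__(self, policy=LockoutPolicy(), clock=time.monotonic):
        self.policy = policy
        self.clock = clock          # injectable so tests can advance time
        self._failures = {}         # username -> timestamps of recent failures
        self._locked_until = {}     # username -> monotonic time the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:   # lock expired: clear it and the old failures
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok):
        """Record one login attempt. Returns 'locked', 'ok' or 'denied'."""
        now = self.clock()
        # Check the lock first, so a locked account answers the same way to a
        # right and a wrong password and leaks nothing about which it was.
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)   # a successful login forgives earlier typos
            return "ok"
        recent = [t for t in self._failures.get(user, []) if now - t < self.policy.window_seconds]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.policy.max_failures:
            self._locked_until[user] = now + self.policy.lockout_seconds
            return "locked"
        return "denied"
```

A single typo therefore costs the user nothing once they type the password correctly, while a guessing script is cut off after a handful of tries per window.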
Source: CIO UK