Wednesday, February 2, 2011

Password, the WORST security tool we need to eliminate, but can’t

A username and a password protect our access to virtually every application we use, from stock trading and enterprise systems to social networking. A typical individual has well over half a dozen passwords. Since the password is the key that unlocks the data or functionality within these systems, it is the focus of attack by hackers. Hackers use a combination of four methods to steal passwords:
Tools and techniques to guess passwords: Easily guessed passwords are those shorter than six characters, those based on dictionary words or commonly known personal information, and simple answers to secret questions. Guessing happens either online, against the login page itself (where account lockouts slow the attacker down), or offline, against a stolen database of password hashes, where an ordinary machine can try millions of candidates per second and a short or dictionary-based password falls in seconds.
Social engineering techniques such as phishing, spear phishing or vishing: Methods used to deceive an individual into giving away a password in response to what looks like a genuine request from an organization or person. The request is couched in an official-looking email with a link to a fake bank website, or arrives as an urgent telephone call from an "IT staffer" who needs your password to load the latest software on your laptop!
Use of malware or key loggers: Sophisticated applications which steal credentials from your desktop, or capture them as you type them in at a cyber café. Malware typically gets installed when you surf malicious websites or download applications such as games, audio, movies or tools.
Over a WiFi or wired network such as the Internet: Passwords may travel over an unencrypted channel, on wired and wireless networks alike. On a WiFi network it is easy to sniff traffic on an unencrypted home or public network from anywhere within range. On a wired network the compromise requires access to a network node such as the Internet router in the WiFi café, or equipment inside the cable operator's or network provider's network. In either case, credentials can be harvested in bulk with simple tools. Some, but not all, websites and applications use SSL, an encrypted link, so that the password is sent over an encrypted channel, which reduces the chance of compromise; the protection only holds if the login page itself is served over SSL and the user does not click through certificate warnings.
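To show why the first method works so well against short or dictionary-based passwords, here is a small offline dictionary attack. This is an added example, not code from the original post: the wordlist, the mangling rules and the "stolen" hash database are constructed for the demo, and the guess rate used in the time estimate is an assumption. The targets are unsalted SHA-256 hashes, the weakest realistic storage the attacker could hope for.

```python
import hashlib
import itertools

# Constructed mini wordlist; a real attack uses a dictionary or a leaked-password list.
WORDLIST = ["password", "summer", "letmein", "welcome", "dragon", "monkey"]

# The "rules" people apply to make a dictionary word look strong, and which
# cracking tools therefore try first: leetspeak, digits, years, a trailing "!".
LEET = str.maketrans("aeios", "43105")
SUFFIXES = ([str(n) for n in range(100)]
            + [str(y) for y in range(1990, 2012)]
            + ["!", "!1", "123"])


def mutations(word):
    """Yield the word plus its common manglings: case changes, leetspeak, suffixes."""
    bases = []
    for b in (word, word.capitalize(), word.upper(),
              word.translate(LEET), word.translate(LEET).capitalize()):
        if b not in bases:            # keep order, drop duplicates (e.g. nothing to leet)
            bases.append(b)
    for b in bases:
        yield b
        for s in SUFFIXES:
            yield b + s


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Offline dictionary attack on unsalted SHA-256 hashes.

    Because the hashes are unsalted, each candidate is hashed once and looked up
    against every target at the same time. Returns ({hash: password}, candidates tried).
    """
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for word in wordlist:
        for candidate in mutations(word):
            tried += 1
            h = sha256_hex(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return found, tried
    return found, tried


def keyspace(charset_size, max_len):
    """Number of candidates a brute force must try to cover every length 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    # Constructed "stolen" hash database: three weak choices and one random password.
    db = [sha256_hex(p) for p in ["Password1", "summer2011", "p455w0rd!", "xQ7#vLm2pR9z"]]
    found, tried = crack(db)
    print(f"tried {tried} candidates, recovered {len(found)} of {len(db)}:")
    for h, pw in found.items():
        print(f"  {h[:16]}...  ->  {pw}")
    # The six-character lowercase case from the text. 1e8 SHA-256/s is an assumed
    # rate for one 2011-era GPU; real figures are higher.
    n = keyspace(26, 6)
    print(f"all lowercase passwords up to 6 chars: {n:,} guesses, "
          f"about {n / 1e8:.1f} s at 100M guesses/s")
```

The three "clever" variants fall to a six-word list with a few hundred mangling rules each, while the random 12-character password survives because no rule produces it. Salting the stored hashes would force the attacker to repeat the work per account, and a slow hash such as bcrypt would cut the guess rate by orders of magnitude, but neither helps a user whose password is in the wordlist.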
If we put two and two together, a strong password and the best password policies only defeat the first method; they do nothing against phishing, malware or a sniffed network, so they cannot by themselves prevent password theft.
So what really protects us? Technology? Security awareness? A combination? Or just luck?
Perhaps being security smart only helps to reduce, not eliminate, the risks. To enhance protection, security awareness and judgement are a must: should I or should I not follow this link, download this application shared by a friend, and so forth. None of us can afford to simply turn off the tap to anything and everything. 100% safe means pen and paper, and the world does not work that way any more.
Technology helps to reduce the window of exposure. Banks and large enterprises use one-time passwords (OTP) to protect access to their own applications, in effect minimizing the risk to the systems where your money can be stolen. A one-time password is valid for a single login or a short time window, so a code that is sniffed, keylogged or phished is of little use to the attacker afterwards. But there is a limit to the number of tokens you can carry, and to what they cost.
My view of the future is a token-based system on a credit card or a mobile phone that supports access to all our applications. But sadly, we are not there yet. Till then, take care, get lucky and be smart.

Related Strips:- The Secret
