Supplementing Passwords
Passwords are a common form of protecting information, but passwords
alone may not provide adequate security. For the best protection, look
for sites that have additional ways to verify your identity.
Why aren't passwords sufficient?
Passwords are beneficial as a first layer of protection, but they are
susceptible to being guessed or intercepted by attackers. You can
increase the effectiveness of your passwords by using tactics such as
avoiding passwords that are based on personal information or words
found in the dictionary; using a combination of numbers, special
characters, and lowercase and capital letters; and not sharing your
passwords with anyone else (see Choosing and
Protecting Passwords for more information). However, despite your
best attempts, an attacker may be able to obtain your password. If
there are no additional security measures in place, the attacker may
be able to access your personal, financial, or medical information.
What additional levels of security are being used?
Many organizations are beginning to use other forms of verification in
addition to passwords. The following practices are becoming more and
more common:
- two-factor authentication - With two-factor
authentication, you use your password in conjunction with a second,
independent piece of information, typically something you have (a
code from a hardware token or phone) rather than something you
know. An attacker who has managed to obtain your password can't do
anything without the second component. The theory is similar to
requiring two forms of identification or two keys to open a safe
deposit box. In this case, the second component is commonly a
"one-time" password that is voided as soon as you use it, so an
attacker who captures it after the fact cannot replay it. Be aware
that this only defeats replay: an attacker who tricks you into typing
the code into a fake site and relays it to the real one before you do
can still get in, so make sure you are on the genuine site before
entering the code.
- personal web certificates - Unlike the certificates used
to identify web sites (see Understanding Web
Site Certificates for more information), personal web certificates
are used to identify individual users. A web site that uses personal
web certificates verifies that you are who you claim to be by checking
the certificate and then challenging you to prove that you hold the
matching private key (see Understanding
Digital Signatures and Understanding
Encryption for more information). Because the certificate itself
identifies you and the private key proves that you hold it, a separate
site password is unnecessary. However, you should protect your private
key with a password so that an attacker who copies the key file can't
use it to represent themselves as you. This resembles two-factor
authentication, but it differs because the password protecting your
private key is only used to decrypt the key on your own computer and
is never sent over the network.
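The two-factor item above says a one-time password is "voided as soon as you use it." The following added example (not code from the original tip) shows the server side of that rule with a counter-based one-time password as specified in RFC 4226, and walks through the scenario the text describes: the user logs in, an attacker who intercepted the code replays it and is refused. It also shows the caveat: if the attacker submits the captured code before the user does, the server has no way to tell the difference. The shared secret is the RFC 4226 test key and the `OtpVerifier` class, its `lookahead` window and the `replay_demo` function are illustrative names, not part of any particular product.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time password per RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, then the standard dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side of the exchange (illustrative class, not from the tip).
    It remembers the highest counter it has accepted, so each code is valid
    exactly once; any code at or below that counter is void even if an
    attacker captured it in transit."""

    def __init__(self, secret: bytes, lookahead: int = 5) -> None:
        self.secret = secret
        self.lookahead = lookahead  # tolerate a few codes generated but never submitted
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.lookahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # this code and all earlier ones are now void
                return True
        return False


def replay_demo() -> dict:
    """Walk through the scenario in the text. The secret is the RFC 4226
    test key; in practice it is a random key shared at enrollment."""
    secret = b"12345678901234567890"
    server = OtpVerifier(secret)
    first = hotp(secret, 0)  # the user's token shows "755224"

    # A second, fresh server instance models the caveat: the attacker
    # phishes the code and relays it to the real site before the user does.
    relay_server = OtpVerifier(secret)

    return {
        "user_login": server.verify(first),                    # True
        "attacker_replay": server.verify(first),               # False: counter 0 is void
        "user_next_login": server.verify(hotp(secret, 1)),     # True
        "attacker_old_code": server.verify(hotp(secret, 0)),   # False: stays void
        "attacker_relays_first": relay_server.verify(first),   # True: replay protection does not stop real-time relay
    }


if __name__ == "__main__":
    for event, accepted in replay_demo().items():
        print(f"{event:>22}: {'accepted' if accepted else 'rejected'}")
```

The `lookahead` window is the usual compromise between a token that has been pressed a few times without logging in and an attacker guessing ahead; keeping it small matters because each extra counter is one more valid code at any moment.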
What if you lose your password or certificate?
You may find yourself in a situation where you've forgotten your
password or you've reformatted your computer and lost your personal
web certificate. Most organizations have specific procedures for
giving you access to your information in these situations. In the case
of certificates, you may need to request that the organization issue
you a new one. In the case of passwords, the organization may let you
reset it. No matter what happened, the organization needs a way to
verify your identity before it does so. To do this, many organizations
rely on "secret questions."
When you open a new account (email, credit card, etc.), some
organizations will prompt you to provide them with the answer to a
question. They may ask you this question if you contact them about
forgetting your password or you request information about your account
over the phone. If your answer matches the answer they have on file,
they will assume that they are actually communicating with you. While
the theory behind the secret question has merit, the questions
commonly used ask for personal information such as mother's maiden
name, social security number, date of birth, or pet's name. Because so
much personal information is now available online or through other
public sources, attackers may be able to discover the answers to these
questions without much effort.
Realize that the secret question is really just an additional
password: when setting it up, you don't have to supply the actual
information as your answer. In fact, when you are asked in advance to
provide an answer to this type of question that will be used to
confirm your identity, dishonesty may be the best policy. Choose your
answer as you would choose any other good password, store it in a
secure location, and don't share it with other people (see Choosing and
Protecting Passwords for more information).
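If the secret answer is "really just an additional password," both sides should treat it as one. The added example below (not code from the original tip) shows the user side, generating an unguessable answer instead of the real pet's name, and the organization side, storing the answer salted and slow-hashed rather than on file in the clear, comparing in constant time, folding case and spacing so a legitimate user is not locked out by "Fluffy " versus "fluffy", and limiting failed attempts so an attacker cannot simply try the handful of answers found in public records. The function names, the record layout and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# PBKDF2-HMAC-SHA256 work factor; assumption, tune for your own hardware.
ITERATIONS = 200_000
MAX_FAILURES = 5


def random_answer(nbytes: int = 12) -> str:
    """User side: the text's 'dishonesty' advice in code. Generate an answer
    nobody can look up and keep it wherever you keep your passwords."""
    return secrets.token_urlsafe(nbytes)


def normalize(answer: str) -> str:
    """Fold Unicode form, case and whitespace so that harmless variations in
    how a person types the answer still match what was enrolled."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, ITERATIONS)


def enroll(answer: str) -> dict:
    """Organization side: store a salted, slow hash of the answer, never the
    answer itself, exactly as a password would be stored."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _digest(answer, salt), "failures": 0}


def check(record: dict, attempt: str) -> bool:
    """Verify an attempt against the stored record. Locks the record after
    MAX_FAILURES wrong answers; a locked record rejects even the right one,
    so the account owner has to go through a separate recovery path."""
    if record["failures"] >= MAX_FAILURES:
        return False
    if hmac.compare_digest(_digest(attempt, record["salt"]), record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    # Constructed walkthrough: enroll a real-looking answer, then show that
    # researchable guesses burn through the attempt budget.
    rec = enroll("Fluffy")
    print("typed with stray space:", check(rec, " fluffy "))     # True
    for guess in ("Rex", "Max", "Bella", "Charlie", "Lucy"):
        print("attacker guesses", guess, "->", check(rec, guess))  # all False
    print("owner after lockout:", check(rec, "Fluffy"))          # False, locked
    print("random answer looks like:", random_answer())
```

Locking the record is what turns "only five attempts" into a real limit; without it the slow hash only makes each guess cost a fraction of a second, which is no obstacle when the candidate list is a dozen pet names.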
While the additional security practices do offer you more protection
than a password alone, there is no guarantee that they are completely
effective. Attackers may still be able to access your information, but
increasing the level of security does make it more difficult. Be aware
of these practices when choosing a bank, credit card company, or other
organization that will have access to your personal information. Don't
be afraid to ask what kind of security practices the organization
uses.
Authors: Mindi McDowell, Chad Dougherty, Jason Rafail
Copyright 2005 Carnegie Mellon University. Terms of use