If you use Microsoft's Windows 2000 or XP you can use a "pass phrase" in place of a
password. A pass phrase is a group of words you combine in some manner that you can
remember. A pass phrase does not have to make sense to anyone but you. It can contain
spaces and any of the letters, numbers or characters that can be used in passwords
(see table above). In fact, a well-chosen pass phrase will substitute symbols or letters
into the words used to construct it.

There is debate among computer security professionals whether pass phrases are as secure
as passwords. The research that I've read indicates to me that a well-chosen
pass phrase of at least 6 words is as secure as a well-chosen password of 9 characters.
Some people may find a pass phrase easier to remember than a password that contains
letters, numbers and symbols. Choosing to use a pass phrase instead of a password
will also be influenced by your typing speed. Typing a 6-word pass phrase could be time
consuming if you are a slow typist.
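The 6-word versus 9-character comparison above can be checked by counting equally likely secrets. This is an added example, not part of the original page; it assumes every word and character is picked uniformly at random, a 94-symbol password alphabet, and illustrative vocabulary sizes (7776 is the size of a Diceware word list).

```python
import math

# Assumption: 94 printable ASCII symbols (letters, digits, punctuation, no space).
PASSWORD_ALPHABET = 94

def guess_space(choices, length):
    """Number of equally likely secrets when each position is picked at random."""
    return choices ** length

def bits(choices, length):
    """The same quantity expressed as bits of entropy."""
    return length * math.log2(choices)

def min_words_to_match(vocab_size, pw_len, alphabet=PASSWORD_ALPHABET):
    """Smallest word count whose guess space is at least that of a random password."""
    target = guess_space(alphabet, pw_len)  # exact integers, no rounding error
    words = 1
    while guess_space(vocab_size, words) < target:
        words += 1
    return words

def compare(pw_len=9, vocabularies=(1000, 7776, 20000)):
    """Rows of (vocabulary size, words needed, pass phrase bits, password bits)."""
    pw_bits = round(bits(PASSWORD_ALPHABET, pw_len), 1)
    rows = []
    for vocab in vocabularies:
        n = min_words_to_match(vocab, pw_len)
        rows.append((vocab, n, round(bits(vocab, n), 1), pw_bits))
    return rows

if __name__ == "__main__":
    for row in compare():
        print("vocabulary=%d words=%d phrase=%.1f bits password=%.1f bits" % row)
```

With a vocabulary of about 1000 everyday words, six words are needed to match a random 9-character password; with larger word lists five are enough. A phrase built from a quotation or from related words has far fewer possibilities than these figures suggest.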

why use a password?
A strong password reduces the possibility of unauthorized access to your computer and
the information stored on it. Why is this important to you? Why should
you care? Both home and business computer users can become victims of identity theft.
Identity theft is one of the fastest growing crimes in America today. Personal
information could be stolen from your computer and sold to criminals. Social security
numbers and other personally identifying information could be used to illegally obtain
credit cards, loans and other accounts in your name. The economic and emotional impact
to a victim of identity theft can be devastating.

Those of you who use a computer at work must consider how your choice of a password
affects you and your co-workers. A poorly chosen password could allow a malicious
individual to gain access to your computer and possibly the entire company network. The
company you work for stores an immense amount of personal information about you and all
your co-workers. Your financial well-being is directly tied to the economic success of
the company you're employed by. Your company's computer network stores critical
information regarding its customers, products, markets and sources for materials and
components if it manufactures products. If this information were stolen it could be
sold to a competitor.

DON'T GET CONNED!
DO NOT give your password, username or any personal information to someone you do not
recognize as having authorization to request this type of information. No legitimate
organization (bank, PayPal, eBay, investment firm) will ever ask for your password or
username. If at work, any request for your password should be made face to face
(in person) by authorized personnel only. Be suspicious of any requests for your
password over the phone, by fax, e-mail or any method where you cannot physically
identify the person making the request. Malicious individuals who want to break
into your company's computer systems may target individual computer users (maybe you).
Using a valid user account and password (yours) is the easiest way for a malicious
individual to gain access to your company's computer network. Gaining control of a single
computer on a company network can allow an intruder to gather information with the goal
of obtaining higher level access to the entire network. If the intruder is using a valid
account and password they are unlikely to be caught unless someone notices he or she is
performing actions beyond the level of access they are granted on the network.

Some of the more common methods malicious individuals use to obtain passwords and usernames
are:

1) Overhearing a password and user name (Example: during conversation with help desk personnel or co-worker)
2) Copying passwords that are written down and stored at the workstation ("Post It" attached to a monitor, stored under a keyboard, in desk drawer)
3) A person familiar with you guesses your password and username
4) Password is told to a "trusted" co-worker
5) Password "cracking" or "guessing" software (available from the Internet)
6) "Social Engineering" (obtaining information by lying/trying to con you)

"Social Engineering" is the practice of obtaining information by lying/trying
to con you. It is probably the easiest and most common method malicious individuals
use to obtain information to breach the security of computers and computer networks.
Humans are often the weakest link in computer security and the con (social engineer)
understands this.

The con (social engineer) understands that most humans have similar needs, aspirations,
desires and fears. They use their knowledge of human behavior to exploit their target
(you). One of the most prevalent Internet based examples of social engineering is the
practice called "phishing". Phishing is the name used to describe the practice of
conning people out of important personal information like passwords, usernames, credit
card, bank and other account numbers. Your information can then be used to make
illegal purchases or commit crimes in your name, or be sold for profit. Most of these scams
use fear as a motivator to manipulate you into taking some course of action. The following
passage was taken from an e-mail sent to some "PayPal" users. PayPal is a popular
online payment system used by millions of people worldwide.

Example: "It has come to our attention that your PayPal Billing Information records are
out of date. That requires you to update the Billing Information. Failure to update
your records will result in account termination."

The e-mail included a link to a fraudulent Web site that appeared to be the genuine
PayPal site. The fraudulent Web site provided an online form to allow you to update your
billing information. Of course the information was collected by criminals and not PayPal.

final thoughts
If you use a computer at work, protect yourself and your employer. Take
the time to choose a good password. A poorly constructed password could allow a
security breach that might have serious implications for the longevity and profitability
of the company you work for. Your actions (or inaction) impact not only you, but
anyone who relies on the company for their livelihood. I also suggest you periodically
review and understand your company's policies on computer, e-mail and Internet
use. You could lose your job if a security breach is traced back to you.

If you have any comments on how I might improve this information, please offer your
suggestions. Thanks, Tom