Passwords
In many cases the only protection against unauthorized access to and use of computing and network resources is a password. Passwords must be complex enough that other people cannot guess them, and they must not be words found in a dictionary, or they will be guessed and cracked easily.
Please don’t share your work password in your own household; this is not an indication that you don’t trust your spouse or kids. The password is not your own; it is the access to the company's networking and computing resources, so please don't treat it as your own. For example, kids may tell their friends what their parents use as passwords. Lists of commonly used passwords can be found on the Internet; please make sure the passwords you use are not in them.
Password complexity
Often the only thing that protects your account is a password. Passwords need to be complex enough that they are difficult to guess or to crack. A good password is long, is not commonly used, and contains upper and lower case characters, symbols and numbers. Passwords should not be something you commonly use, such as the names of your spouse or children.
If a password is too difficult to remember, it ends up written on a sticky note. I have never seen a sticky note on the wall of a cubicle, but the story of a password written on a sticky note and attached to a cubicle wall is so believable that I need to mention it.
Passwords are often described as something you know. A good password contains upper and lower case characters, numbers and special characters that are found on the keyboard. It is also possible to set a minimum password length. If it is too long, it is too difficult to remember; as a security professional, however, get approval from top management for the minimum password length, and once it is received you can refer to it as company policy. Good passwords are rotated on a periodic basis, such as every few days. Again, as a security professional, get approval from top management, so that the rule is not seen as your invention but has top management's support.
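The policy described above (minimum length, upper and lower case, numbers, symbols, nothing from a common-password list, no family names) can be enforced mechanically at password-change time. The following is an added example and not code from the original article: the common-password set and the personal terms are constructed stand-ins, the 12-character minimum is an assumed management-approved value, and the entropy estimate is a rough upper bound added to show why length matters more than swapping a letter for a symbol.

```python
"""Password policy check: length, character classes, common-password list and personal
terms, returning every violation so the user can be told exactly what to fix."""
import math
import string

# Constructed stand-in for a downloaded list of commonly used / breached passwords
# (assumption: in production you would load a published list, one password per line).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Typical keyboard substitutions people use to dodge dictionary checks ("P@ssw0rd").
_LEET = str.maketrans("0134@$!", "oleaasi")

CLASS_SIZES = {"uppercase": 26, "lowercase": 26, "digit": 10, "symbol": len(string.punctuation)}


def character_classes(pw: str) -> dict:
    """Which of the four keyboard character classes the password uses."""
    return {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def estimated_bits(pw: str) -> float:
    """Rough entropy upper bound: length * log2(size of the character pool used).
    A long lowercase passphrase scores higher than a short word with one symbol."""
    present = character_classes(pw)
    pool = sum(size for name, size in CLASS_SIZES.items() if present[name])
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, min_length: int = 12, common=COMMON_PASSWORDS, personal_terms=()) -> list:
    """Return the list of policy violations; an empty list means the password passes.
    min_length is the management-approved minimum from the policy (12 assumed here)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = pw.lower()
    # Compare the raw lowercase form, the de-leeted form and the form with trailing
    # digits removed, so "P@ssw0rd" and "password123" do not hide "password".
    candidates = {lowered, lowered.translate(_LEET), lowered.rstrip(string.digits)}
    if candidates & common:
        problems.append("found in common-password list")
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "P@ssw0rd", "AliceSmith2024!", "Correct-Horse-Battery-Staple-42"):
        print(f"{candidate!r}: {check_password(candidate, personal_terms=('Alice',)) or 'OK'}"
              f"  (~{estimated_bits(candidate):.0f} bits)")
```

The personal-terms list would come from the HR record at enrollment time (spouse and children's names, as the article warns), and the common-password set from a published breach list; both are supplied as parameters so the policy stays data-driven rather than hard-coded.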
Keys whose number changes every few seconds are another line of defense, and they force the user to enter a new pass key often. These are often used as VPN keys for remote access: the number on the VPN key changes every few seconds, and it allows a user to access special resources. Please check what is provided and supported by the vendors. Another option to consider is Google Authenticator, an application installed on the phone that gives a similar experience to VPN keys. Pass keys are used in combination with the numbers on the keys to connect and gain access to the computing or networking resources. Please check with your favorite vendor whether VPN keys are available from it.
Passwords are often referred to as something you know. In many cases this is the only thing that protects your computer from unauthorized access, and in some cases the entire network may become exposed if a password is weak or well known. A good password is long enough, is rotated regularly (every few days) and contains upper and lower case characters, numbers and special characters. A good password is not common, and it is not the name of your wife or kids. Please find what works best for your workplace. Passwords may be rotated regularly; for special access, consider one-time keys such as tokens, or something you touch, like YubiKeys.
Good security is a combination of two: something you know (such as a password) and something you have (like a token). Even better security implementations ask for something you are, such as a scan of your eye. But I have yet to see this. I think the implementation of this technology is costly, and the cost paid for it should be justified by the things it protects.
Password Security Study Guide
Quiz
Instructions: Answer the following questions in 2-3 sentences each.
Why is it crucial for passwords to be complex and not easily guessable?
Explain why sharing your work password, even with family members, is strongly discouraged.
Describe the characteristics of a strong password.
What is the security risk associated with writing passwords on sticky notes?
What is meant by "password rotation," and why is it important?
Explain the concept of a VPN key and how it enhances security.
What is Google Authenticator, and how does it function as a security tool?
In the context of security, what is meant by "something you know" and "something you have"?
Provide an example of a "something you have" security measure.
What is a potential "something you are" security measure, and why is it not widely implemented?
Answer Key
Complex passwords are vital because they make it significantly harder for unauthorized individuals to guess or crack them, protecting your accounts and sensitive information from unauthorized access.
Sharing work passwords, even with trusted individuals, can compromise company security. Family members may unknowingly disclose the password or have their own devices compromised, potentially granting unauthorized access to company networks and resources.
A strong password is lengthy, includes a mix of uppercase and lowercase letters, numbers, and special characters, avoids common words or personal information, and is not easily guessable.
Writing passwords on sticky notes poses a significant security risk as anyone who sees the note gains access to the password, making the account vulnerable to unauthorized access.
Password rotation involves changing passwords regularly at set intervals. This practice helps mitigate the risk of compromised passwords, as even if a password is compromised, its validity is limited, reducing the potential damage.
A VPN key is a small physical device that generates a time-based, one-time password used in conjunction with a user's regular password for secure remote access. The constantly changing code adds an extra layer of security, making it difficult for unauthorized users to intercept and use the credentials.
Google Authenticator is a mobile application that generates time-based, one-time passwords, adding an extra layer of security to online accounts. Users must enter both their regular password and the code from the app to gain access.
"Something you know" refers to information only the authorized user knows, like a password or PIN. "Something you have" is a physical item the user possesses, such as a security token or a smart card.
A security token, a small device that generates a unique, time-sensitive code, is an example of a "something you have" security measure. The code is used in addition to a password for authentication.
Biometric authentication, like iris or fingerprint scanning, is a potential "something you are" security measure. It's not widely implemented due to its higher cost and the need for specialized hardware and software.
Essay Questions
Discuss the importance of password complexity in maintaining security, and analyze the potential consequences of using weak or easily guessable passwords.
Explain the rationale behind the principle of "least privilege" in password management and how it contributes to enhancing overall security.
Compare and contrast the effectiveness of "something you know," "something you have," and "something you are" authentication methods, evaluating their strengths and weaknesses.
Analyze the role of technology, such as VPN keys and Google Authenticator, in strengthening password security and mitigating the risks associated with traditional password-based systems.
Discuss the evolving landscape of password security and emerging authentication technologies. How might advancements in artificial intelligence and biometrics influence the future of password management?
Glossary of Key Terms
Password: A secret string of characters used to authenticate a user and grant access to a system or resource.
Password Complexity: A measure of a password's strength, determined by its length, character diversity, and randomness.
Dictionary Attack: A method of cracking passwords by systematically trying every word in a dictionary or a list of common passwords.
Brute-Force Attack: A method of cracking passwords by trying all possible combinations of characters until the correct password is found.
Password Rotation: The practice of regularly changing passwords at set intervals to minimize the impact of compromised passwords.
Sticky Note: A small piece of paper with an adhesive strip, often misused for storing passwords, creating a significant security risk.
VPN Key: A physical device that generates a time-based, one-time password used for secure remote access via a Virtual Private Network (VPN).
Google Authenticator: A mobile application that generates time-based, one-time passwords as a second factor of authentication.
Something You Know: An authentication factor based on knowledge, such as a password, PIN, or security question answer.
Something You Have: An authentication factor based on possession of a physical item, like a security token, smart card, or mobile phone.
Something You Are: An authentication factor based on a unique biological trait, such as a fingerprint, iris pattern, or facial features.
YubiKey: A brand of hardware authentication security keys that provide strong two-factor authentication.
Least Privilege: A security principle that grants users only the minimum level of access required to perform their tasks, minimizing the potential damage from unauthorized access.
Briefing Doc: Password Security
This briefing document reviews key themes and important facts regarding password security, based on the provided source text.
Main Themes:
Criticality of Strong Passwords: The source heavily emphasizes the importance of strong passwords as the primary defense against unauthorized access to computing and network resources. Weak or easily guessed passwords leave systems vulnerable and can potentially expose entire networks.
Characteristics of Strong Passwords: The text details the characteristics of strong passwords, including:
Complexity: Passwords should be complex enough to make guessing or hacking difficult. This includes using a combination of upper and lower case letters, numbers, and special characters.
Length: Longer passwords offer greater security. Obtaining management approval for a minimum password length is recommended and can be referenced as company policy.
Uniqueness: Passwords should not be commonly used words, names of family members, or easily guessable personal information.
Rotation: Regular password rotation (e.g., every few days) enhances security. Management approval for the rotation frequency ensures company-wide support.
Beyond Passwords: Multi-Factor Authentication: The source acknowledges the limitations of relying solely on passwords ("something you know"). It highlights additional security layers like:
One-Time Keys/Tokens: These devices generate time-sensitive codes, offering an extra layer of security for remote access (e.g., VPN keys).
Software Tokens: Applications like Google Authenticator provide similar functionality to physical tokens.
Biometric Authentication: While not commonly implemented due to cost considerations, the source mentions biometric methods like eye scans as a highly secure authentication method.
Important Facts & Quotes:
"In many cases the only protection against unauthorized access to and use of computing and network resources is a password." This emphasizes the critical role of passwords as the first line of defense.
"Good passwords are rotated on a periodic basis, such as every few days." Regular password changes are crucial for maintaining strong security.
"Good security is a combination of two: something you know (such as a password) and something you have (like a token)." This highlights the concept of multi-factor authentication for enhanced security.
"Please don’t share your work password in your own household... The password is not your own; it is the access to the company's networking and computing resources." This underscores the importance of treating work passwords with high confidentiality and not sharing them even with family members.
Recommendations:
Implement a robust password policy with clear guidelines on complexity, length, and rotation frequency.
Educate employees on the importance of strong passwords and best practices for password hygiene.
Explore and implement multi-factor authentication methods to enhance security beyond passwords.
Consider cost-benefit analysis for implementing advanced authentication methods like biometric solutions.
Password Security FAQ
What is the importance of a strong password?
A strong password is often the only barrier between your account and unauthorized access. Weak passwords can be easily guessed or cracked, leaving your data vulnerable to theft. A strong password is complex enough to deter hacking attempts and protect your personal information.
What are the characteristics of a strong password?
A strong password is typically:
Long: The longer, the better. Aim for a minimum of 12 characters.
Complex: Includes a mix of uppercase and lowercase letters, numbers, and special characters (!@#$%^&* etc.).
Uncommon: Avoid using common words, names, dates, or personal information that can be easily guessed.
Not found in dictionaries: Hackers often use dictionary attacks, so ensure your password isn't a dictionary word.
Why should I not share my work password, even with family?
Sharing your work password, even with trusted family members, jeopardizes the security of your company's network and computing resources. Children may unknowingly disclose the password to others, potentially leading to unauthorized access and data breaches.
What are some examples of poor password practices?
Using common words or personal information: Passwords like "password123" or your child's name are easy to guess.
Writing passwords on sticky notes: This makes them visible and accessible to anyone who passes by your workspace.
Using the same password for multiple accounts: If one account is compromised, all accounts using the same password become vulnerable.
How often should I change my password?
Regular password rotation enhances security. It's generally recommended to change passwords every few days, especially for sensitive accounts.
What are some alternatives to traditional passwords?
One-time keys (tokens): These devices generate unique codes that expire after a single use, providing an extra layer of security for remote access.
Biometric authentication: This technology uses unique biological traits like fingerprints or iris scans for verification. While more secure, it's currently less common due to implementation costs.
What is two-factor authentication (2FA) and why is it important?
Two-factor authentication combines something you know (like a password) with something you have (like a token or smartphone app). This adds a significant layer of security by requiring two different forms of verification to access an account.
What are some examples of 2FA methods?
VPN keys: These generate time-based codes that change every few seconds, used in combination with a password for secure remote access.
Google Authenticator: This app generates time-based codes on your smartphone that you enter alongside your password for verification.
YubiKeys: These are small, physical devices that plug into a computer's USB port and act as a second form of authentication.