Passwords have been getting bad hype these days – and for good reason.
With "phishing" scams and "keystroke logger" virus transmittals on the rise, identity theft and fraud losses have become a major issue for computer-users. According to the Federal Trade Commission, in 2003 there were an estimated 10 million identity-theft victims in the United States at a cost of some $50 billion.
The greatest cause of this sorry state of affairs regarding identity theft is weak passwords and the lack of other forms of user authentication. But passwords can be a real form of protection when it comes to securing corporate or personal information online – when used wisely.
Take a moment and think of the passwords you use today – more than likely, you have set yours up to be something easily remembered, like a spouse or child's name, your address, telephone number or even your birth date. It is surprising how easy it is for hackers to guess your password when they only know a little bit about you.
The main risks usually fall into several categories: intentional, unintentional or forced disclosure; interception; and cracking.
With intentional disclosure, the owner of a password willingly shares password information with someone else. The motivation might be convenience – "Please check my e-mail for me while I'm away" – or helpfulness – "You can use my user-name/password to get the information you need."
Unintentional disclosure occurs when a user is tricked or fooled into revealing an I.D.-password combination. Forced disclosure is the scariest form of identity theft: it occurs when a person is threatened unless the information is provided. The chances of falling victim to forced disclosure are slim, but again, the best protection is awareness.
Interception and cracking are technical methods of obtaining a user's password. Here, thieves capture I.D.s and passwords as they travel over communication links, or gain access to the data files that store encrypted passwords on your computer. Either one of these methods creates a strong argument for encrypting communication links and data stored on local computers.
There are numerous guidelines for choosing passwords and keeping them safe. First, do not use passwords related to your job or personal life, such as license-plate numbers, a spouse or child's name or fragments of an address.
Otherwise, a person trying to gain access to your information may use social engineering skills (the practice of obtaining confidential information by manipulating legitimate users) to guess your password easily.
Second, never use complete words found in a dictionary, including proper names, places, technical terms or slang. Hackers use huge word lists and try each entry against the file of encrypted passwords on your computer.
Always use passwords with a combination of mixed-case alphabetic characters, numbers and symbols. This makes it extremely hard for a hacker to guess the password or to break in with automated programs.
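The three rules above can be turned into an automated check that a site could run when a user picks a password. The following Python is an added example, not code from the column or from e-Safe Solutions; the word list, the substitution table and the sample user profile are constructed here for illustration, and a real deployment would load a full dictionary and the leaked-password lists that cracking tools use.

```python
import re

# Constructed mini word list; a real check would load a full dictionary plus the
# leaked-password lists that attackers feed to cracking tools.
DICTIONARY = {"password", "welcome", "dragon", "london", "admin", "qwerty", "summer"}

# Digit/symbol-for-letter substitutions that word-list attacks routinely undo,
# so "Dr4g0n" must be treated as the dictionary word "dragon".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Character classes the column says every password should mix.
REQUIRED_CLASSES = {
    "uppercase letter": str.isupper,
    "lowercase letter": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum(),
}

# Constructed profile of the kind a guesser who knows "a little bit about you" would hold.
SAMPLE_PROFILE = {"spouse": "Linda", "child": "Tommy", "plate": "ABC-1234",
                  "address": "42 Maple Street", "birth_date": "1970-05-12"}


def personal_fragments(profile):
    """Break profile values (names, plate, address, birth date) into the
    pieces of three or more characters an attacker would try first."""
    fragments = set()
    for value in profile.values():
        for piece in re.split(r"[^a-z0-9]+", str(value).lower()):
            if len(piece) >= 3:
                fragments.add(piece)
    return fragments


def check_password(password, profile, dictionary=DICTIONARY):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)          # undo the substitutions attackers expect
    # Rule 1: nothing drawn from the user's personal or work life.
    for frag in sorted(personal_fragments(profile)):
        if frag in lowered or frag in normalized:
            problems.append(f"contains personal information fragment '{frag}'")
    # Rule 2: no complete dictionary words, even disguised with digits or symbols.
    letters_only = re.sub(r"[^a-z]", "", normalized)
    for word in sorted(dictionary):
        if letters_only == word or (len(word) >= 4 and word in letters_only):
            problems.append(f"contains dictionary word '{word}'")
    # Rule 3: mix upper case, lower case, digits and symbols.
    for name, test in REQUIRED_CLASSES.items():
        if not any(test(c) for c in password):
            problems.append(f"missing {name}")
    return problems


if __name__ == "__main__":
    for candidate in ["Linda1970", "Dr4g0n!", "summer", "Kz7!vQ2#mp"]:
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "OK")
```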
In most cases, individual identities are validated using one of three authentication methods – something you know (such as a password); something you have (such as a token or smart card); or something you are (biometric traits such as fingerprints, voiceprints, etc.).
If at all possible, try to use at least a two-factor authentication method when logging on to secured sites or computers. Better to be safe than sorry!
Michael Trantas is CEO of e-Safe Solutions, Inc. He can be reached at [email protected]