Tuesday, January 27, 2015

How To Get Someone’s Password

   No matter what else is going on, it seems that I keep circling back to the subject of passwords.  I’ve covered this topic many times, including here, here and here.  But it’s a new year and a new week and passwords are in the news again.

   I’ve jokingly said for many years that the easiest way to get someone’s password is to just ask them!  What I mean by that is that many people will inadvertently give up their userid and password via a Social Engineering attack.

   Wikipedia defines Social Engineering as the "psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme."

   An attacker can send a phishing email that either directly, or via a link to an online form, asks for a password.  They can call the victim on the phone, or call a help desk impersonating the victim.

   Or, they can just walk up to someone on the street and ask!...

   And this is certainly not the first time something like this has been tried.

   There you have it!  So protect your passwords… use a password vault; use different passwords for different systems; use strong passwords; watch out for phishing emails and calls; and don’t give your password to someone else!

   For extra fun, try one of these phishing quizzes.  See if you can identify the imposters!  And reread this post on phishing.

Tuesday, January 6, 2015

The Secret Life of Passwords

   I've written about passwords plenty of times in the past.  Passwords are one of the main security touch-points for people, and it's often not a pleasant experience.

   As we've discussed, it's hard for people to pick good passwords and remember them.  So users need "tricks" to help the memory.  One way I've told people to construct a password is to base the password on an embarrassing moment in your life - that way you won't forget the password and you also won't tell it to anyone else.

   Apparently people have been using that, and similar, methods.  NY Times reporter Ian Urbina wrote a great piece on this called "The Secret Life of Passwords".  He asked people to tell him their passwords - yes, you shouldn't do that - but also the story behind the passwords.  There are some very interesting stories.  People seem to memorialize a part of their life in their passwords!  You can read the full story here.  Leo Laporte did a great interview with Ian in the Triangulation podcast.  You can hear that here.

   I'd like to focus on two aspects of this story that jumped out at me.

   First is the story of Cantor Fitzgerald.  They are a large financial firm that was headquartered at the World Trade Center in 2001.  When the terrorist attacks hit the towers, over two-thirds of Cantor Fitzgerald's employees were killed.  That was tragic.