Wednesday, April 15, 2015

Points About Passwords

Image by Joanna Poe is licensed under CC by 2.0.

A couple of news items came to my attention, the subjects of which spiral around the idea that the end user of technology is the crucial link to good technology security and the easiest first step for everyone is to protect passwords.  I've written several times before about passwords (Some Words About Passwords, Don't Be a Target, Gateway, Public Computers) because, again, securing passwords is the most simple step with the greatest security payoff.  So reminders like these are pertinent and productive.

Naked Security and other sources report a 14-year-old Florida boy was caught trespassing into the school computer system after he shoulder-surfed a teacher typing in the teacher's password, used it without permission to trespass in the network, and tried to embarrass a teacher he doesn't like by swapping his desktop wallpaper with an image of two men kissing.

While many commentators and bloggers are shocked by the felony charges brought against the student by local law enforcement, I'm intrigued by the security aspect, namely that the teacher 1) repeatedly typed the password in full view of the students , 2) the teacher allegedly used a simple password--purportedly just the teacher's last name and 3) that a routine forced password reset policy was not enforced.

The second news item comes from across the pond.  Arstechnica.com reports that a TV5Monde segment filmed a reporter in front of a staffer's desk which was smothered in sticky notes and taped index cards that were covered in account usernames and passwords.  A similar blunder involving Prince William occurred back in 2012 when pictures of the British royalty were published showing the day in the life of the prince on base as Flight Lieutenant Wales at RAF Valley on Anglesey, north Wales that showed sensitive information visible in four of the photographs.  Both news stories are examples of violations of a very simple password policy:  don't write down username/password information on sticky notes or papers and leave them posted anywhere in sight.

TL;DR:  Don't type passwords where people can see you type, use strong passwords, change your password, don't post your password on sticky notes or papers taped to walls/monitors.

No comments:

Post a Comment