The use of your account could be used in various criminal activities if not well maintained and kept secret. Remember the trace leads back to your account.
The most common password exposure scenarios
- Physical security breach
A physical breach of your computer will completely bypass even the most sophisticated authentication methods, even the most secure encryption ones. A keylogger, both software and hardware might be installed, your secret PGP key might as well be exposed, thus all your accounting and encrypted data will be compromised. It doesn't matter how long, or secure your password is as physical security breaches are one of the most critical ones.
- Unintentionally shared
A user might share his/her accounting data without even realizing that by exposing it the risk of a potential break-in increases. A password is usually shared with friends, bosses, and family under different circumstances. A "benefit" considered by some users is the convenience for two persons or more, to know certain accounting data in order to gain access to a certain resource. Passwords might also be shared in an informal talk with coworkers discussing the latest company's password policy, or the way they choose their passwords, how they maintain them and in some cases how the management will never find out about their thought to be secret ways of storing the accounting data. One of the most critical and easy to conduct ways of obtaining sensitive data is simply to ask for it, both in a direct or an indirect way, which is what social engineering, is all about.
Sometimes in case of a partial break-in, the encrypted password file of a company might be exposed to a malicious attacker. If it happens, the attacker will start password cracking the file, namely trying all the possible combinations with the idea to find the weakest passwords and gain privileges later on. In case the company is aware that its passwords' file has been compromised, it should immediately notify all employees to change their passwords, so even if weak passwords are exposed, they wouldn't be valid ones anymore. However, if the company is not aware of its password file exposure, it should constantly try to crack its password file just like an attacker would do and filter out the weakest passwords.
Are you aware how many employees are accessing sensitive data through their already breached computer or their friend's one? Having strong password doesn't guarantee its integrity when it's not securely transmitted over the Internet. Don't give your employees the ability to choose between plain text or SSL authentication; instead, enforce all network communications in encrypted mode. Another highly recommended option would be to provide everyone with "last login from...” feature, so that in case they notice an unauthorized login, they would report it right away.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.