Asus Tech Support


Monday, 11 June 2012

Use a 'code book' to protect (and to recall) your online passwords

Posted on 12:03 by Unknown

from BetaNews by Aryeh Goretsky
via SysAdmin

With the recent announcements of password breaches at LinkedIn, and warnings from Google about state-sponsored attacks on Gmail accounts, it seems like a good idea now to review some password security basics. Then there is a report today that someone hacked presidential candidate Mitt Romney's Dropbox and Hotmail accounts.
In this post, we’re going to take a look at a rather low-tech solution to a decidedly high-tech problem: How to guard against password reset attacks, and where to securely store the answers to your password reset questions.
Even if you use highly secure passwords, it is possible someone might still be able to compromise your account if they were able to gather enough information about you to know -- or at least guess -- the answers to your password reset questions. Many services use the same questions, e.g., your mother's maiden name, the name of the town you were born in, the name of your first pet and so forth. Because similar questions are used over and over again to reset passwords, it can be fairly easy, even somewhat boring, for an attacker who gathers this type of information to use it to gain access to all sorts of accounts one might have, across services ranging from purely social ones to financial institutions, or even to commit identity theft. The reported Romney hack is about someone guessing the answer to one of his security questions.
Password Reset Hack Attacks
Sometimes, though, it’s even simpler than that: An example of this is former Alaskan governor Sarah Palin, whose personal Yahoo! mail account was compromised via password reset using data about her available from public resources. Of course, most people are not going to have enough biographical data available online to make such an attack easy. Or do they?
With the rise of social networking has come a kind of blurring of the sorts of personal information it’s okay, and safe, to put online. Eager to generate more revenue, social media sites encourage, and in some cases may even require, people to share information about themselves such as birthdays, hometowns, where they went to school and so forth. While this is the sort of information we readily share with friends and family, social media companies request it because it allows for more targeted advertising. The fact that it is the same type of information needed to perform an attack or an impersonation is not something those companies typically tell you about when asking you to fill out your profile, or when warning you that your profile is not complete.
To date, I cannot recall any criminals going after aggregate personal data en masse in order to perform password reset attacks. Data breaches typically provide the passwords themselves or other information that can be readily used for identity theft, such as birth dates, information about credit cards and, in some cases, even social security identification numbers.
Defending Your Passwords
But even if you are not a politician, celebrity or somewhere between the two, you should still take steps to safeguard your privacy, and these days that means some creativity is needed when filling out online forms, such as when filling in the answers to questions used to reset a password.
One of the largest problems is, of course, deciding exactly what to enter. In the case of birthdates, some websites, such as online stores, might require you to enter your birthdate so they can send you a birthday offer or as the answer to a password reset question. They have no other reason for asking for this information, though, and there’s no guarantee they will keep this information secure or use it for other purposes, including selling it to marketing firms. On the other hand, there are plenty of web sites -- financial, insurance and government all come to mind -- where you may not only need to enter your correct birth date but you may be obligated to give them the correct information.
There’s also another issue to consider, both for you and the website, and that’s the issue of ethical behavior. Knowingly providing false data to a website is something of a gray area, even if there is no legal requirement not to do so. How does your obligation to provide a website with correct information balance with your right to freedom from the theft of that data, let alone the issue of privacy? Measuring these competing, and often contradictory, needs is something everyone has to do for themselves, and we cannot make the decision for you. You will need to decide if breaking this social contract is justified as a matter of practical protection.
If you have made the decision not to enter your actual birthdate, then what should you enter? The correct month and day of your birthdate, but the wrong year? The correct year, but with January 1st as your date of birth? The date of your favorite holiday? Making the answers to your password reset questions as unique as your passwords is the key to protecting against attacks on them, so using the same answer over and over again is out: That simply provides another widely-disseminated piece of information for a criminal to collect during the data aggregation phase of the attack.
One Low-Tech Solution
There is a solution, though, and it is a decidedly low-tech one: Write the answers down in a small notebook (that is, the kind you write in with a pen or pencil, not a laptop computer). Or, if you are not partial to keeping a little black (or orange) book, a business card or recipe card holder filled with index cards works just as well, too. Store your little “code book” in the area near, but not directly at, the computer, preferably in a location where it is at least out of sight. The ubiquitous junk drawer works well for this purpose. Of course, if you use a computer in a shared area, you might want to look at storing your code book in a locked desk drawer, filing cabinet or safe.
Now that we have discussed what to use your code book for and where to place it for safekeeping, exactly what sort of information should you write in it? I would recommend something along the following lines:
  • name of website
  • username
  • date you signed up for the service
  • answer(s) to password reset questions
  • date of last password change (and/or date of next password change)
For additional security, do not store the actual answers to your password reset questions, but rather mnemonics or clues that will tip you off, but not an attacker, to the answers.
During the course of writing this blog post, I came across the rather descriptively-named Personal Internet Address & Password Log Book, which, as the name implies, is a place to store information about your website and email accounts. It does, however, contain fields to enter the actual passwords, and not the answers to the questions used to reset those passwords.
Regardless of whether you choose to store password reset answers or the actual passwords, it’s important to keep in mind that the physical security of any written-down information in your notebook -- whether it be the passwords themselves or just the responses to password reset challenges -- is paramount: Writing down that information is the equivalent of putting your passport, driver’s license, social security card, check book, credit cards and debit cards (and their PINs) all together in one convenient bundle.
If you do not have a place that is physically secure enough to store a password reset notebook in, you should not use one for this purpose. Keep in mind that an accident or disaster could result in the notebook being destroyed or unavailable, and plan accordingly. Another thing to keep in mind is that as a tangible, physical object, your password reset notebook is subject to loss. Making a copy of it with a photocopier and storing that offsite in a secure location like a safe deposit box is far less risky than scanning it and storing the copy on your PC where an attacker can access it.
Reprinted with permission.
Photo Credit: urfin/Shutterstock
Aryeh Goretsky is distinguished researcher for security provider ESET. He is responsible for a variety of activities, including threatscape monitoring, investigating new and emerging technologies, working with ESET's developers, QA and support engineers, and liaising with other research organizations. He was the first employee at McAfee Associates and is a veteran of several software and networking companies. A Microsoft MVP since 2004, he runs the C-SQUAD mailing list for law enforcement and IT professionals.