Passwords – Change the defaults
August 1, 2011 | By Damon Armour, IT Security Officer, contributing writer
How many of us use the same password for our JagNet accounts and online banking accounts? How many share that same password with their favorite blogging site or gaming forum? How many of us have changed the default password on our home routers or mobile phone service voicemails? The more we rely on technology today, the more at risk we are, making ourselves vulnerable by not protecting our authentication credentials, in other words, passwords. Our passwords are the keys to accessing our email, financial information, work files, benefits information, and more. Yet many of us put little to no effort into securing them.
The News of the World phone-hacking scandal in the UK has been in the news recently. But what secret method was used to break into the phones of so many. In many cases, the investigators for News of the World used the default voicemail passwords or PIN numbers that the mobile phone carriers set. [1] Another method was to guess the password, an effective method when the owner sets up something simple like 1234 or 9876. [2]
Other recent events involving default passwords include home wireless and unfriendly or hostile neighbors. Many home users, after installing a wireless router, do not change the default password on the router. This can give a neighbor the ability, if within range, to connect to and use the wireless router. This provides the wireless trespassing neighbor the ability to download copyrighted materials without permission or, worse, to look at illegal forms of pornography. All of us would like to think this would never happen. However, a Buffalo, N.Y., man may have a different opinion after the misery he went through because of neighborhood wireless pirates: link to resources [3] and [4] below to learn more. Another situation took place in Minnesota, where one neighbor used multiple methods of terrorizing another who had a wireless router with weak security. The terrorizing included creating a fake MySpace account to embarrass the neighbor and threatening Vice President Joe Biden through email. It lasted for two years before the FBI finally tracked it to the offending neighbor and made an arrest. The guilty party was sentenced to 18 months in federal prison. [5]
These stories are shocking and extreme, but involve people like you and me. In ASU’s campus housing, University Village, there have been cases of copyright infringement emanating from a dorm room where an unsecured wireless router was involved. A situation like this can open up unsuspecting students to more serious risks such as being accused of downloading child pornography or losing their online credentials, such as banking, email, social media, etc., to someone.
What can you do to protect yourself from such incidents? The first step is to always change the default password. This can be on a mobile phone voicemail, wireless router, etc. The second step is to create a strong password that is not easy to guess. The SANS Institute [6] recommends:
• You must have at least one number in your password.
• You must have at least one CAPITAL letter in your password.
• You must have at least one symbol in your password.
• We recommend your passwords be a minimum of 12 characters in length. For highly confidential sites or information, we recommend 15 characters.
The third step is protecting those passwords. This can include using different passwords for different sites. For example, don’t use the same password for your JagNet as your online banking website. Use a different level of complexity for sites that do not require as much security like a blogging site or access to news media sites. Be cautious when using your passwords on a public computer since these computers could contain malware or keystroke capturing technology. Lastly, never share your passwords; this includes supervisors, coworkers, or even an IT Help Desk. The password is for you, and you alone, to know.
Password security is a key component of any security architecture. By practicing good password habits, individuals can avoid embarrassments, financial losses, legal issues, employment issues, and more. If you have questions on how to create or protect your passwords, the ITS Help Desk (706-737-1482) or the Office of ITS Security is available to help.
Resources:
1. BBC – http://www.bbc.co.uk/news/uk-11195407
2. About.com – http://bizsecurity.about.com/b/2011/07/21/news-of-the-world-phone-hacking-howd-they-do-it.htm
3. Huffington Post – http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html
5. Yahoo – http://news.yahoo.com/minnesota-wi-fi-hacker-gets-18-years-prison-032803295.html
6. SANS Institute – http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201105_en.pdf
