Password Security and Social Engineering

I was doing some research for an upcoming blog post for work and came across this funny bit that Jimmy Kimmel did during the Sony hack hype.  It has some really important content for security professionals and the general public.

One, it is really easy to social engineer information from people. A book I enjoyed reading, “Ghost in the Wires” by Kevin Mitnick, gives endless examples of how he used social engineering to get valuable information about corporate networks, account details, even passwords. The Jimmy Kimmel bit illustrates one technique that not many hackers have in their arsenal (a TV camera crew), but less sophisticated techniques are used all the time. How much information do you give out over social media or on phone calls from employees, telemarketers, etc.? I am not advocating pulling up the drawbridge and not sharing on those sites or in conversations (I am in the collaboration business so that would not be convenient), but I am saying be aware. There is no reason under any circumstances that you should be compelled to give out your passwords or information about your password.

Two, it is a good reminder to go in and change your password from time to time. If you work for a large corporation you will be forced to do this on a set schedule. However, this doesn’t cover your social media sites. It is good practice, especially with the number of devices you probably have today, to go in and change those passwords. I like to do it twice a year after the clocks change.

Last, creating a good password with decent entropy is really easy using what I call the sentence method. This is certainly not a new technique, and I can’t remember where I first learned it; otherwise I would attribute the method here. Here is how it works: One, create a sentence that you can remember, e.g. “My favorite teacher in 3rd grade was Mrs. Smith who wore glasses and was a star”; two, take the first letter of each word in the sentence and include a number and special character, e.g. Mfti3gwMSwwgawa* (here “3rd” supplies the number and “star” becomes the *). Some websites won’t allow special characters because they are worried about cross-site scripting vulnerabilities, so if your financial institution is one of those then use the word equivalent of the special character. If you want a shorter version, create a shorter sentence. There are variations of this that allow you to take the last letter of each word in the sentence, or the second letter, etc.
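The sentence method described above, worked through in code. This is an added example, not part of the original post: the function names and the `SYMBOL_WORDS` table are assumptions for illustration (the post itself only maps “star” to *), and the block also covers the spelled-out fallback and the last-letter and second-letter variations.

```python
import re

# Symbol words -> characters. This table is an assumption of the example;
# the post itself only uses "star" -> "*".
SYMBOL_WORDS = {"star": "*", "hash": "#", "dollar": "$", "percent": "%", "plus": "+"}

def sentence_password(sentence, position=0, allow_special=True):
    """Build a password from one character per word of `sentence`.

    position: 0 = first letter, 1 = second letter, -1 = last letter.
    allow_special=False keeps symbol words spelled out, for sites that
    reject special characters.
    """
    out = []
    for raw in sentence.split():
        word = raw.strip(".,;:!?\"'")
        if not word:
            continue
        if word.lower() in SYMBOL_WORDS:
            out.append(SYMBOL_WORDS[word.lower()] if allow_special else word.lower())
        elif re.match(r"\d+", word):
            out.append(re.match(r"\d+", word).group())  # "3rd" -> "3"
        else:
            # Fall back to the first letter when the word is too short.
            idx = position if -len(word) <= position < len(word) else 0
            out.append(word[idx])
    return "".join(out)

def missing_classes(password):
    """Return the character classes the password lacks."""
    checks = {
        "lower": str.islower,
        "upper": str.isupper,
        "digit": str.isdigit,
        "special": lambda c: not c.isalnum(),
    }
    return [name for name, test in checks.items()
            if not any(test(c) for c in password)]

# The post's own sentence; it is published, so choose a different one in practice.
SENTENCE = ("My favorite teacher in 3rd grade was Mrs. Smith "
            "who wore glasses and was a star")

if __name__ == "__main__":
    for kwargs in ({}, {"allow_special": False}, {"position": -1}):
        pw = sentence_password(SENTENCE, **kwargs)
        print(kwargs, pw, "missing:", missing_classes(pw))
```

The last-letter variation of this sentence loses every uppercase letter, which is why the result is checked with `missing_classes` rather than assumed to meet a site's rules.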
