
The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [164]

Since many people use the same or similar sign-on information repeatedly, the malicious Web site operator will attempt to use the chosen password and variations of it for attacking the target’s work- or home-computer system. The visitor’s work computer can sometimes be identified by the email address entered during the registration process.

15-4 Passwords on multiple systems

Policy: Company personnel must never use the same or a similar password in more than one system. This policy pertains to various types of devices (computer or voice mail); various locations of devices (home or work); and various types of systems, devices (router or firewall), or programs (database or application).

Explanation/Notes: Attackers rely on human nature to break into computer systems and networks. They know that, to avoid the hassle of keeping track of several passwords, many people use the same or a similar password on every system they access. As such, the intruder will attempt to learn the password of one system where the target has an account. Once obtained, it’s highly likely that this password or a variation thereof will give access to other systems and devices used by the employee.

15-5 Reusing passwords

Policy: No computer user shall use the same or a similar password within the same eighteen-month period.

Explanation/Notes: If an attacker does discover a user’s password, frequent changing of the password minimizes the damage that can be done. Making the new password unique from previous passwords makes it harder for the attacker to guess it.

15-6 Password patterns

Policy: Employees must not select a password where one part remains fixed, and another element changes in a predictable pattern.

Explanation/Notes: For example, do not use a password such as Kevin01, Kevin02, Kevin03, and so on, where the last two digits correspond to the current month.

15-7 Choosing passwords

Policy: Computer users should create or choose a password that adheres to the following requirements. The password must:

• Be at least eight characters long for standard user accounts and at least twelve characters long for privileged accounts.

• Contain at least one number, at least one symbol (such as $, _, !, &), at least one lowercase letter, and at least one uppercase letter (to the extent that such variables are supported by the operating system).

• Not be any of the following items: words in a dictionary in any language; any word that is related to an employee’s family, hobbies, vehicle, work, license plate, social security number, address, telephone, pet’s name, birthday, or phrases containing those words.

• Not be a variation of a previously used password, with one element remaining the same and another element changing, such as kevin, kevin1, kevin2; or kevinjan, kevinfeb.

Explanation/Notes: The parameters listed above will produce a password that is difficult for the social engineer to guess. Another option is the consonant-vowel method, which provides an easy-to-remember and pronounceable password. To construct this kind of password, substitute a consonant for each letter C and a vowel for each letter V in the mask “CVCVCVCV.” Examples would be MIXOCASO; CUSOJENA.
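The following is an added example, not part of the book, that turns policies 15-6 and 15-7 into a checker: it enforces the length and character-class rules, rejects candidates containing a forbidden word, flags the "one element fixed, one element changing" pattern against previously used passwords, and generates a password with the consonant-vowel mask. The forbidden-word list, the symbol set beyond the four the policy names, and the four-character threshold for detecting a shared element are assumptions made for the example.

```python
import os
import secrets

# Constructed stand-in for the dictionary and personal-detail words the policy
# describes; a real deployment loads a full dictionary plus per-user data (assumption).
FORBIDDEN_WORDS = {"password", "welcome", "kevin", "honda", "january"}
# The policy names $, _, !, & as examples; the remaining symbols are an assumption.
SYMBOLS = set("$_!&@#%^*-+=?")

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"


def is_variation_of(candidate: str, previous: str, min_shared: int = 4) -> bool:
    """Policy 15-6/15-7: one element stays fixed while another changes
    (kevin -> kevin1, kevinjan -> kevinfeb, Kevin01 -> Kevin02). Detected as a
    shared prefix or suffix of at least min_shared characters, case-insensitively."""
    a, b = candidate.lower(), previous.lower()
    shared_prefix = len(os.path.commonprefix([a, b]))
    shared_suffix = len(os.path.commonprefix([a[::-1], b[::-1]]))
    return a == b or max(shared_prefix, shared_suffix) >= min_shared


def check_password(candidate: str, previous: list, privileged: bool = False) -> list:
    """Return the policy 15-7 rules the candidate violates (empty list = accepted)."""
    violations = []
    if len(candidate) < (12 if privileged else 8):
        violations.append("too_short")
    if not any(c.isdigit() for c in candidate):
        violations.append("missing_digit")
    if not any(c in SYMBOLS for c in candidate):
        violations.append("missing_symbol")
    if not any(c.islower() for c in candidate):
        violations.append("missing_lower")
    if not any(c.isupper() for c in candidate):
        violations.append("missing_upper")
    lowered = candidate.lower()
    # "phrases containing those words": a forbidden word anywhere in the candidate counts
    if any(word in lowered for word in FORBIDDEN_WORDS):
        violations.append("forbidden_word")
    if any(is_variation_of(candidate, old) for old in previous):
        violations.append("variation_of_previous")
    return violations


def consonant_vowel_password(mask: str = "CVCVCVCV") -> str:
    """The book's consonant-vowel method: each C in the mask becomes a random consonant,
    each V a random vowel, giving a pronounceable string such as MIXOCASO."""
    return "".join(
        secrets.choice(CONSONANTS if m == "C" else VOWELS) for m in mask.upper()
    ).upper()
```

A bare CVCVCVCV word satisfies only the length rule, so check_password will still report the missing digit and symbol; the two methods in the policy are complementary rather than interchangeable.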

15-8 Writing passwords down

Policy: Employees should write passwords down only when they store them in a secure location away from the computer or other password-protected device.

Explanation/Notes: Employees are discouraged from ever writing down passwords. Under certain conditions, however, it may be necessary; for example, for an employee who has multiple accounts on different computer systems. Any written passwords must be secured in a safe place away from the computer. Under no circumstances may a password be stored under the keyboard or attached to the computer display.

15-9 Plaintext passwords in computer files

Policy: Plaintext passwords shall not be saved in any computer file or stored as text called by pressing a function key. When necessary, passwords may be saved using an encryption utility approved by the IT department to prevent
