 
 

Threat: Someone else gets (or guesses) your password



How could this happen to me!?


There are a number of common ways that a password can get out:
  • Picking a simple or easy-to-guess password.
  • Writing your password down and leaving it where it can be found (e.g. a sticky note on the monitor—yes, it really has happened).
  • Telling someone your password!
    This is the most common way for your password information to get out.
    True story: the first day that the Director of InfoSec began at UC, he was riding the Bearcat Shuttle and a girl behind him was talking on her cell phone and told someone her system AND email passwords. Someone in that bus—or out on the street if this had happened there—could have easily written that information down and used it for all sorts of nefarious ends.
  • Someone watching as you type it.
  • Entering your password into an untrustworthy web site (esp. if you got there through a link from a spam email message)
  • Writing passwords in an unencrypted file kept somewhere on your system. If you lend your computer to someone, let someone use your account, or walk away from your computer without locking it or logging out, this file may be found and the information copied.

Three can keep a secret if two are dead. - Benjamin Franklin



Best Case Scenario

The inadvisable conversation you are blithely having in public is not, in fact, overheard by any practical jokers, persons that may for whatever reason want to “teach you a lesson”, identity thieves, or other agents of darkness.  You continue through life blissfully unaware that you just brazenly offered your personal Sword of Damocles to a pool of strangers.

Worst Case Scenario

One of the people near you happens to remember what you said and that Friday, while relaxing in a restaurant with friends happens to say something like: “You wouldn't believe what ---- did yesterday!  We were on a bus surrounded with people and she told someone on her cell phone that her email password was “Dragonfly” with a zero for the o.  Then she went on to say that she uses the same password for everything.  I couldn't believe she would say something like that in public” …or something to that effect.

This person is overheard by someone else in the restaurant.  This third person, having strong political views that oppose those of the current administration of our country, suddenly realizes that they have a way to tell those in charge exactly what they think of the job they are doing, and the message would be traced to someone else...

Unfortunately, in the heat of composition, this stranger makes a few threatening statements of the sort that the Secret Service takes very seriously, and next Tuesday—right in the middle of Calculus—4 very large people in conservative gray suits ask you to step out of class with them, making it very clear that asking them to wait is not an option.  For days you are interrogated, your background investigated, your friends, family and classmates questioned until the Secret Service is satisfied that you were not involved in the sending of that email and are not indeed a danger to anyone.

As you walk out of the federal building, you are besieged by reporters that apparently didn't yet get the word that you have been cleared.  Microphones are shoved in your face.  Lights sear your eyes.  Through the cacophony of questions, you hear, “Why did you write that email?”, “Who exactly did you threaten?”, “What are you going to do now?” You try to answer that you did nothing and that you have no idea how this got started, but on the 11 o'clock news you see that you just look surprised, frightened and—undoubtedly because of the camera angle—a little guilty.

The next day you get a phone call from your aged great-grandmother.  You hear the quavering note of disappointment in her voice when she asks you where you went wrong…


Countermeasures

  • Select a strong password
  • Don't tell anyone your password.  Ever.
  • Awareness. When entering your passwords, be aware of others around you.  Standard netiquette requires people standing around you to look elsewhere as you enter your password.
  • Don't leave your system unattended.  Either lock it or log out before you walk away.
  • Don't use the same password on the net that you use for your personal systems.  In fact, it is best to have a different password for everything, especially if that system contains sensitive data like financial, medical or personal information.  There are ways to do this that are not as tough as you think.  Check out the advice in the password selection article.
  • If you must write your password(s) down, make sure they are locked securely in a safe if physical or in an encrypted file if virtual. DON'T leave them on a post-it or in a file on your palm pilot...
 