Password protection - II : Better late than never

Varun Kapoor *

Password protection is a necessity that should be adopted by all users and that too at the earliest, if safety of personal information is to be ensured. It was emphasized in the previous column the need to follow certain rules while making strong and secure passwords. Three of these rules were enumerated last week and the remaining three are listed here with:

4. Do not write your password anywhere – This is of utmost importance that we avoid writing our passwords anywhere. This is because someone, who need not know the password may get hold of a written password accidentally or by design and then proceed to misuse it.

If we visit any office or especially a Government one – which is the most likely place that we will find the password of the office computer of the officer written? Most probably on the wall next to where the desktop computer of the officer is located! Or it just maybe written on the backside of the keyboard!

All a hacker has to do is to flip the keyboard on its back – and “gwala” the password can be obtained! No complicated viruses and malwares required to hack into the system of such individuals, to obtain their most precious passwords.

Sometimes many citizens store their passwords and account details in their mobile devices in the notes or drafts section. This too is an extremely risky proposition – as their device may get misplaced, lost or stolen – in that event the password may fall into undesirable hands.

In a case that occurred in a college in Indore – one young lady went to the examination hall with her bag. She was advised by the invigilators to keep the bag outside the hall, this she did. Once she finished the exam and came out she found her bag missing. In the bag among other things was her mobile phone and her ATM card.

With only an ATM card the thief could not do anything. But while he was scanning the contents of her mobile phone – he found a four digit code in her drafts section. He immediately guessed that this was her PIN for the ATM card.

He immediately visited the ATM and using her card and PIN withdrew a sum of 60,000/-from the victims account before she could block her ATM card. Thus writing down our passwords, PIN etc in a physical or digital form is a highly risky activity and should be totally avoided.

1. Do not share your password with anyone – Sharing or telling our password to anyone else is a habit that should also be totally discontinued. Sometimes we our self give the passwords to our aquaintainces for carrying out certain tasks, though this too is an undesirable practice – sometimes it becomes imperative. In such cases the password should be changed immediately after the work has been accomplished.

In many cases cyber criminals make phone calls (Vishing) or send emails or sms (Phishing) to unsuspecting victims and try to obtain their secret passwords or other details from them fraudulently.

In such cases too it must be remembered that sharing of passwords or any other secret details with any unknown person over the digital space is a total taboo and must not be done under any circumstance, situation or temptation.

In addition whenever a user approaches an internet café or public computer to use the web – he/she should only use such terminals for the purpose of surfing the net. In no case should such accounts be accessed where passwords have to be inserted.

Like mail accounts, social networking accounts, bank accounts etc should never be accessed. Even if there is an emergency and the user has to access such accounts – he/she must change the password at the first next opportunity. This is because there is no guarantee that the internet café owner or the operator of any other public computer has not installed a software or hardware form of a Key Logger.

This device will copy all your keystrokes and store it in a temporary folder and once the user leaves the devious operator may retrieve the entire stored information and misuse the information obtained.

2. Setup your password recovery option properly -Password recovery option means the option of – “forgot my password”.

All accounts we create have this option because we may forget the password we created and in that condition we must have a means to recover it. If we select this option we are asked a security question and if we reply to this question successfully we can get access to our account.

The problem is that everyone believes that the security question being asked is like an examination and we have to give the correct answer – otherwise we will fail. And they always give the right answer.

An answer that any other person may know or come to know through social engineering or other techniques. Once the person comes to know the answer he can try and successfully get access to the users account.

As an example let’s consider the case of an online banking account of the State Bank of India. The standard security question asked is – “what is your mother’s maiden name”? Suppose I put the right answer to this question, then I am taking a big risk.

Because my mother’s maiden name is information that many people besides me will know. Even if they don’t they can try and find out through a variety of sources which may include my social networking sites and the information contained in them.

Once they know the answer, they can select the option of “forgot my password” and answer the security question successfully. In such a scenario they may gain access to my account.

That is the danger in considering the security question-answer as an examination. The learning point here is that whatever maybe the security question, the answer that we give should be wrong! An answer that only you should know and one that no one else can know or try to find out.

Like if mother’s maiden name is asked – then instead of the right answer a term like “Gulab Jamun” can be used. This kind of answer will ensure that no cyber thug can try to guess or find out. Such an answer only you will know!

Fighting crime thus boils down to only the use of our common sense. If we use it effectively and follow the six password rules enumerated in the two articles, then we can create, obtain and use strong and safe passwords. One which will ensure not only our security but the security of our data, personal information, finances and reputation.


[Views expressed in the column are of the author himself]