INVITATION TO CYBERSECURITY 190

to writing down their passwords and keeping them near their desks. In those cases, password expiration policies backfire by increasing the likelihood of password compromises.

As we become more dependent as a society on a secure cyberspace, password-only authentication is on the decline. It has long been known that passwords are a major cybersecurity vulnerability. However, because of their convenience, they will not be going away completely anytime soon, so we must educate ourselves and others on the risks of passwords and how to choose and manage passwords wisely. Chapter 9 provides practical guidance on creating and managing passwords.

8.1.1.2 PINs

In addition to passwords, personal identification numbers (PINs) fall under the something you know category. PINs are designed to be easily remembered. PINs are short passwords, and despite the name, are not always numeric. Because PINs are short, they should never be used as the sole means of authentication, and they should always be used with an authentication mechanism that limits login attempts.

PINs have traditionally been (and many still are) four numeric digits. There are only 10,000 unique PINs in this range—the values ranging from 0000 to 9999. Computers can attempt every PIN in a tiny fraction of a second, and even humans can attempt every PIN manually in only a couple of hours. For this reason, users usually only get a few attempts to enter their PIN. After this, the account is either locked, requiring a different form of authentication to unlock it, or a login timeout period is imposed to slow down further login attempts. Some smartphones have a setting that deletes all the phone’s data after too many failed PIN attempts. The assumption behind PINs and passwords is the same—it is a piece of information that only the genuine user knows, and like passwords, they can be attacked.
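A PIN check that applies the attempt limit and login timeout described above, as an added example (not code from the book). The class name, the three-attempt limit, the 30-second base lockout and the doubling of the lockout on each further failure are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Added example, not code from the book: a PIN verifier that enforces the
# attempt limit the text calls for. With only 10,000 four-digit values, the
# limit and the lockout timeout are what make a PIN usable at all.


class PinVerifier:
    """Checks a short PIN and locks out after repeated failures.

    After `max_attempts` consecutive failures the account is locked for
    `lockout_seconds`; each further failure doubles the lockout, so a
    guessing campaign slows down rather than speeding up. `clock` is
    injectable so the behaviour can be exercised without real waiting.
    """

    def __init__(self, pin, max_attempts=3, lockout_seconds=30.0, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._digest = self._derive(pin)      # never keep the PIN itself
        self._max_attempts = max_attempts
        self._lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = 0                     # consecutive failures
        self._locked_until = 0.0

    def _derive(self, pin):
        # PINs need not be numeric (the text notes this), so treat them as text.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def is_locked(self):
        return self._clock() < self._locked_until

    def verify(self, attempt):
        """Return True only for the correct PIN while not locked out."""
        now = self._clock()
        if now < self._locked_until:
            return False                       # even the right PIN is refused
        if hmac.compare_digest(self._derive(attempt), self._digest):
            self._failures = 0
            return True
        self._failures += 1
        excess = self._failures - self._max_attempts
        if excess >= 0:
            self._locked_until = now + self._lockout_seconds * (2 ** excess)
        return False
```

With these settings a guesser gets three tries, then waits 30 s, 60 s, 120 s and so on, so enumerating the 10,000-value space takes days rather than the fraction of a second the text warns about.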
8.1.1.3 Security Questions

One last category of “something you know” is usually referred to as security questions. These are sometimes compiled during the account registration process, and are used as either an additional or alternative authentication token. Typical questions are the name of the elementary school you went to, your mother’s maiden name, or the name of your first pet. Unfortunately, security questions almost always fail the “only you know” assumption because they are based on real world facts that others may also know or be able to find out. Basing them on facts is by design so that users are more likely to remember the answers since they are based on their real life history.

Security questions are sometimes used as part of the password reset process. Usually multiple security questions are asked to make it more difficult for attackers to impersonate their target. Sarah Palin was the Republican United States Vice Presidential candidate in 2008, and her personal Yahoo email account was famously hacked and exposed in the run-up to the election. The hacker bragged that it took him only a few minutes to gain access to her account. First, he found her Yahoo email address—this was not difficult since email addresses are not usually secret and can sometimes be guessed or seen posted