Don't fall for easy passwords!

08th September 2009

As a follow-up to our special feature, 'Commonsense on passwords', we pass on the following hints on the dangers of using a single password for multiple utilities: a note sourced from global leader in information security, SafeNet. We also point to a practical tool available in India for those hassled by having to remember so many different passwords.


People worry about hackers using sophisticated methods to break into computers to steal passwords or otherwise compromise security. Such techniques are available, but more often than not security is jeopardized by simple, plain English words that are easy to guess or to find, which makes your account vulnerable. Using your granny’s name as your password and writing it on a note pinned to your monitor is a perfect recipe for disaster.

It's a common practice to use the same password for multiple sites. If you use the same password for a social networking site that you also use for your bank, you are paving the way for hackers to steal your money. Even if you have one secure password for multiple bank accounts, one employee at one of those banks could exploit that information to break into your other accounts.

The Twitter account intrusion is a prime example of this: the hacker known as CROLL was able to gain access to private accounts owned by employees of the Twitter website. The hacker successfully guessed the answers to "secret question" password recovery queries by gathering information from employees' public profiles on social networking sites, and intercepted password reset messages after gaining access to an employee’s public e-mail account. As a result, the hacker gathered further account information, including the users’ passwords, and used the stolen details to gain access to accounts on other sites, including online financial, e-mail, and e-commerce sites. The attacker was able to steal confidential business documents from these accounts and publish them on the Internet, including Twitter employee lists, credit card numbers, food preferences and confidential customer data.

In India, the armed forces recently issued an advisory asking their employees not to reveal personal information on social networking sites, as hackers might use it to gain access to confidential information.

SINGLE SIGN-ON

One solution is to use single sign-on services.

eToken Single Sign-On devices, sourced from Aladdin, a US security services and technology provider (and part of the same group as SafeNet), are available in India. Users can securely store all passwords and logon credentials on a single, secure eToken device (a USB thumb drive-like device). All a user needs to do when logging into any password-protected network, application, or website is plug in the eToken device and enter one eToken password. eToken Single Sign-On will then automatically detect and fill in all the user credentials, providing a true single sign-on experience. http://www.aladdin.com/etoken/single-sign-on.aspx

Aladdin eTokens are marketed in India by Inflow Technologies Pvt. Ltd., Bangalore (www.inflowtechnologies.com) and Capricorn Infotech India Pvt. Ltd., Delhi (www.iSecurity.info).

Rajjesh Mittal of Capricorn tells us that the tokens cost around Rs 1200 each and this is a one-time cost for lay users who want to use it as a single sign-on device. However, the device is essential if you have a digital signature for corporate purposes.

Aug 8 2009