Tips on Password Security
Never give out your password!
This has been briefly mentioned previously, but it is worth reiterating. Unless a court order specifies otherwise, you should never, under any circumstances, give your password to anyone. This surprisingly, but especially, includes your help desk or IT staff. One common trick employed today by attackers to get your password is to just ask you for it. This takes advantage of the natural desire most people have to be helpful and is known as social engineering.
Using social engineering, an attacker can call you, tell you they are with the IT help desk, and voila! Most people will hand over their password without hesitation. The truth is that the real help desk and real IT staff should never need your password. If they need access to your files, they have the administrative ability to gain access with their account.
The same is true of e-mail and anything else to which you have access. When they use those administrative privileges, it leaves an audit trail which ensures that their activity is legitimate. By using your password, there is no audit trail. All actions on your account with your password are, in most places, legally your actions. By handing over your password, you are, in effect, granting whoever has your password power of attorney for your account.
The only reason anyone would need your password is if he is too lazy to do his job correctly, inept and unaware of how to do his job correctly, or up to no good. In conclusion, the next time someone asks for your password, ask yourself if you trust someone who is lazy, inept, or up to no good with what could be your career.
Written by:
Ben Howard - MCSE, Security+, CCNA Security, NSA 4011
Picture Courtesy of: Economic Crime Intelligence