
Password: hang10

All the greatest technical controls and policies in the world can be nullified simply by someone glancing over the shoulder of one of your users while they're entering their password.  With the amount of work that's being done remotely now, this situation is getting worse.  Where do your users work from?  Communal "work lounges", that coffee shop down the street from your major client, the airport terminal during a hellish layover, their home next to an open window or on the patio, a convention center floor; in short, anywhere a laptop can go.  Every time your users log in to webmail they have to enter their password, often again to establish their VPN connection, and for various other things besides.

For this section, we'll focus on webmail since it is both a very common attack vector and one you can do something about.  The solution here is fairly straightforward:  don't rely on static, reusable passwords.  Certainly users should be educated to conceal their keyboards when entering a password, but with everything users have to remember these days, security habits are usually the first thing to go.

The technical solution to shoulder surfing is to implement some type of One Time Password (OTP) scheme, or an external token that generates secondary validation information that must be submitted along with the password.  RSA Security has some very popular implementations of this, and various other products and projects implement token generation, OTPs, or cryptographic smart cards for secondary authentication.  The point is that a code observed over someone's shoulder is worthless within seconds, provided the server accepts each code only once and only within a short window around the current time.  Using such a solution in addition to normal user passwords is highly recommended if and when you deploy webmail.  Just make sure those users don't lose their token devices!
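As an added example (not code from the original page, and not RSA's proprietary SecurID algorithm), here is the open HOTP/TOTP scheme from RFC 4226 and RFC 6238, which is the same idea: a per-user secret plus a counter or clock step produces a short code that is only valid once. The `TotpVerifier` class and its replay rule are my own design for illustration; the secret is the RFC test-vector key, which is constructed sample data and must never be used in a real deployment.

```python
import hashlib
import hmac
import struct

# Constructed example secret (the RFC 4226/6238 test-vector key). A real
# deployment provisions a random per-user key and stores it server-side only.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): dynamically truncate HMAC(secret, counter)
    to `digits` decimal digits, zero-padded."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Hypothetical server-side check. Accepts a code for the current time
    step plus or minus `skew` steps, and never accepts a step at or below the
    last step already consumed, so a code that was shoulder-surfed and then
    entered by the attacker a few seconds later is rejected as a replay."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1  # highest step already used for a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue  # this step was already consumed (or is older): replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = counter
                return True
        return False


def shoulder_surf_demo(secret: bytes = SECRET, t: int = 1111111109) -> dict:
    """Scenario: the legitimate user logs in at time t; an attacker who watched
    the keyboard tries the same code 5 seconds later, then the user logs in
    again 2 seconds after that with a freshly generated code."""
    verifier = TotpVerifier(secret)
    surfed = totp(secret, t)
    return {
        "user_login": verifier.verify(surfed, t),
        "attacker_replay": verifier.verify(surfed, t + 5),
        "user_next_login": verifier.verify(totp(secret, t + 2), t + 2),
    }


if __name__ == "__main__":
    # RFC 6238 reference value: 8-digit SHA-1 TOTP at T=59 is 94287082
    print("RFC vector:", totp(SECRET, 59, digits=8))
    print(shoulder_surf_demo())
```

The per-user `last_counter` is what defeats the over-the-shoulder attacker within the same 30-second step; the `skew` bound is what defeats anyone who writes the code down and tries it later. Both checks belong on the server, not in the client or the token.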




This site © copyright 2003-2011 Brian Keefer.  Unauthorized republication is forbidden.