The hack? The student watched his teacher type in his password and then used the teacher’s password for nefarious purposes. Observing a person entering their user ID and password (collectively referred to as credentials) so that they can be reused without the user’s consent is a hacker technique known as shoulder surfing.
The prank? The student used the teacher’s credentials to remotely access the teacher’s computer and change its background images during an in-class presentation. These new images disrupted the class and embarrassed the teacher.
No real harm done, right? Wrong. Felony charges have been filed against the student, and the incident has been widely covered by the mass media, including USA Today, Time Magazine, and the Tampa Bay Times.
So, could this happen to you?
While two-factor authentication (think: DUO for VPN access) provides excellent protection against this hack, two-factor is not required to log into every system you use (think: judiciary Webmail, your office computer, or online banking). Hence, it is important not only to protect your password, but also to be cognizant of your surroundings every time you type it.
To keep your information safe, incorporate the practices below into your daily routine.
Lock it up.
When you step away from your desk, remember to lock your screen. When the computer is unlocked, the shoulder surfer doesn’t even need your password.
Keep it private.
Protect your on-screen information from unnecessary views by using a privacy screen that limits viewing to just your field of vision.
Ask for space.
If someone is too close, ask them to take a few steps back while you are typing your password. People will appreciate your desire to keep your password safe.
Avoid a written record.
Passwords written on a piece of paper are an easy target for shoulder surfers. If you have a lot of passwords to remember, consider using an electronic password organizer (or vault). If you must keep a written backup copy of your passwords, place it in a sealed envelope, sign across the seal (so you know if anyone has opened or replaced the envelope), and store it in a locked cabinet to which only you have access.
Don’t select an easily guessed password.
Part of what made the student’s hack so easy was that the teacher’s last name was his password. Worse, this ended up being the case for all teachers within the school, making this an easy hack to implement against any member of the school’s staff.
Periodically change your password.
As was the case with the teacher, you may not know that your password has been compromised. To limit the time during which a stolen password can be used successfully and surreptitiously, change it periodically. And do not use the same password on all your systems. Why? You don’t want one compromised password to serve as a master key that unlocks the door to every system on which it is used.
If you have any additional questions about password protection, contact your local IT staff, Circuit IT Security Officer, or ITSO for more information.
See Don’t Be the Weakest Link.
See Taking the Guesswork Out of Managing Multiple Passwords.