Side effect of the OPM breach: Protecting your passwords, beyond password complexity

— from my colleague Frank Briguglio at Dell Software…

By Frank J. Briguglio, CISSP, Security Architect, Dell Software

The Office of Personnel Management (OPM) has stated that any government employee, contractor or military service member that has filled out the “Questionnaire for National Security Positions SF-86” since 2000 (and possibly prior) is at risk of having the data collected comprised to the attacker.

The data collected on the form contains every bit of Personally Identifiable Information (PII), or Sensitive Personal Information (SPI) and life event that we have encountered, personally I first filled one out in 1988 and have updated every five (5) years since, that’s a lot of data.

Think of that data, places you’ve lived, place of birth, schools attended, countries travelled to, spouses information, mother’s maiden name, etc.

Now, consider each of the accounts where you use a password, at work – privileged accounts, email, financial institutions, utility companies, social media, schools, etc.

Here is the recommendation from OPM’s website;

“If the information in your background investigation forms could be used to guess your passwords or if you are using the same password that you did when you filled out your background investigation form, change them. Use complex passwords of 10-12 characters, combining letters, numbers, and special characters. Don’t use something that is easily guessable for someone who knows you or has information about you. Don’t repeat passwords for several accounts.”

Something’s missing, more than ever we need to be more vigilant about the responses we provide to the Challenge Questions used to manage an account. Typical Challenge Questions usually include mother’s maiden name, schools attended, place of birth, favorite country you’ve travelled to, where did you meet your spouse, where did you get married, etc., all easy to remember answers, but they were all included on or could possibly be derived from compromised data!

I suggest reviewing each of your accounts for stored responses to those Challenge Questions, if you have used any data that could have been compromised or derived from compromised data consider changing those answers.

I might be stating the obvious here but so often we don’t consider those obscuring the responses to the Challenge Questions to protecting our assets but we sure need to now.