In reality, the weakest link in password security is the user. From weak passwords, to passwords that can be inferred (think birthdays or a spouse's or children's names), to sticky notes left on screens, to susceptibility to social engineering – in many cases it is easier for an attacker to obtain system passwords directly from the user than through any technical attack.

Unfortunately, no matter what you do from a system perspective, you need to continually educate your users about their responsibilities and remind them to be on the lookout for the various means that could be used to obtain system passwords.

Social engineering is a common tactic because it is easy to exploit the human tendency to trust. Common types of social engineering include:

• Phishing attempts, where some type of communication appears to come from a legitimate source such as a business or institution. Phishing messages often ask for help, ask you to verify information, or notify you that you have won something, all in order to get you to divulge personal information that the hacker can then use.
• A response to a question you never asked. In this scenario, what appears to be a legitimate business that you use responds to a question you did not ask. When you reply, the authentication details you provide are then used by the scammer.
• Free or too-good-to-be-true offers. Free downloads may be infected with malicious software that causes further harm, or your payment never results in a delivered product.
• Email from a friend whose account has been hacked. A link or download in such an email can infect your machine with malware, potentially giving the hacker access to everything on it.
• Hackers just ask! In the simplest approach, a hacker merely calls a user and tells her some story explaining why they need a password and/or personal information. Again trusting the caller, the user gives the hacker all the information they need.

There are other common techniques including:

• Shoulder Surfing – looking over a user’s shoulder or reading sticky notes attached to the user’s monitor
• Inference – using personal information such as family names or birth dates to guess passwords
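As an added example (not part of the original article), here is a defender-side check for the inference risk listed above: at password-change time it rejects candidate passwords that embed names or birth dates the organisation already holds about the user. The profile data, the candidate passwords, and the function names are constructed for the illustration.

```python
import re
from datetime import date

# Common character substitutions users apply to make a name "look" stronger.
LEET = str.maketrans("0134@$", "oieaas")


def _date_tokens(d: date) -> set[str]:
    """Digit strings under which a birth date typically appears in a password."""
    fmts = ("%Y", "%m%d", "%d%m", "%m%d%y", "%d%m%y", "%m%d%Y", "%d%m%Y", "%Y%m%d")
    return {d.strftime(f) for f in fmts}


def inferable_fragments(password: str, names: list[str], birthdates: list[date],
                        min_len: int = 4) -> list[str]:
    """Return the personal-information fragments found in `password`.

    `names` are the user's own and family names as held by the enrolment
    system; `birthdates` likewise. An empty list means nothing was found.
    Fragments shorter than `min_len` are ignored to limit false positives.
    """
    found: set[str] = set()
    pw = password.lower()
    pw_deleet = pw.translate(LEET)          # "J0hnSm1th!" -> "johnsmith!"
    digits = re.sub(r"\D", "", password)    # raw digits, used for date checks

    for full_name in names:
        for part in re.split(r"[\s\-']+", full_name.lower()):
            if len(part) >= min_len and (part in pw or part in pw_deleet):
                found.add(part)

    for d in birthdates:
        for token in _date_tokens(d):
            if len(token) >= min_len and token in digits:
                found.add(token)

    return sorted(found)


def password_is_acceptable(password: str, names: list[str], birthdates: list[date]) -> bool:
    """True when no name or birth-date fragment was found in the candidate."""
    return not inferable_fragments(password, names, birthdates)


if __name__ == "__main__":
    # Constructed sample profile: the user, a spouse, and the user's birthday.
    profile_names = ["John Smith", "Mary Smith"]
    profile_dates = [date(1985, 3, 14)]
    for candidate in ("J0hnSm1th!", "Tiger0314xyz", "Summer2019!"):
        print(candidate, "->", inferable_fragments(candidate, profile_names, profile_dates))
```

Such a check complements, rather than replaces, length and breach-list requirements; it only catches the guesses an attacker could make from the profile data you feed it.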

The user is usually the weakest link in any system security. Train your users to spot attacks and respond appropriately.