Savid Technologies

Ideas for Choosing a Password

June 10, 2009 | General, IT Security

I know this is basic stuff, but apparently we still need education on choosing a good password.  It amazes me to know that if I ever wanted to log on to a client’s workstation, I can usually do this by entering their last name, their spouse’s name, their pet’s name, or just typing “password1.”  If these methods fail, I could just read the yellow sticky note attached to their computer or lying in their desk drawer.

[Image: Post-it note]
Want to have something like this at your company? We will send you a set of “Don’t write your Password on this” Post-It notes for FREE. Simply contact us and we will ship them out!

Forget worrying about genius hackers with brilliant techniques for breaking into your system.  Why would a hacker need to know how to break into a system when they could simply logon, and not even risk detection?  No matter how strong your security is, it can always be trumped by a poorly chosen password that is easily susceptible to brute force attacks or social engineering.  So let’s go over the rules again.

Your password should not be:

  • “password”
  • Words in any dictionary, English or any other language
  • Your name, names of people you know, or names of fictional characters
  • Any of these possibilities spelled in reverse (leahciM), doubled (MichaelMichael), or mirrored (MichaelleahciM)
  • Poor attempts to use numbers or symbols to replace letters in any of these possibilities (M1chae1)
  • A long, made up sequence of letters, numbers, or symbols that has no meaning and forces you to write it down, “7F+w3{fJ::3(nud<)jdka{h@pzu*n%%h[|ka”.  Such passwords are easy to recognize as passwords because they are so onerous.
  • The same as the other passwords you use for everything else.  It’s unrealistic to always think of a new password for everything you do, but passwords should at least be created depending on the category of risk.

What your password could be:

  • Way back in college they suggested we use the first letter of a song lyric such as “liaun” (Love is all you need).  Then throw in some capitalization, symbols, and replacement letters to make it stronger and throw off any attempts at social engineering, “{1i4uN}”.
  • A childhood imaginary friend with a fantastic name that you have never and would never tell anyone about, “mR.t&goo3y.”  You can’t hack the imagination.
  • You can use a mostly ordinary word or phrase, such as “friendsforever,” but move the position of your hands on your keyboard when you enter it.  For example, change your standard keyboard position so that your left pinky is on the letter “Q” instead of “A” and “friendsforever” becomes “r483hewr943f34”.
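The two lists above describe checks and transformations that are easy to put into code. The following is an added example (not code from the original post or from Savid Technologies) that turns the “should not be” list into a password-policy check and reproduces the keyboard-shift trick from the “could be” list. The wordlist is a constructed stand-in for a real dictionary plus a list of names, and the substitution table (`LEET_CHOICES`) is my own assumption about which symbols and digits commonly replace which letters.

```python
import itertools

# Constructed stand-in for a dictionary plus a list of names; a real deployment
# would load a full wordlist file (entries lowercase).
SAMPLE_WORDLIST = {"password", "michael", "friends", "forever", "fluffy", "welcome"}

# Assumed symbol/digit-for-letter substitutions, the "poor attempts" the post
# mentions (M1chae1). Each key lists the letters it commonly stands in for.
LEET_CHOICES = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
                "@": "a", "$": "s", "!": "i", "|": "l"}

def candidate_words(pw, limit=512):
    """Plain-letter spellings a password could be hiding: lowercased, with each
    substituted character either dropped or mapped back to the letters it
    usually replaces. Capped so a long symbol-heavy string cannot blow up."""
    options = [[c] + list(LEET_CHOICES.get(c, "")) for c in pw.lower()]
    found = set()
    for combo in itertools.product(*options):
        found.add("".join(ch for ch in combo if ch.isalpha()))
        if len(found) >= limit:
            break
    return found

def weaknesses(pw, wordlist=SAMPLE_WORDLIST):
    """Return the reasons a password violates the post's 'should not be' list:
    a dictionary word or name, or one spelled reversed, doubled or mirrored,
    with or without symbol substitutions. An empty list means no check fired."""
    reasons = []

    def note(reason):
        if reason not in reasons:
            reasons.append(reason)

    for word in candidate_words(pw):
        if not word:
            continue
        if word in wordlist:
            note(f"dictionary word or name: {word}")
        if word[::-1] in wordlist:
            note(f"reversed word or name: {word[::-1]}")
        half = len(word) // 2
        if len(word) % 2 == 0 and word[:half] in wordlist:
            if word[half:] == word[:half]:
                note(f"doubled word or name: {word[:half]}")
            elif word[half:] == word[:half][::-1]:
                note(f"mirrored word or name: {word[:half]}")
    return reasons

# US keyboard rows, top to bottom, aligned so that the key under each finger
# when the left pinky rests on "A" sits directly below the key it reaches
# when the pinky moves up to "Q" (the post's example).
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

def shift_up_one_row(text):
    """Type `text` with both hands moved up one keyboard row, as the post
    suggests; characters with no key above them are left unchanged."""
    out = []
    for ch in text:
        for row in range(1, len(ROWS)):
            i = ROWS[row].find(ch)
            if i != -1 and i < len(ROWS[row - 1]):
                out.append(ROWS[row - 1][i])
                break
        else:
            out.append(ch)
    return "".join(out)

if __name__ == "__main__":
    for pw in ["password1", "M1chae1", "leahciM", "MichaelMichael",
               "MichaelleahciM", "{1i4uN}", "mR.t&goo3y"]:
        print(f"{pw!r}: {weaknesses(pw) or 'no listed weakness found'}")
    print(shift_up_one_row("friendsforever"))  # the post's r483hewr943f34
```

The checker deliberately expands substitutions in both directions (each digit or symbol is tried as itself and as the letters it usually replaces), so “M1chae1” is caught whether the 1s stand for i, l, or nothing at all. The keyboard-shift helper is only there to show the transformation; a real policy check should keep growing its wordlist, because any mapping that becomes popular ends up in attackers’ wordlists too.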

Why Be Secure When You Can Just Be Compliant?

This is an issue I often encounter with companies who want us to make sure they meet compliance standards like HIPAA or PCI DSS.  They either think security and compliance are the same thing, or are only focused on compliance and not security.  While compliance definitely improves the security of an enterprise, it has the side effect of creating a false sense of security.  Being compliant is simply not the same as being secure.

Compliance is like a snapshot of good, not great, security practices.  But unlike compliance, security isn’t a goal, it is a process – and it is ongoing.  There is no secure place in the world; there are only constant efforts to make things as secure as possible.

Have we learned nothing from the recent breaches of Heartland Payment Systems, Inc. and RBS WorldPay?  Those organizations passed their PCI audit scan, yet hackers were able to capture hundreds of millions of transaction records in one of the biggest breaches in history.  Were these organizations compliant?  Yes.  Were they secure?  Apparently not.

It’s often the attitude towards security that is to blame.  Enough money will be provided to meet each compliance requirement, but sometimes not a cent more towards the security budget.  If a security expenditure is not required for compliance, it is a low, or even nonexistent, priority.

But security isn’t just about checkmarks on your compliance audits and ignoring practical security concerns along the way.  Here is a great quote from Bill Seiglein regarding the difference between being compliant and being secure:  “There might be a requirement for a door and so we install a door. Unfortunately the door is pointless without a lock but the requirement did not ask for a lock and so we did not get one.”

The correct attitude to have is to focus on actual security first and compliance second.  Are sensitive data and systems protected?  Is each unique risk of the enterprise addressed and properly managed?  If so, then that’s great.  Now you can ask what must additionally be done to satisfy compliance requirements.  More often than not, you’ll find you have already done it.
