Password Protection

When it comes to security, a password just isn’t enough. Passwords can be lost, stolen, guessed and hacked. But they’re also the most cost-effective access solution, and don’t require an investment in hardware or software. How does the prudent company walk the fine line between implementing enough security and moving into overkill?

By using strong passwords at a minimum, says this week’s interviewee, NuSphere CEO Lorne Cooper. He’s an expert in dealing with network security, and to hear him tell it, any company not using a strong password system is practically inviting hackers in to play.
Password Roulette
One of the major problems with passwords is that the average person has so many to remember.

“The first problem is keeping track of all those passwords,” says Cooper. “You could just use the same password everywhere in spite of the fact that it wouldn’t be as secure, but many systems come back and say you can only have a four digit password. My ATM says it has to be between six and eight characters. Somebody else may say it can only be four, and it has to be all digits. Somebody else can say it can’t be all digits. So you’re pretty much stuck. Almost all of us now have 41 passwords.”

It’s a real nuisance – and many people combat it by using the same passwords over and over.

“A lot of people use the same password with just variations. One of the things that’s very common is that people will have a short password and if they have to make it longer they’ll just double it, or they’ll just use some characters from it. This means if you can break into one part, you can get all of it,” he says.

And breaking into that password may not be so difficult.

“You may decide to use this password, and if you need a password on some website that just gives you news or something; you use this password there,” he says. “But you don’t know what’s going to happen with that information. It may go up in clear text through the Internet. Somebody may break into that little website and steal those PINs (personal identification numbers). Once they have that information, they know what machine you came from and what your PIN number was, and they’ll try that on a more secure place like your bank. If they try that on your bank and they get in, they’ve compromised your piece of security.”
Changing Your Password Correctly
Once people find out just how insecure using the same password for every task is, they immediately think of changing it. Right move? Well, maybe.

“A lot of people change passwords, and they go from mediocre to terrible,” says Cooper.

You need to change your password to a strong password, which has several attributes. The first is length.

“Length matters. If you can make a password six or eight characters, an eight character password is - and I don’t remember the exact numbers - about a thousand times stronger than a six character password,” he says.

Password owners also frequently make their passwords guessable.

“There are programs that hackers use that try typical things. They try proper names. People love to use proper names. Then they’ll try combinations of names. They’ll try dates. So you might use the date your first child was born. That’s a very simple thing, and it cuts down the possibilities. Then they’ll try names like 'Andy123.' If 'Andy' doesn’t work, maybe '123' works, maybe 'Andy1' works. Those are the basic ways that people guess,” says Cooper.

Password-users must have a long password that’s not a proper noun or a word in the dictionary. For instance, the common password “love” could be transformed into “L1O3V5E9.” That’s a lot harder to guess. And if you’re in charge of your company’s security and you ensure that each employee has a lengthy, unguessable password, you’ve shored up that security loophole.

“You have to verify as a policy or security strategy within your company, that people use unguessable passwords. We can do that. Our software will go check and they’ll say, ‘I’m sorry. Your password’s too easy. You have to change it.’”
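
The kind of check described above can be sketched as follows. This is an added example, not NuSphere's software or code from the original article; it tests a candidate password against the guessing patterns Cooper lists (names and words, names with digits attached, dates, a short password doubled). The word list, the eight-character minimum and the function names are assumptions made for illustration.

```python
import re

# Constructed sample word list (assumption); a real policy check would load
# a large dictionary of words and proper names instead.
COMMON_WORDS = {"love", "andy", "password", "secret", "lorne"}
MIN_LENGTH = 8  # assumed policy value; the article only says longer is stronger

# Dates written as 6 or 8 digits, or with separators (04/12/1999, 4-12-99).
DATE_RE = re.compile(r"^\d{6}$|^\d{8}$|^\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}$")


def weaknesses(password, known_words=COMMON_WORDS):
    """Return the reasons a password is easy to guess (empty list = accepted)."""
    reasons = []
    lower = password.lower()

    if len(password) < MIN_LENGTH:
        reasons.append("too short")

    if DATE_RE.match(password):
        reasons.append("looks like a date")

    # "Andy", "Andy1", "Andy123", "123andy": a known word or name with
    # digits attached at either end.
    core = lower.strip("0123456789")
    if core in known_words:
        reasons.append("dictionary word or name, with or without digits")

    # A short password doubled to satisfy a length rule ("x7qpx7qp").
    half = len(lower) // 2
    if half and len(lower) % 2 == 0 and lower[:half] == lower[half:]:
        reasons.append("short password doubled")

    return reasons


def check(password):
    """Return the policy message for a candidate password."""
    found = weaknesses(password)
    if found:
        return ("Your password's too easy. You have to change it. ("
                + "; ".join(found) + ")")
    return "Password accepted."


if __name__ == "__main__":
    # Constructed sample inputs, including the two passwords from the article.
    for candidate in ["love", "Andy123", "19990412", "x7qpx7qp", "L1O3V5E9"]:
        print(candidate, "->", check(candidate))
```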

Now that you have the long unguessable password, you’re safe, right? Well, almost.
Don’t Write it Down
The main problem with formulating nonsensical passwords is that people forget them. And in order to remember, they write them down somewhere.

“I talked to this guy who was traveling in Europe when he was robbed and lost his wallet. When he lost his wallet, he also lost his driver’s license - that was replaceable, credit cards - no problem, easily replaced. He also had a little piece of paper on which he had written three or four different passwords because they were so darn hard to remember. When he finally got back to the States, he found out that someone had broken into his bank account,” says Cooper.

Insist that your employees not write passwords down. You may even want to look into a more secure type of password, such as RSA’s SecurID system. That system provides a token that displays a six-digit number that changes every 30 seconds. The number must be appended to the end of any password for it to be accepted. It’s an outlay on hardware and software that may be worth it for security-conscious companies, as may stronger security systems such as firewalls, intrusion detection systems and other techno security solutions.

Others will simply wish to make passwords longer and guess-resistant. It may seem like a small point – but a password that’s easy to break or guess is almost like using no security at all. And that’s a very bad idea for any company that wishes to keep its private information just that.


This site is up for archival purposes.