Your Weak Password Is Putting Your Business At Risk

January 8, 2009

There’s been a string of reports of various web 2.0 services, or individual services, being hacked.  Whether it’s Twitter, Ning, or something else, I’m hearing so many reports that, as I said in a Twitter conversation with @kenburbary, it’s “the year of the miscreant.”  (By the way, if you want tips to avoid Twitter phishing, jump here to his blog.)

So let’s get very serious about passwords, BECAUSE 2009 IS the year of the miscreant.  Deadly, business serious.  I’m going to sound tough, but the message HAS to sink in.

With all of this sharing comes a responsibility to yourself.  I know, it stinks you need to have a more difficult password, but here are some facts:

1) If your password is ANY word in the dictionary, or a name alone, it is much easier to crack.  There’s a thing called a dictionary attack, where robots/scripts/etc. simply try every English word.

Knowing this now, you are being negligent to your business if you use a dictionary-word password (especially without anything to mess it up, like numbers or special characters interspersed).  You are putting your business and your personal brand at risk from hackers, not to mention the time it takes to re-create any assets that live there.

2) Depending on the age or software of the online service, some passwords are case sensitive and some aren’t.  If you can, USE CASE-SENSITIVE passwords as well, to increase your security.

3) The longer your password, the better.  Seriously.  Do nothing under 8 characters – nothing we have is less than 16 characters.  Mission-critical stuff is 64 characters (we have a CD for that – after all, if a hacker/miscreant has physical access to your machine, you’re probably toast anyway).

4) Use gibberish.  It’s hard to remember, but like a bank account number, you’ll eventually get it.  Go to http://www.grc.com/passwords and get yourself a unique password of up to 64 characters.

5) Don’t give out your password to anyone.  I don’t give out my password to any of the Twitter services; sure, it’s just Twitter, but it’s a very bad habit.  Some of these attacks could easily start from the knowledge that, many times, people’s passwords are the same for everything they do, including more serious things like their online banking.

6) Every time something wants a password, question it, even briefly:

  • What is this service that is asking for my password?
  • Why is it asking for it?
  • Is it really the service or program I think it is?
  • Do I trust it?  And how do I know I can trust it?
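As an added example (not from the original post), here is a small Python check that applies the rules from items 1 through 4: it rejects dictionary words even when padded with digits or symbols or written with leet stand-ins such as "p@ssw0rd" (the leet mapping goes a step beyond what the post describes), enforces the 16-character floor, and requires mixed case plus digits or special characters.  The word list is a constructed stand-in for a real dictionary file.

```python
import string

# Constructed mini word list standing in for a real dictionary file
# (a real check would load something like /usr/share/dict/words).
WORDLIST = {"password", "welcome", "monkey", "dragon", "letmein", "business"}

MIN_LENGTH = 16      # the post's own floor: nothing they use is under 16
MIN_WORD_LEN = 4     # ignore tiny words that would match almost anything

# Common digit/symbol stand-ins for letters, so "p@ssw0rd" is read as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def letter_cores(pw):
    """Two letter-only views of the password: raw, and with leet stand-ins mapped back.
    Stripping digits/symbols sees through padding such as 'monkey123!'."""
    raw = "".join(c for c in pw.lower() if c.isalpha())
    mapped = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    return raw, mapped


def dictionary_hit(pw, words=WORDLIST):
    """Return the dictionary word hiding in the password, or None."""
    cores = letter_cores(pw)
    for word in sorted(words, key=len, reverse=True):   # report the longest match
        if len(word) >= MIN_WORD_LEN and any(word in core for core in cores):
            return word
    return None


def check_password(pw, words=WORDLIST):
    """Return a list of problems; an empty list means the password passes.
    Rules follow the post: no dictionary word, at least MIN_LENGTH characters,
    mixed case, and digits or special characters present."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hit = dictionary_hit(pw, words)
    if hit:
        problems.append(f"contains dictionary word '{hit}'")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("no digits or special characters")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, from obviously weak to random gibberish.
    for candidate in ("Monkey", "P@ssw0rd123!", "Welcome2Business!!!!", "xK9#vQ2$mL7@pZ4!wR8&"):
        print(candidate, "->", check_password(candidate) or "OK")
```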

Unfortunately, even with all of this, you alone cannot prevent these things.  As the hack of Twitter showed, bad security practices happen even at the top level of many sites.  Listening to podcasts like Security Now! (where many of these tips are adapted from), I’ve learned that some banks, because their websites are only web front ends to an ancient mainframe, accept only 8 characters, non-case sensitive, even if you type in more!

But doing some practical things, like those outlined above, can significantly reduce your chances of being hacked.  Compromising sites today is less about technology and much more about social engineering and taking advantage of the trust we seem to have.