Ok. This post will be brief and to the point. I wanted to quickly address three (3) computer security misconceptions that we come across quite often in our business of providing IT support or management.
Welcome to the second and final installment of my two part post about password management. Let me prepare you now; this post may get a bit technical because I want to make sure you understand the need for strong passwords, and understand why and how your password may be vulnerable. Worry not, I’ll be sure to include links to additional information if you’re interested in learning more. Let’s get to it.
What Makes a Password Strong?
The very short answer to this question is length (no pun intended). Traditionally we’ve operated under the assumption that more complex password are more secure, but given the way most password cracking tools work what really matters is length not complexity. The reason for this is that “bay guys” aren’t sitting around guessing what your password is, they’re most likely using a tool that simply tests all the possible combinations of letters, numbers and symbols in a given length which means the longer the password the exponentially longer it will take to guess the correct combination. For a more detailed and technical explanation please listen to Security Now! Episode 303: Password Haystacks.
What this means, is that you want your password to be as long as possible but not necessarily so complex that you can’t remember it. Now there are some general rules:
How to Make a Strong, Easy to Remember Password?
Keeping in mind that what matters most is length, your main goal is to devise a scheme where you can create a long and easy to remember password with only just enough complexity.
My recommendation is that you devise a phrase that you will easily remember and modify it slightly for each system you use the password for.
Example: Let’s say you started your first job on April 24, 1998 then you might create a scheme that will use this information to generate a strong, unique password like:
“I started working @ gmail.com on 4/24/98″ (without the quotes even though you could use the quotation marks as well) for your Gmail account and “I started working @ wellsfargo.com on April 24 98″ for your online banking.
The first password is 40 characters in length and is just as strong as “C@&yP6l@fW!4^rf$k@QFLCV5#24MM#58LLh1G&85″ which is also 40 characters in length but as you can see the first one is MUCH easier to remember.
Keep in mind that not all services will allow you to create such a long password. Some websites or systems limit you to only twelve (12) characters or less which means that you need more variability. In these cases make sure you have at the very least one (1) uppercase letter, lowercase letter, number and symbol. Using the same example as above you may have gMail@042496 as your password or something similar. This way you’ll only have to remember your special date (only something you would know) and the website you’re logging into. The key is to develop a formula, once you memorize the formula you won’t have to remember individual passwords.
So now we’ve discussed using a password manager to generate and store the many passwords you have to use everyday and we’ve also discussed creating your own personal, unique formula for generating secure passwords when it’s inconvenient to use a password manager (to log into a computer or application for example). The main points to keep in mind are:
Disclaimer: Please do not use the exact schemes described in this post. They’re provided just as an example of how you can use your own personal information to generate easy to remember secure passwords.
GRC Password Haystack – See how longer passwords are generally better and that complexity is less important.
XKCD: Password Strength – A fun comic strip on this very subject and inspired by the above link.
This is the first installation of a two part blog post that I will use to help our readers be smarter about how they use passwords. This is by no means a definitive guide on password policy or management but rather some tips and suggestions on how to make your life a little easier.
Passwords are EVERYWHERE. These days we need a password for our e-mail, for our bank accounts, another for Facebook, LinkedIn, our cellphone, our home computer, our work computer and the list goes on. It’s safe to assume that we have a less than optimal solution for managing these passwords; maybe we write them down, or worse we use really bad passwords (dates of birth, or simple, easy to remember words). That being said this post is about how you can use an application or service to help you manage the growing list of passwords you’re forced to create and remember everyday.
I implore everyone to follow my simple two step plan to get your password life in order. If you’re already using a password management tool, congratulations, you’re already being smart about passwords and you’re ready for part two. For the rest of you, let’s get to it.
Step One: Choose a Password Management Tool
There are a lot of options out there for password management tools and I’m not going to list or review them all. What you should keep in mind when choosing a password management tool is; what kind of computer do you use? And do you need it to work on more than just your computer or also a smartphone and/or tablet? Here are some password management tools that I’ve used personally or at least suggest you check out.
Step Two: Use It!
Well, that was easy. Seriously, the tool is only useful if you use it, and all of the tools mentioned above make it very easy to offload the task of remembering all these passwords to a system that’s built to do so.
The good thing about using a password management tool is that you can use a stronger password for very important accounts (like online access to your bank account). Now instead of having to remember passwords for each individual account you have, you only need to know your master password.
Coming up in part two, we’re going to tackle how to create a strong easy to remember password for times when you can’t use a randomly generated password or you need to create a master password. Now go be smart about your passwords.
Ever since the CBS Evening News Special exposing the security and privacy risks associated with data stored on copy machine hard drives, we’ve received a number of inquiries from our clients about the safety of their office copiers. So just in case you missed the news, let us bring you up to speed.
Modern digital copiers or MFPs (multifunction printers) are the equivalent of a desktop computer. They come equipped with processors, an operating system, and have memory (RAM) and storage drives to handle document storage, job queuing and image processing tasks. So every time you print, copy, scan or fax a document using your copier that document may spend some (albeit short) part of its life on the copiers internal hard drives. Once your print job is done the typical copier will remove the data from the disk. Sounds pretty safe right? Maybe not.
The latest hoopla surrounding information security on copier machines is related to the fact that many machines never delete this data from the disk, or only do so when the hard drive becomes full (which many never do). So when your copier lease expires and you send it back to your vendor, you may unknowingly be returning the hard drives filled with data from every document ever processed by the machine containing sensitive information about your company and your clients. With enough malicious intent, free publicly available computer forensic software and a few extra bucks anyone could potentially retrieve all that information from the disks.
While the outcome of the CBS investigation was pretty scary with medical records, credit cards and social security numbers retrieved from copiers purchased at random, the good news is that many vendors (as part of their standard operating procedure) actually destroy the data for you. Notwithstanding, if you rather not entrust your data destruction to your vendor you can still ensure your data safety before the copier leaves your hands. Here a few tips that will help.
Many machines already come with security features that will eliminate the risk of data retrieval, but are often not enabled by default. Insist that your copier vendor or your IT consultant enable the data encryption and overwriting features on your machines.
Before returning or disposing of your copier, perform a secure data wipe of the machine’s storage drives. Some copiers allow you to do this with built in functionality and others may require that a hardware add-on be purchased in order to perform the task. It’s also becoming increasingly common for copy vendors to allow you to keep the hard drives and destroy the data at your choosing.
Avoid using copiers you have no control over (e.g. at someone else’s office or at a library) to scan/copy/fax sensitive information. There is no telling who has access to that copier or whether it is their policy to have the data properly destroyed. You may also wish to inquire about data security policies at copy centers your company uses.
So before you send your copier packing back to your vendor with your drivers license and tax returns, make sure you get cleaned up. If not, look on the bright side, your replacement copier might come loaded with secrets of its own.