How to Make Password Changes Like Clockwork

Written by Tom Stamulis
11/2/2009 19 comments

Daylight saving time, spring cleaning, getting your oil changed, and replacing smoke detector batteries all have something in common: they are done on a schedule. So it’s about time those of us brandishing iPhones, BlackBerrys, and other PDAs as if they were body parts started to embrace some scheduling that can protect our identity and build a more secure Internet environment.

I will not take full credit for the following idea, because I was inspired by a Twitter friend, @IBMFedCyber, who tweeted over the weekend: “We need a holiday(s) associated w/ changing important passwords, just like how Halloween is with changing batteries in smoke alarms.”

I responded that instead of remaking the wheel by creating a new holiday, why not leverage the changing of the clocks as the time of year we all strive to change our passwords?

Now, I am sure many of you have heard a lot of “experts” say you should change your password every 90 days -- or even more often, depending on the criticality of the information you are accessing. And I am willing to bet that unless you are reading this on a work computer, most of you can’t remember the last time you changed your personal password.

After being in this business for over 17 years, I am done with “best practices.” I honestly believe the problem is not that people don’t want to be safe, it is that password management is a royal pain in the... anyway, you get the point. However, like all scheduled events in life, changing passwords is much easier if we plan and prepare.

Though we have already turned the clocks back, I would like to suggest that you take this opportunity to change at least one important password. To make it even easier on you, I have compiled a few “free” recommendations that should make this so easy you actually look forward to daylight savings beginning again on March 14, 2010, so you can change your password again.
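The clock-change schedule the post proposes, as an added example that is not part of the original article: a small reminder helper that computes the next scheduled password change from any date. It assumes the US rule in force since 2007 (clocks forward on the second Sunday in March, back on the first Sunday in November), which matches the March 14, 2010 date given above.

```python
"""Password-change reminders keyed to the clock changes proposed in the post.

Assumption (from the article's US context): clocks go forward on the second
Sunday in March and back on the first Sunday in November, the US rule since 2007.
"""
from __future__ import annotations

from datetime import date, timedelta

SUNDAY = 6  # datetime.weekday(): Monday is 0, Sunday is 6


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Return the n-th given weekday (1-based) of a month, e.g. the 2nd Sunday."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7          # days until the first such weekday
    return first + timedelta(days=offset + 7 * (n - 1))


def clock_changes(year: int) -> tuple[date, date]:
    """(spring forward, fall back) dates for a year under the US rule."""
    spring_forward = nth_weekday(year, 3, SUNDAY, 2)   # second Sunday in March
    fall_back = nth_weekday(year, 11, SUNDAY, 1)       # first Sunday in November
    return spring_forward, fall_back


def next_password_change(today: date) -> date:
    """First clock change on or after `today`, i.e. the next scheduled password change."""
    candidates = [*clock_changes(today.year), *clock_changes(today.year + 1)]
    return min(d for d in candidates if d >= today)


def change_schedule(start: date, end: date) -> list[date]:
    """Every scheduled password-change date in the closed range [start, end]."""
    dates: list[date] = []
    for year in range(start.year, end.year + 1):
        dates.extend(d for d in clock_changes(year) if start <= d <= end)
    return dates


if __name__ == "__main__":
    # The post was written on 2 Nov 2009, the day after the clocks went back.
    print(next_password_change(date(2009, 11, 2)))   # 2010-03-14, as the post says
    for d in change_schedule(date(2009, 1, 1), date(2010, 12, 31)):
        print(d)
```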

First of all, I recommend that the average user create between two and three passwords for all personal Internet activities. Everyone uses the Internet in different ways, and only you can determine how many and what kinds of passwords you should have. Everyone should assess where they surf (the sites) and what they do there (the activities) to determine the level of security each requires, according to the following list:

    1) Low Level - Identify sites you visit that require a user name and password that if compromised would cause minimal harm to your identity and no financial impact (e.g., usenet groups, blogs, news sites, etc.). At a minimum, I recommend a password at least 6 characters long that contains at least a mixture of capitals and lowercase letters.

    2) Medium Level - Identify sites you visit that require a user name and password that if compromised could cause significant harm to your identity and possible financial impact (e.g., non-brokerage investment sites, health sites, personal email, etc.). At a minimum, I recommend a password between 6 and 8 characters long that contains at least a mixture of capitals, lowercase letters, and numbers.

    3) High Level - Identify the sites you visit that require a user name and password that if compromised would definitely cause serious harm to your identity and financial well-being (e.g., banking, brokerage sites, online shopping with registered credit cards on file, etc.). At a minimum, I recommend a password at least 8 characters long that contains a mixture of capitals, lowercase letters, numbers, and at least one special character.

In addition to the minimum requirements above, I have some additional recommendations when creating passwords for all of your sites:

    1) Use no word in any language in its true form. (If you replace at least one character in the word, it is no longer in its original form.)

    2) As stated above, length should be dependent on the level of risk you are willing to accept. I do not have a problem with a five- or six-character password that is complex. However, I would recommend that you create a password you can remember.

    3) Lastly, I like special characters, but they are not for everyone. Additionally, all of my passwords are either a word completely randomized, or I use the first letter of a phrase I like and then customize it to my liking and memory capabilities.
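The three levels and the "no word in its true form" rule above, turned into a checker as an added example (not the author's code): it reports the highest level a candidate password satisfies, or none if it fails every level or still contains a dictionary word. Assumptions: the medium level's "between 6 and 8 characters" is treated as a minimum of 6, since a longer password is never weaker; the word list is a tiny constructed stand-in for a real dictionary.

```python
"""Tiered password check modelled on the article's low/medium/high levels."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for "any word in any language"; a real deployment
# would load a full dictionary such as a cracklib word list.
SAMPLE_WORDS = {"mouse", "password", "secret", "yankees", "letmein",
                "hello", "love", "hope", "clock"}


@dataclass(frozen=True)
class Tier:
    name: str
    min_length: int
    classes: frozenset[str]   # character classes that must each appear


# Ordered weakest to strongest, with the minimums given in the article.
TIERS = [
    Tier("low", 6, frozenset({"upper", "lower"})),
    Tier("medium", 6, frozenset({"upper", "lower", "digit"})),   # "6 to 8" read as min 6
    Tier("high", 8, frozenset({"upper", "lower", "digit", "special"})),
]


def character_classes(password: str) -> set[str]:
    """Which of upper/lower/digit/special appear in the password."""
    classes: set[str] = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("special")   # anything else counts as a special character
    return classes


def contains_dictionary_word(password: str, words: set[str] = SAMPLE_WORDS) -> bool:
    """Rule 1: a word in its true form anywhere in the password fails the check.
    Changing even one character (M0use for mouse) is enough to pass, as the post says."""
    lowered = password.lower()
    return any(len(w) >= 4 and w in lowered for w in words)


def meets_tier(password: str, tier: Tier, words: set[str] = SAMPLE_WORDS) -> bool:
    if contains_dictionary_word(password, words):
        return False
    return len(password) >= tier.min_length and tier.classes <= character_classes(password)


def highest_tier(password: str, words: set[str] = SAMPLE_WORDS) -> str | None:
    """Name of the strongest level the password satisfies, or None."""
    met = [t.name for t in TIERS if meets_tier(password, t, words)]
    return met[-1] if met else None


if __name__ == "__main__":
    for candidate in ["Pebble", "Yank3es7", "Int_M0use", "Yankees7", "M0use"]:
        print(f"{candidate!r}: {highest_tier(candidate)}")
```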

It is obvious that any security implementations to make the Internet safer are not going to be driven by the federal government or even our jobs. They will have to be “grass rooted” by the intelligent people on this site and elsewhere.

— Tom Stamulis, Manager, Governance, Risk & Compliance Group, for a major service provider

kerryf
IQ Crew
Thursday November 12, 2009 3:24:32 PM

Good idea.  I actually like taking a few letters from the website I'm on and adding them to that special password; it makes it even more difficult.  If my password is M0use I could make the one here from the first 3 letters of IE, "Int", so I would use:  Int_M0use -- thus I have a pretty strong password :)

rjacksix
IQ Crew
Thursday November 12, 2009 3:09:13 PM

The BEST practice is to get rid of it altogether and use two-factor.  I wish that PayPal would open their API so that vendors could just have a user check their PayPal token for any login... $5 is a small investment to make for peace of mind.  Barring that, best corporate practice is to set a policy and force change periodically with enforced length and composition rules.


If you're a home user, I would strongly suggest a Single Sign On (SSO) wallet; http://keepass.info/ seems to be a reasonable one (of many).

Some are suggesting that you isolate your interactions on the net and not use a net-connected computer for your financial systems at home (such as Quicken, etc.).  I tend to agree.  Netbooks are cheap and you can restore 'em if they get corrupted, pwned, etc.


hankos2
Rank: Cave Painter
Thursday November 5, 2009 10:18:35 PM

I agree, but there are a lot of users that use a computer in their job that could care less about security -- like a lot of "Gov workers"!!!!

tdstamulis
Thinkernetter
Thursday November 5, 2009 6:40:55 PM

Hank,

To be perfectly honest with you, I am a proponent that not everyone should use the Internet. If a person does not have the aptitude to remember their password after changing it, they are probably contributing to the other problems plaguing internet security.

kenton
IQ Crew
Thursday November 5, 2009 5:22:37 PM

I like this post because it simplifies things for people. I think people are so used to hearing that they have to have super complex passwords and change them every 42 days etc, that they feel they could never keep up. While what you are suggesting here isn't going to fix every password related problem, it will make a dent. Getting people to change their passwords 2x a year is probably 2x more than they are currently doing it and that can only make things better.

basal
Rank: Cave Painter
Thursday November 5, 2009 1:09:19 AM

Use MashedLife.com, please. Problem solved, case closed.

It does "exactly" what I want as a password management service. Finally somebody really gets it in this area.

Check their reviews on Mashable, TechCrunch, ...

You will love it. I found myself addicted to it instantly. I use it from my iPhone and on my 7 computers, from Linux and Mac to work and home PCs.

Just my 2 cents. Have fun.


hankos2
Rank: Cave Painter
Wednesday November 4, 2009 7:21:23 PM

Then you have a class where users change their password and forget it or write it down!

Mike Acker
Rank: Web master
Wednesday November 4, 2009 10:43:03 AM

Tom, this is not an issue that you will be able to brush aside.

Certainly it is not the case that an individual will have to conduct his/her business personally over the net; the regular US mail is still working.

Sadly, for most of us, if we don't put our data over the net, someone else will.

Perhaps that is a topic that needs to be looked at as well.  And the reason I write these notes is because Internet crime continues to get worse -- up 585% this year -- according to a report I referenced recently.

how long before the attackers render the Net useless?

"if we can just start to get people to change their passwords on a regular basis"

See the two notes I wrote for you earlier:

If you are using an effective password -- and keeping it properly secured* -- an attacker is not likely to get to your data via an un-authorized logon.

If you are not using effective passwords -- or if you have malware -- your password will be INEFFECTIVE.

If you use a weak password such as "secret", "Yankees", "password", "7777", "hope", "love", "letmeon", "1234567", "hello" etc., an attacker will GUESS your password rather quickly.

If you have malware in your computer it doesn't matter at all how good your password is or how often you change it: the malware waits for you to log on and then helps itself to the use of your computer -- and your userid/password.

3EHr90573FF29c

*If you leak your password -- or if someone you communicate with leaks your password -- then the password is compromised -- as soon as that happens. How much do you trust that other guy? What if attackers steal his entire user-id/password database? Such things have happened, and then the data is sold on the black market. Changing your password would help -- if you got it in time -- and if the attackers only raid the site once -- or once in a while.  But malware can operate in real time. If it is, your new password can be stolen within a few seconds.  That is why malware is such an issue. Until that problem is solved, best practices for password management aren't going to help the way they should.

tdstamulis
Thinkernetter
Wednesday November 4, 2009 10:29:27 AM

Mike,

I appreciate your comments on malware and think this is a necessary pursuit. Perhaps you can start a groundswell here on IE to get Microsoft to address this by Win7/SP2. However, suggesting that people not use the Internet to conduct business is not realistic.

Regardless of the fact that there are significant issues with Internet security as well as browser insecurities, it has become a necessity to the point that some countries have identified Internet access as a "human right". So as we continue to request/force better security from all participants, we as users have a responsibility, and if we can just start to get people to change their passwords on a regular basis and understand the dangers associated with not at least doing this simple task, we will have more support to then get software companies to write authenticated code.

Mike Acker
Rank: Web master
Wednesday November 4, 2009 9:39:58 AM

The following was on Dark Reading this morning:

A rootkit typically hijacks "hooks" in the operating system -- basically the control data in the kernel used to augment or extend the features of an OS -- in order to hide out in the OS. This in turn lets the rootkit intercept and manipulate the system's data, remain invisible to the user and anti-malware tools, and to install other malware aimed at stealing data from the system.


"Then the rootkit can hijack and manipulate the results seen by the user applications ... only allowing a user to see what it wants them to see," says Xuxian Jiang, assistant professor of computer science at NC State and a member of the research team.


Also this:

Cybersecurity is a big issue for the President and his administration and steps are being taken to ensure that America is safe from cyber attacks.
