Tips for Creating a Strong Password
Correct risky password behavior and reduce your chances of being hacked.
If you need a reason to question your company's password policy, I recommend you take a look at what is happening in Utah right now.
You probably heard about the breach of hundreds of thousands of Medicare and Children's Health Insurance Plan records - a number that seems to increase with every article I read.
This story is worrisome on so many levels, but especially so as the rise of child identity theft has been in the headlines recently. All identity theft is bad, obviously, but when a child's identity is stolen, it is usually not detected for years - until the child is an older teenager or an adult trying to get a job or get a credit card or even enroll in college. By then, the damage is significant.
And how did this breach happen? Allegedly due to a weak password - or as the folks at the Utah Department of Health have claimed, a configuration error in an authentication layer. As Computerworld pointed out:
Many security analysts see that as a somewhat euphemistic admission by the state that the breached server was using a default administrative password or an easily guessable one. By taking advantage of the error, the attackers were able to bypass the perimeter-, network- and application-level security controls that IT administrators had put in place to protect the data on the server.
I've talked many times about the importance of strong passwords, and about one of the worst offenders on the easy-to-guess front: not changing the default password as soon as possible. At this point, that is indefensible.
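The policy failure described above (a default or easily guessable administrative password left in place) is something a company can audit for mechanically. The following is an added example, not code from this article, from Computerworld or from the Utah Department of Health: a small password-policy check that flags credentials matching a deny-list of vendor defaults and common passwords (including trivial variants such as "Admin123!"), enforces a minimum length, rejects passwords containing the username, and estimates entropy. The deny-list, the thresholds and the sample accounts are constructed for the demonstration; a real deployment would load a far larger deny-list.

```python
"""
Password-policy audit: flag default, common and easily guessable passwords.

Added illustration for this article; not the article's own code and not any
agency's tooling. Deny-list, thresholds and sample accounts are constructed.
"""
import math
import re

# Constructed, deliberately tiny deny-list of vendor defaults and common
# passwords (assumption: production would load a large breached-password list).
DEFAULT_PASSWORDS = {
    "admin", "password", "changeme", "default", "123456",
    "welcome", "root", "letmein",
}

MIN_LENGTH = 12          # constructed policy threshold
MIN_ENTROPY_BITS = 50.0  # constructed policy threshold


def charset_size(pw: str) -> int:
    """Approximate the alphabet the password draws from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Naive entropy estimate: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def normalize(pw: str) -> str:
    """Lower-case and drop digits/punctuation so 'Admin123!' compares as 'admin'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if pw.lower() in DEFAULT_PASSWORDS or normalize(pw) in DEFAULT_PASSWORDS:
        problems.append("matches a default or common password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append("low estimated entropy")
    return problems


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each failing username to its violations (passing accounts are omitted)."""
    report = {}
    for username, pw in accounts.items():
        problems = check_password(pw, username)
        if problems:
            report[username] = problems
    return report


if __name__ == "__main__":
    # Constructed sample accounts: one left at a vendor default, one acceptable.
    sample = {"admin": "admin", "sysop": "Tq7#wL9pRz2vK!m"}
    for user, problems in audit_accounts(sample).items():
        print(f"{user}: {', '.join(problems)}")
```

Run against an exported credential inventory (never against live authentication), the audit gives a concrete list of accounts that must be rotated before a policy review, which is exactly the gap the Utah incident exposed.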
Now, there are thousands of people in the state of Utah who have to worry about whether or not their lives are going to be turned upside down. And the Salt Lake Tribune is warning of the inevitable con artists waiting to feed on the woes of others by pretending to represent official agencies looking to "help" the victims when the goal is to just steal even more data. And as Harry Sverdlove, CTO of Bit9 - a victim of a breach himself - told me, even the legitimate agency calls are hard to detect as legitimate.
Officials in Utah now have to rebuild the trust of a citizenry that was likely already wary of the way government handles things.
All this damage from one employee's weak password. If that isn't a reason to reassess your company password policy, I don't know what is.