Security 01/29/2013

Posted by TBoehm30 in Uncategorized.
I have a spreadsheet with over 150 passwords on it. I have to change my work passwords every 45, 60, and 90 days depending on the system. I ask myself ‘is this more secure?’

I’m no security expert, and sometimes the rules really bug me. Why do I need to change my password? Why should I have different passwords? What is the risk if I don’t follow the rules? I wanted to vent a little, so I started this article. Then I did my research to better understand the issue. Here is what I learned:

The security experts tell us to change our passwords often. The best reasons I have seen have to do with holding off the attackers long enough for the password to have changed. If an attacker gets hold of a password file (from a backup tape, the trash, or a break-in), they could use it to log on to any account whose password hasn’t changed since the file was taken.

The nice thing about those password files is that the passwords in them are encrypted, or hashed, so hackers don’t see your real password; they work from the hashed version in the file. If you simply change one letter, or add a number, the hash is completely different and the old one no longer works. The problem is that a hacker could crack the hash, recover your password, and figure out your password pattern. Then they could easily guess your next password, giving them access to your account.
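To make the hashing part concrete, here is a small added example (my own illustration, not code from the post): a password record stored as a random salt plus a PBKDF2-HMAC-SHA256 hash, a verifier that recomputes the hash from what the user types and compares it in constant time, and a check that a one-character change produces an entirely different hash. The password strings and the 200,000 iteration count are constructed values for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2; a constructed value, tune it for your own servers.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Hash a password under a fresh random salt.

    The returned dict is what a password file stores: the salt and the hash,
    never the cleartext. A per-user salt means two users with the same
    password still get different stored hashes.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: Dict[str, str]) -> bool:
    """Recompute the hash from the typed password and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_stored_hash(a: str, b: str, salt: bytes) -> bool:
    """True only if two passwords hash to the same value under one fixed salt."""
    return make_record(a, salt)["hash"] == make_record(b, salt)["hash"]


if __name__ == "__main__":
    # Constructed demo: a stored record, a good login, and a one-letter change.
    rec = make_record("Winter2013!")
    print("correct password verifies:", verify("Winter2013!", rec))
    print("one-digit change verifies:", verify("Winter2014!", rec))
    fixed_salt = bytes(16)
    print("old and new hash identical:", same_stored_hash("Winter2013!", "Winter2014!", fixed_salt))
```

The point the post makes follows directly: an old hash is worthless against the new password, but nothing in the stored record stops someone who has cracked the old cleartext from trying the obvious variant, so the real defence is a password that is not a small edit of the previous one.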

What are the odds that you or I would be singled out for attack? Hopefully, those odds are not very high, but how much risk are you willing to take? If your whole company system gets stolen, copied, shut down, or broken, how much of the blame do you want to take? It’s probably better to just put up with changing your password.

Why can’t all my passwords be the same? The problem with that is that hackers can get passwords from the least secure system. Even worse, the people who run all of those other systems may have access to your unencrypted password. Joe, at buycoolstuffhere.com, created the site simply to collect people’s usernames and passwords. He then tries those credentials at every financial web site until something works. Then he has full access to your money.

Why do I have to answer security questions? The security questions are usually there in case you forget your password. The answers are usually pretty simple to find on the internet, and they are the riskiest part for casual users. People in the public eye are constantly having their email spilled to the public by people who figured out what street they lived on when they were growing up. Some advice from the internet is to give answers that are not really answers, but hints to your password. What was the name of your first pet? “My favorite song lyric”

Bad passwords and PINs: American Express has an authentication PIN that has to be 4 digits. When I tried to give them numbers I could remember, they told me it had to be a date. Why would they decrease the security possibilities from 10,000 down to 365?

I can see my payroll info online if I remember an 8-digit PIN. The problem is that I am running out of unique numbers that I can actually remember. For me to remember an 8-digit number, it must be a full date or part of a phone number; I don’t have any other long numbers that are burned into my brain well enough not to forget.
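The two PIN complaints above are really one calculation: how many values a guesser has to try. This added example (mine, not from the post) works it out for a 4-digit PIN versus a month/day date, and for an 8-digit PIN versus a full date inside a plausible range of birth years. The year range 1920 to 2013 is a constructed assumption; the month/day count comes out at 366 because it includes February 29, which the post’s 365 figure leaves out.

```python
import calendar
from datetime import date


def pin_keyspace(digits: int) -> int:
    """Number of possible values for a PIN made of `digits` unrestricted decimal digits."""
    return 10 ** digits


def mmdd_keyspace() -> int:
    """Number of distinct month/day combinations, i.e. a 4-digit PIN that must be a date.

    Counted over a leap year so Feb 29 is included; the post's 365 ignores it.
    """
    return sum(calendar.monthrange(2012, month)[1] for month in range(1, 13))


def yyyymmdd_keyspace(first_year: int, last_year: int) -> int:
    """Number of calendar dates from Jan 1 of first_year to Dec 31 of last_year.

    This is the size of an 8-digit PIN that is really a full date within a
    plausible range of years (e.g. someone's birth date).
    """
    return (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1


def expected_guesses(keyspace: int) -> float:
    """Average number of guesses to hit a uniformly chosen value by exhaustive search."""
    return (keyspace + 1) / 2


def shrink_factor(unrestricted: int, restricted: int) -> float:
    """How many times smaller the restricted space is than the unrestricted one."""
    return unrestricted / restricted


def policy_report(first_year: int = 1920, last_year: int = 2013) -> dict:
    """Summarise both policies in one place so the numbers can be compared side by side."""
    four = pin_keyspace(4)
    four_date = mmdd_keyspace()
    eight = pin_keyspace(8)
    eight_date = yyyymmdd_keyspace(first_year, last_year)
    return {
        "4_digits": four,
        "4_digit_date": four_date,
        "4_digit_shrink": shrink_factor(four, four_date),
        "8_digits": eight,
        "8_digit_date": eight_date,
        "8_digit_shrink": shrink_factor(eight, eight_date),
        "8_digit_date_expected_guesses": expected_guesses(eight_date),
    }


if __name__ == "__main__":
    for key, value in policy_report().items():
        print(f"{key:32} {value:,.1f}" if isinstance(value, float) else f"{key:32} {value:,}")
```

The takeaway for anyone writing a PIN policy: forcing a memorable format (a date) does not just lose a little entropy, it collapses an 8-digit space of 100,000,000 values to a few tens of thousands, and a lockout after a handful of wrong attempts matters far more than the digit count.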

Internal security is just as important as external security. Most companies won’t get hacked by strangers in a way that causes them any material harm. It is the employees who pose the most danger. If your employees have access to everything, what’s to stop them from downloading the customer list and selling it to the competition? It is important to divide up all data and only grant access where it is needed for people’s jobs. Look at SOX requirements even if they don’t apply to you; they are designed to make sure that users don’t have more access to the system than they need. That may be why you are limited on your own system, and sometimes can’t even get data you actually need.
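One way to put the “only grant access where it is needed” rule into code is a deny-by-default role policy plus a separation-of-duties check, which is roughly what a SOX-style access review looks for. The following is an added example of mine, not anything from the post or a real product: the roles, datasets, user names and the conflict rule are all constructed to show the idea.

```python
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str]  # (dataset, action)

# Constructed policy: each role is granted only the data its job needs.
# Anything not listed here is denied.
POLICY: Dict[str, Set[Grant]] = {
    "sales_rep":     {("customer_list", "read")},
    "sales_manager": {("customer_list", "read"), ("customer_list", "export")},
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
}

# Constructed user directory: who holds which roles.
USERS: Dict[str, Set[str]] = {
    "alice": {"sales_rep"},
    "bob":   {"payroll_clerk"},
    "carol": {"sales_manager"},
    "dave":  {"sales_rep", "payroll_clerk"},  # deliberately over-privileged
}

# Constructed separation-of-duties rule: nobody may hold a role from both
# groups at once (sales staff should not also be able to edit payroll).
SOD_CONFLICTS: List[Tuple[Set[str], Set[str]]] = [
    ({"sales_rep", "sales_manager"}, {"payroll_clerk"}),
]


def is_allowed(user: str, dataset: str, action: str) -> bool:
    """Deny by default; allow only if some role held by the user grants the pair."""
    roles = USERS.get(user, set())
    return any((dataset, action) in POLICY.get(role, set()) for role in roles)


def access_log_line(user: str, dataset: str, action: str) -> str:
    """Produce an audit line; DENY lines are what a reviewer would alert on."""
    decision = "ALLOW" if is_allowed(user, dataset, action) else "DENY"
    return f"{decision} user={user} dataset={dataset} action={action}"


def sod_violations() -> List[str]:
    """Return users holding a conflicting combination of roles, sorted by name."""
    found = []
    for user, roles in USERS.items():
        for group_a, group_b in SOD_CONFLICTS:
            if roles & group_a and roles & group_b:
                found.append(user)
                break
    return sorted(found)


def effective_grants(user: str) -> Set[Grant]:
    """Everything a user can do, for an access-review report."""
    grants: Set[Grant] = set()
    for role in USERS.get(user, set()):
        grants |= POLICY.get(role, set())
    return grants


if __name__ == "__main__":
    print(access_log_line("alice", "customer_list", "export"))  # a rep trying to export
    print(access_log_line("bob", "customer_list", "read"))      # payroll reading customers
    print("SoD violations:", sod_violations())
    for name in USERS:
        print(name, sorted(effective_grants(name)))
```

Two design points: the policy maps roles to explicit (dataset, action) pairs rather than to whole systems, so “read the customer list” and “export the customer list” are separate decisions; and the separation-of-duties scan runs over the user directory, not over individual requests, which is how an over-privileged account like the constructed “dave” gets caught before it is used.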

So, until a better security system is built, I’ve got over 150 passwords to remember. My spreadsheet doesn’t actually have the real passwords listed, just hints to them. The file itself is password protected; heaven help me if I forget that one.

Do you have a good security story? Leave it in the comments below. Do you know that it’s a global world and technology makes it happen?