Showing posts with label Internet security. Show all posts

Monday, December 18, 2017

Online Security

This afternoon I spent several hours reading through computer and online security policies for my company. They are not different from what you would find at any company concerned about making sure sensitive information remains so. While there is a lot that I read, the interesting point I would like to share today concerns passwords.

I am going to start by saying that I hate my company's password policy. My company laptop password has to be a minimum of 12 characters, contain upper and lower-case letters, contain at least 1 number, and can optionally contain symbols. Furthermore, I have to change the password every 90 days but cannot change it within 2 weeks of creating a new one. Why? So users don't just cycle through difficult passwords until they get back to their familiar one. We cannot use the same password again for a really long time. That means our password system remembers quite a few of our old passwords and won't let us re-use them. Of course, we are not allowed to write our passwords down. While this all sounds cumbersome to me, it actually has merit and should be adopted by others concerned about security.

Instead of looking at long passwords as being difficult to remember, I now look at them as ways of creating short sentences. For instance, when I have to create a password for someone and give it to them with the instruction to change it immediately, I always use something funny like "MattIsT0tallyAwesome!" It is longer than the 12-character minimum and is filled with upper and lower-case letters. I have also replaced one of the letter O's with a zero so I get a number in there. Then I end with the exclamation point which is an optional symbol.

The other thing that can get confusing is having to change my password so frequently. While I have come up with a short sentence for my first password, in 3 months I will have to change it again. Instead of coming up with a new password, I simply create a follow-on sentence. One example might be "YesHeReally1s!". Notice how all the rules are followed again with the number one replacing the capital letter I in the word "is". Once again I have used an exclamation point at the end but could have used another symbol just as easily. By the time I have changed my password 10 or 20 times, I have a fairly funny dialog that has been going on. The only trick is remembering which sentence I am on for my current password, but that is much easier than remembering a bunch of random characters.

For the record, I have never used either of my example passwords and they only serve as ideas. After all, what good is having a clever password if you post it somewhere for everyone to read?
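The rules described in this post (12-character minimum, mixed case, a number, a two-week minimum age, a 90-day maximum age and a reuse history) can be enforced as in the following added example, which is not from the original post or from the company's system. The history depth, the PBKDF2 settings and all function names are assumptions; the history holds only salted hashes, so old passwords are never stored in readable form.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

MIN_LENGTH = 12                  # from the post
MIN_AGE = timedelta(days=14)     # from the post: no change within 2 weeks
MAX_AGE = timedelta(days=90)     # from the post: change every 90 days
HISTORY_DEPTH = 24               # assumption: the post only says "quite a few"
PBKDF2_ROUNDS = 200_000          # assumption: work factor for stored hashes

def hash_password(password, salt=None):
    """Return (salt, digest); only this pair is kept, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def composition_errors(password):
    """Check length, upper case, lower case and digit; symbols are optional."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        errors.append("no upper-case letter")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("no number")
    return errors

def in_history(password, history):
    """Re-hash the candidate with each stored salt and compare in constant time."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def is_expired(last_changed, now):
    return now - last_changed >= MAX_AGE

def check_change(new_password, history, last_changed, now):
    """Return the list of policy violations for a requested password change."""
    errors = composition_errors(new_password)
    if now - last_changed < MIN_AGE:
        errors.append("changed within the last 14 days")
    if in_history(new_password, history):
        errors.append("matches a remembered password")
    return errors

if __name__ == "__main__":
    # Constructed sample: the post's own example sentences and made-up dates.
    history = [hash_password("MattIsT0tallyAwesome!")]
    now = datetime(2017, 12, 18)
    print(check_change("YesHeReally1s!", history, datetime(2017, 9, 1), now))
```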

Monday, June 7, 2010

Be Careful What You Write

A few weeks ago, I attended a presentation on Internet Security. The purpose of the talk was to expose the dangers of putting too much personal information on the Internet. With the advent of Twitter, MySpace, and Facebook, there are a lot of ways to keep all of your friends up-to-date with your latest activities. However, this can be a bad thing. Perhaps you mention that you have just acquired that rare item on eBay that represents the bulk of your net worth. Then a few weeks later, you mention that you are on vacation. Any thief with Internet access and a willingness to do a bit of research can figure out how to unburden you from your prized possession.

For some in the audience, it was difficult to see how one could make the jump from reading a blog (like this one) to knowing the exact location of a person. The speaker then gave an illustration of how a teenager was befriended by an online predator. The teenager was smart enough to know better than to give out personal information but that didn't stop the predator. He was able to discover her e-mail and did an Internet search. He was able to find a post on a collectibles website where she gave her mother's phone number. The predator was able to do a reverse telephone lookup and get her address. It was only a matter of luck that the authorities were able to apprehend the predator before any damage was done. When they caught him, he had a map with driving instructions to the teenager's house.

At the end of the presentation it became very apparent that the speaker was against any type of online presence. While that may be a bit drastic, he did have some good points. First, make sure you have a valid reason for posting information. Second, be careful what you post as it may become a lure for tragedy. Finally, be aware of what your children are posting. While I may be upset if someone were to steal my favorite pair of skis, I wouldn't cry too long. If someone were to harm one of my children, it would be a much different story.