The instructor of the first computer security class I ever took told us that there is an inverse relationship between security and convenience. Translated, that means the more convenient something is, the less secure it is, and vice versa. In my roughly 20 years of computer-industry experience, I've found that rule to be fairly accurate.
Here's an example: Wouldn't it be much more convenient if you didn't need to lock your car door and use a key to start it up? Imagine never having to worry about losing your car key again! But you would never really consider leaving your car unlocked with the key in the ignition, would you? Of course not. Because if you did, you probably wouldn't have the car for very long.
On the other hand, if you really wanted to make your car secure, you could pull out the spark plugs every time you parked it. That'd make it much more secure, but it would be extremely inconvenient - not to mention messy.
Instead, most of us choose other means to secure our cars, including:
- Keys
- Alarms
- Steering-wheel locks, like The Club
- Immobilizer devices
All of these require special devices and/or security codes to use the car. Thus, they all require some sacrifice of convenience. We use them because we find them less inconvenient than having our cars stolen.
And so...
And so, we wake up in the morning, get dressed, and then get into those cars and, after having disabled all our security devices, drive them to work, where we sit down at our computers and log into our systems using the same username and password that everyone in the office uses, and which we haven't changed for the last three years. In case we do forget it, it's written down on a Post-It note hidden under our keyboards where nobody would ever think to look. Not only that, but we use the same username and password for every website we've ever signed up with, including PayPal, which is used to transfer money over the Internet.
What can we do?
One fairly simple thing you can do to help protect yourself, and your business, is to improve your password policies. Here are some suggestions for improving your passwords:
- Use at least 8 characters. Treat that as a floor, not a target: every extra character adds more strength than extra complexity does
- Use at least 3 of the 4 types of characters (uppercase, lowercase, numeric and symbol)
- Change your password at least twice a year, and immediately if you suspect it has been exposed. More frequently would be better, but at least twice
- Don't keep your passwords where they could be found. Under the keyboard, in your desk drawer, or on your bulletin board all qualify as "where they could be found"
- Use character substitutions to help make passwords more complex, yet easy to remember. Keep in mind that these substitutions are well known and password-cracking tools try them automatically, so they add less strength than they appear to; a substituted dictionary word is still a dictionary word to a cracker
  - a becomes @
  - s becomes $
  - i becomes 1
  - o becomes 0
  - e becomes 3
  - WorkingNets becomes W0rk1ngN3t$
- Consider some of the following when making a complex password, to help make it memorable:
  - Passphrases: OnceUponATime
  - Misspellings: SkubaDyver
  - Themes: MilesDavis, SonneyStitt, TheloniusMonk (old Jazz Musicians)
  - Combinations: M1l3$D@v1$, 0nc3Up0n@T1m3, $kub@Dyv3r
- Wherever possible, don't share passwords. If someone else needs to get at important data, give them their own account or the specific permission they need rather than your credentials
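To make the rules above concrete, here is a small checker, added as an example and not code from the original post, that enforces the length and character-class rules, applies the post's substitution table to a word, and then undoes those substitutions the way a cracking tool's mangling rules would. The wordlist it checks against is a constructed sample standing in for a real cracking dictionary (an assumption: a real list holds millions of entries), and the 8-character and 3-of-4 thresholds are the ones the post recommends.

```python
"""Password-policy checker for the rules in the post, plus a check that
undoes the character substitutions to show what a cracker's rule set sees."""

# Policy parameters taken from the post: at least 8 characters, at least 3 of 4 classes.
MIN_LENGTH = 8
MIN_CLASSES = 3

# The substitution table from the post, applied case-insensitively as in its examples.
SUBSTITUTIONS = {"a": "@", "s": "$", "i": "1", "o": "0", "e": "3"}
REVERSE_SUBSTITUTIONS = {v: k for k, v in SUBSTITUTIONS.items()}

# Constructed sample wordlist standing in for a cracking dictionary (assumption:
# a real list would be far larger and would include words like these).
SAMPLE_WORDLIST = {"password", "workingnets", "milesdavis", "onceuponatime", "skubadyver"}


def character_classes(password):
    """Return the set of character classes (upper, lower, digit, symbol) present."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_policy(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append("only %d of 4 character classes (%s)"
                        % (len(classes), ", ".join(sorted(classes))))
    return problems


def apply_substitutions(word):
    """Apply the post's substitutions (a->@, s->$, i->1, o->0, e->3) to a word."""
    return "".join(SUBSTITUTIONS.get(ch.lower(), ch) for ch in word)


def undo_substitutions(password):
    """Reverse the substitutions and lowercase, as a cracker's mangling rule would."""
    return "".join(REVERSE_SUBSTITUTIONS.get(ch, ch) for ch in password).lower()


def dictionary_hit(password, wordlist=SAMPLE_WORDLIST):
    """True if the password, with substitutions undone, is a plain wordlist entry."""
    return undo_substitutions(password) in wordlist


def evaluate(password):
    """Combine the policy check with the dictionary check into one verdict."""
    return {"problems": check_policy(password), "dictionary_hit": dictionary_hit(password)}


if __name__ == "__main__":
    for candidate in ["WorkingNets", "W0rk1ngN3t$", "0nc3Up0n@T1m3", "SkubaDyver"]:
        print(candidate, evaluate(candidate))
```

Note what the dictionary check shows: W0rk1ngN3t$ satisfies every rule in the list, yet it collapses back to "workingnets" in one step, so the substitutions buy far less than the extra character classes suggest. The theme and misspelling ideas in the post help precisely because they put words in the password that are less likely to be in a wordlist in the first place.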