Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Most common (or Most important) privacy leaks



On 02/17/2015 08:42 AM, Edward Ned Harvey (blu) wrote:
> As an IT person advising a business to be more responsible, what areas do you advocate securing most urgently?  IT admin credentials?  HR records?  Financial records?  Other stuff?  Simply everything, bar none?

I would lower the priority of worrying about risky e-mails with 
sensitive information in them. I think a higher priority would be the 
really big hole: insecure passwords.


Insecure because they are:

  - Poorly chosen ("12345678", "password")--and passwords can't just 
feel random, they need components that actually are random;
  - Reused across different purposes;
  - Given to third parties to "manage";
  - Typed in wrong places (in response to a phishing e-mail);
  - Typed on machines that have spyware running on them.

Note that I don't worry about regularly changing passwords or writing 
them down. I also don't worry about whether they contain a "special 
character". For example "b3ea-griffin-tempo-opera" is a great password 
with at least 48-bits of entropy, pretty easy to remember and type. 
(Like it? I've got at least 281,474,976,710,655 more.) Yet people 
mistakenly think it is a bad password. Grrr.

An only half facetious suggestion: write passwords down, but ONLY on 
$100 bills. Now guard them accordingly.


It would be a large and ongoing education effort, requiring high-level 
buyin and major cultural change, but if you can get an organization to 
use passwords securely, you will have solved a large part of the 
problem. If you can get an organization to really reform, if you can get 
users to really think through passwords--then you have accomplished a LOT!

Congratulate them for being elite (because no one does passwords 
well--just ask Central Command), and then you can move on to other 
things. (Including that an encryption key is very different from a 
password and needs to be created with special care.)

Doing passwords right is not exactly low-hanging fruit, but it is key to 
everything else. Do passwords wrong and everything else is always 
breaking because of the bad passwords.

-kb
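The entropy arithmetic behind the "b3ea-griffin-tempo-opera" example above (four hex digits plus three dictionary words, giving roughly 48 bits, and hence about 2^48 equally likely alternatives) can be made concrete. The following is an added example, not code from the original post or from BLU: it generates passphrases of that shape from a cryptographically secure source and computes how many bits of entropy the scheme yields. The wordlist is a constructed placeholder of 2048 tokens; the real per-word entropy depends on the size of the list actually used.

```python
import math
import secrets

# Constructed placeholder wordlist (assumption): 2048 distinct tokens.
# A real diceware-style list would be used in practice; what matters
# for entropy is how many entries the list has, not what the words are.
SAMPLE_WORDLIST = [f"word{i:04d}" for i in range(2048)]

HEX_DIGITS = "0123456789abcdef"


def passphrase_entropy_bits(hex_chars: int, n_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase built from `hex_chars` random hex digits
    followed by `n_words` words drawn uniformly (with replacement) from a
    list of `wordlist_size` entries. Each hex digit contributes 4 bits;
    each word contributes log2(wordlist_size) bits."""
    if hex_chars < 0 or n_words < 0 or wordlist_size < 1:
        raise ValueError("invalid passphrase parameters")
    return hex_chars * 4 + n_words * math.log2(wordlist_size)


def alternatives(bits: float) -> int:
    """Number of *other* passphrases with the same entropy budget: 2^bits - 1.
    This is the figure quoted in the post for 48 bits (281,474,976,710,655)."""
    return 2 ** int(bits) - 1


def generate_passphrase(wordlist, n_words: int = 3, hex_chars: int = 4) -> str:
    """Build a hex-word-word-word passphrase using the `secrets` module,
    which draws from the OS CSPRNG. A password that merely *feels* random
    (typed by a human) does not get this guarantee; one drawn this way does."""
    prefix = "".join(secrets.choice(HEX_DIGITS) for _ in range(hex_chars))
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return "-".join([prefix] + words)


def matches_scheme(passphrase: str, wordlist, n_words: int = 3, hex_chars: int = 4) -> bool:
    """Check that a passphrase has the expected structure: a hex prefix of
    the right length followed by exactly `n_words` entries from `wordlist`."""
    parts = passphrase.split("-")
    if len(parts) != n_words + 1:
        return False
    prefix, words = parts[0], parts[1:]
    if len(prefix) != hex_chars or any(c not in HEX_DIGITS for c in prefix):
        return False
    lookup = set(wordlist)
    return all(w in lookup for w in words)


if __name__ == "__main__":
    bits = passphrase_entropy_bits(4, 3, len(SAMPLE_WORDLIST))
    print(f"scheme entropy: {bits:.1f} bits, {alternatives(bits):,} other passphrases")
    print("example:", generate_passphrase(SAMPLE_WORDLIST))
```

With a 2048-word list the scheme comes out at 49 bits (16 from the hex prefix, 11 per word); the post's "at least 48 bits" therefore corresponds to a list of at least a couple of thousand words. Because the words are chosen with replacement from a fixed list, the entropy is exactly the number computed here, independent of how memorable the result happens to look.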



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org