27 October 2010

How a Pas5woRd Can Sink Your Company

Back in the 1990s fellow science and technology journalist Charles Mann and I wrote a book uncovering the true story of how a lone, young, cognitively impaired hacker with relatively few computer skills managed to perpetrate what was then the most extensive and scariest series of computer break-ins ever — government weapons labs, dam control systems and ATM networks were among the hundreds of networks compromised. At the end of the book, we predicted that no matter how much effort was poured into making the Internet safer, hackers would always be able to have a field day, partly for technical reasons but also because companies and individuals would never get it together to take simple precautions critical to safe computing.

Sadly, Mann and I called it right. Viruses, trojans and spyware are bigger problems than ever. Employees unwittingly but routinely hand over their passwords to hackers who break into corporate databases to steal credit card and other information of thousands of customers. Private e-mail is rifled through and made public, and companies have their computers incapacitated by “denial of service” attacks. You need to ask yourself: Could your company survive an encounter with a hacker?

Don’t count on even the best security software or services to protect you — they’re always one step behind the latest hacking twist sweeping through networks. Even if you could afford to get a computer-security genius to come in and watch your company’s back 24 hours a day, he or she couldn’t fully protect you if you or any one of your employees were to slip up. I don’t have room in this post to cover everything you need to know — I plan to revisit the topic in future posts — but let me offer some essentials on the most common way people mess up and put their companies at risk: poor password practices.

Everyone knows by now, I would think, that you shouldn’t use a password that’s easy to guess. Hackers use automated programs that can find any password if it’s a word in the dictionary or a proper name, even if it’s spelled backwards. Throwing in a mix of letters and numbers helps. But here’s the problem even tricky password users run into: Because we all need passwords for so many Web sites and accounts these days, people end up using the same password for many of them — or else write their passwords down somewhere. Both of these practices are disasters waiting to happen.

If you use the same password for many sites, all a hacker has to do is get your password at any one site — and some site out there somewhere is doing a lousy job of protecting your password — and he’s got it for all of your sites and accounts. So if a hacker or malicious employee at the place you buy shoelaces online lifts your password, he can get into your bank account and your company’s computers. If you use different passwords but write them down next to your desk or in your wallet or on a file in your computer then you’ve given thieves and hackers a convenient one-stop-shopping list for violating your entire electronic world. There are small gadgets that can solve this problem by constantly generating new passwords, but they can be expensive, inconvenient and vulnerable to theft.

Here’s a better solution: Come up with a simple formula for generating passwords in your head that’s based on the name of the site or organization you’re signing up with. For example, you might take the name of the site (tractortires.com), drop everything but the first six characters to the left of the “dot” (tracto), reverse the first three letters (artcto), add the number “5” after the third character and a capital “Z” at the end (art5ctoZ). By this formula, “plan9movie.net” gets the password “alp5n9mZ,” and “cellphone.org” yields “lec5lphZ.”

You’ll also need a trick for dealing with site or organization names that have fewer than six letters, because you’ll want an eight-character password. You might, for example, just add in extra “5”s, so that the password for beer.net becomes eebr555Z. Make up your own formula, and don’t share it with anyone. It may sound a bit complicated, but after doing it a few times you’ll be able to do it in your sleep, and you’ll have a unique, impossible-to-guess password for every one of your accounts and sites without having to write anything down. The formula could be easily cracked, of course, but a hacker would need to get his hands on at least a few of your different passwords to figure it out.
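To make the formula concrete, here is the recipe from the two paragraphs above written out as a small Python script. This is an added illustration, not code from the original post or its author. It reproduces the four worked examples on the page (tractortires.com, plan9movie.net, cellphone.org and beer.net); the handling of names shorter than six characters is this example’s reading of the “beer.net becomes eebr555Z” sentence (pad the reversed stem with “5”s to seven characters, then add “Z”), since the post does not spell out that branch for other lengths. The `fixed_positions` helper is also an addition: it shows the caveat the author states, that the formula leaks its own shape once a few of the resulting passwords are seen side by side.

```python
"""Worked example of the in-your-head password formula described in the post.

Added illustration, not the article's own code. The short-name rule follows the
article's "beer.net -> eebr555Z" example and is this example's interpretation.
"""

PAD_DIGIT = "5"      # the digit the formula inserts (and pads with)
SUFFIX = "Z"         # the capital letter appended at the end
STEM_LENGTH = 6      # characters kept from the site name
TARGET_LENGTH = 8    # the post asks for an eight-character password


def site_stem(site):
    """Return the part of the site name to the left of the first dot, lowercased."""
    return site.strip().lower().split(".", 1)[0]


def formula_password(site):
    """Apply the post's formula: keep the first six characters of the site name,
    reverse the first three, insert "5" after the third character, append "Z"."""
    stem = site_stem(site)[:STEM_LENGTH]
    reversed_head = stem[:3][::-1] + stem[3:]
    if len(stem) >= STEM_LENGTH:
        body = reversed_head[:3] + PAD_DIGIT + reversed_head[3:]
    else:
        # Short names (interpretation of the beer.net example): pad the reversed
        # stem with extra "5"s up to seven characters, then the "Z" makes eight.
        body = reversed_head.ljust(TARGET_LENGTH - len(SUFFIX), PAD_DIGIT)
    return body + SUFFIX


def fixed_positions(passwords):
    """Indexes at which every password carries the same character.

    These are the parts of the formula an observer can read off once a few
    passwords produced by it are compared, which is the weakness the post itself
    acknowledges ("a hacker would need ... at least a few of your passwords").
    """
    if not passwords:
        return []
    width = min(len(p) for p in passwords)
    return [i for i in range(width) if len({p[i] for p in passwords}) == 1]


if __name__ == "__main__":
    # Constructed sample input: the site names used as examples in the post.
    sites = ["tractortires.com", "plan9movie.net", "cellphone.org", "beer.net"]
    generated = [formula_password(s) for s in sites]
    for site, pw in zip(sites, generated):
        print(f"{site:18s} -> {pw}")
    print("positions identical across all passwords:", fixed_positions(generated))
```

Running the script prints art5ctoZ, alp5n9mZ, lec5lphZ and eebr555Z, matching the post, and reports that character positions 3 (the inserted “5”) and 7 (the “Z”) are identical in every password, which is exactly the structure the author warns a hacker could recover from a handful of samples.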

Every single one of your employees has to get with the program on this. If they’re writing passwords down, or using the same password everywhere, then they’re not just risking getting hacked at other sites, they’re also inviting hackers into any of your company’s computers or accounts to which they have password access. You could force smart-password policies on them, such as requiring them to mix in numbers and change the password every 30 days, or you could even assign them passwords. But aside from your employees resenting the inconvenience and the slightly heavy-handed attitude, these policies won’t keep them from reusing their company passwords elsewhere, or from writing them down. So you might want to teach everyone in your company how to come up with his or her own in-your-head password-generating formula.

Unfortunately, having a great password isn’t much protection if you or an employee end up unwittingly handing it over to a hacker at a phony Web site (“phishing”) or to a hacker who has implanted a spy program in your computer. But that’s for another post.

The above article was originally published at: http://boss.blogs.nytimes.com/2010/10/25/how-a-pas5word-can-sink-your-company/?src=busln