[Discuss] Most common (or Most important) privacy leaks

Kent Borg kentborg at borg.org
Tue Feb 17 11:06:22 EST 2015


On 02/17/2015 08:42 AM, Edward Ned Harvey (blu) wrote:
> As an IT person advising a business to be more responsible, what areas do you advocate securing most urgently?  IT admin credentials?  HR records?  Financial records?  Other stuff?  Simply everything, bar none?

I would lower the priority of worrying about risky e-mails with 
sensitive information in them. I think a higher priority would be the 
really big hole: insecure passwords.


Insecure because they are:

  - Poorly chosen ("12345678", "password")--and passwords can't just 
feel random, they need components that actually are random;
  - Reused across different purposes;
  - Given to third parties to "manage";
  - Typed in wrong places (in response to a phishing e-mail);
  - Typed on machines that have spyware running on them.

Note that I don't worry about regularly changing passwords or writing 
them down. I also don't worry about whether they contain a "special 
character". For example "b3ea-griffin-tempo-opera" is a great password 
with at least 48 bits of entropy, pretty easy to remember and type. 
(Like it? I've got at least 281,474,976,710,655 more.) Yet people 
mistakenly think it is a bad password. Grrr.

An only half facetious suggestion: write passwords down, but ONLY on 
$100 bills. Now guard them accordingly.


It would be a large and ongoing education effort, requiring high-level 
buy-in and major cultural change, but if you can get an organization to 
use passwords securely, you will have solved a large part of the 
problem. If you can get an organization to really reform, if you can get 
users to really think through passwords--then you have accomplished a LOT!

Congratulate them for being elite (because no one does passwords 
well--just ask Central Command), and then you can move on to other 
things. (Including that an encryption key is very different from a 
password and needs to be created with special care.)

Doing passwords right is not exactly low-hanging fruit, but it is key to 
everything else. Do passwords wrong and everything else is always 
breaking because of the bad passwords.

-kb
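Added example (editor's illustration, not part of Kent's post or the list archive): the Python below makes the entropy arithmetic behind "b3ea-griffin-tempo-opera" concrete. It generates passphrases of that shape with the `secrets` module (a CSPRNG, which is what "components that actually are random" requires, as opposed to `random.random`) and adds up the bits each component contributes. The word list is a constructed stand-in, and the decomposition into four hex characters plus three dictionary words is an assumption about how the 48-bit figure was reached; with that shape, the word list has to hold at least 1626 words for the total to reach 48 bits, and 2**48 - 1 is exactly the 281,474,976,710,655 alternatives mentioned above.

```python
import math
import re
import secrets

# Constructed sample word list. A real list (Diceware, the EFF lists) has
# thousands of entries; this short one only keeps the example self-contained.
SAMPLE_WORDS = [
    "griffin", "tempo", "opera", "saddle", "cobalt", "meadow", "lantern", "quartz",
    "velvet", "harbor", "pencil", "falcon", "marble", "ember", "orbit", "walnut",
]

def entropy_bits(space_sizes):
    """Entropy of a password assembled from independent, uniformly random parts.

    Each part contributes log2(number of equally likely values) bits; the
    contributions add because the parts are chosen independently. This only
    holds when the parts really are drawn uniformly at random; a word the
    user "felt" was random contributes far less."""
    return sum(math.log2(n) for n in space_sizes)

def passphrase_entropy(wordlist_size, n_words=3, hex_chars=4):
    """Bits for the assumed 'hex-word-word-word' shape of the post's example."""
    return entropy_bits([16 ** hex_chars] + [wordlist_size] * n_words)

def words_needed_for(target_bits, n_words=3, hex_chars=4):
    """Smallest word list for which that shape reaches target_bits."""
    remaining = target_bits - hex_chars * 4      # each hex digit is 4 bits
    return math.ceil(2 ** (remaining / n_words))

def generate_passphrase(words, n_words=3, hex_chars=4):
    """Build a passphrase from a CSPRNG (secrets), never from random.random."""
    hex_part = secrets.token_hex(hex_chars // 2)  # 2 hex digits per byte
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return "-".join([hex_part] + chosen)

# Shape of the post's example: four lowercase hex digits, then three words.
PATTERN = re.compile(r"^[0-9a-f]{4}(-[a-z]+){3}$")

def looks_like_post_format(passphrase):
    """True if the passphrase has the 'b3ea-griffin-tempo-opera' shape."""
    return PATTERN.match(passphrase) is not None

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print("bits with the sample list:", passphrase_entropy(len(SAMPLE_WORDS)))
    print("words needed for 48 bits:", words_needed_for(48))
```

The same function shows why "password" or "12345678" is weak: a password picked from a list of, say, the 10,000 most common ones is one choice from a space of 10,000, so `entropy_bits([10000])` is only about 13 bits, regardless of length or "special characters".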


