BLU Discuss list archive
[Discuss] Most common (or Most important) privacy leaks
- Subject: [Discuss] Most common (or Most important) privacy leaks
- From: kentborg at borg.org (Kent Borg)
- Date: Tue, 17 Feb 2015 11:06:22 -0500
- In-reply-to: <BN3PR0401MB12046B091F0FA6E67DDB34A2DC2F0@BN3PR0401MB1204.namprd04.prod.outlook.com>
- References: <BN3PR0401MB12046B091F0FA6E67DDB34A2DC2F0@BN3PR0401MB1204.namprd04.prod.outlook.com>
On 02/17/2015 08:42 AM, Edward Ned Harvey (blu) wrote:
> As an IT person advising a business to be more responsible, what areas do you advocate securing most urgently? IT admin credentials? HR records? Financial records? Other stuff? Simply everything, bar none?

I would lower the priority of worrying about risky e-mails with sensitive information in them.

I think a higher priority would be the really big hole: insecure passwords. Insecure because they are:

- Poorly chosen ("12345678", "password")--and passwords can't just feel random, they need components that actually are random;
- Reused across different purposes;
- Given to third parties to "manage";
- Typed in wrong places (in response to a phishing e-mail);
- Typed on machines that have spyware running on them.

Note that I don't worry about regularly changing passwords or writing them down. I also don't worry about whether they contain a "special character". For example "b3ea-griffin-tempo-opera" is a great password with at least 48 bits of entropy, pretty easy to remember and type. (Like it? I've got at least 281,474,976,710,655 more.) Yet people mistakenly think it is a bad password. Grrr.

An only half facetious suggestion: write passwords down, but ONLY on $100 bills. Now guard them accordingly.

It would be a large and ongoing education effort, requiring high-level buy-in and major cultural change, but if you can get an organization to use passwords securely, you will have solved a large part of the problem. If you can get an organization to really reform, if you can get users to really think through passwords--then you have accomplished a LOT! Congratulate them for being elite (because no one does passwords well--just ask Central Command), and then you can move on to other things. (Including that an encryption key is very different from a password and needs to be created with special care.)

Doing passwords right is not exactly low-hanging fruit, but it is key to everything else. Do passwords wrong and everything else is always breaking because of the bad passwords.

-kb
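Editor's worked example (added here, not part of Kent's message or any BLU project code): the point that a password's strength comes from components that "actually are random" rather than from how it looks can be made concrete by generating the "b3ea-griffin-tempo-opera" shape from the OS CSPRNG and computing entropy from the generation process. The word list below is constructed and deliberately tiny; the assumption that the four leading characters are hex digits and that a roughly 1626-word list is what gives three words plus four hex digits the 48 bits Kent cites is mine, inferred only from the arithmetic (2^48 - 1 = 281,474,976,710,655). The guess-rate figures are illustrative arithmetic, not measurements.

```python
import math
import secrets

# Constructed word list standing in for a real generator's list; real lists
# are far larger (a diceware list has 7776 words), and the sizes used in the
# entropy arithmetic are passed in explicitly rather than read from this list.
SAMPLE_WORDS = [
    "griffin", "tempo", "opera", "walnut", "harbor", "lantern", "meadow", "quartz",
    "saddle", "velvet", "anchor", "bishop", "cactus", "dagger", "ember", "falcon",
]

HEX_ALPHABET = "0123456789abcdef"


def construction_entropy(word_count, n_words, hex_digits):
    """Entropy in bits of '<hex>-word-...-word' when every slot is filled by
    an independent uniform draw: 4 bits per hex digit, log2(word_count) per
    word. Entropy is a property of this process, not of the final string."""
    return 4 * hex_digits + n_words * math.log2(word_count)


def search_space(bits):
    """Number of equally likely passphrases an integer-bit construction yields."""
    return 1 << bits


def words_needed_for_bits(target_bits, n_words, hex_digits):
    """Smallest word list that lets n_words words plus hex_digits hex digits
    reach target_bits of entropy (assumed construction, see lead-in)."""
    remaining = target_bits - 4 * hex_digits
    if remaining <= 0:
        return 1
    return math.ceil(2 ** (remaining / n_words))


def generate_passphrase(words, n_words=3, hex_digits=4, sep="-"):
    """Draw each component with the OS CSPRNG via `secrets`. `random.choice`
    is seeded from a small, predictable state and would undo the entropy."""
    prefix = "".join(secrets.choice(HEX_ALPHABET) for _ in range(hex_digits))
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return sep.join([prefix] + chosen)


def hours_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker who can test guesses_per_second
    candidates, e.g. online against a rate-limited login versus offline
    against a leaked fast hash."""
    return search_space(bits) / guesses_per_second / 3600


if __name__ == "__main__":
    bits = construction_entropy(1626, 3, 4)
    print(f"1626-word list, 3 words + 4 hex digits: {bits:.2f} bits")
    print(f"search space at 48 bits: {search_space(48):,}")
    print(f"fresh passphrase: {generate_passphrase(SAMPLE_WORDS)}")
    print(f"online at 100 guesses/s: {hours_to_exhaust(48, 100) / 24 / 365:,.0f} years")
    print(f"offline at 10^10 guesses/s: {hours_to_exhaust(48, 1e10):.1f} hours")
```

The last two lines are the caveat a practitioner would add to the message above: 48 bits is ample against anything rate-limited, but against an offline attack on a leaked fast hash it is a matter of hours, so the hashing scheme on the server side (a slow, salted KDF) matters as much as the passphrase itself, and the same arithmetic shows why a key, unlike a password, needs many more bits.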