We’ve discussed password liabilities before:  Consider that many people use the same password (and often User ID) for multiple accounts.  This can include online bank credentials, work accounts, social networking sites, other critical sites such as ebay and PayPal…

A breaching entity can hack one account, gain credentials, and then spin them through all other associated user accounts they identify.

Of course, password liabilities also include easy-to-guess things, which are subsequently hacked – either by manual human activity, or password-breaking softwares that simply tumble random words/characters, through authentication mechanisms.  This morning, while having my auto serviced, I tried “password” in trying to gain access to a couple wireless networks in the vicinity – alas, no luck – but worth a try.  Consider:  About 5 years ago, Slovak hackers gained access to Slovakia’s National Security Bureau (NBU).  The NBU maintains a huge body of classified information, which is supposed to enjoy strong security.  However, the hack and breach wasn’t particularly sophisticated:  The respective login ID and password was nbu/nbu123.  

Might want to put a little thought into your organization’s passwords and their associated strength:  Set a minimum amount of characters, and consider making some measure of required special characters (!@%, etc.).  Also, see the four basic requirements at the bottom of this article for maintaining a solid password security posture.

Here are PC Magazine’s worst passwords of 2011:

  1.  password

  2.  123456

  3.  12345678

  4.  qwerty

  5.  abc123

  6.  monkey

  7.  1234567

  8.  letmein

  9.  trustno1

10.  dragon

11.  baseball

12.  111111

13.  iloveyou

14.  master

15.  sunshine

16.  ashley

17.  bailey

18.  passw0rd

19.  shadow

20.  123123

21.  654321

22.  superman

23.  qazwsx

24.  michael

25.  football

Finally, remember to employ four basic, yet critical, practices for maintaining secure passwords:

1)      Use unique passwords for each account.

2)      Change your passwords on a schedule.  How frequently is up to you, but anything from monthly to semi-annually.

3)      Don’t share your passwords.

4)      Avoid common passwords.

NP:  Hi Lili, Hi Lo, Bill Evans, jazz24.org

You may have heard about the man being prosecuted for using his wife’s password to access her e-mail account.  Many news reports indicate that he “hacked” in to her account.  However, the couple kept a small notebook of passwords next to the computer; he logged in.

Still, the man faces charges under a Michigan statute that, when boiled down, bars access to computers and associated resources without proper authorization.

Without going into the detail or merits of this specific legal case, it serves to remind us of something very important.  If you don’t want your information  read, breached, misused, or otherwise accessed and possibly disseminated, then don’t write your passwords down, and definitely don’t have them laying around for easy access.

Which brings us to the real concern:  I’m aware of several environments that have shared accounts – system accounts – for controls, setups, configurations, etc.  The accounts are shared amongst several, authorized, people.  Sometimes there are multiple shared accounts; each having its own class of personnel availing themselves of specific avenues of access and system influence via this means. 

Reasons for having shared accounts include:

1.     Fewer accounts (and passwords) to create and maintain.

2.     Personnel absences easily covered.

3.     Fewer instances of forgotten passwords and resultant resets…

…and so on.  Whatever the reasons, they are not good ones.  Shared accounts represent a problem on several fronts:

What if there is a data breach due to a human error that occurred within the domain of a shared system account?  Who is at fault and will they own up?

Suppose there is fraudulent activity… who is the guilty party?  This could even include embezzlement, or directing too much authority to a specific user, for example.

If there are setup or configuration errors, it’s important to readily identify the transgressing party for purpose of training, or discipline in the case of sloppy work.

Each person in the organization should have a unique account name and associated password.  Network supervisory roles and other special accounts (for the aforementioned setups, fiscal management programs, etc.) should be tethered to one specific person.  If additional accounts with similar roles and authorities are required, create them with unique names and passwords.

As to people who keep passwords in notebooks next to their computer, be advised:  You’re practically soliciting a breach.  Don’t share passwords, don’t write them down (unless they’re in a locked safe, with a discreet list of access), and for certain don’t have them written somewhere in the vicinity of data’s access point (the computer).

NP:  The Red Garland Trio, Manteca, original 1958 LP.  Wonderful album.