It’s always a good thing when people take my security advice; I do, after all, give them good stuff (like that password card over there, for instance). Over the years, I’ve amassed a large store of advice and tips that I continually promote to my clients. Yesterday, I was given a task that showed me at least some of them listen.
During an on-site call on Friday, the office manager approached me and said she had discovered that some of the staff were using extremely insecure passwords, things like their initials and birthdate, and at least two cases of “password.” She asked me what to do. I told her to order everyone to immediately create secure passwords that have a minimum length of 8 characters and at least three of the following: upper case letters, lower case letters, numerals and special characters. (Note: this is a law office, so users are not allowed to change passwords on their own. The owners of the firm keep a secure list of everyone’s passwords so they always have access to employees’ hard drives.)
When I checked my email yesterday morning, I found a message with a spreadsheet attached. Yes, it was the list of passwords for me to change on the server; every password conformed to the standard. So, it looks like there will be no more insecure passwords at that firm. I consider that real progress.
Now, maybe I can get them to understand and use email encryption so they won’t be sending me passwords in clear text.