When I heard about a study on password worst practices at social network app maker RockYou (which was hacked late last year), my initial thought was a very mature “I must be smarter than their users — because who wouldn’t follow password best practices?” Who chooses passwords like 123456 or password in today’s hack-happy, data-privacy-and-protection-focused tech world? I remember Sarah Palin’s Yahoo account getting hacked soon after she was named John McCain’s vice presidential running mate back in 2008, and experts surmised that it was because she used easily obtained personal data in setting her passwords.
But we all learned from her errors, right? Savvy corporate IT users and their CIOs don’t need to worry about such password faux pas, right? Wrong. Wait, what?
Because users tend to use the same passwords on most of all of their work and personal accounts, a hacker’s ability to infiltrate one can quickly lead to unlocking the rest. In a 2009 Twitter document hack, “once the hacker broke into a single employee’s Gmail account, he was running free and eventually got access to a lot of sensitive corporate information.”
Gulp. Maybe I need to stop patting myself on the back. Just because my passwords are more difficult to guess than iloveyou (another top choice), it doesn’t mean I’m not putting my own information — or, worse, my company’s – at serious risk of an IT security breach by selecting similar passwords for various corporate sign-ons.
We research and write a lot about the technical side of data privacy and protection — but what about the human side? It surprises me that there still may be many company employee manuals that don’t include a section on data privacy that stipulates password best practices and emphasizes that duplicate passwords are a no-go. Could it be that employees are just ignoring the rules or making information too easily accessible to potential breaches? My colleague Kristen Caretta once blogged, quite correctly, that dressing up as a Post-It note with a secure password could qualify as a scary geek Halloween costume, since one-third of most passwords are still being tracked that way.
Does your company maintain rules regarding data privacy and protection with regard to passwords? Do you have a good way of enforcing these rules? And what’s your favorite password? (Kidding, kidding)