In Brief

Are your users' passwords a joke?

By Meg Mitchell Moore

January 09, 2003 — CSO — People use the "password on a sticky note" as an example of weak security practices so often that the image has become almost a parody of itself. But experts say such blatant disregard for company security is not unusual. Written passwords stored next to a computer is one of the most common ways outsiders gain access to a company's information, according to Razorpoint Security Technologies President Gary Morse. In addition, users are often quick to share IDs and passwords to allow others access into their files. "It's a poor practice, and it happens in almost every business unit I've ever seen," says Stacy Bresler, senior information security principal at Pacificorp, a subsidiary of ScottishPower. Thomas Luce, an independent security consultant, recalls a security audit he performed for a doctor's office in which the whole office shared a simple user name and password that a third-grader could have guessed.

According to Morse, any word that appears in a dictionary is easy fodder for a hacker with the right computer program; programs can run through colossal lists of words in mere seconds. To guard against such attacks, he suggests that CSOs share these tips with users:

1. Take a common word and substitute one letter with a number or symbol. Or alternate consonants with vowels to create a wordlike cacamathat isn't in the dictionary.

2. Create a password you will remember without writing it down.

3. If you have to share your password for any reason, change it immediately.

4. Understand the particularities of the system your company usessome programs are case-sensitive, but others are not. For those that are, consider alternating uppercase and lowercase letters.

5. Never use personal information that can be guessed easily: your or your spouse's name, your children's names, your birthday.

6. Never use the word password. (Don't laugh. People do it all the time.)