Agency Technology: Security starts with good password procedures
By Ted Baker
Updated on July 31, 2007
While most agency employees welcome the benefits of modern technology, the passwords needed to gain access to it are reflexively viewed as a nuisance, the workplace equivalent of tossing a quarter into a toll booth. We’re accustomed to convenience, and it’s easy to forget the damage a security breach can wreak on an agency and its customers.
It’s essential that your staff understand that the most common reason for successful computer attacks is poorly chosen passwords. A single bad password can allow a “cracker” (the new slang for hackers who specialize in breaching network security) to not only compromise the performance of your network but also put your clients’ private data at risk.
What makes a password poor?
Your procedures for handling your house keys illustrate the importance of passwords. Would you scatter house keys around your neighborhood–along with directions to where you live? Needless to say, you would never consider such a thing. But having a poorly chosen password is much like losing control over your house keys.
Just like keys, passwords have two functions: making access as easy as possible for you and as difficult as possible for anyone else. The more predictable the password, the greater the chance that a cracker will gain unauthorized access to your network. The more difficult the password is to remember, the greater the chance that an employee will write it down and leave it “under the mat,” where a cracker can readily find it.
Here are some “don’ts” when deciding on a password:
Don’t share a password with someone else. Passwords should belong to one user, and one user only. Never tell anyone your password. No exceptions! The same rule applies if your agency is large enough to have a system administrator or IT person. These personnel have access to the server and can perform all their duties with their own logins.
Don’t use a dictionary word. If it’s possible to find the word you choose as a password anywhere on the Internet–such as in a dictionary–it’s possible to get into your system. Crackers are very skillful at creating programs that sniff out poor passwords. These programs search for dictionary words in any language, so you’re not safe by using Korean or Chinese or even some entirely obscure language.
Don’t use your computer system’s user name or the user name of anyone on the system. Also, users often try to simplify passwords by using the same one for all applications, such as for your agency management system and company sites. While it’s important to choose easy-to-remember passwords, using the same one means that once a cracker has found his way in, he’s in for everything.
Don’t use a password based on anything that can be found out about you. Even skillful users of technology can lose sight of how much information is readily available on the Internet. Avoid using passwords based on people, places and things in your personal life, such as your home address, birthday, kids’ names and birthdays, license plate number, Social Security number, phone number, the first line of your favorite song, your favorite quotation, etc. You may think that your personal information is private, but always remember that you give information to most of the Web sites you visit.
Don’t use common passwords. You may think you’ve hit upon an original technique for choosing a password, but first see if it’s included in this list below. There are many ideas that are surprisingly common:
o Movie or song titles.
o Passwords composed of all digits or all letters.
o The host name of your computer.
o Clever-seeming “magic words” from computer games (e.g., xyzzy).
o Simple keyboard patterns like qwerty.
o Any of the above spelled backwards.
o A password you’ve used before.
Other commonly used passwords include God, love, sex, money, abc, baseball, football, iloveyou, myspace, monkey, princess, soccer, superman and 123456. If it’s a password that you can easily think of, so can a cracker.
Choosing a good password
When choosing a new password, remember that it’s the only thing standing between your clients’ personal data and a cracker using, selling or destroying it. Not only do you have a moral obligation to your client, but your agency also has a legal one. The failure to protect non-public information about your clients is a violation of privacy laws. (See my column in last month’s issue.)
To demonstrate your agency’s commitment to protecting staff and clients, create password-selection standards for all employees to follow. Here’s a simple two-step process for creating safe passwords:
1. Create a sentence that can be easily remembered. For example:
o I have two kids: Jack and Jill.
o I like to eat Dave & Andy’s ice cream.
o No, the capital of Wisconsin isn’t Cheeseopolis!
2. Then make a password from the first letter of each word in the sentence, and include the punctuation marks as well. You can throw in extra punctuation or turn words expressing numbers into digits for variety. The above sentences would become:
o Ih2k:JaJ
o IlteD&A’ic
o N,tcoWi’C!
Also, consider the number and type of characters when choosing a password. Here are some additional guidelines:
o The password must be at least seven or eight characters. Longer is better.
o Use both uppercase and lowercase letters.
o Use digits and/or punctuation signs in addition to numbers and letters: i.e.,
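The two-step sentence method and the "don'ts" above, as an added Python example that is not part of the original article: `sentence_to_password` reproduces the article's three derivations (dropping periods, as those examples do), and `check_password` reports which of the listed rules a candidate breaks. The function names, the eight-character minimum and the abbreviated common-password set are assumptions made for illustration.

```python
# Common passwords and patterns named in the article (abbreviated, lower-cased).
COMMON = {"god", "love", "sex", "money", "abc", "baseball", "football",
          "iloveyou", "myspace", "monkey", "princess", "soccer", "superman",
          "123456", "qwerty", "xyzzy"}
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10"}
MIN_LENGTH = 8  # assumption: the stricter end of the article's "seven or eight"


def sentence_to_password(sentence):
    """First letter of each word plus its punctuation; number words become digits."""
    parts = []
    for word in sentence.split():
        core = "".join(c for c in word if c.isalpha()).lower()
        head = NUMBER_WORDS.get(core, word[0])
        # Keep punctuation attached to the word, except periods, which the
        # article's own examples drop ("Jill." -> "J", "cream." -> "c").
        tail = "".join(c for c in word[1:] if not c.isalnum() and c != ".")
        parts.append(head + tail)
    return "".join(parts)


def check_password(password, username=""):
    """Return the article rules the password breaks (empty list = none broken)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.isdigit() or password.isalpha():
        problems.append("all digits or all letters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("needs upper and lower case")
    if not any(not c.isalpha() for c in password):
        problems.append("needs a digit or punctuation")
    if lowered in COMMON or lowered[::-1] in COMMON:
        problems.append("common password (or one spelled backwards)")
    if username and lowered in (username.lower(), username.lower()[::-1]):
        problems.append("same as user name")
    return problems


if __name__ == "__main__":
    # Constructed inputs: one article sentence and two weak candidates.
    derived = sentence_to_password("I have two kids: Jack and Jill.")
    print(derived, check_password(derived))
    for weak in ("ytrewq", "123456"):
        print(weak, check_password(weak))
```

The three derived strings are printed in this article, so by its own rule about anything findable on the Internet they are test vectors only, not passwords to adopt.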