One of the first things every organization focuses on is password complexity. I see organizations moving to 12-character passwords with one capital letter, one number and one symbol, changed every ninety days. In a previous blog post I argued this may be overkill: we are potentially doing more harm than good. I feel we need just as much focus, if not more, on the following additional topics.


Employees often feel comfortable sharing passwords with other employees or supervisors. This is a dangerous practice. First, you lose accountability: with shared accounts you cannot track who did what. In addition, once a password is shared it may spread further than expected, including to unethical employees.


Many users use the same password for all their accounts. While I feel some password reuse is acceptable, it should be limited to non-critical accounts. If your Facebook, Flickr and blog-comment passwords are the same, that is perhaps an acceptable risk. What is not acceptable is your Flickr login and password being the same as your work or online banking login and password.


Another is logging into confidential networks from public computers, such as those in Internet cafés, hotel lobbies or airport terminals. These computers may be infected or, at the very least, residing on compromised networks. End users should authenticate only from trusted systems they control.


No one should ever ask an end user for their password. If someone asks for a password, assume they are an attacker. This is a simple lesson that should be continually reinforced.


Finally, if you think about it, most password compromises come from keystroke-logging malware, not brute forcing. If you truly want to protect your passwords, then protect end-user computers from getting infected!


The Dark Web and Your Email Address

Major data breaches at banks and at sites like Facebook and Yahoo, where 3 billion accounts were compromised, mean that your personal data can travel to the dark web: the part of the World Wide Web that is only accessible by means of special software, which allows users and website operators to remain anonymous or untraceable and also to conduct criminal activity.

When a massive data breach happens at a business where you have an account, you can assume that your personal data has likely made it to the dark web. That could mean, for instance, that your user name and password at a bank or credit card institution have been compromised.

The free site “Have I Been Pwned” provides a comprehensive list of major data breaches. It lets you check whether your email address appears in a known breach and on which sites it was exposed.
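The same site also runs a Pwned Passwords service that lets a client test a password against known breach corpora without revealing it: only the first five hex characters of the password's SHA-1 hash are sent, and the server returns every matching hash suffix with its breach count. The example below is added here (it is not code from the original post or from Have I Been Pwned) and assumes the documented range endpoint; the sample response is constructed so the check runs offline.

```python
import hashlib
from typing import Optional
from urllib.request import Request, urlopen

# Real endpoint of the Pwned Passwords k-anonymity range API. The client sends
# only a 5-character hash prefix, so the password itself never leaves the host.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return how many
    times the local suffix appeared in breaches; 0 means it was not found."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call (not exercised offline): download the range for one prefix."""
    req = Request(RANGE_URL.format(prefix=prefix),
                  headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str, range_body: Optional[str] = None) -> int:
    """Breach count for a password; fetches the range unless a body is supplied."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


# Constructed sample response for prefix 5BAA6 (the prefix of "password").
# Suffixes and counts are made up for the example, not real API output.
SAMPLE_RANGE_5BAA6 = """003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
2B9F1D6E5C3A4F8B7E0D1C2A3B4E5F6A7B8:1
"""

if __name__ == "__main__":
    print("password seen", is_pwned("password", SAMPLE_RANGE_5BAA6), "times")
```

A zero count from the real service does not prove a password is strong, only that it is not in the published corpus; the check belongs next to length and reuse rules, not instead of them.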

Once criminals get your personal data, it’s immediately copied multiple times, so don’t expect to get your compromised data back and out of the criminals’ hands.

Again, the best protection for an individual is good password etiquette. This includes changing your password often and making sure you have a different password for each account, one that cannot be easily guessed and is reasonably long.