Tag Archives: Weak passwords

Treat passwords like cash

How much personal technology do you carry around when you travel?  Do you use one of those carry-on bags with your notebook computer on top of the carry-on?

A friend who is a commercial pilot had his bag swiped literally behind his back while waiting on line to check-in to a 4 star Paris hotel. The hotel security cameras show the thief moving quickly behind his back, quietly taking the bag and calmly walking off.

Is your user password 123456?

The Wharton School at UPenn recently posted an article – is your password 123456?

As the article notes – “Hack attacks have recently hit government agencies, news sites and retailers ranging from the U.S. Justice Department and Gawker to Sony and Lockheed Martin, as hackers become more sophisticated in their ability to steal customers’ identities and personal information.”

But, you don’t need sophisticated hack attacks to know that many people use simple minded passwords like 123456 and thieves use simple techniques like grab and run.

So – why don’t we all use strong passwords?

Every Web site and business application you use has a  different algorithm and password policy.  For users, who need to maintain strong passwords using 25 different policies on 25 different systems and web sites, it’s impossible to maintain a strong password policy without making some compromises.

The biggest vulnerability is using your corporate password on an online porn site.  Since adult sites are routinely subject to attack and cheesier, more marginal adult sites – (mind you we’re not talking Penthouse.com or Playboy.com perish the thought) are frequently unwitting malware distribution platforms.

Here are 5 rules for safe password management :

  1. Use technical aids to manage your passwords.  Consider using Keepass password management
  2. Match password  strength to asset value. In other words – use a complex combination of letters and numbers for online banking and a simple easy to remember password for Superball news.
  3. Don’t reuse.   Don’ use the same strong password on more than one sites.
  4. Make passwords easy to remember but hard to guess.  Adopt mnemonics – like 4Tshun KukZ that you can remember
  5. Maintain physical security of your passwords.  Treat your passwords like you treat the cash in your wallet.  If you have to write passwords down, put them on a piece of paper in your wallet and treat that piece of paper like a $100 bill,  make sure you don’t lose that wallet.


Tell your friends and colleagues about us. Thanks!
Share this

Seven software development mistakes not to make in 2009

One thing that is burnt into my personal flash memory from 7 years at Intel is working in Plan 2009 in September/October. This time of year, I start thinking about how we can survive and grow the business.

We all like to think we learn from mistakes, however, recent experiences reminded me that the software development environment of 10 years ago is radically different today. Development tools are free, hardware is almost free (think about those $100k Sun Enterprise 450 boxes and $300 Sun Ethernet NICS) and programming talent is a global resource. Its  much easier to develop software today but that is insufficient. A development team can write lots of code but there is no replacement for a development lead that manages the team; keeping things simple, hiring the best people and keeping them challenged.

7. Don’t KISS

If my experience is any indication – the software industry billions of dollars a year by not Keeping It Simple. Complex 3 tier technologies with Java J2EE are probably not warranted for the majority of Web applications. While not fashionable,PHP is far simpler to program and maintain, and provides excellent scalability at lower cost than Java – witness the millions of Yahoo pages are served by PHP each day. Lack of KISS is the main reason for high-costs, late schedules, failed projects and unsecure software that no one can maintain.

6. Mismanage software development

The classic book,The Mythical Man-Month, written 20 years ago revealed that projects based on per-unit man-months usually don’t work due to the unique nature of software development. The difference in productivity between the best programmer and an average one is 100x. This means that 5 new college grads will be less effective than 1 talented programmer who knows what she’s doing. You are always better off with a few strong programmers than a large cast of cheap developers, a) because of individual productivity differentials and b) because smaller groups are always more effective.

5. Take a wrong turn with outsourcing

Don’t outsource something just because it’s too hard to understand or because your CFO reckons he can save money by selling your IT staff to IGS or contracting offshore. A U.S client we know went to India for software development. The Indian market was booming and job loyalty was low, like Israel and Silicon Valley in the 90’s. Due to transportation and cultural issues the work day was 8 hours not the 18 that most of us still remember. The client also needed direct involvement with the offshore team that required frequent travel to India. The client got marginal savings of less than 20%, longer delivery times and cryptic documentation.

4. Promote or hire the wrong people

I could write a book about this one. A common case is the excellent technologist who is promoted (desiring the job) into a managerial spot. He doesn’t have the people skills, won’t admit failure and can’t visualize going back to his old programmer slot. Another common case is hiring an ex-military guy to run a young engineering team. Six months later after the team has disintegrated, the board realizes that you can’t hand orders to programmers like soldiers and you can’t flirt with the lady engineers and ask them to fetch the boss coffee.

3. Decide based on religious beliefs

A client decided on Open Source and Linux, going with a leading commercial distribution, PHP and a large systems integrator believing that the combination of Open Source and reliable leading vendors would guarantee success. The integrator’s skill set was primarily Windows, the distro vendor could care less about the fundamental flaws in the client’s design, and the client was weak on Linux and PHP and couldn’t audit the integrator’s work. After a 12 month overrun, the project was scrapped and $300,000 was written off. Cool technology is not a substitute for know-how and good program management.

2. Ignore internal security threats

IT managers that focus on intruders get into a sense of false security. According to the FBI, 70 percent of security incidents that cause financial loss are inside jobs, making the insider threat arguably the most critical one facing the enterprise. In many cases,weak policies and human error can create a threat to the I.T operation, for example in the case of the computer operator who saved a file called server_passwords.xls in the MyDocuments folder of his PC in the computer room. For more examples read The Story of Insider Theft

1. Permit weak passwords

Threats such as worms get top PR but dont miss a basic IT mistake: weak authentication or bad passwords. Common password vulnerabilities include weak passwords (birthdays),publicly displayed passwords on Post-its, and Intranet and server administrator passwords that the whole firm knows. We recommend using long passphrases (like “Meeting attractive women with open source“), that resist dictionary attacks and are much easier to remember than traditional strong passwords (like “Xh67RC41“)

Tell your friends and colleagues about us. Thanks!
Share this