360 Degree Cyber Security, LLC


Do you KISS? I do!


I am all for the KISS methodology.  Keeping Information Security Simple (KISS) has to become a basic tenet.  It is how we as information/cyber security professionals can help small businesses, municipalities, and non-profit organizations realize some measure of information security.



Here are some simple methods that won’t deplete your profits and apply to businesses of all sizes (1 person to 100,000 employees).

1.    Encrypt your mobile devices.  Laptops, tablets and cell phones are treasure chests full of goodies.  We store everything on them.  The days of the Rolodex and the personal organizer/binder have given way to the electronic organizer.  It used to be that if we misplaced our day planner we would feel lost and maybe even anxious, as a lot of information was stored in that book.

All that information has migrated into the digital age and is now present on all sorts of mobile devices.  Newer phones have enough processing power to encrypt the contents of the phone until the device’s owner enters a password to decrypt them.  The encryption is part of Android and Apple iOS.  It is also possible to encrypt the hard drive of your laptop in a similar manner.  If you use Microsoft Windows, spend a little extra money and purchase the Professional edition.  It includes BitLocker, Microsoft’s utility for encrypting hard drives.

If you lose the mobile device, you are not likely to lose the encrypted information to unwanted eyes.

2.    Use complex, unique passwords for every account.  I know, I know!  I hear it all the time.  I have this large number of accounts that I need to remember; how do I do it?  There are a number of articles out there for crafting complex passwords that are easily memorized.  However, I offer that you only need to remember one or two.  Use technology to help you create and remember the rest.

Use password managers such as Sticky Password, LastPass, KeePass, etc.  Each offers certain capabilities that should fit with your business model.  Check out http://lifehacker.com/5529133/five-best-password-managers for a review of some popular ones.

For the one or two passwords you need to remember, create passwords that really have nothing to do with you.  One of the first things an attacker will do is profile their target.  Anything on the Internet about you can be used against you to build a list of words.  So when you choose a password, don’t use your favorite team, vacation place, family member names, etc.  For example, choose three or four unique nouns that are somewhat related, but not directly.  Maybe you have three foods you don’t like: lasagna, buffalo wings, and prunes.  These three items make an excellent password, as it is something you are not likely to write to the world about.  So let’s make a password out of it….


or plainly buffalo prune lasagna. (sounds nasty!) But it is a set of words that, in plain text, don’t make sense together, and if you apply some character substitution to them it becomes a long (in this case 19 character) complex password.  Come up with a consistent method of changing the letters.  In this example I:

  • when there are two of the same letter next to each other, I only put one and follow it with a 2.  So Mississippi would be mis2is2ip2i
  • I chose that the second letter of the second word must be capitalized, making prune into pRune
  • Finally, in the final word I use character replacement.  I replaced the a with an @, I replaced the s with a $ and I used ‘u’ for the letter ‘n’

Choose a similar way to develop your own password and apply your own password style and use that password to control access to your password manager.  Then let the password manager create complex random passwords for everything else.
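The three letter-changing rules above, applied to the post’s own phrase buffalo prune lasagna, as an added Python example (not code from the original post). The function names are mine, and it assumes what the post’s wording implies: rule 1 lowercases the word and applies to every word (as in the Mississippi illustration), rule 2 applies to the second word only, and rule 3 to the last word only.

```python
# Added example: the post's three substitution rules applied to "buffalo prune lasagna".
# Assumptions (not stated outright in the post): rule 1 lowercases and applies to
# every word, rule 2 applies to the second word only, rule 3 to the last word only.
import string

# Rule 3's replacements exactly as the post lists them: a -> @, s -> $, n -> u.
RULE3_SUBSTITUTIONS = str.maketrans({"a": "@", "s": "$", "n": "u"})


def collapse_doubles(word):
    """Rule 1: two identical adjacent letters become one letter followed by '2'.
    'Mississippi' -> 'mis2is2ip2i' (the post's own illustration)."""
    w = word.lower()
    out = []
    i = 0
    while i < len(w):
        if i + 1 < len(w) and w[i] == w[i + 1]:
            out.append(w[i] + "2")
            i += 2          # the pair is consumed as one unit
        else:
            out.append(w[i])
            i += 1
    return "".join(out)


def capitalize_second_letter(word):
    """Rule 2: capitalise the second letter. 'prune' -> 'pRune'."""
    if len(word) < 2:
        return word
    return word[0] + word[1].upper() + word[2:]


def substitute_characters(word):
    """Rule 3: a -> @, s -> $, n -> u. 'lasagna' -> 'l@$@gu@'."""
    return word.translate(RULE3_SUBSTITUTIONS)


def build_password(words):
    """Rule 1 on every word, rule 2 on the second, rule 3 on the last; join without spaces."""
    if len(words) < 2:
        raise ValueError("the scheme needs at least two words")
    parts = [collapse_doubles(w) for w in words]
    parts[1] = capitalize_second_letter(parts[1])
    parts[-1] = substitute_characters(parts[-1])
    return "".join(parts)


def character_classes(password):
    """Which of the four character classes (lower, upper, digit, special) the result uses."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("special")
    return classes


if __name__ == "__main__":
    pw = build_password(["buffalo", "prune", "lasagna"])
    print(pw, len(pw), sorted(character_classes(pw)))
    # -> buf2alopRunel@$@gu@ 19 ['digit', 'lower', 'special', 'upper']
```

The length check comes out at 19 characters with all four character classes present, matching the post. Because the rules are fixed, the result is only as unpredictable as the words chosen, which is why the post’s advice to use this for the one or two passwords you must remember, and let the password manager generate the rest, is the part that matters.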

These are just two quick examples of KISS that improve information security and don’t require a lot of cash.  I will write more examples in later posts.

Guest Blog – Are you really going to use that?

by Peter Lipa, Regional Director for the Americas for Sticky Password

Talking with small business owners, all too often I find that they have an authoritarian mentality in regards to their customers, as in: “the more customer data I have, the greater control I have over them!” This is particularly true of online businesses, where customers (and their money) are hidden behind the virtual invisibility of the Internet. (I intentionally do not use the word anonymous, because the Internet is anything but anonymous!) The thinking being that more data/information will hopefully translate to more opportunities to monetize all those contacts.

The desire to create ties that bind is understandable, but is it even effective in today’s online world of permission marketing (i.e. where customers and potential clients sign up to receive specific email notifications from businesses they like, in the hopes of minimizing unsolicited spam from brands and organizations they don’t care about)?
I don’t know about you, but I don’t consider my home address, or even my date of birth, as an appropriate cost to receive an email telling me a new blog is up. Why isn’t an email address – entered twice, to make sure it’s correct – enough to ensure that I’ll get the latest news and offers from Acme Widget Company?
Given all the options available online to customers today, why do some businesses still think it is acceptable to require potential customers to create password-protected accounts just to read a blog? While undoubtedly interesting, is the information being shared in the blog so sensitive or valuable that I have to create another password-protected account to read it? That’s not a hypothetical question. If it’s the information in your blog that you’re charging for – i.e. that’s your product – then by all means go ahead and tie it to private accounts. But, if your blog is basically a marketing tool, then don’t do it.
But beyond the annoyance factor – which is no small thing – the issue of security is much greater.
The frequent news of cyber attacks on huge corporations is a strong reminder to all businesses that they are responsible for all customer data that they ask for. Businesses sometimes downplay the threat to their small business and neglect important aspects of Internet security because they think their business is under the radar of hackers. In reality, there is no under the radar for bad guys.
Let’s take a look at 5 best practices for taking care of customer data:
1. Have a privacy policy. In addition to informing your customers that they can trust you with their data, the process of creating a privacy policy will help you decide what customer data you really need.  
Even though customers may be willing to give you their personal details, ask yourself if you really need specific data before you start collecting it. Don’t ask for information unless you have actual plans to use it. If an email address will do, then don’t ask for a home address or telephone number.
2. Limit access to the data. Make sure that only colleagues and employees that have a ‘need to know’ are able to access your customers’ data. No exceptions.
3. Don’t ask visitors to create password-protected accounts unless it’s really necessary!
Customers who don’t think there’s a valid security reason for having a password for a site tend to use silly authorization credentials or to re-use passwords from other sites.
With so many password accounts, it’s easy for people to get lazy about using strong unique passwords. Not only does that put the customer’s accounts at risk, it also becomes a weak point in your security.

If you really do need passwords to restrict access to your website, then make sure you require customers to follow best practices in creating their passwords.

Implement an automated password system that:

  • disallows obvious notorious weak passwords like 123456, qwerty, Princess and other dictionary words
  • requires a minimum of 8 or more characters
  • requires that each password include a mix of letters, numbers and special characters
  • never sends passwords to your customers in plain text in an email
  • supports a limit on the number of failed attempts to access an account
  • notifies you of unusual activity
  • supports automated password resetting

Even if you are the owner of the business, you should never know or ask for a customer’s password!
Let your customers know that you take passwords – and the security of their data – seriously.
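The requirements in that list, turned into the server-side checks a site would run when a customer picks a password and logs in, as an added Python example (not code from the post or from Sticky Password). The blocklist is a constructed sample rather than a real dictionary, the failed-attempt limit of 5 is a constructed value (the post only asks for a limit), and storing a salted PBKDF2-HMAC-SHA256 hash instead of the password is my assumption, since the post names no scheme.

```python
# Added example: policy checks for the post's list. Constructed blocklist and
# constants; the hashing scheme is an assumption, the post names none.
import hashlib
import hmac
import os
import string

# Constructed sample. A real deployment loads a large list of known-weak and
# breached passwords plus a dictionary from a file. Matching is case-insensitive,
# so the post's "Princess" is caught by the entry "princess".
WEAK_PASSWORDS = {"123456", "qwerty", "princess", "password", "letmein"}
MIN_LENGTH = 8                # the post's "minimum of 8 or more characters"
MAX_FAILED_ATTEMPTS = 5       # constructed limit; the post asks only for *a* limit
PBKDF2_ITERATIONS = 100_000   # assumption; tune upward for production hardware


def password_problems(candidate):
    """Return the policy rules the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in WEAK_PASSWORDS:
        problems.append("on the weak-password blocklist")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in string.punctuation for c in candidate)
    if not (has_letter and has_digit and has_special):
        problems.append("must mix letters, numbers and special characters")
    return problems


def _hash(password, salt):
    """Salted, deliberately slow hash: this is all the server keeps, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    """Holds a salted hash, a failed-attempt counter, a lockout flag and owner notifications."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.hash = _hash(password, self.salt)
        self.failed_attempts = 0
        self.locked = False
        self.notifications = []   # the "unusual activity" messages the owner would receive

    def verify(self, attempt):
        """True only for the right password on an unlocked account."""
        if self.locked:
            return False
        if hmac.compare_digest(self.hash, _hash(attempt, self.salt)):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            self.notifications.append(
                "account locked after %d failed attempts" % self.failed_attempts)
        return False

    def reset_password(self, new_password):
        """Automated reset: re-check the policy, re-salt, re-hash and clear the lockout."""
        problems = password_problems(new_password)
        if problems:
            return problems
        self.salt = os.urandom(16)
        self.hash = _hash(new_password, self.salt)
        self.failed_attempts = 0
        self.locked = False
        return []


def create_account(password):
    """Return (account, []) when the policy accepts the password, else (None, problems)."""
    problems = password_problems(password)
    if problems:
        return None, problems
    return Account(password), []


if __name__ == "__main__":
    for candidate in ("123456", "Princess", "short1!", "abcdefghij", "Quartz-Lamp-42!"):
        print("%-16s %s" % (candidate, password_problems(candidate) or "accepted"))
```

The reset path is the only way out of a lockout, and it re-runs the same policy, so a customer cannot escape the rules by resetting; the stored value is a hash, so nobody at the business, including the owner, can read or email the password back.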
4. Be responsive and make it easy for your customers to get in touch with you when they have a security question.
5. Don’t go it alone. Unless you’re in the business of online security, you shouldn’t try to wing it when it comes to the security of your customers’ personal data. This isn’t an area where you should try to save a few dollars by hiring your neighbor’s son or daughter who’s a wiz with computers. The potential risk isn’t worth it. Make sure you engage a responsible service that will be able to help you if something goes wrong.
About the author:
Peter Lipa is Regional Director for the Americas for Sticky Password, a password manager (https://www.stickypassword.com/). Find out more about passwords, privacy and security on the Sticky Password blog.