Friday, November 30, 2007

Change your passwords for Computer Security Day [Data Security]

Most people keep the same password for too long and use it for too many purposes. So if you do one thing to mark Computer Security Day, change your passwords. If you do two things, change your passwords and vacuum your computer.

These are among the tips from the US organisers of the global event, including Security Awareness Inc. and the Information Systems Audit and Control Association. Now in its ninth year, Computer Security Day exists to remind people to protect their computers and information.

The day is on 30th November each year and the organisers list 53 ways that offices can participate.

Suggestions include:

  • Check for viruses
  • Protect against static electricity
  • Vacuum your computer and the immediate area
  • Back-up your data
  • Post 'No drinking' and 'No smoking' signs in computer areas
  • Hold a discussion of ethics with computer users

Passwords-schmasswords

Almost two-thirds of people never change their passwords, according to a survey of 1,800 adults reported by the Department of Trade and Industry in June. One in five people said they use the same password for non-banking websites as well as their online bank. And over one-third recorded their password or security information by either writing it down or storing it somewhere on their computer.

Such behaviour is asking for trouble, according to US security guru Bruce Schneier.

"People should change their online access passwords regularly," said Schneier. "The risk is that a password has been compromised, and changing your password regains security."

Microsoft suggests that a password that is shorter than eight characters should be considered "only good for a week or so," while a password that is 14 characters or longer (provided it follows Microsoft's rules and tips for passwords) can be good for several years. Others suggest that you can safely keep a password for 60–90 days as a general rule of thumb.

The HMRC incident has prompted many individuals to take protective steps. HMRC wrote to the families potentially affected by the data loss. Its letter addressed online banking risks and stated: "If your password uses any of your personal data, for example your child's name or date of birth, you may also wish to consider changing any passwords you use."

According to APACS, the UK payments association, 10% of Child Benefit recipients have since changed their online banking passwords. Six percent changed their PINs.

How to choose a new password

Andrew Moloney, a director at security firm RSA who specialises in the financial services market, offers the following tips:

  • "If your password is linked to personal data – e.g. a date of birth or child’s name – it should be changed.
  • The longer a password, the more difficult it is to crack. Thus, make yours of a decent length, say 10 to 16 characters if possible.
  • Replace words for numbers e.g. For = 4, to/too = 2, add punctuation like exclamation marks and change capitalisation
  • Consider using a phrase that includes both numbers and words and use the first letters/numbers from that. An example would be “On the 12 days of Christmas my true love gave to me = Ot12docmtlgtm”. This has a great combination of being hard to guess but easy to remember. That's the ideal scenario."
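The tips above, together with HMRC's advice about passwords built from personal data, can be turned into a quick self-check. This is an added example, not from the original article or from RSA: the function names, the letter-swap table and the sample name and date of birth are all constructed for illustration, and the substring matching is a simple heuristic.

```python
import re
from datetime import date

# Undo common letter-for-symbol swaps before looking for names (assumed table).
LEET = str.maketrans("4@3105$7!", "aaeiossti")

def acronym(phrase):
    """First letter of each word, numbers kept whole, first character capitalised."""
    words = re.findall(r"[A-Za-z]+|\d+", phrase)
    joined = "".join(w if w.isdigit() else w[0].lower() for w in words)
    return joined[:1].upper() + joined[1:]

def date_forms(d):
    """Digit strings people commonly derive from a date of birth."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {yyyy, dd + mm + yy, dd + mm + yyyy,
            mm + dd + yy, mm + dd + yyyy, yyyy + mm + dd}

def review(password, names=(), birth_dates=()):
    """Return the reasons a password should be changed (empty list = none found)."""
    findings = []
    if len(password) < 10:  # lower bound of the 10 to 16 character tip
        findings.append("shorter than 10 characters")
    folded = password.lower().translate(LEET)   # "3mily" -> "emily"
    digits = re.sub(r"\D", "", password)        # "12/03/2001" -> "12032001"
    for name in names:
        if len(name) >= 3 and name.lower() in folded:
            findings.append(f"contains the name {name!r}")
    for d in birth_dates:
        if any(form in digits for form in date_forms(d)):
            findings.append(f"contains the date {d.isoformat()}")
    return findings

if __name__ == "__main__":
    # Constructed personal data: a child's name and date of birth.
    child, dob = "Emily", date(2001, 3, 12)
    phrase = "On the 12 days of Christmas my true love gave to me"
    for candidate in (acronym(phrase), "3mily2001!", "emily120301", "Tr33house"):
        print(candidate, review(candidate, [child], [dob]) or "ok")
```

Letter-for-number swaps on a child's name do not hide it from this check, which is why the first tip takes priority over the third.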
