Batting Cleanup...before March Madness

My last Blog post was at the end of January. Now, in late February - as the baseball teams get into the swing of Spring Training (see what I did there?) - and after Shawn, Chris, and Richard posted excellent Blog articles in February, I’m in the #4 spot. I’m “batting cleanup.” Don’t worry, I think the Astros are in good shape with a talented set of choices; it’s merely a sports analogy from a geek. We’re not going to compete in Minute Maid Park, but we will be there to cheer on the team when they start home games in April.

But I digress…back to late February and my thoughts for this riveting post.

Hmmm…so many passwords, so many post-its!

Adding a key point to Shawn’s insightful post about Passwords, and combining with Chris’ thoughts about small business security, PLEASE STORE YOUR PASSWORDS IN A SAFE PLACE!

In January we blew through the 1-year anniversary of Hawaii’s bizarre “2018 end of the world” panic, prompted at the time by an emergency management signal that warned (falsely, it turned out) of inbound ballistic missiles from North Korea. In Houston it went largely unnoticed for several reasons, primary of which is that it didn’t happen here. However, in preparing discussion topics for an upcoming talk, I dug into the details to refresh my memory. My research (searching “hacked credentials: password in photo led to Hawaii emergency alert, north korean missile inbound”) centered around a key point: a password critical to the process had been compromised.

My time in government service, predominantly in the Army but in a wide variety of joint-service and civilian-heavy organizations, spanned a 30-year career that began in 1984. Over that period I saw more than a few changes in IT and our use of computers, electronics, gadgets, and other tech toys. I also worked in restricted access areas requiring secret and top-secret clearances, most obviously denoted by wearing a “Blue Badge.” This backdrop prompts me to note several disturbing aspects of the Hawaii incident:

1) A password was written on a post-it note and stuck to the monitor of the alleged source of the incident.

2) The post-it note with password was photographed in July 2017 and published on social media.

3) The photo was published by a proud government civilian, who wanted to share his great work environment with friends and family.

Sadly, the 3rd item should never have happened. TOTALLY INAPPROPRIATE, and obviously the #2 and #1 items ALSO would not have happened had #3 never occurred. So it begs some questions: Why was the photo taken? How did a restricted space with a “blue badge” employee even allow the photo to be taken? If the photo was sanctioned, why was the area not “sanitized,” i.e., why did he show his access badge and post-it note, along with a host of other items and physical cues to what goes on in the command center? It is THE STATE of HAWAII’s EMERGENCY MANAGEMENT Command and Control Center! Can you imagine walking into the Pentagon, the White House Situation room, or Jack Bauer’s CTU crisis center and just taking a happy-snap for your Instagram post? I cannot.

Circling back to both Shawn’s and Chris’ posts, here is my point: just like not leaving keys in the ignition to your car with the windows down and doors unlocked, it REALLY is NOT SMART to write your password and store it in an obvious place near your computer. At Envision, we have fantastic tools to help individuals, small businesses, non-profit organizations, government entities, and even large corporations manage their information. You can trust me - in my life I have served at various levels of each of these types of organizations.

Pointing out Richard’s #3 Blog post of February, we have developed great loyalty and trust with our existing clients. Our amazing clients have helped build Envision Design into Houston’s oldest member of the Apple Consultants Network. We specialize in securing and monitoring their computer systems 24x7. And we are doing it in diverse situations, including the very restrictive, high-penalty world of HIPAA compliance and regulation. I’d like to highlight a key point of Richard’s “How to become an "En-Visionary"...” rewards program: because our clients TRUST us with the life-blood of their businesses, and because we have to earn their LOYALTY and retain it monthly, we understand that every customer matters. Chris pointed it out with his question of “So why should small businesses partner with a MSP?” EVERY business should have protection in place. We all owe it to our own patients, clients, customers, and business/practice/firm team members. The price of failure could be…well, failure.

In looking ahead to March, the elite teams will emerge in the NCAA basketball tournament. Another sports reference from Tom: March Madness is on the way! Love it or hate it — or even for those just indifferent to it — March Madness frenzy is measurable, and HUGE. Reflecting on our Blog posts, we’d love to see a frenzy of referrals in March, fueled by true passion to help each other secure, safeguard, and monitor sensitive information. As much as it’s about “NCAA tournament brackets,” I’d love to see March Madness become a business referral principle, as well. Send me your thoughts!

Password Length Trumps Complexity

I came across this XKCD comic the other day.  It's an old one, but a good one that teaches an important lesson.  Most people are under the impression that when creating a password a complex word with a bunch of random characters is super secure.

Unfortunately, the truth is that 4 random words, like those in the comic above, are WAY more secure and would take longer to crack than a short complex one. I think the best thing to remember is to try to create a passphrase vs a password. Just a friendly reminder!

How I became a password cracker

At the beginning of a sunny Monday morning earlier this month, I had never cracked a password. By the end of the day, I had cracked 8,000. Even though I knew password cracking was easy, I didn’t know it was ridiculously easy—well, ridiculously easy once I overcame the urge to bash my laptop with a sledgehammer and finally figured out what I was doing.
— http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

This is an excerpt from an interesting article I stumbled across on arstechnica.com the other day. It will really open your eyes about how easy it is to crack passwords. The full story is at the link above.

A good password strategy.

Here are a couple of suggestions for creating a more secure password. There are two crucial steps for creating a more secure online identity. 1. You need to have well-crafted passwords, and 2. You must use different passwords for absolutely every login.
1:
What constitutes a good and secure password? To answer this question you need to take a step back and think about what a password is used for. A password is supposed to prove that you are the person that you say you are. It is a type of key that only you are supposed to have. The problem is that everyone has the same set of building blocks that you used when you created your password. Because of this, anyone with enough knowledge, time and hardware can try to break your passwords. Because hardware is getting faster, so is their ability to break passwords.
It is now recommended that a secure password be at least 10 characters long. My personal preference is to have at least 16 characters, and many times I have passwords of over 20 characters.
The current thinking is to create strings of 4 or 5 random words. It is better if the words do not make sense, so "hexphonepigcurry" might be a good choice for a password. I then like to sprinkle in a random number, special character or capital letter to make things even more difficult, so "H3xphonepigcurry?" would be even better.
2:
The second step to a more secure password is to have a separate password for EVERYTHING. I never use the same password twice, but I also find it entertaining to build new passwords. For those of you who don't enjoy such things, I strongly suggest getting something like 1Password, or some other password vault, and using that to both create secure passwords and store all of your passwords.
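To put numbers on the "4 or 5 random words" advice here and in the passphrase post above, the following added example (not code from the original posts) builds a passphrase with Python's `secrets` module, sprinkles in a capital, digit and symbol, and estimates guessing effort. The 16-word list, the symbol set, the 7776-word list size and the guessing rate are assumptions chosen for illustration, and every figure assumes uniformly random choices, which a password invented by a person does not reach.

```python
import math
import secrets

# Constructed 16-word sample so the block runs offline. A real generator
# would load a large published list (a Diceware-style list has 7776 words).
SAMPLE_WORDS = ["hex", "phone", "pig", "curry", "lamp", "river", "tuba", "moss",
                "anvil", "cactus", "ferry", "gravel", "jelly", "kiosk", "noodle", "quartz"]
SYMBOLS = "!?#$%&*+-="  # assumed symbol set

def passphrase_bits(n_words, list_size):
    """Bits of entropy when every word is drawn uniformly at random."""
    return n_words * math.log2(list_size)

def random_chars_bits(length, alphabet_size=94):
    """Bits for a password of uniformly random printable-ASCII characters."""
    return length * math.log2(alphabet_size)

def sprinkle_bits(n_words):
    """Upper bound on bits added by sprinkle(): which word is capitalised,
    plus which digit and symbol are used and which word each follows."""
    return math.log2(n_words) + math.log2(10 * n_words) + math.log2(len(SYMBOLS) * n_words)

def make_passphrase(n_words=4, words=SAMPLE_WORDS):
    """Pick words with the OS CSPRNG (secrets), never the random module."""
    return [secrets.choice(words) for _ in range(n_words)]

def sprinkle(chosen):
    """Capitalise one random word, then append a digit and a symbol to random words."""
    out = list(chosen)
    i = secrets.randbelow(len(out))
    out[i] = out[i].capitalize()
    out[secrets.randbelow(len(out))] += secrets.choice("0123456789")
    out[secrets.randbelow(len(out))] += secrets.choice(SYMBOLS)
    return "".join(out)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    print("example:", sprinkle(make_passphrase()))
    rate = 1e10  # assumed offline guessing rate, guesses per second
    for label, bits in [("8 random chars", random_chars_bits(8)),
                        ("4 words / 7776", passphrase_bits(4, 7776)),
                        ("5 words / 7776", passphrase_bits(5, 7776)),
                        ("5 words + sprinkle", passphrase_bits(5, 7776) + sprinkle_bits(5))]:
        print(f"{label:20s} {bits:5.1f} bits  {years_to_exhaust(bits, rate):.3g} years")
```

The strength comes from the size of the word list and the number of words, so the 16-word sample list is only good for trying the code out, not for real passwords.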