<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Blog &#187; data security</title>
	<atom:link href="http://blog.securstar.com/tag/data-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.securstar.com</link>
	<description>SecurStar - Security at its highest level</description>
	<lastBuildDate>Mon, 19 Oct 2009 10:51:18 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How strong is your password?</title>
		<link>http://blog.securstar.com/2009/08/28/how-strong-is-your-password/</link>
		<comments>http://blog.securstar.com/2009/08/28/how-strong-is-your-password/#comments</comments>
		<pubDate>Fri, 28 Aug 2009 14:39:25 +0000</pubDate>
		<dc:creator>Michel Curti Rozatti</dc:creator>
				<category><![CDATA[Security Tips]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Password Strength]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=45</guid>
		<description><![CDATA[In a world where you have accounts for everything, it gets difficult to create good and easy to remember passwords. Get some tips here on how to do it.]]></description>
			<content:encoded><![CDATA[<p>People usually don&#8217;t give much importance to password strength. We must remember that a security architecture is only as strong as its weakest link. So it doesn&#8217;t matter if you have a strong cryptographic algorithm applied to your data if the password protecting your key is weak and can be quickly broken by guessing, or by a <a title="brute force attack" href="http://en.wikipedia.org/wiki/Brute_force_attack" target="_blank">brute force</a> or <a title="dictionary attack" href="http://en.wikipedia.org/wiki/Dictionary_attack" target="_blank">dictionary</a> attack.</p>
<p>A strong password consists of at least 8 characters, in the most random sequence possible of letters (uppercase and lowercase), numbers and special characters. So we can say that 3k!0H9w# is a strong password. The problem is, in a world where we have passwords for almost everything, how can we remember this kind of character sequence?</p>
<p>There are some techniques that might help you obtain a strong password and still make it easy to remember. A common one is to switch letters with visually similar numbers or symbols, something like &#8220;P0c4h0nt4$&#8221; (Pocahontas). To make it better, try not to use single words, but short phrases like &#8220;!l1k3P0c4h0nt4$&#8221; (IlikePocahontas).</p>
<p>If you still think that this is hard, try at least repeating characters in a word, to avoid a basic dictionary attack. For example, &#8220;anacondda&#8221;.</p>
<p>People tend to use common words for passwords. You can find a lot of <a href="http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time">lists on the internet</a>. Check them, and if your password is there, I recommend you change it immediately.</p>
<p>A free and very good tool called <a href="http://keepass.info/">KeePass</a> can help you safely store all your passwords. The app database is encrypted, and you will only need to remember a master password (keep this one strong) to access all the other ones.</p>
<p>Be safe!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/08/28/how-strong-is-your-password/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Practical Data Loss Prevention</title>
		<link>http://blog.securstar.com/2009/08/21/practical-data-loss-prevention/</link>
		<comments>http://blog.securstar.com/2009/08/21/practical-data-loss-prevention/#comments</comments>
		<pubDate>Fri, 21 Aug 2009 12:20:02 +0000</pubDate>
		<dc:creator>Michael Mckinzie</dc:creator>
				<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[credit card fraud]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[hacking data]]></category>
		<category><![CDATA[laptop security]]></category>
		<category><![CDATA[notebook security]]></category>
		<category><![CDATA[secure data]]></category>
		<category><![CDATA[stolen data]]></category>

		<guid isPermaLink="false">http://blog.securstar.com/?p=53</guid>
		<description><![CDATA[Introduction and practical approach to Data Loss Prevention for Enterprises, small and medium sized business. Forum to discuss DLP and data loss prevention programs.]]></description>
			<content:encoded><![CDATA[<p>(Week 1 of 4)<br />
By Michael McKinzie, CISSP</p>
<p>Data Loss Prevention, or DLP, is an interesting and popular topic, especially since the largest single incident of data theft recently occurred. Heartland Payment Systems discovered numerous systems were compromised and an estimated 130M consumer credit card numbers were at risk, surpassing TJX Companies&#8217; reported compromise in 2007 of 94M consumer records.</p>
<p>The implications of these incidents can be difficult to measure, but if you just consider the amount of resources needed to investigate, notify consumers and remediate an incident, the costs rise quickly. In addition, if we try to account for any fraudulent activity that may have occurred, or the time consumers must spend to monitor credit activity and/or dispute fraudulent activity, this adds to the cost considerably. Will Heartland or TJX Companies disappear, fail or go bankrupt as a result of these security breaches? Well, not likely, but is there a negative impact? If we look for a correlation between stock price and the reported incidents, it is inconclusive; TJX appears to follow the trend of the S&amp;P 500, while Heartland does a nose dive. One thing is certain: the costs to investigate and remediate the data loss are significant, having a negative impact on the bottom line in both cases.</p>
<table border="0" style="border:0px;">
<tbody>
<tr>
<td style="border:0px;"><img class="size-medium wp-image-63" title="heartland_stock_image" src="http://blog.securstar.com/wp-content/uploads/2009/08/heartland_stock_image-300x218.jpg" alt="Heartland stock image" width="256" height="186" /></td>
<td style="border:0px;"><img class="size-medium wp-image-64" title="tjx_stock_image" src="http://blog.securstar.com/wp-content/uploads/2009/08/tjx_stock_image-300x220.jpg" alt="TJX Stock" width="255" height="186" /></td>
</tr>
<tr>
<td style="text-align:center; border:0px;">Heartland Payment Systems</td>
<td style="text-align:center; border:0px;">TJX Companies</td>
</tr>
</tbody>
</table>
<p>Obviously, these are high-profile incidents and may have even affected some of you reading this, but probably nothing more than receiving a letter and a new card and being asked to monitor your credit reports and watch for suspicious credit card activity. The question I have is: are we as a society just accepting this because the problem is too hard to control, or is it merely a cost of doing business today? International boundaries, anonymity of the internet, millions of insecure computers primed for botnets, poor security architecture by software vendors, lack of information security budgets etc. are all significant challenges to protecting our information.</p>
<p>I believe there is a personal and corporate responsibility to protect our information, just as most of us trust our bank to keep our money safe, and it is expected they will do so, or keep it safer than it would be tucked away at home. They also expect consumers to be diligent with access control. They issue ATM cards with user-defined PIN codes (two-factor authentication with limited authorization, i.e. maximum daily withdrawal limits), credit cards with signature panels and identifiers, or they deliver a battery of questions when we need to obtain any information on our account by phone.</p>
<p><strong>I am interested in hearing your thoughts on:</strong></p>
<p>1. Is the bank/consumer model or concept reliable? Do you think it works reasonably well?<br />
2. Do you think there should be greater responsibility on users, or the organization to ensure data confidentiality?<br />
3. Is data loss a real concern for you or your organization? Why?</p>
<p>About Me:</p>
<p>Michael McKinzie, CISSP (Business Development Manager, SecurStar) – security practitioner for 12+ years, worked in IT management, consulting, casino gaming, and on the dark side with encryption and security manufacturers. Still a fan of The C Programming Language by Kernighan and Ritchie, and I know I will make some money from my autographed copy of Applied Cryptography on eBay some day.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securstar.com/2009/08/21/practical-data-loss-prevention/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

