Whether we’re talking about an individual or a business, the number one task when it comes to protecting your “stuff” is to keep the bad guys out completely and the frontline of your defense is the humble password. No matter what other protections you may have in place and no matter how locked down you might think your systems are, if the bad guys can crack your passwords it’s game over.
In my first article of the year I laid out the Azstec’s Seven Security Must-Do’s for 2016 and at the top of this list was the need to get smart about how we create and manage passwords. As computer security experts including Bruce Schneier and Graham Cluley have pointed out – frequently and at length – at the heart of computer security is the problem of dealing with users’ behavior.
Instead of trudging through a litany of the unwise things users do where computer security is concerned (such as writing their passwords on Sticky Notes hidden on the underside of their keyboards and clicking on links in email messages from unknown senders), we’ll go focus on the most effective and simplest way to make your organization’s security much more robust: Better passwords. Moreover, rather than dwelling on complex, expensive, top-end solutions, we’ll focus on what’s easy, simple, and effective.
Now you might wonder why it’s so difficult to get users to put together some letters, numbers, and symbols in a memorable way that can’t be easily hacked. The answer is that without a system, good passwords are too complex to remember. The average user has 30 or more passwords and keeping track of them is a job in itself and when you’ve got to crank out invoices or do whatever is your real job, it’s easy to use the same simple password for every login. If you want some entertainment on the subject of passwords, SplashData just released their worst password list of 2015, so feel free to take a look at how stupid people can be when it comes to computer security.
Once you convince your users that this is behavior is dangerous you need to give them a system, a way to create and manage passwords that is easy to use.
The first strategy is to develop your own personalized algorithm that generates passwords that can’t be easily hacked (what cryptographers refer to as having sufficient entropy). Developed by Manuel Blum, a professor of computer science at Carnegie Mellon University, the technique allows you to generate a custom password for each site you log into. Network World has a nice summary of the system and Blum’s full video presentation of the technique is available online. Blum’s technique is straightforward though it does require a bit of commitment and about four hours to learn.
Now, in common with most computer users, I’m a really busy person (and somewhat lazy) so I decided that instead of getting to grips with Blum’s technique, I’d use computer technology to do the heavy lifting instead (okay, it’s not really that heavy but it is a pain in the, er, access). For websites, I use a browser-based password manager that not only “remembers” my logins but can also generates robust passwords. There are plenty to choose from and they range in price from free to around $40 (PC magazine has a good review of password management products) but my favorite password manager is LastPass, which is priced at a measly $12 per year.
For website logins, a password manager is an excellent way to get much improved security but websites aren’t the only thing that requires password: When it comes to encrypting documents there really aren’t any management tools that fall into the simple and easy to use category … or at least, there weren’t until my company, Azstec, created docNCRYPT™.
docNCRYPT™ – MS Outlook Plug-in
docNCRYPT, which works with Microsoft Office, has an encrypted database that stores all of the passwords you‘ve used for email messages and attachments and we’ve built in a powerful password generator (see the screenshot below). We also have a publicly available password generator and password strength checker available on the Azstec website so anyone can check out whether the passwords they use are “good”.
Security is a Process
As security expert Bruce Schneier has pointed out, security is a process, not a product and when it comes to passwords, giving your users (and yourself) a system for generating and managing robust passwords for websites, email messages, and documents should, arguably, be your number one concern. Once you’ve got passwords handled every other security problem looks a lot less worrisome.
When not beating the drum over password security David Griffith is the CEO of Azstec LLC, the creators of docNCRYPT, the incredibly simple document security solution for everyone. If you have any comments or questions, email David at dgriffith [at] azstec.com and follow the Azstec Blog or on Twitter or LinkedIn.