
Password best practices: Why your company's data privacy is at stake

When I heard about a study on password worst practices at social network app maker RockYou (which was hacked late last year), my initial thought was a very mature “I must be smarter than their users — because who wouldn’t follow password best practices?” Who chooses passwords like 123456 or password in today’s hack-happy, data-privacy-and-protection-focused tech world? I remember Sarah Palin’s Yahoo account getting hacked soon after she was named John McCain’s vice presidential running mate back in 2008, and experts surmised that it was because she used easily obtained personal data in setting her passwords.

But we all learned from her errors, right? Savvy corporate IT users and their CIOs don’t need to worry about such password faux pas, right? Wrong. Wait, what?

Because users tend to use the same passwords on most or all of their work and personal accounts, a hacker’s ability to infiltrate one can quickly lead to unlocking the rest. In a 2009 Twitter document hack, “once the hacker broke into a single employee’s Gmail account, he was running free and eventually got access to a lot of sensitive corporate information.”

Gulp. Maybe I need to stop patting myself on the back. Just because my passwords are more difficult to guess than iloveyou (another top choice), it doesn’t mean I’m not putting my own information — or, worse, my company’s — at serious risk of an IT security breach by selecting similar passwords for various corporate sign-ons.

We research and write a lot about the technical side of data privacy and protection — but what about the human side? It surprises me that there still may be many company employee manuals that don’t include a section on data privacy that stipulates password best practices and emphasizes that duplicate passwords are a no-go. Could it be that employees are just ignoring the rules or making information too easily accessible to potential breaches? My colleague Kristen Caretta once blogged, quite correctly, that dressing up as a Post-It note with a secure password could qualify as a scary geek Halloween costume, since one-third of most passwords are still being tracked that way.
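Enforcing those two rules at password-change time, as an added example that is not from the article: it rejects the worst-practices entries the article names (123456, password, iloveyou) and refuses a password the same user already has on another corporate sign-on, by verifying the candidate against stored salted PBKDF2 hashes rather than keeping any plaintext. The account names, sample passwords and iteration count are constructed assumptions.

```python
"""Password policy check at password-change time (added example, not from the article)."""
import hashlib
import hmac
import os

# Constructed blocklist; the three entries are the ones named in the article.
BLOCKLIST = {"123456", "password", "iloveyou"}
ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password, salt=None):
    """Return (salt, hash) for storage; a fresh 16-byte salt per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison against a stored (salt, hash) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(candidate, other_accounts):
    """Return the policy violations for a candidate password (empty list = accepted).

    other_accounts maps the user's other sign-ons (constructed names such as 'vpn'
    or 'email') to their stored (salt, hash) pairs.
    """
    problems = []
    if candidate.lower() in BLOCKLIST:
        problems.append("on the worst-practices blocklist")
    # Reuse check: the candidate must not verify against any other sign-on's hash.
    reused = [name for name, (salt, digest) in other_accounts.items()
              if verify(candidate, salt, digest)]
    if reused:
        problems.append("already used on: " + ", ".join(sorted(reused)))
    return problems


if __name__ == "__main__":
    # Constructed sample: a user whose VPN and e-mail sign-ons already share a password.
    accounts = {"vpn": hash_password("Tr0ub4dor&3"),
                "email": hash_password("Tr0ub4dor&3")}
    print(check_new_password("iloveyou", accounts))              # blocklist hit
    print(check_new_password("Tr0ub4dor&3", accounts))           # reused on email, vpn
    print(check_new_password("correct horse battery", accounts))  # []
```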

Does your company maintain rules regarding data privacy and protection with regard to passwords? Do you have a good way of enforcing these rules? And what’s your favorite password? (Kidding, kidding)


Until two-factor authentication becomes the norm, we will continue to have the problem of easily guessed passwords - plain and simple.
SecurityDude is absolutely right. Passwords are not worth the post-it they are written on! Well, more to the point. Humans do things the easiest way possible unless conditioned otherwise. We have not been conditioned to remember complex things. Why is there speed dial on phones? Is it so difficult to remember a 10-digit phone number? Some frequently used numbers (parents, home, work) may be easily remembered, but what about an infrequently used, very critical number (doctor, tax professional)? Having two-factor authentication takes the burden off of remembering a complex, frequently changed password and puts the burden on keeping synchronized the two elements used for authentication. Thanks for the great posting! In the IT trenches? So am I - read my IT-Trenches blog.
I need 48 different passwords! Even getting in here to post a comment adds yet another password! There has to be a better way, because at the moment where am I going to put 49 Post-It Notes? I like the use of sync methods, but in a large organisation (Aussie spelling) are the bean counters going to hand out 5000 units? So I have seen smart phones with password lists and two levels of passwords to open the list. I have also seen a question-and-answer sequential system.