I love to train employees on data privacy and security. It tends to be rather entertaining as I can tell crazy stories about real life scenarios about data breaches or compromises. The stories are quite beneficial, as most employees say “I would never do that!”
One of my favorite stories to tell, as it is a common mistake and people in the audience always nod when I tell it, is of an employee of a vendor who downloaded the names, addresses, dates of birth, and Social Security numbers of all of the employees of a company onto a laptop and took the laptop home to work on the data over the weekend.
The employee’s apartment was broken into over the weekend and the laptop was stolen. I got the call on Monday morning asking what they needed to do. My first question was “Was the laptop encrypted?” The answer was “No, but it was password protected.” The employee couldn’t remember the password so they wrote it on a yellow sticky note and stuck it in the inside of the laptop. Ugh. So the thief got the laptop, the password, and all of the employees’ personal information, including their Social Security numbers. That, folks, is a reportable data breach.
The point is that passwords are a pain in the you know what. No one can remember a complex password, and they have to be changed every 60 days. It continues to be a thorn in all employees’ sides.
My favorite password tip is to use a passphrase instead of a machination of different letters and numbers. For instance, “Myfavoritecolorisred!” My favorite color IS red, and I can remember that when I sit down at the computer. It has a capital letter, is long and complex, and has a symbol at the end. Most security guys approve of it. And if I can remember my password, I won’t be dumb and write it down on a piece of paper and put it in my top drawer (really, do you think that is such a trick?) or on a sticky note on my desktop.
I have been giving this tip for years, and now a new study from Carnegie Mellon University has confirmed the tip by saying it is a best practice.
So when you get to work tomorrow, change your crazy password that you can’t remember to a passphrase that you can remember. But don’t use the same one at work as you use at home. Use another phrase that you can remember from your personal life, like “Mydog’snameisRover”. Um, but don’t use your real dog’s name as hackers can figure that out from your Facebook page…