The lessons to be learned from data breaches are often numerous and not always apparent on the surface. The most recent example is the RockYou.com hack that occurred in December. And what a hack that was.
Briefly, when RockYou.com was hacked into, the hackers walked away with 32 million usernames and the corresponding passwords. While the number of usernames and passwords (and let’s be honest, the number of users of this service) is a shockingly high number, the unforgivable transgression is that RockYou.com apparently stored these usernames and passwords in plain text format. In other words, while industry standards dictate, and competent legal advisors and IT consultants strongly recommend, that all personally identifiable information be stored in an encrypted format, RockYou.com apparently stored the usernames and passwords in a format as readable as this blog entry. Yeah, seriously.
But while the media is focusing on the revelation of what passwords are most commonly used by users, the less obvious takeaway may be the most interesting. Starting with the premises that people are people, people use blatantly obvious passwords, and people create the passwords for your business computers and networks, it is not hard to reach the conclusion that there are also many businesses out there that are one simple password away from a data breach featured in the Wall Street Journal, as Heartland was.
The security firm Imperva published a detailed analysis (PDF link) of the passwords obtained through the RockYou.com hack. The analysis is a good read and contains many best-practice suggestions.
The analysis reveals that the top three passwords are 123456, 12345, and 123456789. The fourth most common password? It is Password. It feels odd even writing the foregoing two sentences.
But you are not a hacker, you run a business. You run it well. You do not ignore the details, and you make sure you know exactly what every contract says before you sign it. But you probably do not select the “Administrator” password for your business. If your business is named Competent, what are the chances that password is Competent1? You are probably not responsible for ensuring that the password on the router/firewall standing between your customers’ personally identifiable information (and your proprietary information) and the outside world has been changed, and changed to a strong password. You have people that do that. That being said, people are people, etc.
So, what is a strong password? Well, strong passwords are a lot like the way Justice Potter Stewart described pornography: I know it when I see it. There are suggestions about the use and intermingling of letters (uppercase and lowercase), numbers and punctuation, 12-14 characters, and non-English words. 3d4$d@Ga1GhS3p is a quickly mashed-out password. Yes, nearly impossible to remember, but very difficult to hack, and in an era of doing all reasonable things to prevent hacks, a terrific first step. Wikipedia has an easy-to-read primer on strong password selection here.
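To make the above rules concrete, here is an added policy check (example code written for this post, not from Imperva or RockYou.com) that rejects the common passwords named above, the "business name plus a digit" habit, and anything shorter than 12 characters or built from too few character classes. The business name Competent and the list of common passwords are taken from the text; the thresholds are assumptions.

```python
import string

# Constructed sample data: the four most common passwords named in the post.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password"}

# Assumed example business name from the post ("Competent" -> "Competent1").
BUSINESS_NAME = "Competent"


def check_password(pw: str, business_name: str = BUSINESS_NAME) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []

    # Length rule: the post suggests 12-14 characters as a floor.
    if len(pw) < 12:
        problems.append("shorter than 12 characters")

    # Block-list rule: never allow a password that appears in leaked top lists.
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is one of the most common leaked passwords")

    # Guessability rule: the business name (any case) must not appear in it.
    if business_name and business_name.lower() in pw.lower():
        problems.append("contains the business name")

    # Mixing rule: require at least three of lower, upper, digit, punctuation.
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")

    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password", "Competent1", "3d4$d@Ga1GhS3p"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The mashed-out password from the post passes every rule; Competent1 fails on length and on containing the business name even though it mixes three character classes.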