|If Anything Can Be Hacked, How Do You Protect Client Data? Here’s An Ingenious Technique For Making Strong Passwords More Memorable And Less Hackable|
|Monday, June 11, 2012 13:09|
Computer programming professionals say anything can be hacked. It’s scary, but true. The best you can do is to make it difficult for hackers, so that they won’t bother you, or so that it will take so long to hack your system that you will detect an intrusion.
A One-Two Punch
While intrusion detection is a key part of online security, getting into the habit of creating strong passwords is more important to advisors in protecting clients’ personally identifiable information.
Advisors don’t directly purchase intrusion protection solutions because they cost thousands of dollars a month, but fiduciaries can ask vendors if they use an intrusion detection system, and which one. (Verify the information.)
Many vendors handle intrusion detection and prevention in-house. Because these apps are so specialized, however, outsourcing this solution is usually preferred — unless the host is Amazon or Microsoft or one of the other data giants. These apps put an independent, third-party vendor on the hook.
Intrusion protection alone is not enough, however. Strong passwords are also necessary. Used in tandem, intrusion detection and strong passwords strengthen security.
Advisors And Strong Passwords
Ironically, I’ve heard advisors complain about strong password policies. And when told why strong passwords are in their firm’s best interest, they don’t always agree, or they do so grudgingly.
As more consumers embrace apps like Box, DropBox, and other systems with consumer-level password requirements, advisors have an opportunity to be proponents for strong passwords. The battle for security on the Internet is an opportunity for you to be a good guy and do the right thing: educate clients on the use of strong passwords.
While it may be tempting to accommodate clients and use apps with easy or no password requirements, in the long run this would not serve clients well. In the long run, advisors want clients posting sensitive data to know about password strength. The right thing for advisors to do is to teach clients. The right thing is not to compromise on security.
By promoting the use of strong passwords to clients, you lessen your risk exposure as well as theirs. By conducting seminars and webinars about best practices for consumers and posting suggestions about how investors can protect themselves, you engage clients and prospects in a timely topic that’s important to them.
Moreover, teaching clients and prospects about protecting their data online also provides an way to get more clients using your online systems, which may unleash new efficiencies in your business.
Here are some of the facts to help you make a compelling case.
Scan this list of the 30 most popular passwords of LinkedIn users, 6.46 million of which were hacked last week. If you want to make your password “link,” “1234,” or everybody’s favorite, “god,” it’s not a problem on most consumer apps, as this LinkedIn list illustrates. Most document-sharing sites are not much better. Though some consumer apps do indeed enable an advisor to enforce strong passwords, you must correctly configure those features requiring clients use strong passwords to access their data your systems.
Apps for storing personally identifiable information (PII) that don’t enforce strong password policies are engaging in a cheap trick. Easy passwords are good for the apps because they get more users, but it’s bad you in the long run because you are obliged to protect your client data. As a society, we're all being encouraged to have sloppy security habits.
“Every password you use can be thought of as a needle hiding in a haystack,” says Steve Gibson, a computer security expert on Gibson Research’s website. “After all searches of common passwords and dictionaries have failed, an attacker must resort to a ‘brute force’ search — ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose, is discovered. If every possible password is tried, sooner or later yours will be found.
“The question is: Will that be too soon . . . or enough later?,” says Gibson.
Best Practice For RIA Security
A strong password policy requires users — including clients accessing financial data you provide them as well as you and your staff— to make passwords that include at least one non-alphanumeric character, one number, and a capital letter, plus it should be at least eight characters, and preferably 10 characters long.
Obviously passwords like this are more complicated to create and remember. That’s why advisors complain about apps that make such requirements.
Gibson argues convincingly for strong passwords that include at least one non-alphanumeric character, one number, and a capital letter. But what’s fascinating is a technique he calls “padding,” which makes passwords long but easy to remember. It’s brilliant
Gibson uses this “trick question” to make his case:
Which of the following two passwords is stronger,
more secure, and more difficult to crack?
Gibson says the simpler password is stronger because it is one character longer than the far more complex randomly generated password.
How could the simpler password be strong? Because , Gibson says, a hacker doesn’t know how long your password is, whether you used upper and lower case and non-alphanumeric characters. Consequently, a brute force attack where a “dictionary” is used to generate random passwords until your password is found takes much, much longer to solve for the simpler password.
By using a simple word (or phrase) like “dog” with the “o” presented as a zero, your word is not real, increasing its randomness. And, by following that word with a single character — a period repeated 21 times —the possible characters a hacker must guess increases hugely. Gibson’s analysis is brilliant because he is saying it’s not complexity and randomness that matters as much as the length of a password. “Padding” passwords with a string of symbols or characters makes your password memorable as well strong.
Gibson says substituting a symbol for a letter in a word increases the time it would take to hack that password. But his technique for padding is a great way to make passwords longer but not more complex. Gibson’s post may be difficult to get through for non-geeks, which is why I’ve summarized it. But he deserves all the credit for coming up with the padding technique.
But do as he says by not using the exact same padding technique he has and use your own memorable fake word at the beginning or end of the password.
This Website Is For Financial Professionals Only