Archive for the ‘Password Management’ Category

The Problem with Shared Usernames and Passwords

Monday, November 17th, 2008

A lot of small to medium sized companies use shared passwords to access information in their internal IT systems or in systems run by remote managed service providers. They do this to bypass internal IT groups that may be too slow to grant information access, or to reduce licensing costs with external providers who price their services per user.

From an information security standpoint, using shared passwords is a bad idea for several reasons:

  • It will cause you to fail a security audit. Almost all state regulations on personally identifiable information and industry regulatory standards such as PCI DSS, HIPAA, Sarbanes Oxley, or Gramm-Leach-Bliley prohibit the use of shared user names and passwords.
  • It causes more work for your IT group, particularly when an employee resigns or is terminated, because the shared password must be changed and everyone using it must be informed.
  • If any information is inappropriately changed or stolen, you have no way of determining which individual is responsible.
  • The use of shared passwords will likely increase your liability if you are sued for an information security breach.

Here’s what you have to do:

  1. Identify every internal or outsourced service that your company uses to manage information. This can be an eye opener: you may use a lot more systems for this purpose than you realize.
  2. Identify each individual who must have access to information in each internal or remote system. Your IT group should keep this information up to date in a matrix so that it can be easily referenced in the event of an employee termination or transfer, or during a security incident investigation.
  3. When a new employee is hired, determine which information systems they need access to. Incorporate this into your new employee IT provisioning process. In addition, channel all new requests for information access through your IT group so that they can keep their records up to date.
  4. Create an information systems acceptable use policy, distribute it to all of your employees, and have them sign it. Include provisions in this agreement that prohibit the sharing of user names and passwords between employees or 3rd parties.
  5. Systematically create new user names and passwords for individuals who have been sharing them and distribute them.


Personal Password Management: Risks and Remedies

Sunday, November 9th, 2008

Do you have trouble remembering every online password you have? I have hundreds that I use, just in my personal life, and that number is growing daily.

For a long time, I’ve tried to reuse the same few passwords on each site or application, just so I could remember them. But this weekend, I read a blog post from one of my friends where he describes how his wife, a security professional, got hacked doing this.

She had the bad luck to use one of her common passwords on a Chinese web site, where someone stole her password from the site and used it to log into another site she uses. They assumed her identity and sent her husband and some of her colleagues a spam email message. If someone were to steal one of my common passwords like this, and they knew a little about my habits, they could get into many different services that I use, steal a lot of my personal data, and potentially damage my reputation.

This isn’t that far fetched. It could easily happen to you.

The moral here is that you really need to have a different password at each site or commercial service you have an account at, you should use strong, unguessable passwords at each, and you need an automated, portable agent that you log into once that remembers all of these unique passwords and can automatically look up the right password and log into your services for you.

The good news is that Personal Password Agents are available commercially and they do a pretty good job of managing password overload for you. I started using one this weekend that seems to be working fairly well so far, called RoboForm.

RoboForm Password Manager and Generator

RoboForm performs a number of very useful functions that have already vastly improved my password security discipline and have even increased my productivity.

  1. RoboForm includes a strong password generator that I am using to replace the shared passwords that I currently use to log in to all of the online services I use. I’m creating a unique password for each service in order to eliminate the ability for anyone to steal a common password and log onto another one of my services.
  2. RoboForm keeps a list of all of the services I use and automatically fills in the password form with the correct username and password combination when I switch between services, so I don’t have to remember all of these new passwords. That’s not so different from Firefox, except that this information is stored in an encrypted form on my computer and portable between the five or six computers I use every day.
  3. The only password I have to remember is the one password that I need to login to RoboForm when I open my web browser and try to connect to a password-protected service.
  4. RoboForm also helps automate form filling for credit card purchases and other forms and eliminates the ability for anyone to hack my computer and record the keystrokes I use when I normally fill out this kind of information online.
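As an added illustration (my own sketch, not RoboForm's code or anything from the original post), here is a minimal Python version of the three things a password agent does for you: stretch the one master password you remember into a key, generate a strong unique password per service, and audit a vault for the kind of reuse described above. The vault contents are constructed sample data.

```python
import hashlib
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Random password from a CSPRNG, guaranteed to contain all four character classes."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def derive_master_key(master_password, salt, iterations=200_000):
    """Stretch the single master password into a 32-byte key with PBKDF2-HMAC-SHA256.
    The agent stores only the salt, never the master password itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def find_reused_passwords(vault):
    """vault maps site -> (username, password).
    Returns {password: [sites...]} for every password used at more than one site."""
    sites_by_password = defaultdict(list)
    for site, (_, password) in vault.items():
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def rotate_reused(vault, length=20):
    """Replace every reused password with a fresh unique one, in place; returns rotated sites."""
    rotated = []
    for sites in find_reused_passwords(vault).values():
        for site in sites:
            user, _ = vault[site]
            vault[site] = (user, generate_password(length))
            rotated.append(site)
    return sorted(rotated)


# Constructed sample vault: one common password reused at two sites, one unique password.
SAMPLE_VAULT = {
    "mail.example": ("alice", "Summer2008!"),
    "shop.example": ("alice", "Summer2008!"),
    "bank.example": ("alice", "q7$Vn2xLp#Rt9wKe"),
}
```

Running `rotate_reused(SAMPLE_VAULT)` replaces the two copies of `Summer2008!` with independent generated passwords, after which `find_reused_passwords` returns an empty dict.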

The version of RoboForm that I’m using is FREE, but I will upgrade to the PRO version which lets you store your passwords on a USB thumb drive so you can move them between computers. RoboForm is also available for mobile phones on Palm, Symbian, Windows Mobile, and Blackberry operating systems.

Here are some other commercial password management and form filling applications available online. I haven’t tried all these applications yet, but if you do, please leave a comment describing their effectiveness and ease of use.

  1. TraySafe
  2. MySecurityVault Pro
  3. Password Safe
  4. TK8 Safe
  5. Password Vault