Wednesday, April 27, 2011

Corporate Security in the new millennium

Want to crack into a system? Find a password? Piece of cake. I'm going to tell you how most businesses operate, and how to get to someone's password. Want to avoid weak passwords? I'll fill you in on that as well. I'll also suggest a way to create tough passwords that are easy to remember. Mostly, I hope to protect you from the traps that people fall into when creating passwords.

First, start with "password". Yes, I know it sounds tired, but security experts suggest that a high percentage of passwords are still "password". The others are common words such as god, money and love, along with people's names, such as the name of a spouse, pet, kids, etc. Common numeric passwords are normally 123456 or dates such as birthdays, anniversaries, etc. It is estimated that 20% of all passwords can be guessed this way. Stay away from them, as well as from dictionary words.

A few years ago I went to a client to work on their server. However, no one in the office knew the password for the system. Good security, I believed. I was finally able to speak to someone in charge. The disgruntled IT person left and the password was not known. We went from good security to bad business. So I'm back in the closet, and I start looking for the password. Under the keyboard, under the desk, in a manual. Somewhere there's a yellow sticky with one word written on it, and that's the password. Found it. HOTDOG. Didn't take long. It was in the inside cover of the once opened computer manual.

Then there's the office with 12 people. Everyone wants their own password, with their own "personal" (if you're at work, there should be no 'personal') space. Months after setting up separate areas for all the employees and creating different profiles, everyone has their password written on a yellow sticky somewhere around their monitor, and all 12 people in the office know how to get into every computer. Why bother.

Then there was David. David was a retired High School principal who could not stand being retired, and came back to work as a programmer. If you left your computer unattended, he'd sneak in, and start a time consuming task on it. As the day went on he'd forget what was running where. He'd get up, back to the "zombie" PC, and shout: "Does anyone remember what my password is?" He could never remember.

Several people I know can never log into any web site because they can't remember the username, email or password that they used when they originally signed up. There has to be a better solution, they all say, but one is not yet available. The best solution is to use the same username, email and password, this way you'll always remember. The worst solution is to use the same username, email and password. If you are compromised, then the intruder has access to all of your accounts. This is one method that identity thieves use. Once they have one piece of information, they'll use it on every account (Google, eBay, Amazon, bank account, etc.).

The processing power of today's computers can 'crack' a password in a short time frame. A lowercase password of 8 characters can be cracked in less than 2.5 days. An 8 character password with upper, lower, numbers and special characters would be cracked in about 210 years. Big difference. However, there's one big problem. The user cannot remember what's caps, what's a number, or frankly what their password is.

A common technique to "mask" a password that is an ordinary dictionary word is to substitute letters with numbers. For instance, password could be written as P - A - S - S - W - (zero) - R - D. Common substitutions are: 1 - L or I, 3 - E, 2 or 5 - S, 7 - T, 9 - G, 0 - O. Other letter/number combinations can be used as long as the user remembers the relationship. Another trick is to offset your hands on the keyboard and type a common word. For instance, if I move my hands one key to the right, when I type "password" I get "[sddeptf". Yet another trick is to use foreign words. Currently password dictionaries only contain English words, but as computers get faster and store more information, password dictionaries will change to include the more common languages around the world. However, I must tell you that people who make a living cracking passwords know of these tricks, and they have updated their algorithms to reflect them.

My advice: use a combination of words and numbers that only you would know the meaning of, with a minimum of 10 characters. I ran track and field in high school. My password could be something like T&F330hurdles. 13 characters. 2 caps. 1 special character. Want to make it harder? Add the initials of the High School at the end: T&F330hurdles@NBHS. A lifetime to crack (brute forcing a password is only as good as the speed of today's computers; as computers get faster, so does the speed at which they can crack a password). Only a few people actually know that about me, and I don't have regular contact with any of them. I can always remember my password because it's relative to me.
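As an added example (not the post's own code), here is a defender-side check in Python that applies the tricks above in reverse: it undoes the digit-for-letter substitutions and the one-key keyboard shift before comparing against a common-word list, and computes how much longer an 8-character brute force takes over the full 95-symbol keyspace than over lowercase only. The tiny word list and the QWERTY rows are constructed stand-ins for a real dictionary file and keyboard layout.

```python
import itertools

# Constructed stand-in for a real wordlist; a production check loads a file.
COMMON_WORDS = {"password", "god", "money", "love", "hotdog", "123456"}

# The post's substitution table, reversed: each symbol -> letters it may hide.
DELEET = {"1": "li", "3": "e", "2": "s", "5": "s", "7": "t", "9": "g",
          "0": "o", "@": "a", "$": "s"}

# QWERTY rows, so hands shifted one key right turn "password" into "[sddeptf".
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]


def deleet_variants(pw, limit=256):
    """Expand every substituted symbol back into the letters it could stand for."""
    choices = [DELEET.get(c, c) for c in pw.lower()]
    return {"".join(v) for v in itertools.islice(itertools.product(*choices), limit)}


def unshift(pw, offset):
    """Undo a keyboard offset of `offset` keys; None if any key falls off a row."""
    out = []
    for c in pw.lower():
        row = next((r for r in ROWS if c in r), None)
        if row is None:
            return None
        j = row.index(c) - offset
        if not 0 <= j < len(row):
            return None
        out.append(row[j])
    return "".join(out)


def weak_reason(pw):
    """Return why a password is weak, or None if none of the post's traps apply."""
    if pw.lower() in COMMON_WORDS:
        return "common word"
    if deleet_variants(pw) & COMMON_WORDS:
        return "disguised common word"
    for offset in (-1, 1):  # hands shifted one key left or right
        if unshift(pw, offset) in COMMON_WORDS:
            return "keyboard-shifted common word"
    if len(pw) < 10:
        return "shorter than 10 characters"
    return None


def crack_time_ratio(length=8, small=26, big=95):
    """How many times longer brute force takes over `big` symbols than `small`."""
    return (big / small) ** length
```

The ratio for 8 characters comes out near 31,800, which is the post's "under 2.5 days" versus "about 210 years".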

In a work environment it's a waste of time (unless required by law) to implement security measures because the passwords become common knowledge. And the one time when it does not, information is needed from an employee's computer when she's on vacation, and nobody at the office has the password.

Use this information as best fits you. I'd hate to see someone compromised or a victim of identity theft.

Sunday, April 17, 2011

People issues are the hardest to solve

I was having dinner with a client, and the owner of the company asks: "Francisco, you work at dozens of different companies. Tell me the truth. Are we the most dysfunctional company that you've come across?" I did not hesitate and answered "NO". He was taken aback by the quick answer, as well as "the" answer. "So you mean to tell me that there are worse companies than ours out there?" The answer was again, "NO". You see, many companies have people issues.

The last thing a company owner wants to do when he/she gets back to the office is listen to "petty" complaints. To hear that someone spends too much time in the bathroom, takes too many smoke breaks, constantly calling in sick, always on Facebook, snacking constantly, takes too many coffee breaks, answering personal cell phone, having an office romance, using the computer to run a home based business, talks all day and doesn't get any work done. You may laugh, but I've heard it all. Several times I've been told: "She must be banging him," referring to a co-worker who must be sleeping with the boss, as the only reasonable explanation for keeping their job. There's also the "he must have pictures, how else does he hang on to his job?"

Many owners choose to ignore the office shenanigans and let the environment simmer. It's not their expertise to deal with people. Remember, they are business people. They love business. They love to sell. They love to create new products and services. They love to wheel and deal. Cash the checks, as that's how they keep score. They are highly competitive and driven. The last thing they want to do is to reprimand an employee for spending too much time on the toilet. Keep in mind that when you fire someone, you then have to hire another person. You then have to train the new employee. The new employee will in turn take some time to get up to speed. It's easier to let the employee spend extra time on the phone, or take a longer lunch break. This leaves more time for selling, creating, competing, networking, etc.

Early in my professional career, I noticed this employee whom I believed did not do any work. Any attempt to discredit or point out his lack of contribution fell on deaf ears. Everyone else had already tried, and knew it was pointless. So I took notice of who he was and what he did. He generated organizational charts where he proclaimed to be the head of the department. He created several projects for which there were no budget or people to work on them. He was always in every meeting, at every break, and involved in every project adding his expertise. However, he never contributed to any project. None that I was involved in, nor any that anyone else knew of. He was really good at sniffing out meetings with food, as he would walk out of them with hands full of whatever was available. He could be found speaking to the workers. He did it with me. Asked what I was working on. Seemed harmless, so I contributed to the conversation. He did it with everyone, it seemed. That was his job, to talk to people. Strange. Until one day, I finally figured out what he did. I was working in the lab, and was accidentally hidden in a corner of a large room. He and the owner of the company walked into the lab, sat nearby (without noticing me) and the owner said: "I want you to go down there [to a client,] and I want to know who's involved. I want to know their names and who they're working for. Don't come back until you know who the fuckers are." They did not know that I was there, or that conversation would never have taken place near me. But I had finally figured out what he did. He was a "spy." He spied on the competition, and he spied internally. He then had these meetings with the "boss" where he regurgitated the information he compiled.

So why is it that someone can spend countless time in the bathroom and nobody cares? Because she was "banging" somebody with clout. True story. Why did that person not get hired and the other person get fired? A lunch relationship gone sour, where the bookkeeper decided, not based on merit, but rather on her soured relationship. True story. Why does this person get all the best/highest paying gigs, when she's a mediocre performer? The manager is her best friend from when they were in High School together. True story. Why did this person get hired when they were the least qualified of all who were interviewed? Someone's golf and drinking buddy. True story. I've seen people get hired based on a relationship rather than qualifications more times than I can count. While I know that it's "who you know, not what you know" that counts, in today's economic climate it's hard to "hand" someone a paycheck he is not earning. It's even harder to see the dysfunctional companies where employee productivity is non-existent due to employee "manager" relationships.

So the next time you see office politics, and you wonder why that person is allowed to continue with an unacceptable behavior, think of what you may not know, and that's likely to be the reason.