Jun 07, 2012

Are you worried that this week's leak of LinkedIn/last.fm/eHarmony will compromise your employees' passwords?

Whenever I learn about another password hack, I just send out my stock "password hack" email. Essentially, it says, "Hey, I know none of you little angels would use your work account passwords for personal stuff, but...." So that went out Monday for LinkedIn, Wednesday for eHarmony, then again today for last.fm. I limit it to major breaches, but all three of this week's were what I would consider major. I am certain that some people use the same password for everything. So it doesn't take long for me to start thinking of someone looking at a LinkedIn account, seeing that John Doe works at Acme Corp, then using John's password to access his corporate email, etc. Maybe I'm overly cautious, I don't know. How much of an issue do you think this is?

Just make sure they all change their passwords, and it probably won't be a problem. It's also a good idea to include information on how to set up strong passwords. Many people are utterly clueless about how easy it is for common passwords to make accounts vulnerable.

Better safe than sorry. Without a doubt, unless you are at a very small company, there are people that are using the same ID and password across multiple sites and your network if username/password restrictions don't prevent it. I'm sure a lot of passwords that are being used, assuming you didn't assign them, are the same absurdly weak choices that you see again and again: qwerty, password, 12345asdf, john316, etc. Anytime you can use self-interest about things employees care about (oh, noes, my eHarmony account!!!!) to reinforce the importance of basic security practices, you might as well take advantage of it.
