This question has many answers in today’s world.   It can be a lock and key, or a wall, or a weapon.  It can be the blinds on your windows.   It can be a cup of coffee, and a bowl of comfort food. It can be how you act or where you go.  

Information security is no different from physical security.  The lock and key are like the user ID and password you enter when you boot up your PC at home or work.  A wall is analogous to your network firewall, or perhaps the cable or DSL modem and wireless router at home.  The weapon is, for example, active spam filtering that notifies either your network administrator or one of the online spam monitoring and control services.  Window blinds obscure what is in your house from passersby, just as the browser session encryption your bank uses hides your activity when you log in to review your checking account.  Your coffee and beef stew are like the program choices you make to feel comfortable with your PC and what you’re doing with it.

As you can see, information security is just as important as physical security, and in many cases more critical.  Information Security, or Info Sec as it is often called, can be put at risk from anywhere in the world where a person or persons intending to exploit a weakness are able to connect to this thing called the Internet.  At any given moment there are hundreds, if not thousands, of active attacks underway against devices attached to the public Internet.  This is not meant to be alarmist, or to cause fear in the average Internet or computer user just trying to go about their day, using email and browsing web pages.  That said, there is a real need to be aware of what is going on.

Be careful of anyone asking for your password, or even your user ID.  Outside of an expected procedure, this can be an indicator of someone using a technique called “Social Engineering” to get you to divulge your private information.  Social Engineering is, at its core, the art of scamming or schmoozing a person into doing something they otherwise wouldn’t do.  One common method is to leave a USB thumb drive lying somewhere that a targeted person or group of people would be likely to pick it up.  Studies have shown that a significant portion of people will take a USB device they find and, without considering what could be on it, insert it into their computer.  This has been used with great success to compromise security at high-profile companies in the financial and defense industries, as well as others.  Other ways the technique has been used include people posing as maintenance staff, employees visiting from other departments or locations, emergency services personnel, technology repair contractors such as printer techs, and even IT staff.  This is a shining reason why employees need to be aware of who should have access to what in the office, and under what conditions.

Physically securing your computer and other devices, such as smart phones, MP3 players, tablet PCs and the like, is also very important.  In many cases, physical security can be as important as protecting your user ID.  Locking your screen with a password or an unlock pattern, as is available on many smart phones and tablets, is an easy and fast way to ensure that unwanted snooping doesn’t occur.  Any Windows PC running Windows XP or newer can be locked by pressing and holding the “Windows” key, to the left of the space bar, and then tapping the letter “L”; the PC will be locked immediately.  Many Apple devices and computers, as well as many Android devices, have a similar function.

Please do not write your password down on a piece of paper or post-it note and leave it, even hidden, on your desk.  If someone is snooping, the first place they’re going to look is the underside of your keyboard or mouse pad.  Having your passwords written down on paper is generally discouraged, and at times forbidden by policy.  If you need help remembering a collection of passwords, there are many programs for computers, smart phones and tablets that can securely store your passwords and other sensitive information for later retrieval.

Some people I’ve talked to over the years are resistant to using secure passwords, many times out of fear that they won’t remember them.  I can offer some simple suggestions to make remembering your passwords easier.  The first is to determine a root word or phrase that is meaningful to you, but that is neither publicly known about you nor easily guessed.  Some ideas in this vein would be a private nickname between you and your spouse, a phrase or comment that is important to you but that you don’t share with others, or perhaps even a pattern of keys that has meaning to you.  The important thing is that your selection is not easily guessed.

The next step is to change the appearance of the word.  This is most often done with letter substitution, such as exchanging the letter “E” for the number “3”, or the letter “A” for the “@” symbol.  Similar-sounding letters or groups of letters can also be substituted: exchange “ph” for “f”, or “K” for the hard “C” consonant sound.  A “1” can be substituted for an “L” or an “I”.  The possibilities are nearly endless.  Please allow me to demonstrate.

One of the most common passwords in use today is simply “password”.  Surprising, isn’t it?  Obviously, it’s also extremely insecure.  I am going to start with the word “password”.  Now, I don’t recommend that anyone use “password” or something directly derived from it, but it makes a good example of what can be done.

I am going to make some substitutions as mentioned above.  First, the “a” is changed to “@”: “p@ssword”.  Next, the “o” becomes “0” (zero): “p@ssw0rd”.  Note that with two characters changed it’s beginning to look quite different, although at a glance the human mind still reads “password”.

Now, we’ll change one “s” to “5” (“p@s5w0rd”) and capitalize one letter not usually capitalized in this word: “p@s5w0Rd”.

I also recommend that your password be at least eight characters long.  Please bear with me; we’ll need to do a little math.  If we only use lower-case letters, then we have 26 possible characters to use.  How many possible passwords are there?  Take a six-character password; admittedly this is easier to remember than a longer one.  However, 26 letters to the sixth power gives us just shy of 309 million possible passwords.  I know it seems like a huge number, but given the speed and power of today’s computers, a password of six random lower-case letters can in many cases be broken in less than an hour.

If we add just two more letters, again all lower case, for a total of eight, then we are at nearly 209 billion combinations.  This is a quantity 676 times larger than we started with, or from about an hour to about a month.  Adding capital letters to the mix brings us to in the ballpark of 53 trillion possibilities in an eight-letter password.  If we add the numbers zero to nine, we’re up to 218 trillion combinations.

If we expand our count to what can be easily typed on a standard computer keyboard, we’re at a total of 94 characters (47 keys, times two if we press the shift key).  This multiplies out to about six quadrillion total possibilities.  As such, “p@s5w0Rd” is one of a nearly incomprehensibly large set.

Quite a jump, from 309 million to six quadrillion, all with what is easily typed on a standard PC keyboard today.
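The keyspace arithmetic above, and the character-class progression of the “password” to “p@s5w0Rd” substitutions, as an added Python example (not the author’s code). It assumes the 94 keyboard characters split as 26 lower-case, 26 upper-case, 10 digits and 32 symbols (Python’s string.punctuation), and uses the article’s “about an hour for six lower-case letters” figure only as a scaling anchor.

```python
"""Password keyspace arithmetic (added example, not from the original article)."""
import string

# Assumed split of the article's 94 keyboard characters: 26 + 26 + 10 + 32.
CLASS_ALPHABETS = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from an alphabet."""
    return alphabet_size ** length


def classes_used(password: str) -> set:
    """Which keyboard character classes a password actually draws from."""
    found = set()
    for ch in password:
        for name, alphabet in CLASS_ALPHABETS.items():
            if ch in alphabet:
                found.add(name)
                break
        else:
            raise ValueError(f"not a standard keyboard character: {ch!r}")
    return found


def keyspace_for(password: str) -> int:
    """Size of the class-based keyspace the password belongs to.

    A guesser who knows only which classes are present must search this set;
    it reproduces the article's 26**8, 52**8, 62**8 and 94**8 figures.
    """
    alphabet = sum(len(CLASS_ALPHABETS[c]) for c in classes_used(password))
    return keyspace(alphabet, len(password))


def days_to_exhaust(space: int, guesses_per_hour: float) -> float:
    """Worst-case days to try every password in `space` at a fixed guessing rate."""
    return space / guesses_per_hour / 24


def lower_case_scaling() -> float:
    """Anchor: 26**6 falls in one hour, so that rate applied to 26**8 gives the article's 'about a month'."""
    rate = keyspace(26, 6)                       # guesses per hour, by the article's assumption
    return days_to_exhaust(keyspace(26, 8), rate)  # 676 hours, about 28 days
```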

In summary, good security, both for passwords and otherwise, doesn’t need to be difficult.  All it takes is for those of us using the technology and systems to be aware of who and what we are giving our personal information to.  A good rule of thumb is that if something just “feels wrong”, there’s a good chance you’re right.  It’s never a bad thing to be overly cautious until you know for sure what the details are.

Grant Bakken

Atomic Helpdesk Support Specialist