Humans Continue To Be "Weak Link" In Data Security
ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."
If you keep your password on a private document in your pocket, you can use a stronger password, and it's a lot harder to lose both your laptop and your password.
If you do lose one, it's easy to take steps to blacklist the other. You can even use some trivial obfuscation in recording the password so that even if someone gets it, they won't be able to figure out your password.
Example:
awfuieri3v
4u9388535v
v9tv379vn7
mc20884v05
That's just gibberish, but I could easily write that matrix down on a piece of paper, and then pick a path to take through it (it doesn't even have to be a complicated one; for example, I could just use columns 2, 4, and 6), and there's not really much chance that someone's going to find my password. Of course there are even better examples where it's not even obvious that you're looking at a password matrix.
In the summary it states 9/10 know of a laptop in their organisation being lost. The organisations in question could have thousands or tens of thousands of laptops.
It doesn't say 9 out of 10 lost or stolen. It says 9 out of 10 people reported that a piece of equipment has been lost or stolen within their organization. There's a big difference between those two statements.
Of course the issue still remains, people are always going to be the weakest security link. This should come as no surprise to anyone. It has always been that way, and always will be.
"Growing old is inevitable; growing up is optional."
It's because people tend to think of their passwords as words, not phrases. It's much easier to remember a simple pass phrase (e.g. "Quick_brown_fox"), than a shorter, but completely senseless random symbol combination (e.g. "gsf12mU&*").
Actually we've run into that. But that's a violation of HIPPA (Health Information Privacy and Portability Act), and if you find your users doing something like that in a medical environment? It can mean very serious action is taken. We actually had one person refuse to 'not' use post-its, and they were let go from the organization. And I mean honestly, in the grand scheme of things, you're adding one password to your daily computing life that will ultimately save someone's butt if their PC gets stolen. Where I work, most of the Doctors are grateful for that extra layer of security. They know that if patient data was leaked on their watch? It would likely mean their jobs, a black mark on their names in the public, and a lot worse for the organization they work for. I'm sure it's similar in other fields.
If you know nothing about the password at all, yes, it can be more secure. However, if you know it is a passphrase, then you can work on it as such. Rather than brute forcing using character combinations, you use word combinations. Maybe your program also has grammar rules in it so it can make more intelligent choices in words. Of course, against that you can start doing letter substitution, but then you start having complexity problems again, and so on. Also there's the problem of someone finding out your password: if it is very complex, even if they see it they may not be able to remember it, but a phrase may be no problem. Etc.
What it comes down to is there's only so secure a password can be. How secure largely depends on the individual. Some people can handle long, complex passwords. Others need things real simple.
Hence why, as I noted in another post, if the data you are securing is really so important, get two-factor security. You can't force humans to be good with passwords, so don't try. Use passwords as a part of a better security solution.
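As an added example (not from any poster in this thread), the password-matrix scheme from the earlier post and the word-level guessing point made here, worked through in Python: it recovers the password from the posted grid via the "columns 2, 4 and 6" path and then compares how much secret is left to guess in each situation (nobody has the paper; the paper is lost and the scheme is known; a passphrase attacked word by word). The 36-symbol alphabet and the 10,000-word vocabulary are assumptions for the arithmetic.

```python
import math

# Constructed grid, copied from the thread's example: 4 rows x 10 columns of
# lowercase letters and digits (alphabet of 36 symbols, an assumption).
GRID = [
    "awfuieri3v",
    "4u9388535v",
    "v9tv379vn7",
    "mc20884v05",
]
ALPHABET_SIZE = 36


def column_path(grid, columns):
    """Cells visited by the 'columns 2, 4 and 6' scheme from the post:
    each chosen column (1-indexed) is read top to bottom, in the order given."""
    return [(row, col - 1) for col in columns for row in range(len(grid))]


def password_from_path(grid, path):
    """Recover the actual password by following the path through the grid."""
    return "".join(grid[row][col] for row, col in path)


def bits(search_space):
    """Entropy in bits of a secret chosen uniformly from search_space values."""
    return math.log2(search_space)


def random_chars_space(length, alphabet_size):
    """Guesses faced by someone with no paper and no path: every string of that length."""
    return alphabet_size ** length


def path_space(grid, n_columns):
    """Guesses faced by someone who holds the paper and knows the scheme is
    'some set of n_columns columns': the only secret left is which columns."""
    return math.comb(len(grid[0]), n_columns)


def passphrase_space(n_words, vocabulary):
    """Word-level guessing of a passphrase: the secret is n_words picks from a
    vocabulary (assumed size), not the individual letters."""
    return vocabulary ** n_words


if __name__ == "__main__":
    pw = password_from_path(GRID, column_path(GRID, [2, 4, 6]))
    print(pw)                                                           # wu9cu3v0e878
    print(round(bits(random_chars_space(len(pw), ALPHABET_SIZE)), 1))  # 62.0
    print(round(bits(path_space(GRID, 3)), 1))                          # 6.9
    print(round(bits(passphrase_space(3, 10000)), 1))                   # 39.9
    print(round(bits(random_chars_space(15, 26)), 1))                   # 70.5
```

The last two lines put numbers on this post's argument: three words from a 10,000-word list guessed word by word is about 40 bits, while the same fifteen lowercase letters guessed character by character would be about 70 bits.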