(this article originally appeared on Technorati)
If you're in IT or following technology trends, you probably have heard about Google's Chromebooks.
If you haven't, Google made an operating system that is lean, small, and boots right into a browser only. Holy smokes, the future!
This OS will only ship on laptops, for now, and during its recent I/O conference for developers, Google really hit home on the fact that these should be great for the enterprise field.
Can you imagine? Never having to install an app with a CD, or worrying about the fact that the user is still running IE 6 or Office 2003? Smells like heaven if you ask me. What a fantastical dreamworld we'd all be living in. Not to mention the fact that you'd be using Google's services via the web anyhow, so all the updates to those apps would be taken care of by Google.
The downside to that, of course, is that Google could update all of your apps without you even knowing it. Such is the life of living on the web, friends. What becomes of your friendly neighborhood engineers, you ask?
Well, an engineer with skills in knitting would be a good idea as a job backup plan. But Google has an intensive Administrator panel planned for the Enterprise versions of the OS. Plus, who will reset your password when you forget it every Monday morning?
According to PCWorld's website, LastPass is requiring everyone to change their Master Password due to a possibility that the database was compromised.
LastPass is an online service that allows users to store all of their passwords for online services, as well as form data, so that they do not need to remember or rekey all of their information every time they visit a website. As a user of LastPass, it is very handy to log in to one page with a strong password (upper and lower case letters, numbers and/or special characters, and at least 7 characters long) that can then log in to all your other websites.
The article indicates that LastPass is having everyone change their Master Password not because they know that passwords have been stolen, but simply that they may have been stolen due to lack of solid information. This is an inconvenience to all users of LastPass, but I would rather change one password that protects all other passwords than to keep the one password the same and have the possibility that someone has the password to my bank account.
What do you think? Is it a good idea to have one password (even if it is a strong password) that holds the key to all other passwords? Just think of it as a virtual lock box – one key that can open a door that has all other keys available. I love the idea of only having to remember one password and know that all others are secured and can only be accessed by me. Even when information is revealed that there is even a remote possibility that the password has been retrieved by an unauthorized person, it is a lot easier to change one password prior to any access than provide “clean-up” afterwards. Wouldn’t you change the key on your lock box if you heard that someone might have possibly been able to make a duplicate copy? I know I did.
- by Andrew, "Babyface", Neumann
While I had originally set out to blog about a few exciting features available within Postini for encrypting traffic to and from your messaging server, I found myself sidetracked and subsequently uber-focused on an issue that I thought was long dead – documenting users' passwords... on paper... in a centralized location...
Who the heck should care about e-mail security when the most fundamental concept of PC security is ignored, likely by more companies than this IT professional would like to admit? While the prospect of having this secret information is sometimes a Godsend for an IT professional like myself, I assure you it will only lead to death and destruction. Well, maybe not that severe – an upset stomach and possibly a few grey hairs. Make light of this situation and you may find yourself on the receiving end of some pretty nasty results the next time you’re sitting in your board room dismissing someone for inappropriate behavior. Let a few minutes slip by after the termination and you may definitely see some inappropriate behavior. Then comes the mad scramble to try to ensure that the ex-employee doesn’t access your network through VPN by using another employee’s credentials. Sonny, did I say an upset stomach and a few more grey hairs? Let me amend that to a one-way ticket to a straitjacket as you realize that your confidential company property has suddenly ‘disappeared’ – it was just there this morning, what happened?
You didn’t follow Microsoft best practices and implement a comprehensive Password Security policy to ensure the security of that which you spent your whole life building. Ouch-ers! Microsoft recommends that ALL company employees (including principals) follow these best practices for password protection:
- Always use strong passwords. A password is considered strong if it meets the below minimum criteria:
  - Is at least seven characters long.
  - Does not contain your user name, real name, or company name.
  - Does not contain a complete dictionary word.
  - Is significantly different from previous passwords. Passwords that increment (Password1) are not strong.
  - Contains characters from each of the following four groups:
- Never share passwords with anyone.
- Use different passwords for all user accounts.
- Change passwords immediately if they may have been compromised.
- Be careful about where passwords are saved on computers. Some dialog boxes, such as those for remote access and other telephone connections, present an option to save or remember a password. Selecting this option poses a potential security threat.
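
The strong-password criteria above, expressed as a check that could run when a user changes a password. This is an added example, not code from the original post or from Microsoft; the four character groups (uppercase, lowercase, digits, symbols), the small word list, the 0.8 similarity threshold and the name `policy_violations` are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "summer", "letmein"}

# Assumed character groups (the list above does not name them).
GROUPS = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def _stem(pw):
    """Lower-case and drop trailing digits so Password1 and Password2 match."""
    return pw.lower().rstrip("0123456789")

def policy_violations(password, identity_terms, old_password=None,
                      words=SAMPLE_WORDS, min_length=7):
    """Return the list of reasons the password fails the policy (empty = OK).

    old_password is the value the user types during a change; password
    history should be stored hashed, never as readable text.
    """
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # User name, real name and company name are passed in by the caller.
    if any(len(t) >= 3 and t.lower() in lowered for t in identity_terms):
        problems.append("contains user, real or company name")
    if any(w in lowered for w in words):
        problems.append("contains a complete dictionary word")
    for name, pattern in GROUPS.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    if old_password is not None:
        # Catch incrementing passwords and near-copies of the old one.
        similar = SequenceMatcher(None, lowered, old_password.lower()).ratio()
        if _stem(password) == _stem(old_password) or similar >= 0.8:
            problems.append("too similar to previous password")
    return problems
```
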
While an IT professional can make recommendations to the principals of an organization extolling the benefits of implementing a universal Password Policy, it is ultimately up to the client to decide what they would like to do. If the decision is made to potentially jeopardize company data, positioning, and security by not implementing a Password Policy forcing users to take the 30 seconds every 45 days to change their password, ensure that you have documented this fact and then sleep soundly knowing that you have put your best foot forward to try and safeguard a client from what could potentially be a very devastating event.
Perhaps a box of ‘Just for Men’ hair color treatment should be part of your IT Engineer Tool Kit?
Ah, the IT Engineer Tool Kit. We love them! Trigon and our kits serve Montgomery and Bucks Counties, just to name a few. If you'd like a refresher course with your Password rules, be sure to contact us.