Passwords aren't the problem -- we are

A billion stolen passwords or no, we can all benefit from exercising common sense when it comes to online security

The world is abuzz with news that a Russian hacker conglomerate may have stolen more than 1.2 billion email addresses and passwords. Whether or not the report turns out to be true, with all the ways the bad guys can get your credentials, you're fooling yourself if you think you don't have to worry about ever being compromised.

But I'm not here to tell you to use stronger passwords (for the most part, that doesn't work), to only use two-factor authentication (not available on most websites), or to change all your passwords (though you probably should).


The fact is that long and strong passwords, for the most part, don't work. The bad guys' methods for stealing them will prevail, no matter how good your password. Even if your logon credentials aren't caught up in the batch of stolen passwords making the latest news headlines, chances are that one or more of your passwords have been stolen or will be stolen in the near future. It's the Internet, and it's very insecure. It's a dangerous, wild, wild West often controlled by outlaws and criminals. It's going to remain that way for the foreseeable future.

Instead, I'll encourage each of you to send a letter to all your friends and the businesses you engage with. I'm more than half-kidding, but I think if our friends and businesses used more common sense, we would all be safer. Here's my letter:

Dear friends and businesses,

There is a good chance that all of our Internet passwords are already stolen. In light of that assumption, let me share what the real me would not do, along with other hints. That way, if you get an email or commercial transaction supposedly from me, you'll be able to quickly separate the legitimate wheat from the rogue chaff. Here are my hints:

For businesses:

  • I will not ever buy a product and have it shipped to another country.
  • If I buy any product and ask you to ship it to anywhere besides my long-held home address, you have permission to call me on my long-held phone number to verify.
  • I will never change my mailing address, phone number, and email address, then also transfer all my money to another bank within the same day, much less same Web session.
  • You should never transfer all my money to another bank or country without first calling my long-held phone number.
  • I will never sell all my stock, at a loss, and try to transfer the money to a foreign bank during the same day.
  • I will not call you to reset my online password and be unable to easily verify information such as my last transaction, purchase, user, or origination location of the last session.
  • My debit and credit cards have my picture on them. If I'm buying in person, I should at least look a little like my picture.
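The business rules above are, in effect, session-level fraud-detection heuristics. The following is an added example (not the author's code) that encodes them as checks over one web session; the event shape, the Profile fields and the action labels are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    home_country: str     # long-held country of residence
    home_address: str     # long-held shipping/mailing address
    balance: float        # total funds on deposit

# Profile fields whose rewrite, followed by a full drain, is treated as hostile.
PROFILE_FIELDS = {"address", "phone", "email"}

def evaluate_session(profile, events):
    """Apply the letter's business rules to one session; return (rule, action) findings."""
    findings = []
    changed = set()          # profile fields rewritten earlier in this session
    dumped_stock = False     # sold all holdings at a loss earlier in this session
    for ev in events:
        kind = ev["kind"]
        if kind == "profile_change":
            changed.add(ev["field"])
        elif kind == "purchase":
            if ev["ship_country"] != profile.home_country:
                findings.append(("ship_abroad", "deny"))
            elif ev["ship_address"] != profile.home_address:
                findings.append(("ship_to_new_address", "call_to_verify"))
        elif kind == "stock_sale":
            dumped_stock = ev["sold_all"] and ev["proceeds"] < ev["cost_basis"]
        elif kind == "transfer":
            foreign = ev["dest_country"] != profile.home_country
            external = foreign or ev["dest_bank"] != "own"
            drains = ev["amount"] >= profile.balance
            if drains and external and PROFILE_FIELDS <= changed:
                findings.append(("profile_rewrite_then_drain", "block_session"))
            elif drains and external:
                findings.append(("drain_to_external", "call_to_verify"))
            if dumped_stock and foreign:
                findings.append(("loss_sale_then_foreign_transfer", "hold_for_review"))
    return findings

# Constructed sample (assumed data): address, phone and email rewritten, then the
# whole balance sent to an unrelated bank in a placeholder country code "ZZ".
SAMPLE_PROFILE = Profile("US", "1 Main St, Springfield", 12_000.0)
SAMPLE_SESSION = [
    {"kind": "profile_change", "field": "address"},
    {"kind": "profile_change", "field": "phone"},
    {"kind": "profile_change", "field": "email"},
    {"kind": "transfer", "amount": 12_000.0, "dest_bank": "other", "dest_country": "ZZ"},
]

if __name__ == "__main__":
    for rule, action in evaluate_session(SAMPLE_PROFILE, SAMPLE_SESSION):
        print(f"{rule}: {action}")
```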

For friends:

  • I will not ask any of my friends to run a new Facebook app.
  • I will not email you or use Facebook to tell you I'm trapped in another country and ask you for money to rescue me.
  • I will not ask you to look at this cool new website in an email without any other text that actually sounds like it is coming from me.
  • I will never ask for your password or give you mine, especially over email or social media websites.
  • I will never offer to give you some of my money if you give me your bank account details.
  • I will never offer to pay you full price for your item and pay shipping.
  • I will never offer to buy something from you and suggest my "personal, trusted escrow company" you've never heard of.
  • I will never send you an email saying you'll have bad luck if you don't forward it to 25 other people.
  • I will never tell you to sell me an item you're advertising on a well-known auction service by taking communications offline and bypassing all their protections.
  • I will never send you an email from an email address you've never seen before and ask you to click on a weird link.
  • My email address will always match the embedded email link behind the visible email address.
  • I will never send you an email and tell you to run a program.
  • I will not start a new Facebook page and invite you to friend it while still keeping my current Facebook page.
  • I will not knowingly invite you to share your friend list to look at a video.

If my trusted friends and preferred businesses could understand these rules, I wouldn't have to worry nearly as much about my online logon credentials being stolen.

What would your letter contain?

This story, "Passwords aren't the problem -- we are," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
