Security Lessons from a Comedian

At a comedy show I attended over the weekend, I heard a comedian tell a funny story about a guy she had met on a dating site. They hadn't gotten together yet, but had exchanged a few messages through the site. To this point, all they had was each other's first names and a photo. After he had sent a message which she hadn't responded to, he sent another message, this one insulting and disrespectful, about her not responding to him. As she tells the story, she replied to him that his message had been offensive, and she asked him to apologize. He did not, and so she said, "Please apologize, or I'll tell your mother what you said." He still did not apologize, but replied with an "LOL".

Now she was on a mission. The guy had mentioned the name of the very large company where he worked, and so her story went on to detail, in a sometimes uncomfortably funny way, how in under an hour, armed with only this person's first name, company, and photo, she was able to track down his name, his high school, his hometown, his mother's name, his mother's address, and the name of his newborn niece. Her message back to the shocked writer of the offensive insult was that she hoped when his mother received her letter at [her home address] she would impress upon him the importance of treating others well, because she would hate for [his young niece's name] to grow up in a world where young men felt free to insult women just because they felt they were anonymous on the Internet.

It was a story that worked well as a comedy bit. Whether entirely true or not, we could take any number of lessons away from this story. One lesson, of course, should be to treat others the way we'd like to be treated in all circumstances. But for a technology blog post, it underscores a couple of key points I want to highlight.

The first point is about privacy. The Internet in general, and social media in particular, have opened many connections between people, and enabled many of us to stay in touch across distances, or renew acquaintances from our past. However, the reality is that there is a lot more information about us out there, and it may be accessible to people we never intended. For some of that information, there isn't much we can do, but for the things we can control, it's important to be aware of, and vigilant about, the privacy settings on our accounts, and to be careful about what we decide to share.

A more subtle point, which may be less obvious, is about our online security. Specifically, this relates to a topic I've written about before, password security. Many people make up what they think are very secure passwords, using personal information such as birthdays, anniversary dates, children's or spouse's names, and so on. Hackers will tell you that with just a little bit of information about someone, guessing a password becomes much easier. As the story above illustrates, it's easier than we might realize to learn that type of information.

You may have seen a news story recently that Bill Burr, the author of the most widely-used password security guidelines for the last 14 years, now regrets the advice he gave in 2003. The NIST document he wrote recommended using passwords with mixed case, numbers, and letters, and that people change their passwords every 90 days. The new NIST guidance does away with that advice, opting instead for longer passphrases that are combinations of multiple words, which are easier for humans to remember, but harder for computers to guess. This article gives a pretty good summary of the story and the reasons behind the new advice.

Unfortunately, many of the password checking utilities used by systems to determine whether your new password meets complexity guidelines will probably still follow the old advice for quite some time, until someone rewrites the code. But wherever possible, opt for longer passwords over short ones, and go for something with multiple words that you can remember. Or, as we've written before, start using multi-factor authentication and biometric security like TouchID and Windows Hello, to counteract the weakness inherent in password-only security schemes.
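To make the contrast concrete, here is an added example (not code from the original post, and not any vendor's actual checker) of the two styles of password check side by side: the legacy composition rule described above, and a length-and-blocklist check in the spirit of the newer NIST guidance that also rejects passwords built from the kind of personal information the comedian was able to dig up. The breach list and the personal-info list are constructed sample data.

```python
import re

# Constructed sample of known-compromised passwords. The newer NIST guidance
# calls for screening against such a list; a real deployment loads a large one.
BREACHED = {"password", "123456", "qwerty", "letmein", "p@ssw0rd", "summer2017"}


def legacy_policy_ok(pw: str) -> bool:
    """The 2003-era rule: at least 8 characters with upper, lower, digit, symbol."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def modern_policy_ok(pw: str, personal_info=(), min_len: int = 8):
    """Length-based check with no composition rules and no forced rotation.

    Rejects anything on the breach list and anything containing a piece of the
    user's own personal information (pet, hometown, child's name, and so on).
    min_len=8 follows the NIST minimum for user-chosen passwords; raise it to
    nudge people toward longer passphrases. Returns (accepted, reason).
    """
    if len(pw) < min_len:
        return False, "too short"
    low = pw.lower()
    if low in BREACHED:
        return False, "appears in breach list"
    for item in personal_info:
        # Ignore very short fragments so "Al" does not reject every password.
        if len(item) >= 4 and item.lower() in low:
            return False, f"contains personal info ({item})"
    return True, "ok"


def compare(pw: str, personal_info=()):
    """Evaluate one candidate under both policies for a side-by-side view."""
    return {"legacy": legacy_policy_ok(pw), "modern": modern_policy_ok(pw, personal_info)}


if __name__ == "__main__":
    # Constructed profile of the kind assembled in the story above.
    known = ("Fluffy", "Springfield", "Madison")
    for candidate in ("Fluffy1!", "P@ssw0rd", "correct horse battery staple"):
        print(candidate, compare(candidate, known))
```

Note that "Fluffy1!" satisfies every legacy complexity rule yet is rejected by the modern check once the pet's name is known, while the four-word passphrase fails the legacy rule and passes the modern one.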

For your business, security is increasingly important to avoid disruptions as well as liability associated with information breaches. Be sure you're talking to your IT support provider about the best ways to keep your company's information secure.