Page 430 - Using MIS
398 Chapter 10 Information Systems Security
lowercase letters in about 5 minutes. However, brute force requires 8.5 days to crack that length password having a mixture of upper- and lowercase letters, numbers, and special characters. A 10-digit password of only upper- and lowercase letters takes 4.5 years to crack, but one using a mix of letters, numbers, and special characters requires nearly 2 million years. A 12-digit, letter-only password requires 3 million years, and a 12-digit mixed password will take many, many millions of years.⁵ All of these estimates assume, of course, that the password contains no word in any language. The bottom line is this: Use long passwords with no words, 10 or more characters, and a mix of letters, numbers, and special characters.
In addition to using long, complex passwords, you should also use different passwords for
different sites. That way, if one of your passwords is compromised, you do not lose control of all
of your accounts. Make sure you use very strong passwords for important sites (like your bank’s
site), and do not reuse those passwords on less important sites (like your social networking
sites). Some sites are focused on innovating products and may not allocate the same amount
of resources to protect your information. Guard your information with a password it deserves.
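The two guidelines above (long, mixed, word-free passwords, and no reuse across sites) can be turned into a checker. The following is an added worked example, not code from the textbook; the word list is a small constructed sample standing in for a real dictionary, and the guesses-per-second rate passed to `seconds_to_exhaust` is an assumption the caller supplies, since the page's own timing figures depend on the hardware of the day (see footnote 5).

```python
from __future__ import annotations

import string

# Character classes the page distinguishes when estimating brute-force effort.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
}

# Constructed sample word list. A real check would load a full dictionary, because
# the page's estimates assume the password contains no word in any language.
SAMPLE_WORDS = {"password", "summer", "dragon", "welcome", "monkey", "letmein"}


def classes_used(password: str) -> set[str]:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def search_space(password: str) -> int:
    """Worst-case number of candidates an exhaustive attacker must try:
    (alphabet size) ** (length), where the alphabet is the union of the classes used.
    This is what makes a 10-character mixed password so much costlier than a
    10-character letter-only one."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password) if password else 0


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed guess rate (caller supplies the rate)."""
    return search_space(password) / guesses_per_second


def contains_word(password: str, words=SAMPLE_WORDS, min_len: int = 4) -> bool:
    """True if any dictionary word of at least min_len letters occurs in the password,
    ignoring case. Such passwords fall to a dictionary attack long before brute force."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def policy_violations(password: str) -> list[str]:
    """Apply the page's bottom line: 10+ characters, letters plus numbers plus
    special characters, and no dictionary words. Returns the failures found."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    used = classes_used(password)
    if not ({"lower", "upper"} & used):
        problems.append("no letters")
    if "digit" not in used:
        problems.append("no digits")
    if "special" not in used:
        problems.append("no special characters")
    if contains_word(password):
        problems.append("contains a dictionary word")
    return problems


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Given {site: password}, return {password: [sites]} for every password shared by
    more than one site, so the reuse can be fixed before one breach exposes them all."""
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault: a strong bank password, and one weak password reused twice.
    vault = {"bank": "x7#Qm!pL2w", "social": "Summer2024", "forum": "Summer2024"}
    for site, pw in vault.items():
        print(site, search_space(pw), policy_violations(pw))
    print("reused:", reused_passwords(vault))
```

Running the sample shows why the advice is paired: "Summer2024" meets the length rule but fails on both a missing special character and an embedded dictionary word, and it is also the password shared across two sites, so compromising the forum would hand over the social account as well.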
Margin note: Management sets security policies to ensure compliance with security law, as discussed in the Ethics Guide on pages 402–403.

Never send passwords, credit card data, or any other valuable data in email or IM. As stated numerous times in this text, most email and IM is not protected by encryption (see Q5), and you should assume that anything you write in email or IM could find its way to the front page of The New York Times tomorrow.
Buy only from reputable online vendors using a secure https connection. If the vendor does
not support https in its transactions (look for https:// in the address line of your browser), do not
buy from that vendor.
You can reduce your vulnerability to loss by removing high-value assets from your computers. Now, and especially later as a business professional, make it your practice not to travel out of your office with a laptop or other device that contains any data that you do not need. In general, store proprietary data on servers or removable devices that do not travel with you. (Office 365, by the way, uses https to transfer data to and from SharePoint. You can use it or a similar application for processing documents from public locations such as airports while you are traveling.)
Your browser automatically stores a history of your browsing activities and temporary files that contain sensitive data about where you’ve visited, what you’ve purchased, what your account names and passwords are, and so forth. It also stores cookies, which are small files that your browser receives when you visit Web sites. Cookies enable you to access Web sites without having to sign in every time, and they speed up processing of some sites. Unfortunately, some cookies also contain sensitive security data. The best safeguard is to remove your browsing history, temporary files, and cookies from your computer and to set your browser to disable history and cookies.
CCleaner is a free, open source product that will do a thorough job of securely removing all
such data (http://download.cnet.com/ccleaner/). You should make a backup of your computer
before using CCleaner, however.
Removing and disabling cookies presents an excellent example of the trade-off between
improved security and cost. Your security will be substantially improved, but your computer will
be more difficult to use. You decide, but make a conscious decision; do not let ignorance of the
vulnerability of such data make the decision for you.
We will address the use of antivirus software in Q5. The last three items in Figure 10-7 apply once you become a business professional. With your coworkers, and especially with those whom you manage, you should demonstrate a concern and respect for security. You should also follow all organizational security directives and guidelines. Finally, consider security in all of your business initiatives.
5 John Pozadzides, “How I’d Hack Your Weak Passwords.” One Man’s Blog, last modified March 26, 2007, http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/. When Pozadzides wrote this in 2007, it was for a personal computer. Using 2013 technology, these times would be half or less. Using a cloud-based network of servers for password cracking would cut these times by 90 percent or more.