Cyber Security Awareness Month
To mark October as Cyber Security Awareness month, we asked leaders in our community this question: Data breaches containing password information have become a regular occurrence. At the beginning of October, Yahoo revealed that its 2013 data breach affected 3 billion accounts, with not only passwords, but answers to account recover questions leaked as well. Given the threat of account hijackings from stolen passwords, what is your approach to managing passwords? Share how you approach this both at your business and for your own personal accounts on the web.
Brendan Howe, president and CEO, Techify
I take protecting passwords very seriously both at work and at home. Over the years, we have seen many examples of password breaches both in the news and with businesses who have called Techify for help. At the office, we use a password generator to create long, complex passwords and use two-factor authentication as much as possible. We also strongly urge our clients to use complex password policies across their different applications. At home, I use a password keeper on my phone and enable two-factor authentication wherever it is available.
Sheetal Jaitly, CEO, TribalScale
At TribalScale, we have enabled two-factor authentication on all of our accounts. We also use services such as LastPass, a site that manages all your password with one master password. All your information, whether it’s business or personal related is important so I treat both the same at work and at home.
Luc Villeneuve, country leader, Red Hat Canada
When I’m online I take nothing for granted when password cracking software is capable of tens of millions of attempts per second. My general principle for personal passwords is to use initial letters of a phrase or sentence, essentially a “random” sequence of words. Length is critical. I try to use symbols and capitalization. Don’t assume any information is private, particularly your SIN or family names. Never re-use email passwords because many online sites use your email to reset forgotten passwords. Avoid saving your passwords in a plain text file. Instead, consider just saving the site name, your login name and maybe a phrase or clue to recall the password.
Tammy McKinnon, vice-president of business management & governance, TD
Passwords still play an important role in verifying our online identity. While the evolution of biometrics and digital identity technologies could change how we use passwords in the future, for now, I follow a three-step approach to keeping my financial information secure. I make sure my passwords are strong – I change them frequently and make sure they’re not predictable. I pay attention to TD Fraud Alerts – this is our system for notifying our customers by text if we detect any suspicious activity on their TD Access Card so we can immediately block access to their card if the activity is fraudulent. I’m also always cautious if I receive an unsolicited e-mail containing attachments or asking me to click a link and provide sensitive information. Banks will never ask for sensitive information like usernames or passwords through an unsolicited e-mail.
Carl Rodrigues, CEO, SOTI Inc.
It’s critical to have a strong deterrent approach to security, to be able to proactively mitigate risks, rather than be in a defensive position. SOTI enforces complex passwords with 3-month expiry, multi-factor authentication, encrypted communication to company applications, and single sign-on (SSO) technology to protect company and customer data. SSO prevents employees from sending corporate credentials to company applications; as a result, if one of the applications is compromised the employees’ corporate credentials are not exposed. In addition, if an employee’s credentials are compromised then access to all company applications can be disabled from one central location.
Mary Ann Yule, president and CEO at HP Canada
Many of today’s attacks, including those aimed at stealing passwords, are coming through unsecure web browser links. With the ability to differentiate between safe and unsafe sites becoming more difficult than ever, users need hardware-enforced security for web browsers to protect themselves. In my organization, we use HP Sure Click technology, which prevents phishing and malware attacks from compromising a user’s data, passwords, and systems by seamlessly opening each browsing tab in a “micro virtual machine,” isolating these threats from the PC’s core system. This eliminates the ability of one website to infect other tabs, the system itself or the entire network. And more importantly, it shifts the responsibility from the end user to the PC hardware.
Greg Wolfond, CEO of SecureKey Technologies
Yahoo believes that an “unauthorized third party” managed to steal data from their centralized information model. The breach not only exposed that centralized databases are no longer safe, but also revealed the immediate need for secure authentication tools to verify that people or organizations are who they say they are. Blockchain-based solutions utilized to verify one’s digital identity create barriers between personal data the potential data breaches that have become the norm, protecting the information of consumers and the organizations they choose to interact with online. Solutions like the digital identity network we are building prevent vulnerable data honeypots from ever being created by building a digital environment of trust, privacy and security that goes beyond passwords.
Alan Cawse, CSO, EVP technical services, Geotab
When you cannot control how your passwords are secured, you have to assume that they will sooner or later be exposed. To limit the impact of a breach, it is critical that you use completely different passwords for different sites or services. The best way to achieve this is to use random, complex passwords (at least 15 characters long) each time you have to create one, and use a reputable password manager to keep track of them. For additional protection, you should always enable two-factor authentication whenever you have it as an option.
Dave Millier, CEO, Uzado Inc. 
Use multi-factor authentication wherever possible. Something you have along with something you know can make all the difference if your password gets compromised somehow. I leverage my cell phone and text messaging extensively. I use a different password for everything and encrypted password manager software to maintain all my passwords. Wherever possible I enable two-factor authentication (banks, email, basically anywhere it’s available I turn it on). Passwords are a necessary requirement for accessing most systems; two-factor / multi-factor authentication makes it almost impossible for someone to compromise your account(s), even if they manage to hack a database which contains your password or hack your own system, that extra requirement (factor) may very well save the day.
Douglas Heintzman, preactice leader, The Burnie Group
I tell anyone that will listen that we should all be using blockchain based digital identity management systems that support zero knowledge proof protocols so that not only are we not vulnerable to these data breach exposures but our adhoc online transactions become much more secure and frictionless. When that doesn’t work I just change my passwords a lot.
Bojan Paduh, founder, Electronic Recycling Association
Personally, I keep up to date with hacking threats by reading various blogs, articles and attending conferences. I find even the basic knowledge of the ‘hack world’ and knowing what could happen, can help protect you and your company. We have limited the number of admins who control our website and also the number of times our employees can upload files. We have introduced a backup policy where we back up our servers on a regular basis to ensure all of our important data is secure and up to date. This process prevents the loss of vital data for the running of the business. Managing our own accounts and passwords has proven successful over the past 14 years and continues to do so on a daily basis.