eDiscovery Daily Blog
eDiscovery Trends: An Insufficient Password Will Thwart Even The Most Secure Site
Several months ago, we talked about how most litigators have come to accept that Software-as-a-Service (SaaS) systems are secure. For example, at Trial Solutions, the servers hosting data for our OnDemand® and FirstPass® (powered by Venio FPR™) platforms are housed in a Tier 4 data center in Houston (which is where our headquarters is). The security at this data center is military grade: 24 x 7 x 365 onsite security guards, video surveillance, biometric and card key security required just to get into the building. Not to mention a building that features concrete bollards, steel lined walls, bulletproof glass, and barbed wire fencing.
Pretty secure, huh? Hacking into a system like this would be very difficult, wouldn’t you think? I’ll bet that the CIA, PBS and Sony had secure systems as well; however, they were recently “hacked” by the hacker group LulzSec. According to a recent study by the Ponemon Institute (linked to here via the Ride the Lightning blog), the chance of any business being hacked in the next 12 months is a “statistical certainty”.
No matter how secure a system is, whether it’s local to your office or stored in the “cloud”, an insufficient password that can be easily guessed can allow hackers to get in and steal your data. Some dos and don’ts:
Dos:
- If you need to write passwords down, write them down without the corresponding user IDs and keep the passwords with important documents like your passport, social security card and other important documents you’re unlikely to lose. Or, better yet, use a password management application that encrypts and stores all of your passwords.
- Mnemonics make great passwords. For example, “I work for Trial Solutions in Houston, Texas” could become a password like “iw4tsiht”. (by the way, that’s not a password for any of my accounts, so don’t even try) 😉
- Change passwords every few months. Some systems require this anyway.
Don’ts:
- Don’t use the same password for multiple accounts, especially if they have sensitive data such as bank account or credit card information.
- Don’t email passwords to yourself – if someone is able to hack into your email, then they have access to those accounts as well.
- Personal information may be easy to remember, but it can also be easily guessed, so avoid using things like your kids’ names, birthday or other information that can be guessed by someone who knows you.
- Avoid logging into sensitive accounts when using public Wi-Fi as it is much easier for hackers to tap into what you’re doing in those environments. If you’re thinking of checking your bank balance while having a latte at Starbucks, don’t.
So, what do you think? Are you guilty of any of the “don’ts” listed above? Please share any comments you might have or if you’d like to know more about a particular topic.
Full disclosure: I work for Trial Solutions, which provides SaaS-based eDiscovery review applications FirstPass® (for first pass review) and OnDemand® (for linear review and production). Our clients’ data is hosted in a secured, SAS 70 Type II certified Tier 4 Data Center in Houston, Texas.