A rant on the importance of properly securing sensitive data
This morning started off as a typical workday for me, sitting in my office banging away on the keyboard, reading system logs, and chatting with three different colleagues via IM, while on hold with tech support (I multitask very well sometimes).
Without warning I suddenly had this feeling that something VERY bad was happening. I can’t really explain it, but a chill ran down my spine and I just knew something freaking dire was transpiring at that very moment.
I stopped everything I was doing and closed my eyes trying to figure out what had set me on edge, and then I heard it. Wafting from down the hall (I work in the accounting building) I heard the following “… can you email me that text file with all the credit card numbers in it again? I think I accidentally deleted it from my email.”
WHAT!?!?!?!? GAH!!!!!!
And so I went charging out into the hall to put an immediate halt to this nonsense.
Now I have explained multiple times that no one (I mean that literally – myself included) is to ever store any passwords or access codes (including credit card numbers) in an unencrypted format, for any reason (this is quite clearly laid out in our IT policy manual, which every employee has read and signed). Apparently some of the office staff thought I didn’t really mean that, it was just filler in the policy manual.
GRRRRRRRRRRRRRRRRRR
So 45 minutes later I sat in an emergency all-hands meeting, yet again explaining (in detail) why this is a no-no, with the usual pushback (it’s too hard to lock a spreadsheet, etc.).
I just don’t understand what is so difficult about this, after all I have provided them with the necessary tools to secure this… kind… of… informa… DOH!
Every now and then I have one of those moments when I realize that I have done everything I can think of to prevent some problem (in this case potential data loss, and/or financial abuse), except one simple thing to ensure that everyone plays along; in this case I forgot to give them the tools!
Hey you’re not perfect either, so back off!
As I realized my mistake, I smoothly (seriously I don’t think anyone even realized this was not part of my planned topic) plugged my laptop into the projector and continued on to explain the answer to all of these issues; KeePass Password Safe.
For anyone that has not used KeePass, this little tool is a little piece of file/password encrypting goodness. It’s free (as in open source free), and the files created with it can be viewed on Windows and Linux/Mac OS X machines. You can download KeePass here.
Personally I use version 1.11, as it is also available in a portable version from PortableApps.com, and I always try to keep all of the utilities I use on a daily basis on my USB drive.
The Linux version is called KeePassX, and can be found here.
I love this program because it only requires the user to remember two passwords; their logon password, and the Master password for KeePass. Everything else can be kept in the KeePass database.
I seriously cannot say enough about how awesome this tool is, I use it to secure every piece of sensitive information that I have. If you’ve been looking for something to protect your sensitive information, I would highly suggest you give KeePass a spin, I think you’ll find it’s really unobtrusive, and definitely safer than using a text file to store credit card numbers.


August 9, 2008 - 12:28 pm
Great article, I have been playing around with different Password safe apps but most are available for only one platform Win or OS X or Linux. I use all three and I need something to support cross platform use. I will definitely give this a try. Thx
Karl L. Gechlik | AskTheAdmin.com Reply:
August 9th, 2008 at 3:52 pm
Come back and let us know how it goes Bryan!
August 10, 2008 - 12:09 am
I love KeePass, and I use it to create all my passwords. Sometimes friends give me a weird look when I say I don’t know my password – I have to plug in my USB drive to get it (using Portable KeePass) – and I have to explain that I use all random-generated passwords. (And yes, the USB stick is encrypted by TrueCrypt.) But it makes me feel a LOT better.
Karl L. Gechlik | AskTheAdmin.com Reply:
August 10th, 2008 at 11:50 am
How long are those random passwords, Kat? What happens if that USB drive gets busted?
Joe Glessner Reply:
August 10th, 2008 at 12:12 pm
As I keep almost EVERYTHING I use on a daily basis on my USB drive, I actually have put some thought into the “what if it breaks?” question. For me, I use Microsoft’s SyncToy (the 2.0 beta) to copy everything on my USB drive to my workstation at the office and to my laptop at home every day. I also copy to a spare USB drive at the office once a week (I keep this in my firesafe with the backup tapes).
I rely pretty heavily on the data I keep on my USB drive, so I have made sure that it will always be available to me. In addition to the above, once a month I burn a copy to DVD and drop it in the firesafe so if I screw up and delete something I won’t need for like 2 months, I’ll be able to find it when I need it.
Kat Reply:
August 10th, 2008 at 5:12 pm
Indeed, I do have backups. KeePass supports generating quite long passwords, and I only use short ones on sites that require it (some sites limit you to 14 characters, for example).
August 11, 2008 - 3:11 am
Hi Karl, I just graduated from college and my first job is to become SysAdmin at some international school here in Indonesia. Great blog! I hope you don’t mind if I ask you several questions, as I’m so unknowledgeable… :)
Karl L. Gechlik | AskTheAdmin.com Reply:
August 11th, 2008 at 9:09 am
That is what we are here for Teguh – email your questions to help at asktheadmin dot com.