YET ANOTHER reason to enforce strong passwords in the corporate world.

It amazes me how many companies let employees use weak passwords, or passwords with no expiry.

Below is an excerpt from a prior article at CRMbuyer.com.

Convio, a provider of CRM applications for nonprofit organizations, has announced that e-mail addresses and passwords have been stolen from its clients’ databases. The American Red Cross is among the companies affected by the breach. No bank account information or Social Security numbers, however, appear to have been leaked.

Tad Druart, a spokesperson for Austin, Texas-based Convio, said the company has notified federal authorities of a data breach between Oct. 23 and Nov. 1.

The hacker used an employee’s password to get at the data

No Social Security numbers or bank account information was stolen, Druart said. He said the company immediately notified the 92 companies affected, though he would not name them, and it wasn’t known how much information was compromised.

Red Cross spokesperson Stephanie Millian confirmed that roughly 278,000 e-mail addresses and a smaller number of passwords were taken from a Red Cross blood drive Web site that ran on Convio’s software. She said the Red Cross notified affected users Nov. 14.

What kind of policy settings or password complexity are we looking for?

A Policy Setting should have the following:

• Enforce password history: 3 passwords remembered
• Maximum password age: 90 days
• Minimum password age: 0 days
• Minimum password length: 8 characters
• Password must meet complexity requirements.

The password complexity requirements are:

• Not contain all or part of the user’s account name
• Be at least six characters in length
• Contain characters from three of the following four categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Base 10 digits (0 through 9)
  • Non-alphabetic characters (for example, !, $, #, %)

I’m not claiming the above incident was a result of a weak password, but it’s always a good reminder to set strong passwords and change them regularly between 90 – 120 days.