

Creating secure passwords

Friday, July 15th, 2011

This is not a strictly legal post, but I thought it was very useful and easy to apply. Given that I am always going on about making sure your databases and IT systems are secure, this seems to be the perfect tool to get started!

What makes a password strong is the combination of different alphanumeric, special characters, and capitalization that you use, and of course the length of the password.  I don’t know about you, but I don’t want to remember and type an epistle when I fill out a password field. And, ideally, I don’t want to use the same password on many sites, because if one is compromised then my entire life is unlocked.

I want to show you here how to choose very strong passwords for every website that you use, that are different for each website, and that are each at most 9 characters long. A study found that an 8-character password constructed in the manner I’m going to show you has 7.2 quadrillion different combinations, and will take 83.5 days to crack if the hacker can try 1 billion different passwords per second.

Step 1: Pick 2 Starting Characters

To make it easy to remember, all your passwords are going to start with the same characters. But these are not just any characters. Pick 2 characters from the list of special characters that you see above the numbers on your keyboard and to the left of the Enter key.

These characters are: ~`!@#$%^&*()_-+={}[]:;"'<>?/|\

Pick any two of them as your password starting characters. To show you an example as you read through the steps, let’s pick $ and % (pick your own two).

In my example, all my passwords are going to start with $%.

Step 2: Pick 2 Ending Characters

In exactly the same way as above, pick two different special characters that will be at the end of your passwords. Don’t pick the same characters as your starting characters.

For the purposes of my example, let’s pick * and ^. Hence, all my passwords are going to end with *^.

Step 3: Construct The Middle Part Using The Website Name

This is the fun part. Take the first 6 characters of the website domain name where you want to use the password. If the domain name is shorter than 6 characters, then use the full domain name.

In my example, let’s create a password for www.microsoft.com.

The first 6 characters of the domain name (ignoring the “www.” prefix) are “micros”.

Now we’re going to substitute some characters and capitalize others.

Substitute the following characters: a becomes @, e becomes 3, i becomes 1, o becomes 0, and u becomes ^.

Now we have “m1cr0s”.

Now, decide on a standard for yourself regarding which character(s) you’re going to capitalize.

For this example, let’s say we’re always going to capitalize the 3rd consonant.

So now we have “m1cR0s”.

The next step is to drop the last character (“s” in our case), and append the Ending Characters (*^) that you picked in Step 2.

Our password is now “m1cR0*^”.

The last step is to add the Starting Characters (Step 1) to the beginning of the password.

The final password is “$%m1cR0*^”.

A Few More Examples

Domain: www.twitter.com, Password: “$%tw1Tt*^”.
Domain: www.facebook.com, Password: “$%f@c3B*^”.
Domain: www.ebay.com, Password: “$%3b@*^”.

Remember

Pick your own 2 starting characters and your own 2 ending characters, don’t just use the same ones I used in the example.

In addition, make your own capitalization rule (you can capitalize more than 1 character if you want to). You can also use more than the first 6 characters of the domain name if you want to. It just means your passwords will be slightly longer.

Is This Password Strong?

Yes, it is very strong. With this method you’re potentially using any of 30 special characters, 10 numerals, and 26 lower case and 26 uppercase characters. Unless a hacker happens to have a water-cooled supercomputer in his briefcase, he will not be able to crack your password.

Making It Even Stronger

If you’re concerned that some hackers might know about this password construction method, simply pick 3 starting characters and/or 3 ending characters, or as many as you like. Any slight variation of the method makes your passwords even more secure.

Credits

This password construction method was designed by Sammie, a person with a brilliant technical mind.

Calling all website owners: check your cookies!

Tuesday, May 31st, 2011

On 26th May 2011 a new law* came into force which applies to all website operators who use “cookies” to track their visitors’ movement and choices around their site. A cookie is a small file of letters and numbers downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.

The previous rule on using cookies for storing information was that you had to:

  • tell people how you use cookies, and
  • tell them how they could ‘opt out’ if they objected.

Many websites did this by putting information about cookies in their privacy policies and giving people the possibility of ‘opting out’.

The new law requires website operators to make sure they have their visitors’ “informed consent” for the use of cookies. The changes aim to give users more choice and control over what information businesses and other organisations store on their computers and how they track users.

Business groups and privacy watchdogs are divided, though, on exactly what “informed consent” means. Luckily, the Information Commissioner’s office (‘ICO’), the government body responsible for enforcing the law, has published a Guidance Note on what they expect website operators to do. However, the guidance is not definitive and leaves it up to organisations to decide how best to obtain the necessary consent. Thankfully, the ICO has given businesses a year in which to change their use of cookies to comply with the law before it will start to take enforcement action.

What should you do now?

  1. Establish what cookies if any you have on your website. You may have had the site developed for you and so you need to ask your website developer what cookies they used.
  2. If you do have cookies, decide which ones are essential for your visitors’ use of your site. For example, a cookie that tracks what a customer puts in their shopping basket would be considered essential and therefore may not need the customer’s express consent. A cookie that tracks that the customer had a good browse in home furnishings before going to children’s wear, on the other hand, may be considered intrusive and therefore require express consent.
  3. Draw up a plan that shows that you are addressing the use of cookies and that you are putting into place a plan to comply with the new law. This will be important if the ICO does come after you.
  4. Establish how you will get a visitor’s consent to the use of cookies. One option would be to have a pop-up box that alerts users to cookies and asks them to agree. Alternatively, the ICO have said that getting users to agree to your Terms of Use/Privacy Policy would also work. However, instead of just displaying them as a link on your website, you would need to get them to tick a box, indicating their express acceptance of them.
  5. Check that your Privacy Policy spells out exactly what information is being collected by cookies. The bottom line is that you need to be upfront with users about how your website operates.

“Some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent,” the ICO guidance said.

“It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale,” the ICO said.

*The Privacy and Electronic Communications (Amendment) Regulations 2011.

For the Guidance Note see here

For the Information Commissioner’s Office see here

Privacy Policies more important than ever

Wednesday, October 6th, 2010

The Information Commissioner’s powers to fine businesses who do not comply with the Data Protection Act have been increased. Look out for fines up to £500,000 if you lose people’s data or flout the Act. One way to comply with the Act is to have a Privacy Policy which alerts your customers or website visitors as to how you plan to use the personal details you collect from them. Ideally have a link to your Privacy Policy from every website page and get your customers to tick a box accepting the terms.

Don’t have a Privacy Policy? Buy and download one instantly from our Document Shop

Check your pockets or you may end up with a £500,000 fine!

Monday, May 10th, 2010

I was stunned to read in a recent survey that last year 4,500 memory sticks were forgotten in people’s pockets as they took their clothes to be washed at the local dry cleaners! I have washed a couple of my daughters’ memory sticks which were stuck in skirt pockets, but I didn’t realise this happened on such a large scale. As I pointed out in an earlier blog, from 6th April onwards if data is lost and it causes a major security breach, this could now cost a company up to £500k in fines. This is because of the new powers given to the Information Commissioner’s office to fine companies who have not sufficiently protected customers’ details under the Data Protection Act.

If you use memory sticks, check out the ones that can be encrypted such as the ‘Safe Stick’. There are also some clever ones that self-destruct if you find you have lost one or that an employee has stolen vital data on a memory stick. More on that soon.

Businesses to be fined up to £500,000 for losing data

Tuesday, April 6th, 2010

Check out this article from the very useful on-line magazine Growing Business

Bottom line: you cannot take data protection seriously enough. In this day and age, when the devices for storing information are getting smaller and smaller (even smaller than some lipsticks!), make sure you know exactly where they are.

Ideally, encrypt the information on them, so that if they are lost, no one can read the contents.

Key questions to ask yourself on data protection

Wednesday, March 17th, 2010

If you are gathering personal details on your website or in business, ask yourself these questions to see if you comply with the Data Protection Act. A “YES” does not guarantee compliance, but it means you are heading in the right direction. If you don’t have one, a Privacy Policy can be found in our document shop.

  • Do I really need this information about an individual? Do I know what I am going to use it for?
  • Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
  • If I’m asked to pass on personal information, would the people whose information I hold expect me to do this?
  • Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
  • Is access to personal information limited to those who absolutely need to know?
  • Am I sure the personal information is accurate and up to date?
  • Do I delete or destroy personal information as soon as I have no need for it?
  • Have I trained my staff in their responsibilities under the Data Protection Act? Are they fulfilling them in practice?
  • Do I need to notify the Information Commissioner? If so, is my notification up to date?

For more information and advice on good information handling go to www.ico.gov.uk or phone 08456 306060.