Why sharing passwords is a Very Bad Idea

I think the following policy should apply to company user accounts (not personal ones like Facebook or Google accounts, but accounts at workplaces). The bigger the workplace, the more important these are:

  1. Access should be given to named individuals only.
  2. Account names should be based on individuals’ names.
  3. Credentials should not be shared.

Response to a bad article on My Health Record

Dr Stephen Duckett of the Grattan Institute wrote a particularly poor piece on the My Health Record system. His article is available here:


This post is my response, lightly edited with some footnotes added.

Two-factor authentication – do it now.

The online world has become too dangerous for us to keep protecting ourselves with no more than a username and a password. Especially when most of us choose stupidly simple passwords. Even if you choose a good one – upper and lower case, special characters, letters and numbers – you now need such a long one that no human can remember it. Tools like LastPass are great, but only if you also use ridiculously long passwords. Pretty much the best protection you can give yourself is a simple thing called two-factor authentication. It’s simple, it’s free, and it’s very effective.

Data Loss Prevention policies made simple

On a mailing list I frequent, someone asked about policies to help a company avoid losing intellectual property. The generic term for stopping the loss of important information (with loss being not just destruction, but also the wrong people getting it) is data loss prevention or DLP. I was moved to comment… because most DLP policies are not worth a button.

Unforgettably yours?

On a mailing list that I frequent, someone recently posted a set of statements which gave me pause for thought. I thought about the millions (billions?) of personal details stored in private collections, also known as contact lists. And I thought about how little care we take over how we treat that information.

I will summarise the statements as follows:

  • I have a large address book of contacts, which is growing fast
  • I’m a member of multiple social sites, like Facebook, Twitter…
  • my contacts currently live in Google Apps
  • I want my contacts available in each service
  • I could import my address book into each service
  • but I’d like to automate it

Which led me to wonder what details the writer might have collected about his numerous contacts. Name, address, phone, email, birthday…? And without asking any of these people whether it’s OK with them, the writer wants and plans to dump their details (automatically if possible) into multiple privacy-hostile service providers’ databases. For the sake of convenience.

Given the state of privacy laws in Australia and their near-total lack of meaningful enforcement, no-one can stop this person doing whatever they like with whatever data they collect.

But if you are like this person, and think that my personal details are yours to do as you please with, and specifically yours to share with large commercial third parties whose avowed intention is to collect all the data in the Universe, I do have a request.

Please – forget me. Before you make me unforgettable.