Security

10 security mistakes that are easy to avoid

What's worse than getting hit with a security breach? Getting hit with an easily preventable one.

No matter how much we try, users -- and sometimes even IT departments -- overlook some security mistakes that are relatively easy to correct. In this article, I'll discuss 10 avoidable security mistakes and describe what you can do to correct the oversight.

1: Using poorly chosen passwords

There was a day when people thought that using the password "password" would be a surefire way to fool hackers and other miscreants. After all, who would use such an obvious password? Although most people now realize just how poor a password that is, many still use equally obvious choices, particularly in this day of high social engagement. Take this for example: You cleverly use your anniversary year in your password along with the middle name of your oldest child. Both are easily retrieved on Facebook and through other means. Even organizations that have strong password policies can suffer from poorly chosen passwords when users attempt to work around the requirements.

Fix it: Don't use obvious patterns in your password. Mix things up. Substitute exclamation points for the number 1, ampersand signs for the number eight, and the like. The more variety you place in a password, the more difficult it is to crack. If you're creating a password policy for your organization, require the use of characters from multiple character sets.

2: Never changing passwords

I've seen this in action too many times. People who keep the same password forever and use the same password on multiple sites are more likely to suffer a breach. Even in organizations that require password changes, some people try to find ways around having to change passwords on a periodic basis. For example, I once had an employee with domain admin rights who decided to exempt himself from the organization's password policy. He was reprimanded (although, in hindsight, I should have fired him for abusing his access rights) and made to comply with policy. Of course, these kinds of situations should be the exception, but how many people use the same or very similar passwords across multiple sites and change only one character in their password when it comes to expiration time?

Fix it: Educate your users about the importance of good passwords and why changing them every so often is critical. As a part of your policy, consider using a third-party tool to disallow similar passwords at reset time and to create stronger passwords.
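The reset-time check that points 1 and 2 call for, written out as an added example (my code, not the author's and not any particular third-party tool): it requires several character sets and refuses a "new" password that is only a small tweak of the old one. The thresholds (12 characters, 3 character sets, an edit distance of 2) and the personal-detail list are assumed policy values, not figures from the article.

```python
"""Password-change policy check: multiple character sets, no easily guessed
personal details, and no trivial variation of the previous password."""
import re
import string

# Assumed policy values; tune these to your own organisation's policy.
MIN_LENGTH = 12
MIN_SETS = 3
MAX_EDIT_DISTANCE = 2   # old -> new within this many edits is "the same password"

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_sets(password):
    """Names of the character classes actually present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def levenshtein(a, b):
    """Edit distance: fewest insert/delete/substitute steps turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core(password):
    """Lower-cased password with trailing digits/symbols stripped, so that
    'Summer2012!!' and 'Summer!!2013' both reduce to the core 'summer'."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def check_new_password(old, new, personal_terms=()):
    """Return the list of policy violations; an empty list means accepted.

    old and new are the plaintext values the user supplies at reset time.
    personal_terms are details an attacker could look up (child's name,
    anniversary year, ...) that must not appear in the password."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_sets(new)) < MIN_SETS:
        problems.append(f"uses fewer than {MIN_SETS} character sets")
    lo, ln = old.lower(), new.lower()
    if lo == ln or levenshtein(lo, ln) <= MAX_EDIT_DISTANCE:
        problems.append("too similar to the previous password")
    elif core(old) and core(old) == core(new):
        problems.append("same password with a different number or symbol on the end")
    elif len(lo) >= 4 and (lo in ln or ln in lo):
        problems.append("contains the previous password")
    for term in personal_terms:
        if len(term) >= 4 and term.lower() in ln:
            problems.append(f"contains easily guessed personal detail '{term}'")
    return problems
```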

3: Not installing antivirus/anti-malware

This one is a given. If you're not running antivirus software of some kind in your environment, you're wrong. Even with the best firewalls, the concept of layered security still holds true. Anything that the firewall fails to catch can be handled by your antivirus software.

Fix it: Install anti-malware software... now.

4: Not using a firewall or being too lax with a firewall

Whether you're at home or running IT for a business, a firewall should be considered required equipment. Although Windows and other operating systems include built-in firewalls, I have always preferred a hardware firewall of some kind, especially when used in conjunction with the aforementioned software firewall. Moreover, any firewall that is deployed should be deployed well.

Fix it: Wherever possible, deploy a hardware firewall both at home and in the office. Make sure that firewall rules aren't allowing unnecessary traffic to make its way to the internal network.

5: Never patching machines

Operating system and application vendors release software patches for a reason. While many updates add new functionality, many also correct security flaws in products. I've seen plenty of home machines on which the user has disabled software updates. In the enterprise, patches are sometimes skipped on the reasoning that the firewall at the edge of the network protects the organization. This isn't a good strategy, as traffic the firewall legitimately allows through can still carry an exploit for an unpatched vulnerability.

Fix it: Patch machines! Turn on automatic updates and implement robust patch management policies and procedures in your organization.

6: Insecurely storing data

How many of you have stored sensitive data -- personal information or for work -- on a USB thumb drive? Do you ever take that thumb drive with you out in public? I've seen a lot of USB storage attached, for example, to key rings and carried around. Further, that storage simply sits on people's desks and such.

Now, how many of you back up your organization's data to tape? Do those tapes go offsite and, if so, are they always under your control?

Unprotected data is a big deal. A single lost USB drive, laptop, iPad, or tape with the wrong information can land an organization in a mess financially, legally, and from a public relations perspective.

Fix it: Make heavy use of encryption for anything that is portable. Most backup software can be configured to encrypt data on tapes and you can use tools such as BitLocker and BitLocker To Go to protect laptops and portable storage devices. For other mobile devices, such as iPads, consider deploying mobile management security software that separately encrypts and protects particularly sensitive information.

7: Being too generous with permissions

In the enterprise, permissions drive what people can and can't do. The easiest way to enable employees is to grant them carte blanche admin access to everything, but that would quickly devolve into chaos. So most organizations have a policy and structure under which they grant specific permissions based on work-related needs. Over time, unfortunately, "scope creep" comes into play. People change positions within the organization and old permissions are never removed or a temporary permissions increase is never removed, and so forth.

Fix it: Make sure that there are clear permissions policies in your company. Your policies and procedures should include a periodic permissions review that matches current needs with existing permissions; permissions that are no longer necessary should be removed.
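One way to run the periodic review this section asks for, as an added example (my code, not the author's): every current grant is compared with what the holder's present role needs, and temporary increases whose approval date has lapsed are flagged. The roles, users and permission names are constructed sample data.

```python
"""Permissions review: flag grants a role no longer needs and temporary
increases that were never removed (the two kinds of scope creep above)."""
from datetime import date

# Constructed sample data: what each role legitimately needs.
ROLE_PERMISSIONS = {
    "helpdesk": {"reset-passwords", "read-tickets"},
    "accounting": {"read-ledger", "post-journal"},
    "dba": {"read-ledger", "db-admin", "backup-restore"},
}

# Constructed sample data: grants as they exist today. "expires" is the end
# date recorded when a grant was approved as a temporary increase, or None.
GRANTS = [
    {"user": "alice", "role": "accounting", "perm": "read-ledger", "expires": None},
    # alice moved from helpdesk to accounting; this grant was never revoked
    {"user": "alice", "role": "accounting", "perm": "reset-passwords", "expires": None},
    {"user": "bob", "role": "dba", "perm": "db-admin", "expires": None},
    # approved for one migration weekend and never removed afterwards
    {"user": "bob", "role": "dba", "perm": "domain-admin", "expires": date(2012, 3, 4)},
    {"user": "carol", "role": "helpdesk", "perm": "read-tickets", "expires": date(2099, 1, 1)},
]


def review_permissions(grants, role_permissions, today=None):
    """Return (user, perm, reason) for every grant that should be removed."""
    today = today or date.today()
    findings = []
    for g in grants:
        needed = role_permissions.get(g["role"], set())
        if g["expires"] is not None and g["expires"] < today:
            findings.append((g["user"], g["perm"],
                             f"temporary grant expired on {g['expires'].isoformat()}"))
        elif g["perm"] not in needed:
            findings.append((g["user"], g["perm"], f"not required by role '{g['role']}'"))
    return findings


def revocation_plan(findings):
    """Group findings per user so each account gets a single review ticket."""
    plan = {}
    for user, perm, reason in findings:
        plan.setdefault(user, []).append(f"remove {perm}: {reason}")
    return plan
```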

8: Choosing poor (or no) Wi-Fi security

Even with all the known risks regarding open Wi-Fi networks, there are still tons of them out there that are completely open and insecure. Some have taken the step of implementing Wired Equivalent Privacy (WEP) as a protection mechanism since it's widely supported, but WEP encryption can be cracked in as little as four seconds. That said, it's still better than no encryption at all, which carries its own risks.

Fix it: Implement WPA at the bare minimum, or better yet, go with WPA2. WPA2 is a modern wireless security standard that is supported by most modern operating systems. When you implement WPA2, choose a good wireless password, too. It shouldn't be too easy to guess or your wireless protection will be for naught. WPA2 can still be cracked, but cracking WPA2 is far more difficult than cracking WEP or WPA.

9: Avoiding basic mobile device security

Mobile devices will become a hacker's paradise in the coming years. Most people walk around with devices that have unencrypted personal information of some kind and these devices are accessible at a moment's notice. They can also be lost or stolen. I mentioned previously that you should consider what kind of information is on a mobile device and remove anything too sensitive or you should consider software that can compartmentalize sensitive information. But you should also keep the casual snooper from being able to easily access information.

Fix it: It's basic, but at the very least, impose some kind of passcode requirement for mobile device users who access company information. While this will not keep determined adversaries from getting the information they want, it will thwart the casual snooper who might pick up the device.

10: Never testing backups

Let's suppose that all of your other security mechanisms fail and your environment is so severely compromised that the systems and data are no longer trusted. At that point, it might be time to consider restoring the environment from backup. However, horror stories abound about companies that have attempted to recover from backups only to discover that:

  • The backed up files were corrupted.
  • The backup tapes were bad.
  • No files were actually being backed up even though the tapes were being swapped each night.

None of these outcomes is good, and any of them can place an organization in a terrible state.

Fix it: Immediately implement policies and procedures that require regular testing of backups. In addition, consider implementing a tiered backup system that backs up data from disk to another disk-based system and from there, to tape or to another offsite, off-network service that can't be compromised in the event of an attack.
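A backup test that catches all three failure modes listed above, as an added example (my code, not the author's and not any backup product's): the archive is restored into a scratch directory and every restored file is compared by hash against the source, so a corrupt archive, unreadable media, or an empty backup each produce a clear failure. File names and contents are constructed sample data.

```python
"""Backup verification: restore to scratch space and prove the result matches
the source, rather than trusting that the nightly job wrote something."""
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map of relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_of(full)
    return result


def create_backup(source_dir, archive_path):
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")


def verify_backup(archive_path, source_manifest):
    """Restore the archive into a scratch directory and compare it with the
    manifest taken from the source. Returns (ok, list_of_problems)."""
    problems = []
    try:
        with tempfile.TemporaryDirectory() as restore_dir:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir)
            restored = manifest(restore_dir)
    except Exception as exc:  # any read failure means the media/archive is bad
        return False, [f"archive unreadable: {type(exc).__name__}: {exc}"]
    if not restored:
        problems.append("backup contains no files")
    for rel, digest in source_manifest.items():
        if rel not in restored:
            problems.append(f"missing from backup: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    return not problems, problems


def run_scenarios():
    """Constructed demonstration: a good backup, a truncated archive (media that
    fails mid-read) and a job that was pointed at an empty directory."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source")
        os.makedirs(os.path.join(source, "finance"))
        with open(os.path.join(source, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2012-01-01,100\n")
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("quarterly review notes\n")
        expected = manifest(source)

        good = os.path.join(work, "good.tgz")
        create_backup(source, good)
        results["good"] = verify_backup(good, expected)

        # Keep only the first half of the archive bytes: the "bad tape" case.
        bad = os.path.join(work, "bad.tgz")
        with open(good, "rb") as f:
            data = f.read()
        with open(bad, "wb") as f:
            f.write(data[: len(data) // 2])
        results["truncated"] = verify_backup(bad, expected)

        # Tapes swapped every night, but the job backed up an empty directory.
        empty_src = os.path.join(work, "empty")
        os.makedirs(empty_src)
        empty = os.path.join(work, "empty.tgz")
        create_backup(empty_src, empty)
        results["empty"] = verify_backup(empty, expected)
    return results


if __name__ == "__main__":
    for name, (ok, problems) in run_scenarios().items():
        print(name, "OK" if ok else "FAILED", problems)
```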

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

49 comments
umair.asif

This article is very informative. Appreciate the work

Jimbo Jones

WPA2/AES has NOT been cracked; read the linked article. WPA/TKIP has only been PARTIALLY cracked (cracking TKIP does not give a hacker access to the key), and best practice has always been to use WPA2 if your hardware supports it. The issue with WPA2-PSK actually is that users often pick pre-shared keys that are too short and not complex enough, and of course then it's susceptible to brute force like any other authentication method. If you use a PSK that is 25 characters or longer and random, WPA2 is secure. The other issue with any PSK method is that the key is stored on the device, so if it is stolen, or if an employee is terminated, the unauthorized user has access to your network. WPA2-Enterprise avoids that by using a backend Radius server.

matumo.buzingo

Changing the password is necessary not for the sake of making more and more difficulty to guess but to make sure that whoever comes into knowing it may not make use of it for such at time which you have not changed it. In the view of this thus, it is necessary that we periodically change our passwords.

LedLincoln

Everyone posting on this thread is quite password conscious, and is *relatively* unlikely to get hacked. The weakest links are the careless and clueless users who don't understand security, and for whom following all our great advice would be annoying at best, and probably just won't happen. The reality is that we are dealing with ordinary people, not geeks, and for that reason, passwords are a pretty poor method of protecting information.

Al_nyc

As others have pointed out, a strong password is more important than changing passwords. Having passwords that expire on a regular basis leads to weak passwords, forgotten passwords or users who write them down on post-its that are no more than an arm's length away from their computer. All of those are huge problems. Another thing that users should be regularly checking is when their ID last logged in and from what IP address. I always check that. If I see a problem, then that is my cue to fix my password. So far, knock on wood, no problems of the sort.

3rdWick

were driving me crazy. Our company bought out another and now we are sitting on two different servers. Add to that the time sheet reporting and expense account reporting and medical site. Then the 401K on a different site. At first I did have just one password, but then I discovered KeePass and now I am able to make all the passwords complex and different. I use a really strong password for the KeePass program and for my login to my computer. My solution to this password problem, and I am sure there are other programs like this one. And yes, I don't see how changing a password is going to help any. If someone breaks my password, they are not going to wait 3 months to use it. It will be compromised immediately.

Not~SpamR

Some already alluded to hackers using other methods of breaking into systems these days. Just like the security of modern cars is such that it's all but impossible to break into them and drive them off, so would-be car thieves simply change their mode of operation to steal the keys. There are all sorts of tricks they pull to trick motorists into stopping, or they just break into your house and steal the keys. A chain is as strong as its weakest link. So much of what passes for security is focussing on one link, which is far from the weakest already, and trying to make it ever-stronger. In the meantime the weak point is elsewhere.

Not~SpamR

The trouble with corporate policies on changing passwords is that when you're told you must have a password of 8 characters or more, it must have numbers and letters (both uppercase and lowercase) in it, and it can't be any of the last 13 passwords, and you have to have different passwords for each system, one has to ask how many jumbles of numbers and letters the average person can be expected to remember. Was my login password ahG39f?r or was that my email password? Or was it aHG39f?r, I can't quite remember which ones I capitalised. If people can't remember their passwords they end up writing them down, which makes the system less secure rather than more secure. Or they put them all in a file with a single password, which means there's one single point of failure for every system they can access, and for good measure the corporate IT security people have no control over how (or even whether) that file is secured. Ultimately the purpose of security is to be as invisible as possible to authorised users while being as obstructive as possible to unauthorised users. When it becomes obstructive to authorised users they'll look to circumvent it for their own convenience, which means that as security becomes more comprehensive according to the textbook it becomes weaker in reality.

Deadly Ernest

frequent password change concept are pushing it for the system access password on the corporate networks where the data never goes outside the corporate network anyway, thus most of the options to intercept and collect the password aren't able to work as they don't have the access. It's often just some fool's paranoia about passwords. One military base I worked at we had a corporate network that wasn't linked to the Internet and the fellow responsible for base IT had the staff change their password each year just after the major tour of duty rotations. His replacement insisted on monthly changes. After three months I was able to crack 80% of the passwords by just entering abusive phrases as that's the only way the troops could remember the constantly changing passwords. After hearing about this the Base Commander issued a base policy of annual password changes. Password policy was always - password length 12 to 25 characters, must have at least one capital and not as the first or last character, and two numerals with one of them in a place other than either end. It was definitely complex enough all the time.

jartman

Yet another article recommending multiple and diverse "difficult to remember" passwords. And, as always, no workable idea of how to keep track of all these (many!) passwords. Useless advice without a practical way to make it useful.

mla_ca520

The reason to change passwords regularly is so that if a user's password has been compromised that access will cease to work at some point, so the more frequent the password changes, the less likely you will face long term damage from a compromised system. (Incidentally, the password doesn't even have to be compromised; a skilled technician can simply capture a user's ID / pass hash and pass that if the transmission isn't salted.) I see where you are coming from with that, but it is a legitimate security measure.

LedLincoln

Complex passwords are okay, but probably not as helpful as a lot of people think. Website logins are too slow and are probably going to lock someone out before they are able to do any serious cracking. The vast majority of breaches occur through social engineering, as people are persuaded to give up their security information voluntarily. It may be something seemingly minor, but it can lead a hacker to thread through increasingly important accounts to, say, one's bank account. Related: Perhaps you should have added #11: Logging into your secure account on an insecure computer. Public computers or even your friend's computer may have malware that will send your login information to some hacker in eastern Europe. A complex password won't help avoid this, but frequent password changes might alleviate your risk.

toddwahl

Hackers take the path of least resistance..........passwords are only one hurdle to a breach! Neither password strength nor password changes keep a real hacker from the goal of breaching a network.........2 factor authentication ought to be a must for anyone who wants REAL secure access (puts a minimum of two hurdles in the path). Then you can have a password that is somewhat memorable and not have to change it because the 2nd factor is constantly changing. Second factor authentication is affordable (FREE....Google Authenticator) for all or minimal cost (Authanvil or Lastpass) at best so there is no reason everyone cannot go beyond single factor authentication (password only......too easy to hack regardless of strength or frequency of change) to using something of today's technology to secure access to nearly anything.

oldfield

It is very common that strong passwords seem to mean - not possible for a human to remember except if they write them down. Security is more than just the password, it is the entire security of the system and this includes the person at the end. It is all very well if systems create strong passwords for login if the person at the end keeps forgetting it so must write it on a post-it note. A strong password is long - 16 characters with numbers (some server OSes choke on punctuation). Use multiple short words joined that is funny, then users will remember!

Boushe

Honestly, you continuing to say that it is pointless only proves that everyone else here has been in IT longer than you have and they know more about keeping accounts and a network secure. Just like josmyth said in the valid point that he made above you, it's just a matter of time. Like I said before, if a hacker discovers that someone is being lax about changing their password every so often, then YES you are screwed if he decides to throw some hacks in that person's direction

Crash2100

I know it's possible, but I have to ask "how can you never test a backup?" At the least, you try it out to get a file back or something. I back up everything on my computers between daily and once a month, and these backups have saved my butt more times than I can even remember. If you do backups on a regular basis, you can even get a file you accidentally delete or overwrite back without much effort. But I guess there are just some people who do a backup and assume that's all they have to do, then forget the thing even exists when they finally need it.

Glitchw

... along with the middle name of your oldest child. Both are easily retrieved on Facebook and through other means. This implies the "hacker" knows you used these two particular pieces of information out of a multitude of info-facts available on and off line. More likely to fall to a brute force attack than a Google search. It's much stronger than either alone, but granted, not as strong as the other suggestions.

gfailen

Hello all. I live in Argentina, and some keyboards you see are in Spanish, some in English. So the symbols are not always in the same place (simply think about the letter "ñ"). And, sometimes, if the language of the OS is different from the language of the keyboard... guess what. So, if you live in the USA and plan to travel abroad, take care of that. That's the reason why I think carefully about what symbols I'll use in my passwords.

Boushe

There is absolutely no reason to say that changing passwords often serves no purpose. If you go with that mindset in any IT field, you're screwed. That type of thing is exactly what a hacker is going to expect. Regardless of what kind of environment you work in, a specific schedule should be followed, as far as changing your password is concerned, regardless of how strong it is

SkyNET32

Changing passwords often serves no purpose, especially if users already adhere to #1. Having strong passwords eliminates the need and worry of changing passwords that folks need to retrain themselves to remember. If the passwords are strong enough, there is no worry of them being cracked. So educate users to create strong passwords and even "padding" them, will not only make them strong, but make them easy to remember. For ex. !@##EW(S(!!H898%R$ is not as strong as D0g........................................................... See https://www.grc.com/haystack.htm Sigh, I wish this "mantra" of changing passwords often policy would just die already. ;) Philip

CWOThomas

Passwords are more important than ever before, but for users trying to keep ahead of technology in this area it seems like being on the losing end of an arms race. The reason is, hackers are using more sophisticated methods to obtain access to your data. It's only a matter of time until the use of random characters or phrases in passwords will be broken. In response, organizations try and implement yet even more strict password requirements. Why not have the computer(s) identify the person that's using it? I'm not talking about fingerprints, but a more robust biometric system that looks at a number of personal attributes to identify the user. DARPA is trying to figure out how computers can adapt to users, rather than users to computers in this case (National Defense Digital - 2012). Until the day arrives where computers can identify their users, the password arms race will continue. Thomas

technomom_z

You forgot the most easily avoided ones of all. Don't click on links in email. Don't give out sensitive information to people over the phone or via email.

Neon Samurai

Wouldn't be someone trying a website login these days. The real target is the user database so one can work on cracking the passwords at home. Be suspicious of any website that has a maximum password length or limit on complexity because it means they are not properly using and storing your info in a secure manner.

Deadly Ernest

break it so fast it's not funny. Short term duration of a password means people won't put in a lot of effort to remember it, so it's either very weak and easy to remember or written down. I've lost track of the number of people I know who have little books they carry around with account names and strong passwords written in them so they can remember them and not have to mess them up again. If they lose the book they lose everything. A few very strong passwords that you can remember and change only every year or two or three, and you're much better off as it would take a great hacker longer than a few years to break a very strong password that's ten or more digits long. So you're safe with a long life password. but as I said before, you're better off with a number of passwords you remember and use them for different levels of security for the sites you visit.

wizard57m-cnet

Besides, what does it mean if someone has been in IT longer than someone else? I've been around for over 30 years, and I can say from the viewpoint of someone being forced to change passwords at excessively short intervals that it does not work! Everyone either wrote the new password down or would print a screenshot of it. If they lost that, they would ask for another password to be assigned, then write it down or take the screenshot. So, outside of a bit of inconvenience to the user, what does forcing password change every month accomplish? Not much. A strong password that is not easily guessed but can be remembered seems to be a more reasonable approach. edit to add... those "new" ideas were rebuffed by the 15th century church leaders as well... how dare those young heretics suggest the world is not flat but is round!!

carl.gaede

After a server location move my brother tried the backup tapes just for grins only to discover that their software did not copy files through links. His several hundred location retail employer had no backups of their entire transactions database going back to day 1. No biggie. I am sure that this could be recreated by hand using the paper trail, right? ;-0

Al_nyc

This is exactly why I NEVER voluntarily give that information. If I have to, then I fake it. I don't feel slighted if all of my FB friends don't wish me a happy birthday. As far as the public internet sites are concerned I'm currently 112 years old and live at 123 main st, my dog's name is Fido and my grandmother's name is Granny.

wdewey@cityofsalem.net

There are techniques out there to grab keywords from social media and then to mix and match them as a part of a dictionary attack. This greatly increases the attack success rate. Bill

Deadly Ernest

It's hard for most people to remember a new password too often. Or you get the ones where they use the exact same word and just add the month to the end.

SkyNET32

Serves no purpose, unless an employee is fired or resigns. That's all

SkyNET32

to change passwords if they are strong enough and easy to remember, goes unnoticed. So once again, yes, there IS certainly a reason: Users will try everything to keep getting back to the password they took so long to memorize anyway, and in case you weren't listening, if the password is strong enough, there's no need to change it periodically, if at all. So no, I'm not screwed, and yes, it serves NO meaningful purpose; those who continue to adhere to a useless policy (obviously like yourself) only to create even MORE work, are screwed. But keep perpetuating the "mantra" by all means, especially when you posit no evidence as to why your argument is even valid.

pcrx_greg

Take a look at this comic strip from XKCD. Http://xkcd.com/936/ It makes a lot of sense to make easy to remember but hard to guess passwords.

andrew232006

I have a dozen passwords to keep track of with frequent password change rules and obscure rules like password must contain a symbol and a number and a capital letter. Rules like these make it more difficult for humans to remember than it does for computers to crack. Having to change them all regularly makes it nearly impossible to keep them all memorized. So users usually end up either recording them somewhere where they can be discovered. Or they use the same password for many different systems and a vulnerability in one system will compromise many systems.

Charles Bundy

as the underlying assumption of encryption on the part of the service provider. If someone in Internet land is storing passwords in an unsecure fashion then a backend harvest will net them your password no matter how *strong* it is. In those cases about the only thing you have control of on the front end is password rotation frequency/differentiation. Otherwise I agree completely with what you are saying, esp wrt padding. Make a password rule too complex and you can usually find it on a post-it note.

wdewey@cityofsalem.net

Do a search on "passing the hash" and let me know if that changes your mind. Often times corporate security policies have people change their passwords not because they could be cracked, but because changing passwords will cause problems if a person's hash has been stolen. It limits the amount of time that an attacker has unrestricted access with those credentials. Bill

daldama

All you password change junkies....why? Why does it make better security? As Phillip points out, you WILL have instances where users will change a strong password to a weaker one. And most people end up keeping the same password but change the number or capitalize a different letter. Duh. Let's stop the madness. STOP changing passwords often. Start teaching users how to build STRONG passwords.

josmyth

It's just a matter of how long it takes and if the hacker gives up at some point to move on to easier targets. Someone could have their password cracked and not know about it for awhile. At the very least, changing passwords will clean up the compromised passwords.

Nimmo

Email links should be up near number 1, as for sensitive information that should stand for both employees and IT staff.

cue.burn

True, choosing a very complex password foils computer cracking techniques. However, for this to be the only defense requires that we be absolutely certain that the password has not been compromised in any other way (e.g. social engineering, etc.). I am reasonably sure that my own password has not been compromised. The passwords of my users who have access to sensitive data? Not reasonably sure at all.

Craig_B

What if an employee works for a company for 5 years, on day 1, they create an uber secure password and they never change it. Through any number of different methods (crack the DB, social engineering, malware, lucky guess, extortion, etc.) someone manages to get the password after 3 years. Now the cracker is golden and has an account of a password that is good for at least 2 years in this case. They can then use this for other attacks and get more passwords for users that might be around for the next 10 years. Technology and security implementations continue to change and after a few years that uber secure password may just be a good password over time. Having a user change the password every week is one extreme, never require a password change is the other extreme. I believe somewhere in between these extremes there is a balancing point where having users change passwords is beneficial for security. Of course you can choose any policy that you feel comfortable with.

daldama

The ORIGINAL reason to change passwords often was to correct admin mistakes of not removing old users (ex-employees). ALSO....remember the movie War Games w/M. Broderick....they used a shared password. So changing the password every so often protected them when users became ex-users. Point is....we don't need to do this anymore. Our security has evolved into a sophisticated system where it is easy to remove employees from the user profile. IMHO....changing passwords is another excuse by systems admins to justify their jobs. Lame.

Deadly Ernest

however, there is a real need to either change passwords on a reasonably regular basis or have different passwords for different purposes. The main reason security people tell you to change passwords on a regular basis is because most people will use the same password for just about everything; and once a password gets compromised in one location it's compromised all over. Another way around that is to have a set of very different passwords that you remember and use them for different levels of security needed for the site. For example, the password security needed to access a site where you have read only access, such as an on-line story site, you don't need high security; while password security for your on-line banking site does need to be very high security. If you have four or five and split their usage up based on the needed security level the chances of being compromised on the high level passwords are very low and it doesn't matter that much about the low level ones. Another way is to have a different password for each log on you have, but this will soon have you going crazy trying to remember them or you end up making them too easy in order to make the easy to align with each log on / site. Even using one or both of the above, you should still change them every now and then, but you can make the changes an annual or multi year event instead of a monthly one. The biggest password security issue is when people resort to writing them down in order to be sure they have them right. Next after that is when they get disgruntled due to some security guy insisting they change each month so the password is made up of abusive phrases, and thus often easy to break.

SkyNET32

Only WEAK ones. If it was implemented at the onset that compliance was to use strong 16-20 alphanumeric and special symbol passwords, and employees aren't sharing them or writing them down on post-it notes, there is no reason to change that strong password. It would take a hacker hundreds of years to brute-force a cryptographically strong 20 character password, even with a highly sophisticated offline GPU gate-array. If the crypto is done right, there's no need to worry. The only case that I can see worth changing an employer/employee's password would be if they left, resigned, or were terminated.

ebsfrmr

Is this an absolute rule? What if you can see the entire address path when you hover over it, and can see the path is as shown in the message? The reason I ask, is I am trying to not send so many attachments to clients and directing them to my website to access presentations and such. I use the entire http://... address. Any ideas and tips would be helpful.

Scott Lowe

Email links... not sure how I missed that one, but they're just nasty. For what it's worth, consider it "Number 0" on the list now that it's in the comments :-) Scott

Not~SpamR

So set the system to inform the user when they last logged in. If the user sees their last login wasn't when they last logged in they know their password is compromised and can change it immediately and to something totally different, rather than being blissfully unaware until the system forces them to change it resulting in them changing MyPasswordToComplyWithSillyRule101 to MyPasswordToComplyWithSillyRule102 which the person who cracked their password will probably try first of all when they realise ...101 doesn't work any more.

Kenton.R

...and that's something you don't want to do. You can still send the link in the email, but don't make it clickable - make them cut & paste the url into their browser. If they have to select, cut, paste, hit enter, and STILL don't notice it is sending them to maliciouslink.com/exploit.asp instead of yourwebsite.com/valid.html... well, you've done all you can for them. You could send them a link to a nsfw shock site and I guarantee they'll start carefully reading links instead of blindly clicking them... but HR/legal departments probably wouldn't approve of that strategy. Some malicious links get sneaky, disabling or displaying "OnMouseOver" text that is incorrect to hide the real link and/or typing out https.://YourNormalBank.com while actually linking to FakeBankSucker.com. If the link appears to be written out in the email, 90%+ will just click it and assume that is where they are going.

pcrx_greg

An excellent way to share presentations or large files is to use DropBox from dropbox.com. This application allows you to share files in the cloud with any client that you wish. You can set up separate folders for each client so they only have access to what you want them to see. The first 2 GB are free and then you need to subscribe.