Monday, September 03, 2007

Monster incident raises questions about userid and password logon paradigm

The recent media reports about the information leak from Monster (Monster’s own account of this is here) again remind us that large corporations have not been particularly successful in safeguarding client information. At many other companies, however, compromises have happened the old-fashioned way, with the loss of laptops, diskettes, or CDs.

In this case, there has been a lot of criticism that the conventional user name and password is not an adequate paradigm for securing client information. Nevertheless, the information leak appears to have resulted from passwords and similar credentials leaking from recruiters or other third parties, not from direct attacks on Monster. Some companies will start checking for logons from overseas, which can be an indication of password compromise. Others may become stricter with password changes and password cracker tests.
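As an added example (not code from the post or from Monster), here is the kind of logon check the paragraph describes, in Python, run over constructed logon records: it flags logons from a country other than the account's registered one, and flags accounts used from several countries within a day, the pattern that shared or leaked recruiter credentials would produce. The record format and the registered-country table are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real data: (account, UTC timestamp, geolocated country).
SAMPLE_LOGONS = [
    ("recruiter_a", "2007-08-20T09:00:00", "US"),
    ("recruiter_a", "2007-08-20T14:30:00", "US"),
    ("recruiter_b", "2007-08-20T10:15:00", "US"),
    ("recruiter_b", "2007-08-20T11:05:00", "UA"),  # overseas logon within an hour of a US one
    ("recruiter_b", "2007-08-20T13:40:00", "RO"),
    ("recruiter_c", "2007-08-21T08:00:00", "GB"),  # registered in GB, so not anomalous
]

# Assumed: the job board stores each recruiter's registered country at signup.
REGISTERED_COUNTRY = {"recruiter_a": "US", "recruiter_b": "US", "recruiter_c": "GB"}


def foreign_logons(records, registered):
    """Return records whose source country differs from the account's registered country."""
    return [r for r in records if r[0] in registered and r[2] != registered[r[0]]]


def multi_country_accounts(records, window=timedelta(hours=24), min_countries=2):
    """Return {account: sorted countries} for accounts seen from at least
    min_countries distinct countries inside any sliding time window.

    One account used from several countries in a short span is a stronger
    compromise signal than a single overseas logon, which could be travel.
    """
    by_account = defaultdict(list)
    for account, ts, country in records:
        by_account[account].append((datetime.fromisoformat(ts), country))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - start <= window}
            if len(countries) >= min_countries:
                flagged[account] = sorted(countries)
                break
    return flagged
```
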

In theory, the same risk could exist any time a resume is sent to a headhunter, or any time an applicant uses a “headhunter’s” website to apply for consideration for a job. Headhunters now routinely advise jobseekers to leave social security numbers off resumes. If the job hunter has a land address box from UPS or a similar company, he or she may want to use that as the contact address.

Of course, a practical question is how effective using job boards really is. In 2002, I started using them and basically got nowhere. What I found is that promising employment opportunities nearly always depend on a specific match to a specific requirement at a specific employer or situation that the job hunter finds out about through his or her own activities. The low-tech approach often works better. And, as we know especially now through all the media attention to employers’ gumshoeing on the Internet, it is not always prudent for a current employer to find out that one is “looking.”

There is a good story about this at MSNBC by Brian Bergstein, here.