The security of common sense (continued)
So, if you have a six-character password and remember to change it once every 150 or so years, you'll stay well ahead of any potential hackers. Really, this is why outside attacks are so rare, because the time involved is insurmountable. This does shine the spotlight on the LotteryHack though. The LotteryHack bypasses the Great Divide because it works locally. This is what scared all those security people when they learned that hashed Internet passwords don't contain a salt. It means a user can take that password locally and try to hack it. Without having to connect to a network, you can crack passwords thousands of times faster than what was described above.
Still, 1000 times isn't that big of a deal when it means that you would still need to wait half a year to crack one password. The technology isn't here yet for it to matter too much, but someday there will be quad-processor, 800 terahertz machines that will be able to rip passwords apart in seconds. That's why it's of paramount importance that you at least force the enemy to cross a network to reach you.
Lotus has provided a means in R4.x to strongly encrypt HTTPPasswords, which would make LotteryHack useless and force people to attack via your network. There's an action in the NAB/Domino Directory called Upgrade to More Secure Internet Password Format. This will add a salt to the HTTPPassword and is highly recommended. In R5, you can default all passwords created to strong encryption by changing the setting Use More Secure Internet Passwords in the Directory Profile. Remember that Domino Directories often replicate, and be sure that all replicas have the strongly encrypted version of the passwords; having one Domino Directory out there still containing weak passwords defeats the purpose of encrypting any of them.
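One way to check that every replica has been upgraded, as an added example that is not from the original article or from Lotus: it audits exported HTTPPassword values per replica and lists users who still hold an unsalted value anywhere. The pattern used to recognise the older format (32 hex digits in parentheses), the replica names and all sample values are assumptions constructed for illustration.

```python
import re

# Assumption: an old-format value is a 32-hex-digit digest in parentheses.
# Confirm the pattern against a known un-upgraded entry in your own directory.
UNSALTED = re.compile(r"^\(?[0-9A-Fa-f]{32}\)?$")

def classify(value):
    """Return 'empty', 'unsalted' or 'upgraded' for one HTTPPassword value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    return "unsalted" if UNSALTED.match(value) else "upgraded"

def audit_replicas(replicas):
    """replicas: {replica_name: {user: HTTPPassword}}.
    Returns {user: [replicas where that user's value is still unsalted]}."""
    findings = {}
    for replica, entries in replicas.items():
        for user, value in entries.items():
            if classify(value) == "unsalted":
                findings.setdefault(user, []).append(replica)
    return {user: sorted(names) for user, names in findings.items()}

def shared_hashes(entries):
    """Groups of users whose unsalted values are identical. Without a salt,
    equal passwords give equal hashes, so one guess tests the whole group."""
    groups = {}
    for user, value in entries.items():
        if classify(value) == "unsalted":
            groups.setdefault(value.strip().upper(), []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample export: the hub replica is upgraded, the branch is not.
SAMPLE = {
    "hub/names.nsf": {
        "alice": "(GexampleUpgradedVal01)",
        "bob": "(GexampleUpgradedVal02)",
        "carol": "(GexampleUpgradedVal03)",
    },
    "branch/names.nsf": {
        "alice": "(GexampleUpgradedVal01)",
        "bob": "(00112233445566778899AABBCCDDEEFF)",
        "carol": "(00112233445566778899aabbccddeeff)",
        "dave": "",
    },
}

if __name__ == "__main__":
    for user, where in sorted(audit_replicas(SAMPLE).items()):
        print(f"{user}: unsalted HTTPPassword in {', '.join(where)}")
```

Any user reported here is still exposed to local cracking through the listed replica, even if the other copies of the directory have been upgraded.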
Brother against brother
We've detailed the various aspects of the third most common form of security breach, so now for the second most common. This category is exponentially more likely to visit your company than the third and comprises violations by disgruntled employees, disgruntled ex-employees, lazy employees, and bad programming.
This is the area that your security department should be concentrating on. Not only are these "hackers" informed about what information to take and how to take it, they often have direct access to do so. This magazine has published many great articles on security measures that can help. However, there are some general things I'd like to point out.
Ignorance of the law is an excuse
Make sure employees know what they're allowed and not allowed to do. Reminders that company email is company property and that its uses should be limited to "x, y, and z" will make sure people know their limitations. There's a fine line between the merely curious and those attempting to harm your company. Most employees, if they know they could jeopardize their standing in the company through certain actions, won't take them. They often don't know what's off-limits, though.