Let’s make one thing clear: David Petraeus should not have been forced to resign. I honestly have no idea how good he was at leading the CIA. However, given his track record in the military there’s no reason to think he was anything less than competent, and competent people seem to be in rather short supply these days.

He had an affair, which is a breach of CIA regulations that say adultery is okay... as long as the agency and the spouse know about it. The regulations were put in place ostensibly to prevent a CIA employee from being blackmailed. This is the same ostensible reason for keeping gays out of the military, and we all know how well that worked.

I suggest the CIA adopt a new policy of “We don’t care.” If blackmail really is the primary concern, then this would solve that problem just as letting gays serve openly in the military has done. The military, which also makes adultery a firing offense, should adopt the same policy.

This is an astonishingly bizarre moral code to impose on spies and soldiers. Do you know what they do for a living? They make decisions about life and death–some of which involve killing other people. So it’s okay to kill but not to have sex out of wedlock? Whiskey Tango Foxtrot! (Under these rules we would have been denied the services of Gen. Dwight D. Eisenhower who, when he was in England, did not do much to hide his affair with Kay Summersby.)

Okay, enough ranting and raving, and back to the subject at hand: what everyone can learn about IT security from this whole piece of stupidity.

1) Never write down what can be said; never say what can be indicated.

It is sad that the CIA director apparently never learned the most basic piece of spy tradecraft.

Never, ever write down anything–especially on a computer–that you wouldn’t want on the front page of Google News. In Petraeus’s defense, very few people ever put this into action, a fact for which journalists are eternally grateful.

2) Assume there is no anonymity on the web.

Next, while it’s not impossible to do email anonymously, it is so difficult that you might as well just assume that it is. Remember that Petraeus and Paula Broadwell, who has a Ph.D. in counterterrorism, tried to do it and failed. If you start by assuming there is no anonymity on the Web, you will have a better chance at achieving and maintaining operational security.

According to the Associated Press, “Petraeus and Broadwell apparently used a trick, known to terrorists and teenagers alike, to conceal their email traffic.” And teenagers?!? That is not a good indicator for success. In addition to creating the e-mails under false identities,

"Rather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder or in an electronic "dropbox," the official said. Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail that is easier to trace."

This came undone when FBI agents, performing what may have been the Bureau’s first-ever probe of online harassment, used location data from harassing e-mails sent to “Tampa socialite Jill Kelley” and the e-mail account from which they were sent to figure out that the sender was Broadwell. This led them to search other e-mail accounts owned by Broadwell, including a Gmail account, which led them to the affair with Petraeus. That amazingly thorough investigation is especially impressive when you realize no laws were broken by anyone who was being investigated.

3) Use a password that’s at least 9 characters long.

Broadwell appears to have been a subscriber to the "private intelligence" firm Stratfor, whose logins and hashed passwords were hacked and released last year by Anonymous. Inside the file is data for email@example.com, whose hashed password is listed as "deb2f7d6542130f7a1e90cf5ec607ad1." Underneath all that hash is a password that’s eight characters long, a close-to-but-not-quite perfect length.

Security researcher Robert David Graham says that Broadwell's password was a good one that resisted obvious dictionary attacks. Graham did break it eventually using a brute-force attack that tried every letter and number combination in existence, running 3.5 billion combinations per second against the password until he found it.

Broadwell's eight-character password took 17 hours to crack: not bad, and certainly long enough to deter many hackers. However, "time to crack" increases dramatically as password length increases, so another character or two can make a huge difference for security. As Graham said, "Had her password been one character longer, I wouldn't have cracked it."

And, of course, don’t use the same password for more than one account.
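As an added example (not from the original post or from Graham's work), here is a short Python script that turns the figures quoted above into a worst-case brute-force time per password length, so you can see why one extra character matters so much. It assumes a case-sensitive alphanumeric keyspace of 62 symbols (the article says only "every letter and number") and the 3.5 billion guesses per second quoted above; the 8-character row lands at about 17 hours, consistent with the article.

```python
# Added example: worst-case brute-force time as a function of password
# length, using the figures quoted in the article.
# Assumptions (not stated on the page): "every letter and number" means a
# case-sensitive alphanumeric keyspace (26 + 26 + 10 = 62 symbols), and the
# attacker sustains the 3.5 billion guesses/second Graham reported.

ALPHANUMERIC = 62          # a-z, A-Z, 0-9 (assumed keyspace)
GUESSES_PER_SEC = 3.5e9    # rate quoted in the article


def keyspace(length: int, alphabet: int = ALPHANUMERIC) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet ** length


def worst_case_seconds(length: int, alphabet: int = ALPHANUMERIC,
                       rate: float = GUESSES_PER_SEC) -> float:
    """Seconds to exhaust the whole keyspace; the average find is half this."""
    return keyspace(length, alphabet) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_table(lengths=range(6, 13)) -> dict:
    """Worst-case crack time in hours for each length, keyed by length."""
    return {n: worst_case_seconds(n) / 3600 for n in lengths}


if __name__ == "__main__":
    # Each extra character multiplies the work by 62: 8 chars is hours,
    # 9 chars is weeks, 10 chars is years at the same guess rate.
    for n, hours in crack_table().items():
        print(f"{n:2d} chars: {human(hours * 3600):>16}")
```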