Platt Perspective on Business and Technology

Developing and enforcing password best practices

Posted in social networking and business, strategy and planning by Timothy Platt on March 8, 2011

Passwords are often viewed simply as a nuisance – until, that is, someone breaks into a password protected file, service or account and causes damage. My goal in this posting is to offer an approach to selecting and using passwords that can make it easier for you to remember them, and harder for anyone else to guess them.

I include this in two directories with that goal in mind: Business Strategy and Operations and Social Networking and Business. The points I raise here apply to the full range of situations in which password protection is used, including file and computer desktop access control, identity when making online transactions and purchases, control and protection of social networking identity and a great many other situations.

First, I want to cover the “do not do” list, though I add that a focus on these points and these points alone can in fact prompt people to cut corners and get this wrong. So I will offer some positive guidance here too.

• Do not use simple, short, easy to guess passwords (e.g. 123abc).
• Do not use the name of your husband, wife or significant other, or the name of one of your children or of your pet.
• Do not simply use words from the dictionary (e.g. password). I note here that the word password is one of the most commonly used passwords on most systems, at least when more complex password formats are not in some way enforced.
• Regardless of how good a password may seem, do not use the same one for multiple circumstances. If you do and someone finds out what your password is for one account or access point, all of your accounts and access points may be compromised. Hackers who get one password almost always check to see where else that same password is being used, and especially if it looks to be carefully selected.
• Change your passwords occasionally.

I add here that the worst possible passwords are ones that you cannot remember – so you write them down on post-it notes and leave them up and visible for all to see. I have seen that many times.

• Don’t use such complex and hard to remember passwords that you will not remember them.
• Don’t change your passwords so often that you cannot keep track of which one is current.
• When you do change a password, as some systems periodically require, do not simply reuse the same old one again.

Here is a point I have seen violated many times that I would direct to systems administrators who need to assign and maintain large numbers of passwords.

• Do not try to make your life easier by setting up passwords according to a simple, easy to discern pattern (e.g. the user's first initial, followed by some fixed run of digits, followed by the user's last initial; for a specific example, t1234p for Tim Platt). Anyone who learns one such password, or the scheme, can derive every other account's password from the directory.
• Do not forget the points I raise above as an admin either, as setting your system to require very frequent password changes with long minimum password lengths simply leads to visibly posted passwords everywhere.

Now I turn to the obvious “to do” part of this:

• Do require a combination of letters and numbers, with case sensitivity for the letters.
• Do require at least one upper and one lower case letter, and one number, and requiring a special symbol can help here too.
• Do require at least some minimum mandated number of characters in a password (e.g. a minimum set somewhere between 8 and 12, treated as a floor and not as a cap on length) and do require periodic password changes where a previously used password cannot be reused.
• And most importantly, do offer guidance on how to more effectively select passwords that can be more easily remembered, even as they would be difficult to guess.
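The “do not” and “do” lists above amount to a password policy, and a policy is only enforced if a system actually checks it at password-set time. The following is an added example, not code from the original post, that encodes those rules in one checker: minimum length, mixed case, a digit and a symbol (the post's stricter variant), rejection of dictionary words even when decorated with digits and punctuation, rejection of names the user supplies for family members and pets, detection of the predictable admin assignment scheme (t1234p), and a history check that keeps only salted PBKDF2 hashes of earlier passwords so that the old passwords themselves are never stored. The common-word list, the sample user and the history are constructed inline; a real deployment would use a full dictionary or breach list. One caveat a current practitioner would add: NIST SP 800-63B (2017) dropped scheduled rotation in favour of changing passwords on evidence of compromise, so the history check matters most when a change is actually forced.

```python
"""Password-policy checker covering the post's "do not" and "do" lists.

Added example; this is not code from the original post.  The common-word
list, the sample user (with the names of family members and pets as
"personal" tokens) and the password history are constructed inline so the
module runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import string

MIN_LEN = 8                 # the post's "at least 8" floor
PBKDF2_ROUNDS = 100_000     # work factor for the stored history hashes

# Stand-in for a real dictionary / common-password list (constructed).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "abc"}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest).

    History entries keep only this pair, never the old password itself.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history) -> bool:
    """True if the candidate equals any previously used password.

    Each stored entry has its own salt, so the candidate is re-derived per
    entry and compared in constant time.
    """
    for salt, old_digest in history:
        _, digest = hash_password(password, salt)
        if hmac.compare_digest(digest, old_digest):
            return True
    return False


def admin_pattern(password: str, first: str, last: str) -> bool:
    """Detects the assignment scheme the post warns admins against:
    first initial, a run of digits, last initial (t1234p for Tim Platt)."""
    pattern = re.escape(first[0]) + r"\d+" + re.escape(last[0])
    return re.fullmatch(pattern, password, re.IGNORECASE) is not None


def check_password(password: str, user: dict, history=()) -> list[str]:
    """Return the list of rules the password violates; empty means accepted."""
    problems = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special symbol")
    # "Password1!" is still the dictionary word once the decoration is stripped.
    if letters_only in COMMON_WORDS:
        problems.append("dictionary word / common password")
    # Partner, children, pets: the names the user supplies as "personal" tokens.
    for token in user["personal"]:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal name '{token}'")
    if admin_pattern(password, user["first"], user["last"]):
        problems.append("follows the predictable admin assignment pattern")
    if matches_history(password, history):
        problems.append("reuses a previous password")
    return problems


# Constructed sample user: own name plus a partner's and a pet's name.
SAMPLE_USER = {"first": "Tim", "last": "Platt", "personal": ["Tim", "Platt", "Rex"]}


def demo() -> dict[str, list[str]]:
    """Run the checker over constructed candidates against a one-entry history."""
    history = [hash_password("Old!pass7")]
    candidates = ["t1234p", "Password1!", "Old!pass7", "Rex&Tim2011", "Vort9!kalb"]
    return {pw: check_password(pw, SAMPLE_USER, history) for pw in candidates}


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(f"{pw:14} {'OK' if not problems else '; '.join(problems)}")
```

Of the five constructed candidates only Vort9!kalb passes: t1234p fails on length, case, symbol and the admin pattern; Password1! is caught as a dictionary word despite the digit and symbol; Old!pass7 is rejected by the hashed history; Rex&Tim2011 is rejected because it contains two of the user's personal names.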

And this brings me to the most important bullet points here in this posting.

• For users, always select passwords that you can pronounce. This makes remembering them much easier (e.g. reg7zar9 or tov!jux3).
• If you do have to write down your passwords, and you may have to as a backup and for the ones that are infrequently used, keep this list under lock and key and out of sight.
• Never, ever share your password with others except where absolutely necessary (e.g. leaving a record of your computer and account passwords with a systems administrator or with your supervisor for work file or account login access.)
• For social networking this means never giving your social networking profile password or your Facebook password to one of your friends. There are better ways to share, that are a lot less likely to backfire on you.
• Really think through how you select, use and otherwise manage your passwords; picturing the worst case outcome if a password gets into the wrong hands is a good prompt to do this right.
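The pronounceable passwords suggested above (reg7zar9, tov!jux3) follow a template: a consonant-vowel-consonant syllable, then a digit or symbol, repeated. The following is an added example, not code from the original post, that generates passwords of that shape from a cryptographic random source and, more usefully, computes how much guessing resistance the template actually offers. The letter and symbol alphabets are my own choice. The point a practitioner should take from it: pronounceability is bought with entropy. Two syllables plus two separators (8 characters) give about 30 bits, against roughly 48 bits for 8 fully random mixed-case alphanumerics, so a memorable password of this style should be three or four syllables long to match an 8-character random one.

```python
"""Pronounceable-password generator in the shape of the post's examples
(reg7zar9, tov!jux3): consonant-vowel-consonant syllables, each followed by a
digit or symbol, drawn from a cryptographic RNG.  Added example, not code from
the original post; the alphabets below are my own choice.
"""
import math
import re
import secrets

CONSONANTS = "bcdfghjklmnprstvwxz"   # 19 letters; q and y left out so syllables stay sayable
VOWELS = "aeiou"                     # 5
DIGITS = "0123456789"                # 10
SYMBOLS = "!#%&*+-=?@"               # 10


def syllable() -> str:
    """One consonant-vowel-consonant syllable such as 'reg' or 'zar'."""
    return secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)


def generate(syllables: int = 2, symbols: bool = True) -> str:
    """Build CVC + separator, repeated; two syllables give an 8-character
    password like reg7zar9 (symbols=True also allows tov!jux3)."""
    seps = DIGITS + (SYMBOLS if symbols else "")
    return "".join(syllable() + secrets.choice(seps) for _ in range(syllables))


def is_pronounceable_shape(password: str, syllables: int = 2, symbols: bool = True) -> bool:
    """Check a string against the generator's template."""
    seps = DIGITS + (SYMBOLS if symbols else "")
    unit = f"[{CONSONANTS}][{VOWELS}][{CONSONANTS}][{re.escape(seps)}]"
    return re.fullmatch(f"(?:{unit}){{{syllables}}}", password) is not None


def entropy_bits(syllables: int = 2, symbols: bool = True) -> float:
    """Bits of entropy the template yields: every position is chosen uniformly,
    so this is log2 of the number of distinct passwords it can produce."""
    per_syllable = len(CONSONANTS) ** 2 * len(VOWELS)
    per_sep = len(DIGITS) + (len(SYMBOLS) if symbols else 0)
    return syllables * (math.log2(per_syllable) + math.log2(per_sep))


def random_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a fully random password of the same length, for comparison
    (62 = upper + lower + digits)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(f"{generate(n)}  ({4 * n} chars, {entropy_bits(n):.1f} bits vs "
              f"{random_bits(4 * n):.1f} bits fully random)")
```

Running it prints one password per row with its entropy next to that of an equal-length random string; the gap is about 17 bits at 8 characters and grows with length, which is the cost of the memorability the post is recommending.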

A lot of information security professionals see password systems as a necessary evil: used and useful, but offering less protection than they should. This is mostly because so many people select and manage their passwords very badly – and that applies to hurried systems administrators and computer professionals who cut corners, just as much as it applies to end users with little computer experience. Passwords and password systems can, however, offer very genuine privacy and access control value if they are set up and used correctly.

One Response

  1. Brad Fallon said, on March 8, 2011 at 9:58 am

    Very informative post. It is really important to know what password we should be using instead of the easy ones that are very easy to get hacked.
    Thanks for sharing this one. I am also going to let my colleagues read this post.
