I just read a helpful article about tuning organizational password policy but I’m afraid it rubbed me the wrong way.
What it says is helpful and mostly good practice, but it fails to address the problem from the perspective of the users, and does the usual “well, this will be a pain for the users, but it’s good policy, so we’re recommending it,” which is one of many reasons why people hate IT departments. (I say this as a seasoned IT professional, and I hate us, too. 😉
IF you notice that YOUR passwords violate any of these rules, chances are that they are already broken. Change them now.
To all password users, everywhere: Make your passwords unguessable as best you can. If someone guesses your password, change it. Corollary 1: Since you can’t know if someone might have guessed your password, change it from time to time. If you feel that you have to make a list of passwords, make a list of reminders, not the actual passwords, and keep it safe (not where someone can look at it without you knowing about it). More detail below.
- DON’T use any word that might be in any list, anywhere. That includes: dictionaries, your name, the name of anyone or anything special to you. (Why? Because computers are fast, the lists of frequently used passwords are long, and the two go together to form automatic password breaking programs.) Worst offenders: ‘password,’ ‘sesame,’ wedding dates, birthdays, etc.
- DO add extra characters or combine words so that you make a password that won’t be on any list. The idea is to make a password that takes too long to guess, since the combinations are too many to explore. That said, you HAVE to do better than ‘password1’.
- DON’T write down your password at your desk, under your keyboard, on your monitor, etc. In your wallet…yes. If you have a backup copy with how to change the passwords, just as you have a copy of your credit cards and how to report them stolen. (You do, right?)
- DO make some notes, in a safe place, for a reminder of the password, but NOT the password itself, and NOT something that someone else might guess. Don’t include all of the information needed to recreate the password, this is just a reminder as to which family of passwords you used for this particular service, application, or site. This works well if you have several different families of passwords, and all you need is a reminder of which one (mainframe, ah, that’s my “O” password family). Remember: your password must NOT show up in any dictionary or word list ANYWHERE.
- DON’T use the same password in multiple places. If you do, guessing one gets ALL of them. Can you afford that risk? Can your company? Can your bank account?
- DO use a base word, initial letter sequence, or other ‘key’ plus additional info related to the service. (An example of an ‘initial letter sequence’ is ‘Duabwilsookpai’ which is the first letter of each word in previous sentence. ) Pick something else; if you’ve seen it in a blog, it’s potentially available to a password cracker.
Comments welcome. I’m happy to publish this elsewhere and give full credit for comments that make it better!