Clients regularly ask us about passwords: how long should they be, how complex do we make them, what is the best way to enforce passwords and how will my users remember them?
First of all, what is a password and why do we need them. A password does not need to be an actual word it can be a string of characters or numerals which is used to authenticate you as a valid user in order for you to gain access to company resources.
A good starting point for any security related topic is writing a policy. Once you have this in place it becomes far easier to manage the process of change necessary in order to enforce what you are trying to achieve.
So what should I put in my password policy and how rigid should the policy be? Your policy will need to explain why you are enforcing passwords and who is required to use them. It should state who is responsible for ensuring the policy is adhered to and who should be adhering to the policy. There should be guidelines for creating, memorising and protecting your passwords and a process for changing them on a periodic basis.
Guidelines for choosing strong passwords need to be defined in your policy.
Passwords should be:
- Eight characters or more in length
- Contain a combination of both upper case (A-Z) and lower case (a-z) letters
- Contain at least one number (0-9) or one symbol (such as, ~,#,$,%,^,&,*)
Passwords should not be:
- Comprised of a stand-alone word, in any language, including slang or jargon
- Based on personal information such as names of family, pets, address or similar
- Easy to guess, such as your favourite sports team, band, computer game, or similar
- Computer terms and names, or commands
- Obvious place names, company names, or acronyms or abbreviations of these
- Obvious patterns such as qwerty, abcdef, ggghhh, 123321, or similar
- Comprised of a word spelled backwards, such as drowssap
- Any of the above preceded or followed by a digit, such as password1 or 1password.
You can suggest to your users that they select a pass phrase that is easy to remember but hard for someone else to guess – such as, P@ssw0rdsAreEasy2Rememb@ or Istubb3dmyt0e!
So you now have a guide to setting up complex passwords and a process that your users can use to remember them. Next up is to make sure that passwords are kept secure by protecting them. As a guide you should never:
- Write down your password, nor ever keep a written record handy at the office
- Store your password on any computer system without encryption, including your phone
- Share your password with anyone, including other employees. This includes anyone you talk to for computer support, supervisors and personal assistants
- Reveal your password over the phone or in an email to anyone
- Talk about your password in front of others or hint at what it might be
- Tell your family your password, or give it to co-workers if you’re off sick or on holiday
- Reveal a password on questionnaires or security forms
- Type in your password when someone can see the key strokes used
No matter how complex you think your password is it must be changed on a regular basis to stop it becoming compromised. As you start the process of rolling out your new password policy you may want to run a security awareness training programme. This will help your users understand why securing company as well as personal resources with complex but easy to remember passwords is so important.
Latest posts by Tony Cohen (see all)
- How remote managed IT solutions can help your business - February 10, 2017
- Simple ways to keep your business secure - October 20, 2016
- What the cloud means for your business - September 30, 2016