A Guide to a Good Password Policy.

February 13, 2010

As we all know, passwords form one half of the details required to uniquely identify us to permit access to secure information.  It maybe your computer or an on-line account but they are common place throughout the web.

However, the problem is that too many of us use the same password over and over again.  Now whilst using the same password fulfils our natural inability to recall the number of passwords we have it does introduce a much bigger problem; namely that if one account is compromised then access to all our other accounts is too.  Your email, your Facebook, on-line shopping accounts or even your Bank Account

Password Policy

The answer is to try to create a policy that works for you.  This can be as complicated or a simple as you like but try to ensure it fulfils a number of simple criteria.

  • Minimum Length – try to ensure that your password is at least 8 characters long.
  • Maximum length – the longer a password the more secure it is but do not make it too long. 14 characters is about the right length.
  • Complexity – the more varied the characters you use the less likely your password will be guessed. So you should try to use three of four of the following four types of characters:
    1. Lowercase
    2. Uppercase
    3. Numbers
    4. Special characters such as !@#$%^&*(){}[]

It is important to remember that passwords are nearly always case sensitive.

Using your password

Before you create a password it is essential that you follow a few critical rules;

Do not use the same passwords for all accounts.

  • Do not write your password down.
  • Do not send your password via email or post it anywhere on the internet without it being encrypted.
  • Do not use the same password on your computer that you use to logon to a web site.
  • Do not use the same passwords for all accounts. – If you use only one password everywhere and someone gets this password you have a problem…a serious problem. The thief would have access to your e-mail account
  • This one is so important I am going to repeat to. Do not use the same passwords for all accounts.
  • Do not reveal your password on a security form or questionnaire.
  • Do not share your password.
  • Never give your password to someone over the phone.  Hackers regularly use social hacking to gain access to your account by falsely representing the IT department or web site company.
  • Be aware when using a password on the internet.  Sites that begin with “https://” rather than “http://” are secure and encrypted so safe to use your password. If the website address does not start with "https://" then the password can be easily obtained with free tools from the internet.
  • Do not store your passwords automatically.  Avoid the "Remember my password" check box because it is very easy to reveal the password with a few simple, and freely available, tools.

Choosing your password

The success to a good password is to create one that is easy to remember but difficult to guess.  Too often people use things that are close to them such as a child's name, a pet's name, their favourite football team or an easy date, like their birthday.  The problem is that if you make it too simple you make it to easy to guess.

Passphrases not Passwords

The biggest problem when choosing a memorable password is that we too often do just that…select a word.  But these are very easy to crack because hackers keep lists and databases of many common and known passwords so a brute force attack is an easy mechanism to obtain your password.

Using a phrase with as little as two words dramatically increase the complexity of the password.

Passphrases made easy

By far the most simplest way to create memorable but complex passwords is mix and match data.  And the process that works very well is mnemonics.

Using mnemonics is the best way to create a near random looking password. And when used in conjunction with the policy above you will easily be able to create strong memorable password. For example.

  • "Ali Baba and the Forty thieves!" becomes ABat40t!.
  • "My wedding anniversary is on September 5th" becomes Mwaio0905.

You can also use a simple system where a word in the phrase is then translated into the numeric representation of the alphabet; where A=1 and Z=26, So Tim would be:

   T   I   M
  20   9  13  = 20913

So the following phrases could be;

  • "What is my best friend called?TIM" becomes "Wimbfc?20913"
  • "My initials NIK are easy to remember" becomes "Mi14911ae2r" and this could be complicated further by adding punctuation."M!,[14911]ae2r"

Too Many to remember

As explained earlier, many of us hold multiple accounts and aside from the ones we use frequently, we often forget them.  This has become less of a problem in recent years as many websites now offer password retrieval systems.

So you can consider using a password keeper. These software packages act as a secure vault for all your passwords.

The obvious and immediate problem is that you now have all your password in one place but providing you make the master password extra strong this system could work for you. It is certainly better than storing all your password in an Excel Spreadsheet…which I have witnessed on more than one occasion.

Summary

If you only take one piece of advice from this article then it has to be "Never use that same password twice".  This is all too common but presents the greatest risk to your security, identity and money!