Tips for password best practices

The comic strip Rhymes With Orange recently had an amusing story line. A cluster of people was gathered over the grave of their recently deceased pet. The person giving the eulogy was saying something like, “Dear Rover, though you will never again chase squirrels and greet us at the door with a friendly wag each day, know that you will live on forever in our hearts and as our computer password.”

I snickered at that one, but it’s true; I do use my dearly departed pet’s name as a password from time to time. I’m sure no one would ever be able to guess that one, right?

OK, so let’s talk about passwords, since they are the primary way we protect against unauthorized access to our networks and all sorts of online accounts. Despite their vulnerabilities, passwords likely will be with us until all our computers are like HAL in “2001: A Space Odyssey,” which responds to the operator’s voice – and that’s going to be a while.

After my series of articles on two-factor authentication for banks, one of my readers suggested this article about passwords. He writes: “What frustrates me most about these online banking sites today is that when I set up my online username and password, I find myself forced to ‘dumb down’ my password in order to come up with something their system will accept. They almost always insist on six or eight alphanumeric characters (no special characters).
This makes it impossible for me to use my preferred ‘UNIX-style’ password that I use at work for Kerberos authentication.”

He continues his lament: “Of course, one ends up with a terrible choice: either using the same simple alphanumeric username / password combination over and over again (so one can remember it) or writing down the new one and putting it in some ‘secure’ location. My location of choice has turned into an e-mail to myself with 30+ username / password combinations for various sites (of various levels of importance) around the Web. I keep this e-mail in a folder on our Exchange server at work – in truth, a TERRIBLE solution but it is better than using a Post-It stuck to my monitor.”

I can relate. I have found myself using the same password for numerous online accounts, writing my password on a scrap of paper that I carry in my wallet, and storing passwords in a document on my PC. I’ve done everything but the Post-It note trick (the darn note won’t stick to my monitor!).

Finding ways to remember a password can be tricky; not remembering a password at all can be frustrating. How many of us have tried one guess after another to recall a forgotten password? Or, how many of us don’t even bother trying to remember and simply use the “forgot my password” option so many sites offer, or the “password reset” function of the help desk? I find myself resorting to those tactics for infrequently used accounts, like my online shopping.

Administrators want to believe that their users are smart about network passwords. They force users to change the password every 60 or 90 days or so, and force them to use alphanumeric and special characters together. While these are great practices, unfortunately, it’s often such procedures that lead people to the Post-It pad. It takes strong policies and procedures coupled with good user education to safeguard passwords.
It never hurts to remind users that a strong password:

* Contains both upper and lower case letters as well as numbers and punctuation characters.
* Is at least eight characters long.
* Is not a word in any language, slang, dialect, jargon, etc.
* Is not based on personal information, such as names of family members or birthdates.
* Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 …) are not strong.
* Should not be written down or stored online.

Among the best practices for passwords are:

* Always use strong passwords.
* If passwords must be written down on a piece of paper, store the paper in a secure place and destroy it when it is no longer needed.
* Never share passwords with anyone.
* Use different passwords for all user accounts.
* Change passwords immediately if they may have been compromised.
* Be careful about where passwords are saved on computers. Some dialog boxes, such as those for remote access and other telephone connections, present an option to save or remember a password. Selecting this option poses a potential security threat.

Microsoft gives its tips for password best practices here. In addition to providing advice for end users, the tips help an administrator define good password policy for Windows Server 2003.

I’d like to hear from you. Write me with your advice on how you keep track of multiple usernames and passwords. How do you go about selecting hard-to-guess but easy-to-remember passwords? What procedures have you implemented on your network to encourage people to select good passwords and keep them protected? Let’s see if we can share some advice and help everyone strengthen our password policies and habits. (Sorry, Rover. May you rest in peace.)
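The strong-password criteria listed above, as an added example that is not part of the original column: a Python check meant to run at password-change time, when the old password is still available for comparison. The sample word list, the 0.8 similarity threshold and the function names are assumptions.

```python
import difflib
import string

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "monkey", "dragon", "orange"}
SIMILARITY_LIMIT = 0.8  # assumed threshold for "significantly different"


def _stem(pw):
    """Lower-case and strip trailing digits/punctuation: 'Password2!' -> 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def check_password(new, previous=None, personal=(), words=SAMPLE_WORDS):
    """Return the criteria from the article's list that `new` fails."""
    problems = []
    if len(new) < 8:
        problems.append("shorter than eight characters")
    classes = {
        "upper case letter": str.isupper,
        "lower case letter": str.islower,
        "number": str.isdigit,
        "punctuation character": lambda c: c in string.punctuation,
    }
    for name, has_class in classes.items():
        if not any(has_class(c) for c in new):
            problems.append(f"no {name}")
    # Dictionary word with decoration: compare the stem and the bare letters.
    stem = _stem(new)
    letters = "".join(c for c in new.lower() if c.isalpha())
    if stem in words or letters in words:
        problems.append("based on a dictionary word")
    # Personal information (names, birthdates) supplied by the caller.
    if any(len(p) >= 3 and p.lower() in new.lower() for p in personal):
        problems.append("based on personal information")
    # Only possible at change time, while the old password is in memory.
    if previous is not None:
        old = _stem(previous)
        if old == stem:
            problems.append("increment of the previous password")
        elif difflib.SequenceMatcher(None, old, stem).ratio() >= SIMILARITY_LIMIT:
            problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    print(check_password("Rover2006!", personal=("Rover", "2006")))
    print(check_password("Password2!", previous="Password1!"))
```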