Corporate Password Policies… Good and Bad

As an information technology and computer services firm for small to midsized businesses, our project managers and engineers commonly wage a “battle of password policy” with the users and administration of the clients we serve. Our responsibilities to our clients include ensuring the confidentiality and security of the technology infrastructure, which often starts at the end-user computer with a password. Each company has its own password policy, sometimes dictated by a corporate compliance standard and at other times an adopted standard with loose terms. But for the most part, requiring passwords on anything that needs to be access controlled is step one.

One thing we teach senior management is that no matter how strong your password policy is, it does no good if people jot passwords down on paper and stick them to their monitors. Most of the time our clients look to us for tips and also ask us to train users or enforce security policies. Here are some of the things we tell users about passwords.

The Good:

  1. Most users don’t fear passwords; they fear having to remember them. Many consider it embarrassing, or a failure on their part, when they forget one. However strong that fear is, never write a password down.
  2. Good passwords contain uppercase and lowercase letters. They can also contain numbers, spaces or special characters such as !@#$. With this in mind, take a password you can remember and convert it slightly to make it more complex. Example: (current password) matilda – (new password) M@tild@ or M@T1lda. This increases the security of the password exponentially.
  3. Length is also important. Six to eight characters is a decent size for a password when combined with the other methods here. M@tild@ would be good, but L0vEM@tild@ is much better!

The Bad:

  1. Do not use plain English words by themselves (anything in a dictionary), such as ‘the’, ‘password’ or ‘cat’. It is much better to break up the word, e.g. ‘p22sswo44rd’.
  2. Do not use easily retrievable information by itself, such as your birthday, date of hire, a child’s birthday, your phone number, etc.
  3. Do not make the password too short, e.g. ‘rat’.
  4. Do not use one common password for everything.

If you really need help remembering a password and must write something down, do the following:

  1. Write a sentence on a sticky note. For example purposes, we will use “My daughter is two years old.”
  2. Now (mentally) take the second letter of each word: “yaswel”.
  3. Lastly, add your birth date to the end: “yaswel22”.
  4. You can even capitalize it to make it more complex: “Yaswel22”.

Using this method, all you have to remember is to take the second letter of each word and add your birth date, rather than some obscure random password.
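As an added example (not code from the original post or from Vision Computer Solutions), the following Python script turns the rules in the Good and Bad lists above and the sticky-note method into something you can run: `check_password` reports which of the post’s rules a candidate breaks, `reused_passwords` finds one password shared across several systems, and `derive_mnemonic_password` performs the second-letter transformation on the post’s own sentence. The function names, the tiny `COMMON_WORDS` stand-in for a dictionary, and the constructed birth date and credential set are assumptions made for illustration; the “by itself” rules are implemented literally as an exact match.

```python
import re

# Constructed stand-in for a dictionary word list; a real check would load a full
# word list (assumption for this example, not part of the original post).
COMMON_WORDS = {"the", "password", "cat", "rat", "matilda", "love"}

# Characters the post counts as "special" (the !@#$ family, plus space).
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{}|;:'\",.<>/?\\`~ ")


def derive_mnemonic_password(sentence, suffix="", capitalize=False):
    """Sticky-note method: second letter of each word, then an appended suffix.

    The post appends a birth date as the suffix and optionally capitalizes
    the first letter; both are parameters here.
    """
    letters = []
    for word in sentence.split():
        core = re.sub(r"[^A-Za-z]", "", word)  # strip punctuation such as the final "."
        if len(core) < 2:
            raise ValueError(f"word {word!r} has no second letter")
        letters.append(core[1])
    password = "".join(letters) + suffix
    if capitalize:
        password = password[0].upper() + password[1:]
    return password


def check_password(password, personal_info=(), min_length=6):
    """Return the list of rules from the post that the password breaks.

    An empty list means the password satisfies every rule checked here.
    """
    failures = []
    # The Good 3 / The Bad 3: length (six to eight characters is "decent").
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    # The Good 2: mixed case plus a number, space or special character.
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() or c in SPECIAL_CHARS for c in password):
        failures.append("no number, space or special character")
    # The Bad 1: a plain dictionary word by itself.
    if password.lower() in COMMON_WORDS:
        failures.append("a plain dictionary word by itself")
    # The Bad 2: easily retrievable information (birthday, hire date, ...) by itself.
    for item in personal_info:
        if item and password.lower() == item.lower():
            failures.append("personal information used by itself")
    return failures


def reused_passwords(credentials):
    """The Bad 4: find one password shared across several systems.

    `credentials` maps system name -> password; the result maps each reused
    password to the list of systems that share it.
    """
    systems_by_password = {}
    for system, password in credentials.items():
        systems_by_password.setdefault(password, []).append(system)
    return {pw: systems for pw, systems in systems_by_password.items() if len(systems) > 1}


if __name__ == "__main__":
    sentence = "My daughter is two years old."  # the post's own example sentence
    candidates = ("matilda", "M@tild@", "L0vEM@tild@", "rat", "p22sswo44rd",
                  derive_mnemonic_password(sentence, "22", capitalize=True))
    for candidate in candidates:
        failures = check_password(candidate, personal_info=["05221980"])  # constructed birth date
        print(f"{candidate:<14} {'OK' if not failures else ', '.join(failures)}")
    # Constructed credential set in which two systems share one password.
    print(reused_passwords({"email": "Yaswel22", "vpn": "Yaswel22", "payroll": "L0vEM@tild@"}))
```

Running the script shows the post’s own examples scored against its own rules: ‘matilda’ and ‘rat’ fail on several counts, ‘M@tild@’, ‘L0vEM@tild@’ and ‘Yaswel22’ pass, and ‘p22sswo44rd’ only misses the uppercase requirement. The reuse check works from a system-to-password mapping, which is the kind of data a password manager already holds.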

Since we are in the business of managing these passwords for all of our clients, we have secure systems and databases in place that store this information and control who may see it. There are many choices of password management software nowadays, which are far more reliable and secure than an Excel spreadsheet or a notepad full of handwritten passwords.


+Pete Marsack