Geeks With Blogs

Connected Systems Chilled Out Blog Hanging stuff together in a meaningful way with some fun added

It’s a Secret:

 

1. Passwords must not be written down

 

This is a simple rule. From my days working with the MOD I remember how easy it was to unlock safes and steal passwords as both were usually written down somewhere easy to locate. Favourite one for safes was on a colander not a million miles away from said safe! Don’t do it. Otherwise why bother…..

 

2. Passwords must be set

 

This is pretty sensible – how many of us have seen SQL installations with SA <blank>!

 

3. Require as few passwords as possible

 

If you come up with a goodun’ use it where you need it. My own personal favourite is to use a easily to remember phrase, as a few numbers add a ref to the site.

 

4. Staff must change their passwords regularly

 

A password that’s older than 3 months is past its sell by date.

 

5. Make new passwords new

 

Don’t just pay lip service and change a number or two change the whole password!

 

6. Avoid obvious words

 

Don’t use words period. Use the first letters of a phrase or saying + numbers + a symbol. For example: EWTWC@WI66* so what does it mean?? Well England Won The World Cup @ Wembley In 66 *

 

7. Think long - but not too long

 

10 to 12 characters is about right, less is just too short.

 

8. Automate password changes

 

Call for the change automatically don’t just rely on the user, he won’t do it!

 

9. Educate staff

 

Make sure the staff understand why passwords are so important!

 

10. Look to the future

 

Plan for bio, fingerprint and federated security. 

Posted on Monday, May 29, 2006 6:24 PM | Back to top


Comments on this post: Password Advice

# re: Password Advice
Requesting Gravatar...
I think these points do seem valid at a first look but get seriously in your way when applied all. We have here some brain dead SAP system which does enforce a password change every 3 month where I must pick a new password which is not forbidden by about 12 rules and a big negative password database. This results in many password changes where I get a sensless error messages that my new password violates one of the rules or is on the black list but I does not say which rule I did violoate! Now I generate a random password write it down and I am fine with it. Some do even store it on a file on the PC because it is easier to look up. Password security is overrated because the admins seem to have lost the sense for real security threats. At least we have a password that should suffice. My money at my bank is much unsafer there. I can go there and transfer money from anybodies account to my own account. If the signature does roughly match (they check only above 10k$ anyway) then the money is gone. There is no passport check no foto or bioscaner at my bank! Why should I secure my e.g. salary database so tight when the real money is much less secured? Whhen I write my passwords down and put it into my pocket they are equally safe as my money. If my password is stolen now my pocket with the money has also gone. This sort of safety is enough in 99% of all cases. And no I do not put my pin number of my master card into my pocket but it is stored in a safe place elsewhere.
Left by none on May 29, 2006 8:02 PM

# re: Password Advice
Requesting Gravatar...
Good post, and I like the ideas. The only one I have to mention is enforce password strength policies if you are an admin. I know a lot of administrators of domains that don't have a password strength policy set.
Left by vcsjones on May 29, 2006 10:40 PM

Your comment:
 (will show your gravatar)


Copyright © BizTalk Visionary | Powered by: GeeksWithBlogs.net