Password management dos and don’ts
- Dan Lautman
- April 15, 2014
The Heartbleed bug probably has you shaking your head and wondering when, why, and how to change your password – just when you’d actually memorized it! There are resources to tell you when and why; here’s how – or some basics of maintaining secure passwords beyond this particular incident, because the aftermath of Heartbleed shouldn’t be the last time you change your password!
Some of the most common calls we get from users to our Network Operations Center are password related. Someone forgot their password. Another entered the wrong one too many times and got locked out. Yet another might need to change someone else’s password. You get the picture – this seemingly simple stuff quickly feels complicated.
Protect Your Data By Regularly Updating Your Password
Passwords are a very frustrating part of information technology because, by nature, it is a hurdle that the user must overcome to access data. Even more vexing, your passwords may have to be changed on a regular basis. Why do we need to keep changing our passwords? What should I do, and what should I avoid, when choosing passwords? How am I supposed to remember them all?
Before you throw up your hands in despair or, worse, start creating weak passwords, here’s some advice.
Why are password policies so complicated?
Two aspects of password-based authentication are frustrating to users: password complexity and password aging (having to change it every so often). However, both of these characteristics are necessary in order for passwords to be effective.
Information systems require passwords in order to prevent unauthorized parties from accessing sensitive data. One type of unauthorized party would be a hacker repeatedly attempting to guess your password. For this reason, systems require a complex password (upper and lowercase, special characters, and so forth).
Another type would be someone who already knows your password: maybe an assistant, a former employee, or someone who gained access to another account of yours that has the same password (how many of us use the same password for our Windows logon and our Amazon logon?). For this reason, systems may require you change your password on a regular basis.
How should I pick a password?
DO: make it something hard to guess. That doesn’t necessarily mean hard to remember, but make it something that would be difficult for a hacker or even someone who knows you to deduce. You could make your password a sentence, for example “I have 8 amazing cats!” (complete with spaces, exclamation point, and number).
DO: use different passwords for each and every service. Don’t make your work password the same as your personal email password. Don’t make your personal email password the same as your cable company password. Why? Because you don’t know who on the other end can see your password, or what they might do with that information. Some companies (unfortunately) store your password in plain text, meaning someone working for the company can see your password. Maybe that’s fine for a particular case – I would expect my cable rep to have full access to my account –but what’s to stop them from trying to use that password on another one of my accounts, like my personal email? Another reason is if you give a coworker your work password (“I’m out sick, can you send an email from my computer?”) they might deduce that the same password would work for another account of yours.
DO: use two-factor authentication where available. This increasingly popular method sends a text message to your phone for additional verification. It combines the security of something you know (your password) with something you have (your phone), making it much harder for someone to trick or guess their way into your account.
DON’T: share passwords. Even if two people require access to the same data (for example, a shared mailbox), you should create two separate accounts and two separate passwords. As my colleague Tobin would say, “Passwords are like toothbrushes.” Sharing is icky.
How do I keep track of my passwords?
Everyone has their own system. The bottom line is to use one that works for you, and keeps your information secure. Here are two recommendations:
DON’T: save all your files in an Excel or Word document. Such files are easy to open and compromise, even if you have a password on the document itself.
Looking for more information about information security? We’ve got you covered. Check out our infographic Is Your Organization Protected from Cyberattacks? for more information on threats to your organization’s security and how you can prevent your data from being compromised.