Don't Fall Prey to Lazy Password Practices

By Lauren Simonds | Posted October 26, 2006

Earlier this week I was at a client site setting up a PC. Everything was going fine until the system needed to be authenticated to the network, a step that requires an account with administrative privileges. The account I was using didn't have them, so I needed the office manager to handle this part of the installation for me. However, she was in the middle of a meeting and could not be disturbed.

Just as I was getting ready to write her a note regarding my whereabouts, I noticed something attached to the base of her monitor. Can you guess what it was? That’s right: a yellow Post-it note with her password written on it. Right out in the open for anyone to see. Since her password was available, I used it to finish setting up the new PC.

Her carelessness happened to be helpful in my situation, but the fact remains that the password to her administrative account was left out in the open, completely unsecured and accessible to anyone who stepped into the room, whether a cleaning person, a visiting guest or an employee with a grudge. No matter how you look at it, this is a serious breach of security with potentially disastrous ramifications.

This scenario is far from unique. The biggest offenders are typically older office associates or absent-minded CEOs who can't be bothered with such petty things.

Proper password management is crucial to maintaining the security of your network. The way it works is simple: your network account provides you (and, in theory, ONLY you) with the means to access confidential and potentially damaging network resources, while denying that access to anyone who isn't authorized to view or use them. The only thing that maintains this secured environment is the diligent protection of your user account, and the only thing protecting that account is your password. This is why you need to protect your passwords, make them strong and change them regularly.

In case you need a little motivation, here's something you might not be aware of: you are accountable for ALL activity conducted on the network with your user account. Sharing your password potentially makes you accountable for the activities of others and, in most cases, is a major violation of your company's security policy. In some cases it can even be grounds for dismissal. Depending on where you work and the type of resources you have access to, a breach of network security caused by your negligence could expose you to criminal charges as well.

It’s in your best interest to change your password to one that complies with the established guidelines for strong and secure password creation and then adopt responsible practices for keeping it from falling into unauthorized hands.

Your password should never:

  • Contain personal data such as a child's name, a birthday or a favorite possession
  • Use easily guessed, repetitive or sequential numbers, letters or words ("111111", "123456", "abc123")
  • Contain more than three consecutive characters from your network account name
  • Be less than six characters long

And, most importantly, never write down your password in an unsecured manner or share your current password (or even a previous password) with anyone. Not with your boss, not with a co-worker, not with your administrative assistant. Even your IT team would never need to ask you for your password; if necessary, they can reset it.

What Makes a Password Strong
Now that we know what not to do, we have to ask the question "what constitutes a strong password?" To ensure maximum protection, your passwords should be at least eight characters long. Microsoft recommends at least six characters, but eight characters will be significantly harder to crack. For optimal security, they should also contain a mix of upper- and lowercase letters and numbers, as well as special characters like !#%$&.

Ideally, it shouldn't even be a real word, just random characters. The more random the sequence of characters, the more secure the password will be. An example of a secure password would be something like "Hgs3@4j55nKX!s!". This password is 15 characters long and contains a combination of numbers, symbols, and upper- and lowercase letters. Since it's long and random, it will be far tougher for someone to crack: every extra character multiplies the number of guesses an attacker has to try.

Regrettably, most people don't follow these guidelines. The primary reason is simple: a proper password is generally so complex that most people can't remember it without writing it down. However, a strong password doesn't have to be hard to remember, just hard for someone else to guess. To help get you started, here are some tips for constructing a strong yet memorable password.

Numbers for Letters: Some numbers bear a strong resemblance to letters and vice versa. For example, the number "1" looks a lot like the letter "l" or "I". Substituting a look-alike number for a letter means the password is no longer a word that can be looked up in a plain dictionary, although the common substitutions are well known and a dedicated password cracker will try them, so treat this as one ingredient rather than the whole recipe. The numeral "5" looks like "S," "2" can look like "Z" and "3" resembles an "E."

Substitute Special Characters: You can try substituting a "$" sign for a capital S, or an "!" for a lowercase l or uppercase I. You could even use the symbolic version of a word. For instance, use "$" for the word "dollar," "&" for "and," and "@" for "at," or vice versa.

Splitting Words: A simple word or phrase with some significance to you can be a good starting point. You can then "split" the word with a number or special character. For example, I watch a show called "The War at Home". A password based on this could be "War@H0m3".

Favorite Movie or Quote: Take a favorite song, movie or quote. Keep the first letter of each word, up to eight words, and throw away the rest. Example: Star Wars: The Empire Strikes Back, Episode 5. With a few of the substitutions above, this could become "SWt3$be5".

Foreign Language: If you're fortunate enough to know two languages, try combining a word from each. (Can't really help you here, but get creative.)
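As an added example (not from the original article), the following Python checker applies the rules above: the "never" list, the eight-character minimum and the four character classes from "What Makes a Password Strong", plus a rough count of how many guesses a brute-force attack would face. The account names "jsmith" and "warren" and the `personal_words` parameter are constructed for the illustration; the candidate passwords are the article's own examples and the weak ones it warns against.

```python
import math
import string

# Character classes the article asks for: upper, lower, digit, and
# special characters like !#%$&.  string.punctuation holds 32 symbols.
SPECIALS = set(string.punctuation)


def has_sequential_run(pw: str, run: int = 3) -> bool:
    """True if any `run` adjacent characters step by exactly +1 or -1
    in character code, e.g. "abc", "123", "cba"."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(pw: str, run: int = 3) -> bool:
    """True if one character repeats `run` or more times in a row, e.g. "111"."""
    return any(pw[i:i + run] == pw[i] * run for i in range(len(pw) - run + 1))


def shares_account_chars(pw: str, account: str, limit: int = 3) -> bool:
    """True if more than `limit` consecutive characters of the account
    name appear in the password (case-insensitive)."""
    n = limit + 1
    a, p = account.lower(), pw.lower()
    return any(a[i:i + n] in p for i in range(len(a) - n + 1))


def check_password(pw: str, account: str, personal_words=(), min_len: int = 8) -> list:
    """Return the list of policy violations; an empty list means the password passes.
    `personal_words` is the caller's own list of things an attacker could look up
    (children's names, birthdays, pets); a policy engine cannot know these itself."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    present = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    for cls, ok in present.items():
        if not ok:
            problems.append(f"no {cls} character")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as abc or 123")
    if has_repeated_run(pw):
        problems.append("contains a repeated character run such as 111")
    if shares_account_chars(pw, account):
        problems.append("shares more than three consecutive characters with the account name")
    for word in personal_words:
        if word.lower() in pw.lower():
            problems.append(f"contains personal data: {word!r}")
    return problems


def keyspace_bits(pw: str) -> float:
    """Brute-force search space, in bits, for a password of this length drawn
    from the character classes it actually uses.  This only describes random
    passwords: a phrase-derived password is easier to guess than the number
    suggests, because the phrase and the usual substitutions may be on an
    attacker's word list."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # "jsmith" is a constructed account name for the demonstration.
    for candidate in ["Hgs3@4j55nKX!s!", "War@H0m3", "SWt3$be5",
                      "abc123", "111111", "password"]:
        verdict = check_password(candidate, "jsmith") or ["OK"]
        print(f"{candidate:16} {keyspace_bits(candidate):6.1f} bits  {'; '.join(verdict)}")
```

Run as a script, it shows that the article's 15-character example sits at roughly 98 bits of search space against about 52 bits for the eight-character "War@H0m3" and "SWt3$be5", while "abc123" fails on length, missing classes and the sequential run at once. The checker enforces only what a policy can see; the "no personal data" rule still depends on the user supplying the words to avoid.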

As an added precaution, Microsoft recommends that you change your passwords every 90 days. A server can be configured to warn you when your network password is about to expire and to require a change when the time comes; in most cases you'll have up to 14 days to make it. Hint: whenever possible, reset passwords on a Monday. That gives you the rest of the week to commit the new one to memory.

Adapted from PracticallyNetworked.com, part of the EarthWeb.com Network.

