Creating strong computer passwords for your business is no longer as easy as using a combination of letters and numbers. After all you’re not just the keeper of your own information; you may be responsible for customer information as well. The last thing you want is a news report that includes the name of your business along with the phrase “security breach.”
Passwords can be stolen in many ways: shoulder surfing (someone watching you key them in); phishing scams; or programs that guess passwords, whether from personal information found on the Internet (think of everything you put on Facebook), from dictionaries (English and foreign), or by “brute force,” a method that tries combination after combination of keystrokes until it gets lucky.
A password policy is threefold. First, you must create a system that forces employees to periodically change passwords using certain parameters, such as length and complexity. Second, you must instruct employees on how to create strong passwords. And finally, you should give employees a safe way to store the new passwords they have to create.
Your Password Policy
Employees must not only be taught good password practice but be forced to use it. This means you require them to change their passwords at least every six months, prevent them from reusing passwords within a certain period of time (12 or 24 months), and enforce certain password parameters, such as length and complexity. You or your technology person will need to configure password policy settings on your system to enforce these rules. Microsoft offers directions on how to do this.
The following rules can help you create secure passwords:
- Use a mix of uppercase and lowercase letters, numbers, and symbols.
- Use at least eight characters; 14 is even better.
- Never use a word that can be found in a dictionary, including foreign dictionaries and common abbreviations.
- Never use anything that can be identified with you (names, birth dates, phone number, location, etc.). Don’t use those items spelled backward either.
- Don’t use sequential keyboard strokes, such as QWERTY.
- Don’t use the same password for different uses.
- Change passwords often and don’t write them down.
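The policy settings described above and the checklist just given can be turned into an automated check, so a new password is rejected before it ever gets saved. The script below is an added example written for this article, not something from the original page or from Microsoft; its word list is a short constructed stand-in for a real dictionary, the keyboard rows assume a US QWERTY layout, and the names of the functions are the example's own. It checks length, character mix, dictionary words, personal details spelled forward or backward, sequential keystrokes, and reuse against a password history, and it reports every rule a candidate breaks rather than just a pass or fail.

```python
import string

# Constructed stand-in for a real word list; a production check would load a
# large English plus foreign-language dictionary (assumption: this short set
# exists only for illustration).
DICTIONARY_WORDS = sorted({
    "password", "pudding", "meat", "soap", "opera", "hard", "money",
    "bank", "letmein", "welcome", "summer", "admin", "finance", "email",
})

# Rows of a US QWERTY keyboard (assumption), used to catch QWERTY-style sequences.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def keyboard_runs(min_len=4):
    """Every run of min_len adjacent keys along a row, forward and reversed."""
    runs = set()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            segment = row[i:i + min_len]
            runs.add(segment)
            runs.add(segment[::-1])
    return runs


KEYBOARD_RUNS = sorted(keyboard_runs())


def check_password(password, personal_info=(), previous_passwords=()):
    """Return a list of rule violations; an empty list means the candidate
    satisfies every rule in the checklist."""
    problems = []
    lowered = password.lower()

    if len(password) < 8:
        problems.append("shorter than 8 characters")

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("needs uppercase, lowercase, a digit and a symbol")

    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    # Personal details are rejected spelled forward and spelled backward.
    for item in personal_info:
        item_l = item.lower()
        if len(item_l) >= 3 and (item_l in lowered or item_l[::-1] in lowered):
            problems.append(f"contains personal information '{item}'")

    for run in KEYBOARD_RUNS:
        if run in lowered:
            problems.append(f"contains keyboard sequence '{run}'")
            break

    # Models the 12- or 24-month reuse history the policy section calls for.
    if password in previous_passwords:
        problems.append("reuses a previous password")

    return problems


def meets_policy(password, **kwargs):
    """True when check_password finds nothing to complain about."""
    return not check_password(password, **kwargs)


def length_advice(password):
    """The checklist treats 8 characters as the floor and 14 as the goal."""
    if len(password) >= 14:
        return "strong length"
    if len(password) >= 8:
        return "acceptable, but 14 or more is better"
    return "too short"


if __name__ == "__main__":
    for candidate in ["Iyd3yMy4@p", "P@$$w0rdsRH@rd", "password1", "ytrewQ!23"]:
        verdict = check_password(candidate) or ["OK"]
        print(candidate, "->", "; ".join(verdict), "/", length_advice(candidate))
```

Run against the article's own samples, Iyd3yMy4@p and P@$$w0rdsRH@rd both pass every rule, while password1 fails on the dictionary and character-mix rules and ytrewQ!23 fails for being a reversed keyboard row. Hooking a check like this into the account-creation or password-change path is how the "forced" part of the policy is actually enforced.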
While there are a few methods for creating hard-to-crack passwords, a mnemonic is a favorite. Use the first letter of each word of a favorite phrase, song lyric, or just a memorable sentence, and then throw in capital letters, symbols, and numbers in a way that makes sense to you. For example, the initials of “If you don’t eat your meat, you can’t have any pudding” (with apologies to Pink Floyd) are iydeymychap. Now start mixing it up. Cap the first letter and then the M and the P; since they’re foodstuffs, you can remember that. Change E to 3 and H to 4 because those letters and numbers resemble each other. Do the same with symbols: the letter A looks like @ and C looks like a parenthesis. Now check out your password of steel: Iyd3yMy4@p.
Similar methods include creating a pretend vanity license plate (P@$$w0rdsRH@rd), using two short words that include numbers and are separated by punctuation ($oap*&*0p3R@), or using a secure password generator and memorizing it phonetically.
Now how do you make a different password for everything you use? One method is to add two different codes to the end of your regular password: one three-character code for categories (e-mail, finance, social networking, etc.) and then another three-character code for the specific site. So you might add F!9 for finance and then b0@ for Bank of America. You can also use these codes to periodically change things up. Switch out F!9 (finance) for M*9 (money), for example.
When you are done, use Microsoft’s Password Checker to test the strength of your new password.
Don’t write your passwords down on a sticky note and leave it on your monitor, and don’t save them in a text file on your computer. But let’s be reasonable. Memorizing these complex strings of letters, numbers, and symbols that change often isn’t terribly easy, even if you use memory tricks. Luckily you have a few choices for storing these monsters.
First you can write them down, but never in their original form and only in a code that will spark your memory. Using the previous example, you might write “Pink Floyd” on a piece of paper, plus the codes you use, but not in their exact form. Instead, you might write “boa constrictor” and “finite.” Who will know what that means but you?
Or you can turn to the Internet for help. Services such as KeePass, Clipperz, and NeedMyPassword.com work by encrypting your passwords either on their servers or in a file locally in your browser and usually offer an offline method of retrieval. You, of course, need to make sure your password to these services is ridiculously complex and airtight. Some people don’t entrust their passwords to a service and choose to create their own encrypted files for passwords.
Even if you never write down your passwords, there are other ways for you to breach your strongly constructed security: typing a password in front of someone, entering your password into a public computer (library, Internet cafe), or giving out your password via e-mail, which no company will ever ask you to do. Always protect your passwords as if they are thousands of dollars in cash, which is only a portion of what a terrible security breach could cost you.