How important are those Passwords?
12 Sep, 2008 By: Carla Nasse
Last time, we scratched the surface on network security. With firewalls
and detection software, anti-spam and anti-virus software, there are a host of
things that we can put into place to protect our networks as much as possible.
One of the key tools left to look into is the strength and security of our
passwords. To thwart a thief, sometimes the only way is to
think like a thief.
You may have seen this scene in the movies. There they are, sitting in the
dark, working to get into a computer, but they have to get the password. They
have a dictionary program that very quickly goes through combinations and comes
up with “match found.” They’re in. They can now do whatever they want to the
data. What if this was your data? From this we learn that we shouldn’t be
using anything that could be found in the dictionary, no proper nouns and no
foreign words. Don’t try to use any of these backward. For example, “drowssap”
is not going to help you. Adding a number to the front or end of any of those
won’t help much. It’s no match for the password cracker’s tools.
Next thing to consider is “social engineering.”
It’s amazing how easy it is
to get someone’s personal information. So take your pet’s name, your hometown &
your street name off your list of possible passwords. Don’t use phone numbers or
street addresses. Beyond doubt – don’t use social security numbers! It’s too
easy to find out information about a person. Using any of this information as a
password won’t protect you very much.
Physical security must also be considered when talking about passwords and
Do you list passwords? If you’re like many people they are not far away. At
the office it’s common for passwords to be kept under the keyboard, taped to the
back of the monitor or in an easy-to-locate file. How long would it take
someone to find them? Another place on top of the list is in a wallet or
purse. After all, it’s something that’s with you all the time. What if your
wallet or purse is lost or stolen? At home, the number one place that passwords
are kept is in a folder next to the computer. Is that really going to help keep
your data secure?
A good password is like locking the vault door.
The company data can be stored in a vault, but if the door isn’t closed and
locked it won’t do much good. A good strong password will have length, width
and depth, just like the lock on a vault door. The irony though is, a password
is no good if you can’t remember it. Where is the balance for security and
usability? Here are suggestions: Use acronyms for phrases. Here’s a good
example: agPiE2rbH2g. A good password is easy to remember, but hard to guess.
Some other techniques include leaving the vowels out of a long word and
adding in some digits. Cm5mnct7ns = communications or mN4gmn9t = management.
A good password is at least eight characters long and is a combination of
upper and lower case letters. Add numbers and even special characters like % or
& if it is allowed. It should include at least two digits. When a password is
changed, it shouldn’t include any more than four of the characters from the
password it is replacing. So, the best password is one that is a completely
random combination of upper and lower case letters, numbers and special
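The rules in the last two paragraphs can be turned into a checker. This is an added example, not code from the article; the word list is a constructed stand-in for a cracker's dictionary, and reading "no more than four of the characters" as a count of characters shared with the old password is my assumption.

```python
import re
from collections import Counter
from typing import List, Optional

# Constructed mini word list standing in for a cracker's dictionary (assumption:
# a real check would load a full word list); the article's own examples appear here.
DICTIONARY = {"password", "communications", "management", "fluffy", "springfield"}

def looks_like_dictionary_word(pw: str) -> bool:
    """True if pw is a dictionary word, its reverse, or either one with a single
    digit added to the front or end (the patterns the article says crackers try)."""
    core = pw.lower()
    # strip at most one leading or trailing digit, as in "1password" / "password1"
    core = re.sub(r"^\d(?=\D)|(?<=\D)\d$", "", core)
    return core in DICTIONARY or core[::-1] in DICTIONARY

def shared_characters(new: str, old: str) -> int:
    """Characters (with multiplicity) that the new password reuses from the old one.
    Assumption: this is how the article's 'no more than four' rule is read here."""
    return sum((Counter(new) & Counter(old)).values())

def check_password(pw: str, previous: Optional[str] = None) -> List[str]:
    """Return the article's rules that pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if sum(c.isdigit() for c in pw) < 2:
        problems.append("needs at least two digits")
    if looks_like_dictionary_word(pw):
        problems.append("dictionary word (possibly reversed or with one digit added)")
    if previous is not None and shared_characters(pw, previous) > 4:
        problems.append("reuses more than four characters from the previous password")
    return problems

if __name__ == "__main__":
    for candidate in ("agPiE2rbH2g", "drowssap", "Password1"):
        print(candidate, "->", check_password(candidate) or "ok")
```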
Now that you’ve developed a good password, where do you keep it? A recent
study showed that over half the respondents kept their passwords in a file next
to the computer or on a post-it® note under the keyboard. That’s like leaving
the key to your front door under the welcome mat. Putting the file marked
“passwords” in the drawer next to the computer isn’t going to be much help
either. That “Remember Password” feature sure is handy, but it defeats the
whole purpose. When determining a place to keep your passwords, look around your
space. Determine an unlikely place!
Changing your password often is important. Just when you get comfortable and
are able to remember the password, it’s time to change it. The rule of thumb is
that passwords should be changed every 60 days. Having to create a new password
and then remember it for the next 60 days may seem like a daunting task, but it
is a necessary step. Some systems have a prompt built in and will pop up on
regularly scheduled intervals. If the prompt is ignored for a designated period
of time, access will not be granted with the old password. The IT help desk has
to be called and asked to reset the password. No one wants to make that call.
Hackers and crackers are unpleasant facts and I’m afraid they are here to
stay. How a company plans and executes to protect itself from them will
determine the level of risk. If the data is at risk, the company is at risk.
Can you afford that?
Carla Nasse is a member of CompTIA who helped develop the PDI+
certification for the document technology channel & specializes in IT training