Contact Us: 260-403-5855     Email: cliffordclarke@c2itadvisors.com

Passwords – Cannot live without them!

It seems that we need a new password every day.  Whether it is a new application at work or simply the price we pay to work and play on the World Wide Web, everyone wants you to create a password.  How are we going to remember all this information?

"We have too many passwords!"  "I can not remember another password!"  "The password changes too often!"  "The password is too complex!"  As a Certified Information Security Manager, IT advisor, and former CIO I hear these complaints all too often.  The problem is that password pressure leads to undesired behavior by the users.  Information Technology security professionals know that you have written down that password somewhere.  Worse yet it is probably easy to find, like on your desk calendar or that sticky note on the side of your monitor.  This simply defeats the purpose of a password.

You already know that passwords are important, so I will not bore you with why they are.  Below are some tips to help you manage your password portfolio.

Passphrase

The more complex your password the better, but how do you develop and remember a complex password?  Use a passphrase or saying.  Just modify it so it is not obvious.  Say you feel that using names will help you remember a password; then build the password from components of the name information.  For example, if you have a child, Jonathan, born April 10, 1999, the password becomes JonAp10((.  Notice this password has the major components of good passwords, which are:

  • Length – it has over 8 characters
  • Combinations – it contains special characters, numbers, caps, and lower case letters
  • Illegitimate – it is not a real word

Note that the “((” represents the year Jonathan was born, 1999, typed with the Shift key held down.  This is of special importance for applications that force a periodic change of the password.  This can be done with any memorable phrase.  "One Thousand and One Arabian Nights" becomes !00!AraNig.

Schema

So many sites want a user ID and password to access their information.  Try developing a password based on the site you visit.  Say you shop at one of those online stores – www.DealsBest.com. You could develop a password around the site name and some other information, like your middle name and an important date.  The password becomes Dar@Dea69, where the schema is the first three letters of the name Darren, the “at” sign as a reminder that it is a web store, the first three characters of the web address, and the year you were born.  You get the picture.  Any schema is fine as long as it works for you.  This is especially helpful for those sites that are rarely visited.
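The schema above, together with the three components listed under Passphrase, as an added example that is not part of the original article. The function names, the birth year 1969, and the small word list are assumptions made for illustration.

```python
import string

# Constructed mini word list standing in for a real dictionary (assumption).
SAMPLE_WORDS = {"password", "jonathan", "darren", "arabian", "nights", "dealsbest"}


def schema_password(middle_name: str, site_host: str, birth_year: int) -> str:
    """Build a password with the article's schema: first three letters of the
    name, '@', first three characters of the site name, two-digit year."""
    labels = site_host.split(".")
    # Skip a leading "www" so the site name itself is used.
    site = labels[1] if labels[0].lower() == "www" and len(labels) > 2 else labels[0]
    return f"{middle_name[:3].capitalize()}@{site[:3].capitalize()}{birth_year % 100:02d}"


def components(password: str, words=SAMPLE_WORDS) -> dict:
    """Report the three components the article lists for a good password."""
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    return {
        "length": len(password) > 8,                    # "over 8 characters"
        "combinations": all(classes.values()),          # all four character classes
        "illegitimate": password.lower() not in words,  # not a real word
    }


def report(passwords):
    """Map each password to its component check results."""
    return {p: components(p) for p in passwords}


if __name__ == "__main__":
    # 1969 is an assumed birth year chosen to match the article's "69".
    derived = schema_password("Darren", "www.DealsBest.com", 1969)
    for pw, result in report(["JonAp10((", "!00!AraNig", derived, "password"]).items():
        print(f"{pw:12} {result}")
```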

Secure Location

Let’s face it, some of us feel better if the important information is captured somewhere other than our brain.  The tip here is to be smart about where you place your password.

Place: Word file on a network drive at work
Bad, Better, Best: Bad
Why?
  1. Generally not encrypted, locked, or password protected
  2. Information stored on company infrastructure generally does not belong to you, therefore you can be quickly and permanently separated from your information
  3. Not deceptive enough – too many people name the file “passwords”
  4. Too many individuals will have access to your personal information
  5. Not always accessible or portable
The one bright spot is that network files are regularly backed up and recoverable.

Place: Word file on a home computer
Bad, Better, Best: Bad
Why? Items 1, 3, and 5 above.  Generally not backed up.

Place: PDA
Bad, Better, Best: Better
Why? Items 1 and 3 above.  So portable that the risk of loss increases.


Best – if you must, consider creating a password-protected file on a PDA or flash drive that you keep with you at all times and that is backed up on a separate device stored in a locked location, like a fireproof safe.  Obviously, this step is for seriously important information.  Mitigating the risks above is the real takeaway.  All the rules for password development discussed above apply.

Multiples

Since information has varying levels of importance, you could take a multi-tier approach to passwords.  Security professionals may not agree, but if the site is of low importance, does not hold personal private identification information, and registration can easily be re-created, then you could use common passwords for all those research and giveaway sites, thereby reducing the number of passwords you have to remember.  You must keep a different password for each of your financial transaction sites, like banking, shopping, and investments.

Deception

Deception is a key element in the field of security.  You may recall the hacking of Governor Palin’s mail account.  The hacker used available and accurate information to reset the password to her account to his advantage.  Here is an opportunity to bend the rules.  If the information is not obtained to be cross-referenced, then you should be at liberty to embellish a bit.  Say a site requests your mother’s maiden name; bend the rules by using a code for the name.  It is too easy to find birth records on the web.  This can be done with any challenge question.

All in all, passwords are important.  I hope these tools will help you better secure your information in a manner that does not drive you crazy or make you slide backward to less secure ways of tracking this information.

Security is a game of cat and mouse. An individual bent on getting to your information will stop at nothing to do so. For the average Joe, this is not the case. The theft is merely a crime of opportunity and convenience. A strong password reduces the convenience. If you have a tip that does not show up on the list, email me for inclusion in the next publication.
