Simple passwords are extremely easy to compromise. Complex passphrases are not, but they are more difficult to remember. The balance you require will depend on the sensitivity of your company's data, which your password is there to protect. Your level of password complexity may also include further "authentication steps" (e.g. two-factor authentication) and depends on the impact (reputational and financial) which a compromise could cause.
A computer system is only as strong as its weakest link
"Password complexity" requirements for network and PC use can be enforced at computer and network level. Password complexity for third-party systems such as websites and other software is less likely to be enforced by your company. In an ideal world, everyone would learn the skills needed to diligently ensure their own good password hygiene.
Password Hygiene
Use a Password "Safe"
The best strategy is to have a different password for every website or secure logon you use. Most people could not remember all of these, so a "password safe" (e.g. http://lastpass.com), unlocked with your "master password", can be extremely useful. These can securely replicate your password database between your mobile phone, computer and websites to ensure your passphrases are available wherever you need them.
A corporate account can also be useful as a central business repository, possibly as part of a Business Continuity Plan.
Choose multiple levels of password security
If you cannot use a different password everywhere, try using different "grades": for example, three passwords, with the simplest reserved for unimportant website logins, a more secure one for sensitive information (including social websites and those which store your credit card details) and the most secure for your bank and network logins.
Hints and Tips for a more secure Password / Passphrase
Change Regularly
Changing a password every 30 days can be frustrating and disruptive. If the rest of your corporate security has been changed to strongly resist compromise, then this interval can be lengthened to 60 or even 90 days, depending on your environment.
Don't include your name, relatives' names or other associated words.
If you told your password to your "best friend", they should not recognise any link to you: no birthdays, children's names, street names, etc.
Don't include the word "password"
The word "password" is one of the most common, and most easily guessed, passwords.
Don't reuse words from older passwords
Iterating your password (password1, password2, password3) greatly increases the likelihood of compromise.
Misspell words
Password cracking tools initially rely on dictionary attacks. Instead of "geology" try "geeology".
Increase its Length
Minimum 8 characters, preferably 10 or longer. Phrases can be useful (misspelt "a geology degree" = "ageeologydegree").
Capitalise
The more the merrier; alternating is even better: "aGeeologyDegreE".
Replace letters with numbers
o=0, l=1, e=3, etc.; the example becomes "aGee0logyDegre3".
Special Characters
Add characters, or replace letters with punctuation or special characters; try replacing a with @: "@Gee0logyDegre3!". Note that this has become quite a secure passphrase.
More Examples of secure passphrases:
welcome home => W3lcome.H0me
merry christmas => !m3rry*Chr1stm@s
i believe i can fly => 1B3l1eve1C4n7ly.
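As an added illustration (not part of the original article), the following Python checker applies the hints above to a candidate password: the 8/10 character length thresholds, mixed case, a digit, a special character, no "password", no personal words, and no simple iteration of a previous password. When searching for "password" and personal words it first undoes the recommended letter-for-number substitutions (o=0, l=1, e=3, a=@ and the 4/7 used in the examples), because the rule sets in cracking tools undo them too. The `personal_words` and `previous_passwords` inputs and the sample values in the demo are constructed for this example.

```python
import re
import string

# The substitutions the article recommends (o=0, l=1, e=3, a=@) plus the 4=a and
# 7=t seen in its examples, inverted so the checker can see through them:
# "P@ssw0rd" is no harder to guess than "password".
LEET_REVERSE = {"0": "o", "1": "l", "3": "e", "4": "a", "7": "t", "@": "a"}


def normalise(text):
    """Lower-case the text and undo common letter-for-number substitutions."""
    return "".join(LEET_REVERSE.get(c, c) for c in text.lower())


def iteration_base(password):
    """Strip a trailing run of digits/punctuation so that 'password2' -> 'password'
    and 'Summer2023!' -> 'summer'; password1 -> password2 style changes share a base."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_password(candidate, personal_words=(), previous_passwords=(),
                   min_len=8, preferred_len=10):
    """Return a list of findings; an empty list means the candidate passes every rule."""
    findings = []

    # Increase its length: minimum 8, preferably 10 or longer.
    if len(candidate) < min_len:
        findings.append(f"shorter than minimum {min_len} characters")
    elif len(candidate) < preferred_len:
        findings.append(f"shorter than preferred {preferred_len} characters")

    # Capitalise, replace letters with numbers, add special characters.
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        findings.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in candidate):
        findings.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        findings.append("no special character")

    # Don't include "password" or words associated with you (names, birthdays,
    # street names); checked on the normalised form so substitutions don't hide them.
    norm = normalise(candidate)
    if "password" in norm:
        findings.append("contains the word 'password'")
    for word in personal_words:
        if len(word) >= 3 and normalise(word) in norm:
            findings.append(f"contains personal word '{word}'")

    # Don't iterate older passwords (password1, password2, ...).
    base = iteration_base(candidate)
    if any(iteration_base(old) == base for old in previous_passwords):
        findings.append("iteration of a previous password")

    return findings


if __name__ == "__main__":
    # The article's own examples, followed by constructed weak candidates.
    for pw in ["W3lcome.H0me", "!m3rry*Chr1stm@s", "1B3l1eve1C4n7ly.", "@Gee0logyDegre3!"]:
        print(pw, "->", check_password(pw) or "passes all rules")
    print("password1", "->", check_password("password1"))
    print("Paul1985!!", "->", check_password("Paul1985!!", personal_words=["Paul", "1985"]))
    print("Summer2024!", "->", check_password("Summer2024!", previous_passwords=["Summer2023!"]))
```

The checker is deliberately conservative: `iteration_base` treats any two passwords that differ only in a trailing run of digits or punctuation as iterations, which is the pattern the article warns against, and the personal-word test only looks for substrings of three or more characters so that short initials do not produce noise.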