Simple passwords are extremely easy to compromise. Complex passphrases are not, but they are more difficult to remember. The balance you require will depend on the sensitivity of your company’s data, which your password is there to protect. Your level of password complexity may also include further ‘authentication steps’ (i.e. two factor authentication) and depends on the impact (reputational and financial) which a compromise could cause.
A computer system is only as strong as its weakest link
‘Password Complexity’ requirements for network and PC use can be enforced at computer and network level. Password complexity for third party systems such as websites and other software is less likely to be enforced by your company. In an ideal world, everyone would learn the skills needed to diligently ensure their own good password hygiene.
Password Hygiene
Use a Password ‘Safe’
The best strategy is to have a different password for every different website or secure logon you have. Most people could not remember all of these, so the use of a ‘Password Safe’ (eg http://lastpass.com), unlocked with your ‘master password’ can be extremely useful. These can securely replicate your password database between your mobile phone, computer and websites to ensure your passphrases are available wherever you need.
A corporate account can also be useful as a central business repository, possibly as part of a Business Continuity Plan.
Choose multiple levels of password security
If you cannot use different passwords, try using different ‘grades’ – for example use 3 passwords with the simplest reserved for unimportant website logins, a more secure one for sensitive information including social websites or those which store your credit card details and the most secure as your bank and network logins.
Hints and Tips for a more secure Password / Passphrase
Change Regularly
Changing a password every 30 days can be frustrating and disruptive. IF the rest of your corporate security has been changed to strongly resist compromise, then this can be lengthened to an interval of 60 or even 90 days, depending on your environment.
Don’t include your name, relative’s names or other associated words.
If you told your password to your ‘best friend’, they should not recognise any link to you; no birthdays, children’s names, street name etc
Don’t include the word ‘password’
The word ‘password’ is one of the most common – and easily guessed – passwords.
Don’t reuse words from older passwords
Iterating your password (password1, password2, password3) greatly increases the likelihood of compromise.
Misspell words Password cracking tools initially rely on dictionary attacks. instead of ‘geology’ try ‘geeology’
Increase its Length
Minimum 8, preferably 10 or longer. Phrases can be useful (misspelt ‘a geology degree’ = ‘ageeologydegree’)
Capitalise
The more the merrier — alternating is even better: ‘aGeeologyDegreE’
Replace letters with numbers
o=0, l=1, e=3 etc… becomes ‘aGee0logyDegre3’
Special Characters
Add characters or replace letters with punctuation or special characters try replacing a with @, ‘@Gee0logyDegre3!’ note that this has become quite a secure passphrase.
More Examples of secure passphrases:
welcome home => W3lcome.H0me
merry christmas => !m3rry*Chr1stm@s
i believe i can fly => 1B3l1eve1C4n7ly.