Sunday, May 21, 2006

Ten tips for managing passwords

Passwords are fatally flawed, it's true, but for now they are the best option for many companies, and almost everybody could be managing them more effectively.

In all likelihood passwords will remain a problem until the very day they are replaced by technologies such as biometrics, which is the direction the industry appears to be heading. However, until that day comes, below are some tips for fostering a culture of secure and more effective password management.

1. Passwords must not be written down
If it seems incredible that we are still talking about password management at all, then it is unimaginable that we have to make this first point.

If staff are writing down their passwords, having been told why they must not do so, then the system is too complex and too much is being asked of them. Companies must strike a balance between security and usability because a failure to understand the latter can easily undermine the former.

So consider whether employees have been properly educated about the need to keep passwords secure and then consult the measures below if you need to update your password policy.

2. Passwords must be set
And you thought the first tip seemed obvious? It's staggering how often systems have been compromised because the password was still set to a default such as 'password' or 'changeme'.

3. Require as few passwords as possible
Balance how much password protection you need with how many passwords can reasonably be managed. Identify which networks, systems and applications have the highest priority. If staff have to remember 10 passwords -- from ones guarding highly sensitive data to ones that really serve little or no purpose -- they may be unable to manage all of them.

What's to say the one they write down and lose isn't the most sensitive?

4. Staff must change their passwords regularly
This limits the likelihood of old passwords, shared between colleagues in less-secure times, coming back to haunt you. It also limits the window of opportunity if passwords subsequently fall into the wrong hands.

How often they are changed must again be a balance between security and usability. If staff are required to come up with a new password every week, they will likely become confused and start writing them down. In fact longer periods between changes -- 90 days rather than 30 days for example -- can actually prove beneficial as knowing a password will have a longer lifespan makes a more complex password far more manageable and may encourage staff to give it more careful consideration.

5. Make new passwords new
When passwords are changed users must not distinguish them from a previous password by just one character. RandomW0RD1, RandomW0RD2, RandomW0RD3 becomes a pattern that is pretty easy to figure out.

6. Avoid obvious words
Passwords must be more complex than a single word which can be hacked with a dictionary attack (using software to automatically enter all the words in the dictionary as well as proper nouns). Names, addresses and other words which are easily linked back to the individual should also be blocked from use. It's alarming how many instances there are of staff using their name, their partner's name or their pet's name.

7. Think long -- but not too long
A password which consists of at least eight characters with a mix of upper case, lower case and numbers is a good start. If the minimum requirement is too long, staff may be encouraged to be lazy and use repeated characters or obvious strings: ABCDEFG123456789.

However, a minimum with a reasonably high upper limit would allow staff to be creative. One suggestion is to use phrases rather than words. Certainly 'mYd0g1sCALLEDf1d0' is less likely to be guessed than 'Fido'. Again, it's a step in the right direction towards creating more secure passwords.
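Tips 5, 6 and 7 describe checks that a password-change screen can enforce mechanically: a new password must not differ from an old one by a single character, must not be a plain dictionary word or a word tied to the user, must be at least eight characters with mixed classes, and must not be an obvious run such as ABCDEFG123456789. The checker below is an added example, not code from the original article. The small word list, the 64-character upper limit, the "three of four character classes" rule and the leet-speak decoding (so that 'f1d0' is recognised as 'fido') are my own assumptions; a real deployment would load a full dictionary and take the user's name and address from the directory.

```python
"""Password-policy checker implementing tips 5, 6 and 7 (added example, not the article's code)."""
import re

MIN_LENGTH = 8            # tip 7: at least eight characters
MAX_LENGTH = 64           # tip 7: a reasonably high upper limit (assumed value)
MIN_CLASSES = 3           # tip 7: upper case, lower case and digits (symbols count as a fourth class)
MIN_HISTORY_DISTANCE = 2  # tip 5: must differ from every old password by more than one character

# Constructed sample word list; a real checker would load a full dictionary
COMMON_WORDS = {"password", "changeme", "welcome", "letmein", "secret", "qwerty"}

# Undo common digit/letter substitutions so 'f1d0' is compared as 'fido'
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def is_single_word(pw, personal_words=()):
    """Tip 6: true if the password is just a blocked word, optionally with trailing digits."""
    lowered = pw.lower()
    stripped = re.sub(r"\d+$", "", lowered)
    candidates = {lowered, lowered.translate(LEET), stripped, stripped.translate(LEET)}
    blocked = COMMON_WORDS | {w.lower() for w in personal_words}
    return any(c in blocked for c in candidates)


def character_classes(pw):
    """Tip 7: count how many of lower, upper, digit and symbol classes are present."""
    tests = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    return sum(any(test(c) for c in pw) for test in tests)


def has_obvious_run(pw, run=4):
    """Tip 7: flag runs of identical characters (aaaa) or ascending sequences (abcd, 1234)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {0} or steps == {1}:
            return True
    return False


def edit_distance(a, b):
    """Levenshtein distance; used for tip 5 (RandomW0RD1 -> RandomW0RD2 is distance 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate, previous=(), personal_words=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append("needs a mix of upper case, lower case and digits")
    if has_obvious_run(candidate):
        problems.append("contains an obvious repeated or sequential run")
    if is_single_word(candidate, personal_words):
        problems.append("is a dictionary word or a word linked to the user")
    for old in previous:
        if edit_distance(candidate.lower(), old.lower()) < MIN_HISTORY_DISTANCE:
            problems.append("differs from a previous password by only one character")
            break
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the article's examples
    for pw in ("Fido1", "ABCDEFG123456789", "RandomW0RD2", "mYd0g1sCALLEDf1d0"):
        verdict = check_password(pw, previous=["RandomW0RD1"], personal_words=["Fido"])
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The history check compares against the lower-cased old passwords, which in practice means the system has to keep a history of hashes plus, for this distance test, the old cleartext for the duration of the change; if that is unacceptable, limit the tip 5 rule to rejecting the new password when it contains the old one as a substring, which only needs the old cleartext supplied by the user on the change form.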

8. Automate password changes
The process of making staff reset and choose secure passwords must also be automated. Do not rely on staff to remember how long it has been since they last reset it, what passwords they have used in the past year or what types of words are off-policy. It's not a question of trust. It's a question of history showing us that policies are never adhered to by choice.

9. Educate staff
Ensure password policy is written into employment contracts and that all staff understand what it entails and why. Hopefully, if all other measures work, the most serious human piece of the jigsaw will be the requirement for staff not to share their password and not to write it down. Such wording should also prohibit reuse of passwords between services -- particularly between those outside and inside the enterprise. A corporate login is likely to be more sensitive than a newspaper subscription login which may be shared with friends and family.

10. Look to the future
Finally, look at long-term solutions which will eventually replace passwords -- such as biometrics and two-factor authentication. Passwords are flawed and the above tips are recommendations for how they can be more secure -- for now.
