Passwords have always been, and continue to be, the bane of both users and security administrators. To be effective, a password must be hard to guess or crack. That means it should be long and built from randomly chosen characters rather than meaningful words, names or dates. This sounds easy, but people are surprisingly bad at producing secure passwords by hand.
Security policies define how many and what types of characters (letters, digits and special characters) passwords must contain. These policies often dictate how often a password should be changed and whether previous passwords can be reused. Although policies are necessary to promote access security, they also frequently frustrate users.
The first step in relieving some of this frustration is to use a random password generator. These tools let you enter the policy parameters (length and the character types required) and produce a password chosen at random within those constraints. The one thing to check is that the generator draws from a cryptographically secure random source; a password built from a predictable pseudo-random sequence is far weaker than its length suggests.
Good practice suggests using the maximum length and complexity (different character types) allowed for a password, which can vary for each account. For example, if an account requires (or allows) a combination of digits, upper and lower case letters, and special characters with a minimum length of 6 and maximum length of 12, create a 12-character password containing digits, uppercase, lowercase and special characters.
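As an added example (not the author's code or any particular tool mentioned on this page), the following Python generator takes the policy parameters described above, produces a password from the operating system's cryptographic random source, and guarantees at least one character from each required class. It also checks a candidate against the policy and estimates how many bits of entropy a given length and alphabet give you. The special-character set is an assumption; many sites restrict which symbols they accept, so adjust it to the account's policy.

```python
import math
import secrets
import string

# Character classes a typical password policy refers to.
# The special-character set is an assumption; trim it to what the account accepts.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}

ALL_CLASSES = ("lower", "upper", "digit", "special")


def generate_password(length, classes=ALL_CLASSES):
    """Return a password of exactly `length` characters from the union of the
    requested classes, containing at least one character from each class.

    Uses the `secrets` module (OS CSPRNG) rather than `random`, whose generator
    is seeded predictably and is unsuitable for credentials.
    """
    if length < len(classes):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    # Guarantee one character from each required class ...
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    # ... then fill the remainder uniformly from the whole alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle so the guaranteed characters do not always sit in the leading
    # positions. `secrets` has no shuffle, so do Fisher-Yates with randbelow.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, min_len, max_len, classes=ALL_CLASSES):
    """True if `password` is within the length bounds and contains at least one
    character from every required class."""
    if not (min_len <= len(password) <= max_len):
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def entropy_bits(length, classes=ALL_CLASSES):
    """Upper bound on entropy: log2(alphabet size) bits per character.
    Forcing one character per class removes a little from this bound, but for
    lengths of 12 or more the difference is small."""
    alphabet = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet)


if __name__ == "__main__":
    # Policy from the text: 6-12 characters, all four classes. Use the maximum.
    pw = generate_password(12)
    print(pw, meets_policy(pw, 6, 12), round(entropy_bits(12), 1), "bits")
```

With all four classes the alphabet has 85 symbols, so a 12-character password carries roughly 77 bits of entropy; each extra character adds about 6.4 bits, which is why using the full allowed length matters more than any clever choice of symbols.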
Longer, more complex randomly generated passwords are harder to break, but unfortunately they are also more difficult to remember. This raises the second issue—remembering passwords that are, well, hard to remember.
Compounding this issue is the advice to use a different password for every account, so that a single compromised password exposes only one account. For example, if you use the same password for Twitter and for online banking and someone obtains your Twitter password, your bank account is compromised as well.
There are several ways to keep track of long, complex passwords. The simplest is an encrypted password file: type the passwords into a spreadsheet and keep it inside an encrypted container created with a utility such as TrueCrypt. When you need a password, unlock the container and copy and paste the password into the login field. Lock the container again when you are done, and remember that the pasted password remains in the clipboard until something overwrites it.
Another method is a password manager, a tool that encrypts, stores and recalls your passwords for you. Most of these, such as LastPass, include a random password generator as well. Whichever approach you choose, the master password that unlocks the file or the manager now protects every other password, so it must be the strongest one you have and must not be reused anywhere.
One final thought. It's up to you to protect your online accounts, and the key to securing account access is a password that is long, random, and unique to that account.
By Harry Hiles, HBH Technology LLC — 2 Mar 2010