Tips to help users remember their password

Do your users constantly forget their passwords? If so, we've got a few pointers to help you solve this dilemma.

A recent support call reminded me of a frustrating problem faced by users and support technicians alike—remembering passwords. Passwords were around long before the first computer and will probably be here for as long as there are people around to forget them. This permanence makes it essential that people better equip themselves to memorize and recall this information quickly.

Unfortunately, we are bombarded every day by relentless requests for all sorts of miscellaneous information: Social Security numbers, phone numbers, birth dates, PIN numbers, and so on. It’s no wonder we have trouble remembering yet another six-letter word that we use for less than five seconds during the mad rush to start the workday. However, there are steps that can be taken to help users better remember their passwords and lessen their frustration when unlocking their computers.

Password recall made easy
Here are some pointers to make sure your users can remember their passwords as painlessly as possible:
  • Choose a secure yet memorable password. Suggest that your users choose a password that is familiar to them: their first pet’s name, their father’s middle name, their favorite sports team, or a combination of these. However, discourage them from using words such as “password” or numeric combinations such as “123456.”
  • Avoid gibberish or bizarre character combinations. While character combinations such as “dfFe#*23” might be hard to guess, they are also difficult to remember. I know these passwords are less susceptible to brute-force attacks, but such activity can be combated in other ways, such as limits on incorrect logon attempts.
  • Don’t change the password too frequently. Users are more likely to forget a password they will only use for a short period of time. It’s not necessary to have your users change passwords every week. A good average is 90 to 120 days, and I’ve found that most users can deal with this.
  • Don’t use an excessively long password. Discourage users from using the entire alphabet or the preamble to the Constitution as a password. Depending on the system, there may be a minimum and a maximum password length. Pick something in the middle that users can remember and easily type. I’ve found that using six to eight characters works wonderfully. Users are less likely to mistype or misspell a password of this length.
  • Write the password down, but keep it in a safe place. I know this is a no-no among security enthusiasts, but if all else fails, this may be the user’s only hope. This is especially true if the user has a password that is not easily remembered or that they seldom use. Have them write down their password and put it in their wallet or purse. Suggest they tape their password to the inside of a locked desk drawer.
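The second pointer above leans on limiting incorrect logon attempts to blunt brute-force guessing of a memorable password. The following is an added example, not code from the article, showing what such a limit looks like as a small lockout tracker: it replays a constructed authentication log (the log lines, account names and the 5-failures-in-15-minutes / 30-minute-lock thresholds are all assumptions for illustration), counts recent failures per account, and rejects further attempts, even with the correct password, while the lock is active.

```python
"""Lockout tracker: limits incorrect logon attempts so that a memorable
password is not also a freely guessable one."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article).
# Each line: ISO timestamp, account name, outcome (OK or FAIL).
SAMPLE_LOG = """\
2024-03-04T08:00:00 alice FAIL
2024-03-04T08:00:05 alice FAIL
2024-03-04T08:00:09 alice OK
2024-03-04T08:01:00 bob FAIL
2024-03-04T08:01:03 bob FAIL
2024-03-04T08:01:06 bob FAIL
2024-03-04T08:01:09 bob FAIL
2024-03-04T08:01:12 bob FAIL
2024-03-04T08:01:15 bob OK
2024-03-04T08:40:00 bob OK
"""


class LockoutPolicy:
    """Lock an account after max_failures failed attempts inside `window`,
    and keep it locked for `lockout` (thresholds are assumed values)."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> time the lock expires

    def attempt(self, user, ts, success):
        """Apply the policy to one logon attempt and return its disposition:
        'locked' (rejected while the account is locked), 'ok', or 'fail'."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "locked"
        if until is not None:
            # The lock has expired; forget it and start counting afresh.
            del self.locked_until[user]
        recent = self.failures[user]
        # Discard failures that fall outside the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if success:
            recent.clear()
            return "ok"
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            recent.clear()
            return "locked"
        return "fail"


def parse_line(line):
    """Split one log line into (timestamp, account, success flag)."""
    ts_text, user, outcome = line.split()
    return datetime.fromisoformat(ts_text), user, outcome == "OK"


def replay(log_text, policy=None):
    """Run every log line through the policy; return [(account, disposition)]."""
    policy = policy or LockoutPolicy()
    results = []
    for line in log_text.strip().splitlines():
        ts, user, ok = parse_line(line)
        results.append((user, policy.attempt(user, ts, ok)))
    return results


if __name__ == "__main__":
    for user, disposition in replay(SAMPLE_LOG):
        print(f"{user}: {disposition}")
```

In the replay, alice's two slips are absorbed and her third attempt succeeds, while bob's fifth failure locks the account so that the correct password at 08:01:15 is still refused; only the attempt after the lock expires gets in. A lockout like this does not make a weak password strong, and it can be turned against users (anyone who can submit bad attempts can lock an account), so a real deployment pairs the counter with alerting on repeated lockouts rather than relying on it alone.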

My most recent experience
Remembering a password can help in normal circumstances, but there can be unusual situations where dumb luck can help prevent a potential crisis. I was working on a client’s hard drive problem and wanted to check the BIOS settings. During the boot process, I pressed Esc and entered the BIOS setup. Everything was proceeding as planned when suddenly, to my dismay, a password prompt appeared. The last time I had worked on this PC, a BIOS password had not been set, and I was not sure why it had one now.

My client, while not a novice, did not have the skills or motivation to configure her PC’s BIOS settings. Neither was she the hyper-inquisitive type prone to changing system settings without knowing the consequences. I was stumped, and after five minutes of trying common character combinations such as “password,” “12345678,” and “abcdefghi,” I was losing hope.

Luckily, the client was there with me, and although she had no idea what the password might be, she inadvertently solved the dilemma. “Why don’t you try ‘Mandy?’” she asked. (This was her daughter’s name, although I’ve changed it to protect the innocent.) “Everyone uses ‘Mandy,’” she continued. “If you want to get on any of our computers, just use that.” Sure enough, I entered her daughter’s name, and it worked. Although this situation was ultimately resolved with little frustration, it had the potential for disaster and could have been avoided with a little planning and documentation. It also brought up the issue of security, since “Mandy” was apparently this department’s universal password!

Balance security with convenience and your environment
When creating your password policy, remember this cardinal rule of security systems: People will only use a security measure that’s not terribly inconvenient. People will always find a way to circumvent security systems that are time-consuming, cumbersome, or prevent them from working efficiently. Also, consider the user’s environment when determining a suitable password policy. If your client works for the CIA and has sensitive national secrets stored on their computer, they shouldn’t use their daughter’s name and then tape it to their monitor. They also shouldn’t use the same password as all of their colleagues (e.g., Mandy). However, there is no need for the average user’s computer to be locked down like Fort Knox. Balance your client’s need for security with their desire for convenience, and you’ll both be happy.
