Passwords: They should be made difficult to guess, they should be changed periodically, they shouldn't be written down, and they should be hard to remember. What advice should be given to users regarding password management strategy?
This question was actually asked of me recently when I configured a new financial software installation. I strongly suggested that the primary user (the office bookkeeper) create a new and unique user name and password, one that no one could possibly guess, and I advised her to not write it down anywhere. How in the heck am I supposed to remember it, she asked? It got me thinking about how reliant we are on passwords, how often we use them, and how vulnerable we are because of them.
What are the most common passwords? Password, 12345, qwerty, and so on, are pretty common. Your kid's or spouse's name, your pet's name, and such are also pretty common. I suppose that's because these are so easy to remember. However, they're also easy for busybodies, thieves, cheats, and swindlers to guess. Identity theft has become one of the most common crimes in today's technological world, and easy password theft plays a big part in that. And for the sake of corporate security and user privacy, passwords are used for any number of purposes.
E-mail account passwords, a second or third e-mail accounts password, document passwords, server log-in passwords, application management passwords, application user passwords, FTP site passwords, Web site passwords, vendor Web support passwords, e-commerce passwords (such as eBay, PayPal, and on-line banking), and the list goes on and on. One can't possibly use a unique password for each and every case, much less change it periodically -- all without writing it down. Yeah, right.
Here's the advice I gave to the user who asked me how to remember passwords.
For the relatively benign types of uses, I'll use something easy to remember, and one I'll never change. Something like a name or easily remembered number. For example, when Hewlett Packard or some other vendor requires a user name and password to download a driver or access some content, it's always the same one. I couldn't care less if someone else knows what it is. What's the worst that can happen? They download hundreds of drivers in my name? Who cares? For these types of things, I use the same one over and over again, I never change it, and I never will. If I have to go to that vendor Web site only once every couple of years, I don't have to rack my brain remembering its own unique password.
For things that might be of little consequence if someone guessed it, but I wouldn't really want it to happen, I'll use a different password. The worst that can happen is that someone stumbles upon it and causes a mild disruption, but it couldn't really do any significant harm. I might change this password from time to time, but certainly not on a regular basis. My TechRepublic password, for example, is something that's meaningful to me, something that I'll not forget, but it's not unique for only TR; I use the same one for several cases.
For uses that are very personal and private, ones that could have serious repercussions if anyone ever gained access, I do indeed follow the standard advice. This is what I told the user who asked me, because hers was such a case. I do indeed change them from time to time, probably about twice a year, and I never write it down. I make it extremely difficult for anyone to guess (or a program to hack), and I use a combination of numbers, characters, and letters, both upper and lower case. And to make it easy for me to remember, I pick something meaningful to me, but arrange it in such a way to be meaningless to others.
For example, I might remember Central High School class of 1982 and create the password CenHS-co82. (I didn't really attend Central High School, nor did I graduate in 1982.)
Or I'll remember the make and model of my first girlfriend's car -- the one I put a nasty scratch on, and the incident over which her father almost killed me! Remembering that 1965 Chevrolet Impala Super Sport (I scratched the fender) might result in a password, ChevI65SS+Istf. How could I ever forget that car? It was a red convertible with a 327 C.I engine. When it comes time to change my password, I could remember the same thing, but connected differently: 65ChevSS@327CI (I suppose I can never use these, since I just gave it away!)
If you have two kids, Mary and Billy, aged 16 and 12, respectively, you might be able to create a password, 2k-Ma16&Bi12.
Anyway, I advised her to come up with a phrase or a combination of things she could easily recall and condense them into upper and lower case letters, some numbers, and a character or two to connect them. After some time goes by and she might want to change it, simply start remembering something different.
That was my advice. Do you have a method to the madness of remembering passwords that you could divulge? (Without giving anything away, of course.)