Thursday, November 25, 2010

Best Practices for Password Creation

Over the past couple of months, I helped several friends and family members recover their account passwords for Hotmail, Yahoo, Facebook, Skype, and even a bank accounts. The reason? Someone was able to gain access to at least one of their account by guessing the password or by workarounds (mainstream media likes to call this “hacking” an account). In most of the cases that I helped with, every single one of the users’ passwords were exactly the same imagefor every one of their online accounts. After I help them recover access to their accounts, I go through a list of dos and don’ts pertaining to password management and pray that they don’t have this problem again. I feel that it is time to create an article on this and post it to the world. So here is my list of best practices for password creation.

1. Strong Passwords

Strong passwords are the bare minimum for most websites and most businesses. A basic strong password is a minimum of 8 characters long and has at least 3 of these 4 rules:

  • Capital Letter
  • Lowercase Letter
  • Number
  • Symbol (!,@,#,$,%,^,&,*,(,),_,+,?)

Some examples of poor passwords are “computer” or “joseph”. But an acceptable strong password may be “C@mputer01” or “m1cr*s0fT”. Now, I don’t suggest that you use any of these strong passwords that I have just typed but I hope you get the point Smile

Microsoft has a free Password Strength Utility online. Simply type something in the box and it will automatically rate the text. I suggest nothing short of the “Strong” rating (which is 3 out of 4 bars). The same type of visual aid is automatically loaded when you change or create your Facebook account password.

2. Do not have any personal information or confidential information in your password

Even though your password is personal only to you, do not include ANY personal or confidential information anywhere in your password or any variant of personal information in your password –> and I do mean ANY VARIANT. If your address is “123 Password Lane”, do NOT include “123”, “pass”, “word”, “lane” or “ln” in the password. If your child’s name is “Johnny Cage” do not include “John”, “cage”, “jcage”, “johnnyc”, etc.
Personal information in a password only makes it easier for someone to guess it. And if someone is able to get into your account, it provides clues to other information about you, eventually leading to more identity theft. For example, you all know me as a technical individual. If my password was “computer” it makes it very easy for someone to guess it. But a password such as “DumDum12#” doesn’t make sense to anyone. I would even go as far to say don’t include any information about your personality in your passwords.

Personal information includes (but is not limited to):
Your Name (first, middle, or last)
A Family Member’s name (first, middle, or last)
Your Best Friend’s name
Pet names
Hobbies
Your Favorite Vacation Spot
Favorite Movie or quote from the movie
Name of a song or artist
The model of your car
Your Bank
Your Social Security Number
Your phone number
Your address
Your school
An organization you are a part of
Any other personal or confidential information

3. Have a different password for every online account

That’s right. Do not have the same password for any of your online accounts. Keep each account password unique to itself. Believe it or not, this is not difficult to do. Once you come up with a password, it should mark some type of pattern which will make it easy to create or change passwords in the future. Something that is even easier to do is make the password similar but not the same as your other online accounts. This helps you to remember your different passwords and maintains a pattern for you to change your passwords.

4. Do not write down or share your passwords

This should be obvious, but do not tell anyone your password, write it down, or save it to a file.

5. Change your passwords regularly

It is good practice to change your password at least 4 times per year (think every 90 days or every 3 months). Most websites will not remind you to change your password. They leave this task up to you.

6. Make the passwords easy to type and easy to remember

Make sure the password is easy to type and is easy for you to remember. One thing that helps are patterns. Patterns help you remember things better. So, apply the same concepts when you create your passwords.