News, views, tips and tricks on Oracle and other fun stuff

Top ten tips for better password management


There is an article about how companies can manage their passwords. The author offers the following tips for fostering a culture of secure and more effective password management:

  1. Passwords must not be written down.
  2. Passwords must be set. When the password is “ChangeMe”, then change it.
  3. Require as few passwords as possible. Balance how much password protection you need with how many passwords can reasonably be managed.
  4. Staff must change their passwords regularly. This limits the likelihood of old passwords, shared between colleagues in less-secure times, coming back to haunt you.
  5. Make new passwords new. Old password = “Rowanda1”. New password = “Rowanda2”. Not good.
  6. Avoid obvious words. Passwords must be more complex than a single word which can be hacked with a dictionary attack.
  7. Think long – but not too long. A password which consists of at least eight characters with a mix of upper case, lower case and numbers is a good start.
  8. Automate password changes. The process of making staff reset and choose secure passwords must also be automated.
  9. Educate staff. Ensure password policy is written into employment contracts and that all staff understand why and what that entails.
  10. Look at long-term solutions which will eventually replace passwords – such as biometrics.
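As an added example that is not part of the original article, here is one way to automate tips 2, 5, 6 and 7 as a single policy check (the kind of enforcement tip 8 asks for); the placeholder list and the dictionary are constructed stand-ins for a real banned-password list and wordlist.

```python
import re
from typing import List, Optional

# Constructed sample data: a real deployment would load a full wordlist
# and a banned-password list rather than these short stand-ins.
PLACEHOLDER_PASSWORDS = {"changeme", "password", "welcome"}
DICTIONARY_WORDS = {"rowanda", "oracle", "summer", "monkey", "dragon"}


def _strip_trailing_digits(pw: str) -> str:
    """'rowanda1' -> 'rowanda', so 'Rowanda2' is seen as a rehash of 'Rowanda1'."""
    return re.sub(r"\d+$", "", pw)


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    lowered = new.lower()

    # Tip 2: a default such as "ChangeMe" must never remain set.
    if lowered in PLACEHOLDER_PASSWORDS:
        problems.append("placeholder password must be changed")

    # Tip 7: at least eight characters with upper case, lower case and digits.
    if len(new) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[A-Z]", new) and re.search(r"[a-z]", new)
            and re.search(r"\d", new)):
        problems.append("needs upper case, lower case and digits")

    # Tip 6: a dictionary word with digits tacked on still falls to a
    # dictionary attack, so compare the word part against the wordlist.
    if _strip_trailing_digits(lowered) in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")

    # Tip 5: the new password must really be new, not the old one with
    # the trailing counter bumped (Rowanda1 -> Rowanda2).
    if old is not None:
        old_lowered = old.lower()
        if lowered == old_lowered:
            problems.append("same as the old password")
        elif _strip_trailing_digits(lowered) == _strip_trailing_digits(old_lowered):
            problems.append("only the trailing digits differ from the old password")

    return problems
```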

I believe that most of the above applies to individuals as well. In fact, tip number 10 is already a reality for the average consumer like you and me. Search Google for “biometric password manager” to see what I mean.

Personally, I have tens of passwords I need to keep track of. Since I avoid writing passwords down and it is impossible for me to remember them all, I rely primarily on my password manager software and sometimes on my memory when I am faced with “Please enter your user name and password”. Maybe I should try this new APC Biometric Password Manager, or something similar.

Filed in Security, Technology on 16 May 06

Reader's Comments

  1.

    With all the corruption we hear about these days between governments and software and web companies, I’m not so sure I’d trust storing all of my passwords in any sort of software. I say, think pen and paper, write that shit down and lock it up. If you can’t remember one of your dozens of passwords, be sure NOT to forget the combination to your safe and go look it up. But I assure you, if you store your password in a file on your computer, someone, sometime or another will hack that shit.

  2.

    areyoukidding, are you kidding me? You’re free to store your passwords wherever you want, but I would never store my passwords in plain text either on paper or in a file on a computer.

    The main reason I use a software program to manage my passwords is because of password encryption. So, even if someone gains access to my password file, that person will not be able to read my passwords.

  3.

    All good advice, but a list of do’s and don’ts is no way to “foster a culture” of anything – either users will take the advice on board or they will give up because it’s all too difficult.

    The exceptions are tips #3 and #10, which are things the company needs to do to foster a culture of security. In lieu of #10, #9 is probably a necessity but even that will not foster a culture of secure password management.

  4.

    Regarding number 4, where I work, I am forced to change my Windows logon password every three months. This is more like force than foster. But I’m fine with it because it definitely is more secure that way. It is more hassle for me, but more secure for the company. After all, it’s always a compromise.

  5.

    I agree a bit, Mr Awads, but I think we should perform a ‘small risk assessment’ first into the areas that are considered as high security risk or lower security risk. The higher security risk needs higher password management too.

    For better password management using is recommended

  6.

    Passwords are very important. And they should not be stored in a computer. There are many different passwords for me. It is hard to remember them all. So what I do with the passwords: I converted my passwords into my own codes and write them down in my small book. Even if someone sees my book, they could not understand the codes.

  7.

    There is a fundamental problem with password security which is epitomised in these rules/tips: it assumes that users are normal people. They aren’t! They have no idea of the work that is needed to recover from a password compromise attack, no knowledge of the risk to their business of data loss or theft, not a clue on what to do to limit the damage caused by an electronic break-in.

    Why Should They? They are the users. That is what the Sysadmin does.

    Thus I have a problem with tip 8. The automatic forcing of password changes every XX days is a bad practice. As is complexity management, i.e. making people use very high complexity passwords on a regularly changing cycle. If this is really essential then companies should look for another method of security management such as CHAP or Biometrics. Forcing users to change passwords every XX days increases the chance of weak passwords. High complexity passwords increase the chance of the passwords being written down.

    A far better method of good password management is EDUCATION!!! Teach users to use sensible, good passwords. Work with the users to ensure that they choose sensible passwords that are secure, manageable and above all private.

  8.

    Good points Marvin.