I often use old addresses as passwords. I dunno about you all, but I had several homes while growing up, and wrote letters to relatives and friends, and had the addresses drilled into my head. They contain weird words and numbers, and I will never forget them - perfect!
Of course, if anyone else figures out that my password is the address of my aunt’s house in 1972* AND can remember what that address is, I’m screwed. But I’m thinking the chances of that are at least as remote as having someone find a password scribbled on a piece of paper in a wallet or desk drawer.
If they require special characters, I’ll usually just put a ! on the end. If I need to change it, I’ll change it to something like OU813 and then instead of a !, I’ll use an @.
A ! on the end is probably obvious, but really... how many people out there are doing dictionary attacks on my amazon.com account?
I use name of a planet plus my college student number (sometimes forward, sometimes backward) giving me 18 alternates.
I wish the FIRST question IT folks would ask is: Do we NEED super-duper security? In the remote email access application, you need to ask what are the consequences of unauthorized access? If your best answer is “well…er…uh…that’s just not good” then the chances are that 1) nobody WANTS to get into your precious system and 2) even if they did, it isn’t particularly significant.
One is an acronym of a sentence with numbers in it (as per Doctor Who’s suggestion above).
One is an abbreviation that my unit informally uses a lot at work, but has no meaning to people I don’t work with, and nobody I do work with would suspect that I use it as a password.
The third is a name I know with the vowels in LEET - A-4, E-3, I-1, O-0, and … well, there’s no U in the name.
I always use old phone numbers for voice mail passwords.
I use Windows Password Generator to make my passwords and keep them all in a password-protected Excel spreadsheet. I find myself remembering the ones I use on a regular basis, even if they are 10 characters long.
If the employees travel (and that’s the point of the remote access, right?) then a different keyboard layout might cause problems. I know that the keyboards in Croatia caused problems for me.
I’d also consider what the password is protecting. If it’s something like a web based e-mail account, that probably needs less protection than if the user were logging in directly to their PC remotely.
Yep, used this type of method for years. Typically I break my password requirements down into “high security, high rotation”, “medium security, medium rotation” and “low security, low/no rotation”.
The ones in the low/no rotation need to be memorable. Mnemonics help with this. “Tennessee Ernie Ford, 16 Tons #9 Coal” = “TEF16#9c” That’s one of the more brutal ones. Baseball slang also makes good password fodder. “Two on, one out, Top of the Ninth” = “2o1oTot9”. A mis-mash of character names from books I like can form a long-term password. “Westley, Buttercup, Inigo, Fezzik, Vizzini, Humperdink, Rugan of the 6 Fingers” = “WBIFVHR6”. I prefer passwords longer than 8 characters, and I don’t like it when I have to use non-alphanumerics, but those can still be dealt with. “Bugs Bunny eats Carets and says, What’s up, Doc?” = “BBe^asWuD?”
Medium rotation is something I typically tie to the passage of time. For example, a co-worker has a muscle car calendar hanging on his wall and he swaps his password to whatever the featured car of the month is. So if the featured car is a 67 Shelby GT Mustang (note I know very little about cars and I don’t remember if this was an actual model ever made) he may put “67SGTMustang”. Someone who knows the trick may be able to crack it, but it requires two layers of security penetration, physical (to be able to see the calendar) and logical (knowing his method). It’s an extra bonus having up to the past 12 months of passwords hanging on the wall if you need to go backwards for some reason. I sometimes tie these to events in my hobby, Magic: the Gathering. If a particular set was released that month, I may have an abbreviated/leetified version of the set name as a password. This also retains a sort of password history because medium rotation passwords often need to be recalled for a bit. I like to tie these passwords to external stuff that is somewhat regular and someone else tracks for me. There are tons of things like this. Music charts, sports team records, book bestseller lists, etc. Just pick your favorite thing which is published once a month (or quarter, or whatever period your reset cycle is on), and each time it is published mine it for a prominent phrase you can turn into a password. If the publishing group keeps the records online then you’re golden for a while. Your password history is tracked for you and no one even knows.
High-security stuff, primarily financial records, is rotated frequently and gets more esoteric, although it will often use mnemonics or one of the other methods. I don’t worry about creating really memorable ones because they’ll be rotated soon. I’ve also used leet-speak versions of D&D or other RPG character names (which tend to be random and non-English already), model numbers from random gadgets I happen to have lying around that month, mixtures of company and product names for things I’m working on at the time (and are thus etched into my mind). These I don’t care to keep track of beyond the thirty days or so, so the password doesn’t have to be especially memorable. Plus the randomness of the password selection method keeps it from being vulnerable to people who know the trick of looking at a calendar hanging on the wall.
That’s an incredibly insecure convention to suggest. How many license plates do you know? Just those that are quite close to you, usually. Pretty easy for a coworker (or anyone else aware of that convention) to observe the vehicles in someone’s life. It’s not easy to guess but trivially easy to research, and with a very simple pattern for brute force attacks.
It might be somewhat useful for an individual, if nobody knows the rationale for it, but to have everybody in the company set their password that way? :eek:
Not too hard to remember? I can’t even remember my own license plate numbers, let alone the plates of somebody I know. (Although I have a kid who knows not only ours, but everybody’s on the block.)
If you assign your users random passwords and force them to change passwords regularly, they’re going to write them down, guaranteed. Guaranteed. People can memorize a random string given enough repetition, but they will refuse to memorize a new random string every 60 days. And that goes more than double if they have more than one account; two accounts are more than twice as hard to memorize as one account.
A random password taped to the monitor is about 5 million times more insecure than a simple “soft” password that the user has memorized. And a brute force attack, even a sophisticated one using dictionary words, can be easily defeated by disabling the account after X failed logins. Any system that can be hacked into by systematically trying random strings isn’t going to be made more secure by assigning the users random strings and forcing them to change passwords every week.
I didn’t get the impression that the OP was looking for one distinct solution / pattern to apply to an entire company; but a group of them to suggest to users. While it’s not explicitly stated, I assumed that the OP will set the initial password & the user will be required to change it upon first login to something secure, that hopefully won’t be written down & taped to their monitor.
Some people remember different things. I’ve got an eye for plate numbers. For example, I use the LP of an attractive young lady I saw at a bus stop ~5 years ago. Good luck tracking her down!
People are either going to find a pattern they can remember, or they’re going to write the password down. So, give 'em some pattern options.
No suggestion about what kind of passwords to enforce, but here is my pet peeve:
A program prompts me to enter my new password or change my old password. Never (I am quite confident in saying never) will it list all of the following, which are the minimum info needed for people thinking up a password:
a) minimum number of characters
b) maximum number of characters
c) list of characters allowed in the password
d) (for western european characters, or any language with capital letters) is password case sensitive?
I remember one website that told me “your password needs to contain at least one special character” without listing the special characters, and then had the software complain that “^” was not allowed, “” was not allowed, etc. Would it be too hard for you to tell me what you think special characters are? :mad:
Heck, while I’m at it, I’ll give you my opinion on the password issue:
How important is it that no one be able to guess the password? What would happen if someone did guess the password? Would someone be able to launch an e-mail telling the UK minister of defense to launch the Bomb, or is the worst that could happen that someone can hijack an e-mail account and send a message to the VP saying “you are a poopy-head and I hate you!”?
For an e-mail application, I would vote for eliminating dictionary words in the language(s) common amongst the users of the application, and leave it at that.
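The four-item list in the pet peeve above is easy to satisfy in code. This added example (not from the thread, with a constructed policy for a webmail login) prints the rules up front and, on rejection, names the exact offending value instead of a vague "not allowed":

```python
import string

# Constructed policy for illustration: exactly the four items a
# change-password prompt should state before asking for input.
POLICY = {
    "min_length": 8,
    "max_length": 16,
    "allowed_chars": string.ascii_letters + string.digits + "!@#$%^&*",
    "case_sensitive": True,
}


def describe_policy(policy=POLICY):
    """Render the rules so nobody has to discover them by trial and error."""
    return (
        f"a) minimum length: {policy['min_length']}\n"
        f"b) maximum length: {policy['max_length']}\n"
        f"c) allowed characters: {policy['allowed_chars']}\n"
        f"d) case sensitive: {'yes' if policy['case_sensitive'] else 'no'}"
    )


def check_password(candidate, policy=POLICY):
    """Return the specific reasons a candidate is rejected; empty list means OK."""
    reasons = []
    n = len(candidate)
    if n < policy["min_length"]:
        reasons.append(f"too short: {n} < {policy['min_length']}")
    if n > policy["max_length"]:
        reasons.append(f"too long: {n} > {policy['max_length']}")
    allowed = policy["allowed_chars"]
    text = candidate
    if not policy["case_sensitive"]:
        # A case-insensitive policy compares everything in one case.
        allowed, text = allowed.lower(), candidate.lower()
    bad = sorted({c for c in text if c not in allowed})
    if bad:
        # Name every disallowed character, not just the first one found.
        reasons.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return reasons


if __name__ == "__main__":
    print(describe_policy())
    for pw in ("TEF16#9c", "BBe^asWuD?", "OU813!"):
        print(pw, "->", check_password(pw) or "accepted")
```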
Unfortunately, this isn’t actually possible with this particular webmail app and in any case, the user authentication is system-wide; if they were to change their webmail password, their desktop mail client back in the office would no longer work (unless they edited the preferences to use the new password, and I don’t want them doing that).
Probably the worst that could happen would be that a mail account would be hijacked and abused (perhaps deletion of stored messages) or misused (used for sending spam, abusive mail, or fraudulent orders appearing to come from the company). The severity of this is hard to predict, but everyone’s email would theoretically be at the same level of risk of compromise; from the office junior to the chairman of the board.
If it’s only used for e-mail, then I would go with “only eliminate dictionary words” approach. The fact of the matter is, the more arcane or complex rules you choose for your passwords, the more people will want to write them down, which defeats the purpose of having a secure password.
Prepare a Word document on how to choose a secure password (many ideas being easily found through a Google search or Wikipedia), e.g. the method suggested by Doctor Who which seems to be in vogue right now and is almost always mentioned in any article about how to choose a good password (first or last letters of each word in a sentence or expression that you can easily remember): My grandfather Peter was born 19 April 1932 in Greece; using all digits and last letters of the words gives yrrsn19l1932ne.
Some security experts advise against the password expiration schemes (forcing users to change their password every X number of days), but I am in favour of it, especially in the environment where people are prone to share passwords with other people (less common for an e-mail password probably), for example when people need a username/password to do a certain part of their job like entering orders, so Employee A will tell new Employee B “just use my password until they give you your own.”