How To Fix Your Memory for Passwords
One of the biggest problems network administrators face is dealing with user passwords: getting users to pick a complex password, rotate it on a regular basis, and still remember it. The challenge is that in most companies with any sizeable network, the security policy requires password rules to be enforced on users. Rules like:
Here are a few ways of creating passwords that you can remember, that will meet the complexity rules, and that will be easy to rotate.
1) Don't use passwords, use pass phrases!
This can be something like:
The "sum6" part is simply the first three letters of the current season plus the last digit of the year, so it changes four times a year without you having to invent anything new.
In the above passphrase you get to express your true feelings about the guy enforcing the rules :). It meets the complexity rules, it can be rotated for ten years before the season-and-year part repeats, it is easy to remember, and it certainly meets the length requirement. The downside is that if you have to type it ten times a day it will get old very fast, even though you get to tell the network guy what you think of him each time.
2) Use a password construction scheme.
This is a formula in which a few easy-to-remember parts are combined to form your password. For example: my spouse's initials + my birth year + the current month (2 digits) + the current year (2 digits).
This is simple and would be good for 100 years of rotation, since the two-digit year is the only part that takes that long to repeat, although I would hope you would get sick of it and change your scheme after a year or so.
Let's try another:
The above examples may or may not meet the complexity requirements of your network or application, so check a scheme against the policy before you commit to it. An initials-plus-digits scheme like the one above contains only upper-case letters and digits, which fails a policy that demands three of the four character classes (lower case, upper case, digits, symbols), while a passphrase with a capital letter, a digit and ordinary words passes it comfortably.
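To make that check concrete, here is an added example, written for this page rather than taken from the article, that builds passwords from the two schemes above and tests them against a typical corporate policy. The season table, the sample initials "JD", the birth year 1972, the base phrase, the sample date and the policy thresholds (at least 8 characters and three of four character classes) are all assumptions made for the demonstration.

```python
import datetime
import string

# Season of each month as the 'sum6' scheme uses it (assumed: northern-hemisphere
# seasons, first three letters). Winter spans the year boundary.
SEASONS = {12: "win", 1: "win", 2: "win",
           3: "spr", 4: "spr", 5: "spr",
           6: "sum", 7: "sum", 8: "sum",
           9: "aut", 10: "aut", 11: "aut"}

# Constructed sample date used by the demo below.
SAMPLE_DAY = datetime.date(2006, 6, 15)


def season_tag(day):
    """First three letters of the season plus the last digit of the year,
    e.g. 'sum6' for a day in summer 2006. Repeats after ten years."""
    return SEASONS[day.month] + str(day.year % 10)


def passphrase(base, day):
    """Scheme 1: a memorable phrase with the rotating season tag appended."""
    return f"{base} {season_tag(day)}"


def scheme_password(initials, birth_year, day):
    """Scheme 2: spouse's initials + own birth year + MM + YY."""
    return f"{initials}{birth_year}{day:%m}{day:%y}"


def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol)
    appear in pw. Spaces are not counted as symbols (assumption)."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def meets_policy(pw, min_length=8, min_classes=3):
    """Assumed policy: at least 8 characters and three of the four classes,
    the same 3-of-4 rule Windows 'complexity requirements' enforce."""
    return len(pw) >= min_length and character_classes(pw) >= min_classes


def rotation_period_years(scheme_fn, start):
    """Years until a yearly rotation of scheme_fn repeats: evaluate the scheme
    on the same calendar day of successive years until the first value recurs."""
    first = scheme_fn(start)
    year = start.year
    while True:
        year += 1
        if scheme_fn(start.replace(year=year)) == first:
            return year - start.year


if __name__ == "__main__":
    for pw in (passphrase("I like my coffee black", SAMPLE_DAY),
               scheme_password("JD", 1972, SAMPLE_DAY)):
        print(f"{pw!r}: classes={character_classes(pw)} ok={meets_policy(pw)}")
    print("season tag repeats after",
          rotation_period_years(season_tag, SAMPLE_DAY), "years")
    print("initials+MMYY repeats after",
          rotation_period_years(lambda d: scheme_password("JD", 1972, d), SAMPLE_DAY),
          "years")
```

Run on the sample date, the passphrase passes the 3-of-4 check while the initials-plus-digits password has only two classes and fails, which is exactly why a scheme has to be checked against the local policy before you adopt it.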
Tip! Most corporate password policies do not allow you to write passwords down; however, most do not keep you from writing down your password scheme to help you remember it. If the parts of your scheme are very personal, it stays reasonably secure even if someone finds the Post-it with the scheme written on it. "Personal" has to mean genuinely private, though: a spouse's initials and a birth year are known to friends and co-workers, and a found scheme plus a little research leaves an attacker a very small set of candidates to try.
What NOT To Do
1) Don't use password generators.
Password generators are best at creating cryptic passwords that no one can remember. Their only saving grace is that most of them also provide a phonetic spelling of the password. For example:
b3Ef8afR (bravo - Three - ECHO - foxtrot - Eight - alpha - foxtrot - ROMEO)
If you like program-generated passwords, the one above was generated at Winguides.com.
(Side comment: I find it interesting that the above site, WinGuides.com, is running on Linux/Apache/PHP. Quite ironic!)
Tip to net admins! The worst thing you can do to users is force generated passwords like the one above on them. Network and system admins who do this are just asking for trouble. Almost any user will write the password on a Post-it and stick it in a desk drawer, or create a Word document or text file somewhere on the file system with the passwords in it. A disaster waiting to happen.
2) Don't use hackereze
Many supergeeks will recommend that users write their passwords in hackereze (leetspeak: swapping letters for look-alike digits and symbols). The problem is that unless you use it in your daily communications it is not easy for a user to remember, and there are a number of variants, such as those of the Warez and Crackerz subcultures. The biggest problem, though, is that it is not secure: most brute-force password crackers apply the hacker spellings as mangling rules to their dictionary, so a leetspeak word is just a dictionary word with a handful of extra candidates attached.
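To show how little hackereze buys, here is an added example, written for this page rather than taken from the article, of the word mangling a dictionary attack performs. The substitution table and the tiny word list are constructed for the demonstration; real crackers ship far larger rule sets that also handle case changes and appended digits.

```python
import itertools

# Common leetspeak substitutions (assumed table; the plain letter is kept as
# one of the choices so the unmangled word is generated too).
LEET = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0",
        "s": "s5$", "t": "t7", "l": "l1"}

# Constructed sample word list standing in for a cracker's dictionary.
WORDLIST = ["password", "secret", "letmein", "hacker", "network"]


def leet_variants(word):
    """Every lower-case spelling of `word` reachable by substituting leet
    characters for any subset of its letters, including the plain word."""
    choices = [LEET.get(c, c) for c in word.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def candidate_count(wordlist):
    """Total guesses needed to cover every leet spelling of every word."""
    return sum(len(leet_variants(w)) for w in wordlist)


def crack(candidate, wordlist=WORDLIST):
    """Return the dictionary word that `candidate` is a leet spelling of, or
    None if no mangling of the word list produces it. Case is folded before
    matching, since variants are generated in lower case."""
    folded = candidate.lower()
    for word in wordlist:
        if folded in leet_variants(word):
            return word
    return None


if __name__ == "__main__":
    for guess in ("p455w0rd", "P@$$w0rd", "h4ck3r", "Xq9#zLm2"):
        print(f"{guess!r} -> {crack(guess)!r}")
    print(len(WORDLIST), "words expand to only",
          candidate_count(WORDLIST), "candidates")
```

Five dictionary words expand to 140 candidates in total, so every leetspeak spelling of "password" costs the attacker a few dozen extra guesses, not the thousands of years the user imagines.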
My recommendation is to use password construction schemes. They are flexible enough to meet the needs of any corporate password policy and still easy to remember. Using parts that no one else would know makes a scheme quite secure, kind of like the password-reminder questions many web sites ask you for. Of course, you will need to ask your network administrator or refer to your company's password policy to create a scheme that works for you, meets the complexity requirements, and meets the rotation requirements.
For more from Dean goto
All rights reserved TheNetworkAdministrator.com
Disclaimer: The opinions shared on TheNetworkAdministrator.com are contributed by its readers and do not necessarily express the opinion of the creators of this publication.