Blessed are the Geeks, for they shall internet the earth

How To Fix Your Memory for Passwords
Dean Chafee
This is not about replacing a stick of RAM in your computer, but rather a How To Fix Your brain kind of article.

One of the biggest problems that Network Administrators face, is dealing with user passwords. Actually, getting users to use a complex password, rotate it on a regular basis, and remember their passwords. The challenge is that in order to conform to network security policies in most companies with any sizeable network, password usage rules must be enforced on users. Rules like:

  • Using complex passwords with a minimum length
  • Changing passwords on regular basis (like at least every 90 days)
  • Protecting passwords with rules like don't tell anyone, don't write it down

The Solution

Here are a few ways of creating passwords that you can remember, will meet the complexity rules and will be easy to rotate.

1) Dont use passwords, use pass phrases!

See Wikipedia for Passphrase

This can be something like:
The network guy is a butthead! sum6

The sum6 is simply the first three letters of the season + the last digit of the year.

In the above example passphrase, you get to express your true feelings about the guy enforcing the rules :), it meets complexity rules, it can be rotated for 10 years!, you can remember it easily and it certainly meets the length requirement. In fact the negative side of this is if you have to type it 10 times per day, it will get old very fast, even though you get to tell the network guy what you think of him many times per day!

2) Use a password construction scheme.

This is a formula in which a few easy to remember parts create your password. For example: My spouses initials + My birthyear + Month (2 digit) + Year (2 digit)
The result would be something like xyz19720806

This is simple and would be good for 100 years of rotation, although, I would hope you would get sick of it and change your scheme after a year or so.

Let's try another:
my Favorite Beer + the first three of my zip code + the first three of current month
Result: SamAdams913aug Again, easy to remember, however, only good for a year of rotation every month.

The above examples may or may not meet the complexity requirements of your network or application.

Tip! Most corporate network password policies do not allow you to write passwords down, however, most do not keep you from writting down your password scheme to help you remember. If the parts of your password scheme are very personal, then it is still secure even if someone finds your postit with the scheme written on it.

What NOT To Do

1) Don't use password generators.

Password generators are best for creating cryptic passwords that no one can remember. The only saving grace can be that most password generators will provide a Phonetic Pronunciation for the password. For example:

b3Ef8afR - (bravo - Three - ECHO - foxtrot - Eight - alpha - foxtrot - ROMEO)
- or-
n7ayiuko - (november - Seven - alpha - yankee - india - uniform - kilo - oscar)

If you like program generated passwords, these were generated at: Winguides.com

(Side comment: I find it interesting that the above site, WinGuides.com is running on Linux/Apache/PHP. Quite ironic!)

Tip to Net Admins!: The worst thing you can do to users, is force generated passwords on them like the above. Network/System admins that do this are just asking for trouble. Most any user is going to write this down on a postit and stick it in his/her desk drawer, or, create a Word doc or text file on their file system somewhere with passwords in it. A disaster waiting to happen.

2) Don't use Hackereze

Many supergeeks will recommend that users utilize hackereze for passwords. Problem is that unless you use this in your daily communications, it may not be very easy for a user to remember. Plus, there are a number of hacker language variants such as from the Warez and Crackerz subcultures. But, the biggest problem is that it is not secure because most brute force password crackers include the hacker version of words in their dictionary.

In Summary

My recommendation is to use password construction schemes. These are very flexible to meet the needs of any corporate password policies and still easy to remember. Using parts of your scheme that no one else would know, makes it quite secure, kind of like those password reminder questions that many web sites will ask you for. Of course, you will need to ask your network administrator or refer to the password policy of your company to create a scheme that works for you, meets the complexity requirements, and will meet the rotation requirements.

For more from Dean goto

http://www.HowToFixYourStuff.com

 

 

 The Information Technology Survival Guide -- Douglas Chick




E-mail your comments to dougchick@thenetworkadministrator.com
            
All rights reserved  TheNetworkAdministrator.com

Disclaimer: The Opinions shared on TheNetworkAdministrator.com are contributed by its readers and does not necessarily express the opinion of the creators of this publication.