A chain is only as strong as its weakest link. In the security world, that weak link is the human element, and it manifests in the poor management of user passwords. As our society becomes increasingly wired we need to remember an increasingly large number of accounts, PINs, and passwords. I have at least 7 different email accounts, multiple network account/password pairs, building access codes, and bank PINs. Then there are my MANY various web access accounts. Everything we do needs a special code so that we alone can access our personal information. Passwords, pin numbers, access codes... Information overload!


In the perfect world none of this would be necessary because we could trust each other not to break into each others houses, telephones, bank accounts or send the boss offensive e-mails using each others accounts. Unfortunately, this is not a perfect world. Passwords are necessary to protect the security of our personal information, our business and our day-to-day transactions and communications.


The standard "memory" tricks or techniques or using post-it notes, birthdays, wife's name, and stock words or phrases are not recommended. I remember one end-user that complained about the need to remember so many passwords and change them at regular intervals. His solution was to use his wife's name for three months and then his anniversary date for the next three and then revert to his wife's name. It's no wonder our secrets aren't safe!



When creating new passwords, remember two main issues: security and efficiency. Passwords should be too difficult to crack, but still easy to create and remember. There are some simple tricks that make this task easier. One simple trick is to use two words together. This confounds most simple brute-force attacks that simple run through a dictionary of words. Another method is to purposely misspell a word in some manner that is easily remembered. Use both upper and lower case characters, in an unusual usage (unUSual cApiLIzation). Many people swap numbers for similar letters, such as replacing the letter "O" with a zero.


Passwords alone don't offer sufficient protection, even when following these recommendations. The proper use of passwords must be combined with strict security policies, and an overall positive security posture or climate. Security will only work when implemented from the top down. Proper policies must be established outlining mandatory security procedures. This must be reinforced by effective network administration. Consideration must be given to password length, expiration and lockout thresholds. Additionally, passwords should be required to consist of upper-lower case, special, and numeric characters. Combining all these techniques forces a would-be hacker to use a brute-force technique that is extremely time-consuming. Generally, if it takes too long, they just won't bother! And that's just what we want. After all, if your information is worth having, it's worth protecting.