Okay, another debate just popped up about password complexity. I'm starting to get frustrated with all this discussion on exactly what is the perfect, complex password. At some point it does not matter, good enough is good enough. The reason I'm concerned is organizations may loose focus on the big picture on passwords. There are other risks besides complexity, risks we need to be addressing, risks such as ...
- Never Share Your Password: You do not know how many times I find this to be a problem at organizations, including having supervisors asking employees for their password.
- Public Computers: Do you have employees logging into work (or banking online) from that computer in the hotel lobby or from a cyber cafe? Teach them the issues of using non-secured computers to login to secured accounts.
- Re-use: Use different passwords for different types of accounts. Your work password should be different then your personal passwords. Your personal banking passwords should be different then your personal fun accounts.
- Questions: Explain to people that password resets are really nothing more then another password. If they are answering personal questions with information that can be found on Facebook, LinkedIn or Google they do not have secure passwords (Sarah Palin anyone).
- Two Factor: Make sure people are aware of what that some sites offer two factor authentication (like Google). Explain to people what this is and encourage them to use this option whenever possible.
- Writing Passwords Down: How am I supposed to remember my 100+ passwords if I do not write them down? The key is explaining to people how to do it securely. Yes sticky notes are bad, but give people secure alternatives. Explain there are security programs that can securely store their passwords, or if they are written down have them in a secured safe.
- Getting Owned: Want to protect your password, then don't get infected! Zeus anyone?