Okay, another debate just popped up about password complexity.  I'm starting to get frustrated with all this discussion on exactly what is the perfect, complex password.    At some point it does not matter, good enough is good enough.  The reason I'm concerned is organizations may loose focus on the big picture on passwords. There are other risks besides complexity, risks we need to be addressing, risks such as ...
  1. Never Share Your Password:  You do not know how many times I find this to be a problem at organizations, including having supervisors asking employees for their password.
  2. Public Computers:  Do you have employees logging into work (or banking online) from that computer in the hotel lobby or from a cyber cafe?  Teach them the issues of using non-secured computers to login to secured accounts.
  3. Re-use:  Use different passwords for different types of accounts.  Your work password should be different then your personal passwords.  Your personal banking passwords should be different then your personal fun accounts.
  4. Questions:  Explain to people that password resets are really nothing more then another password.  If they are answering personal questions with information that can be found on Facebook, LinkedIn or Google they do not have secure passwords (Sarah Palin anyone).
  5. Two Factor: Make sure people are aware of what that some sites offer two factor authentication (like Google).  Explain to people what this is and encourage them to use this option whenever possible.
  6. Writing Passwords Down:  How am I supposed to remember my 100+ passwords if I do not write them down?  The key is explaining to people how to do it securely.  Yes sticky notes are bad, but give people secure alternatives.  Explain there are security programs that can securely store their passwords, or if they are written down have them in a secured safe.
  7. Getting Owned:  Want to protect your password, then don't get infected!  Zeus anyone?
Notice how in almost every case I just described it does not matter how complex your password is, you are still owned?  Yes complex passwords are important, however my concern is we forgeting the bigger picture and confusing alot of people in the process.
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.