Password Security Tips


Updated 11/4/2011: Added additional password creation tips and included link to XKCD webcomic about password strength.

While good password policy may seem like security 101, recent high-profile cyber-attacks have revealed that not enough people take their password security seriously. That tells me it's a good time to go old school with some password security pointers. So here are some basic password security guidelines that anyone would be well-advised to follow.

1. Require a Minimum Password Length

Short, uncomplicated passwords are almost as bad as not having a password at all. Passwords like "cat" and "dog" may be easy to remember, but they're just as easy for someone else to guess. Enforce a minimum password length of at least 6-8 characters for all your users.

2. Change Passwords Often

A good rule of thumb is to force password changes every 90 days or so, but more frequent changes may be needed, depending on the business you're in. Windows IT Pro contributor Russell Smith suggests that IT pros who work at banks, hospitals, and other organizations that have tighter security requirements should enforce more frequent password changes.

3. Don't Use Dictionary Words, Common Phrases, or Common Text Strings as Passwords

Every IT pro knows some users that rely on such horrible passwords as "password", "letmein", or "qwerty." If a word exists in an English dictionary or is a common phrase or text string, don't let your users use it without modification.

4. Use Special Characters

Enforce the use of special characters in your passwords. Replacing "i" with the number "1" or "o" with the number "0" doesn't cut it. Establish and enforce some rigorous password complexity rules for all of your users.

5. Don't Share Passwords With Others

Many organizations that use a cloud service that employees share access to are guilty of this, as dozens (if not hundreds) of employees may have the same log in and password information. That may be acceptable if the information or service that password provides access to isn't critical, but there's always some risk involved. Here's the question you should ask yourself: If someone with malevolent intent gained access to that system, how much damage could they do? Even if the risk is minor, stockholders and customers usually don't like to hear about any sort of privacy or security breach at the companies they work with.

6. Don't Use The Same Password for Multiple Services

Far too many people use the same password for multiple online services and accounts. I'll readily admit that we all have to juggle dozens of account passwords, but using the same password for all of them is flirting with disaster, especially if you're using the same password for such critical services as online banking, managing your retirement and investment funds, or accessing your primary personal email account.

7. Use a Password Browser Plugin

Rather than resorting to keeping written lists of dozens of passwords or using the same password for everything, I'd strongly suggest the use of a browser add-in like LastPass, which automatically keeps track of all of your passwords for you in a secure fashion.

8. Consider Using A Nonsense Passphrase

Many password logins have hard-coded complexity and length requirements that may prevent this, but creating a long, nonsensical passphrase is another way to increase password security. For example, creating the passphrase "purple robot airplane donut" out of four random words is easy for humans to remember -- just think of a purple robot flying an airplane eating a donut -- but is much more difficult for brute-force and machine-driven attempts to bypass. (Hat tip to article commenter Daniel for the link to an XKCD webcomic that visually depicts what I just described.)

Do you have any password security tips you'd like to share? Send me an email or add a comment to this blog post with your thoughts.

Follow Jeff James on Twitter at @jeffjames3

Follow Windows IT Pro on Twitter at @windowsitpro

Related Content:

Discuss this Blog Entry 5

on Dec 15, 2010
Are the password security options in eg GP under Server 2008 much better than the very poor ones in Server 2003? Despite a reasonably tight password policy in Server 2003 users can get away with complying with only 3 out of more set parameters their PW must fit under Server2003 so they could get away with using Password1 as it fulfills 3 out of more criteria thanI have stipulated it uses A capital and lower case leter and at least 1 number (and is 8 characters or more long) but is hardly secure is it! We have quite a short password tiem period set but they can use Password1 then Password2 and so on! As ITC manager I am not allowed to normally know what password users are using so if they are using a week one how can I tell anyway?
on Aug 17, 2011 Better to have a long simple nonsense password than a short complex and cryptic one.
on Dec 16, 2010
We use a third party password enforcer. The cost is very low, but provides great flexibility in creating password rules. The software installs on each domain controller. There is a free, optional module that installs on workstations to assist in letting users know why a password is rejected if it doesn't meet the complexity rules assigned by the administrator.
on Dec 16, 2010
@dzpuma - they're the same. You'll have to go third party to get rid of passwords such as Password1.
on Dec 16, 2010
@dzpuma: Rich is right - there are quite a few password enforcement vendors out there, and is one of them. Regarding your second point, you may want to enlist IT leadership -- or even senior non-IT management at your company/organization -- to help communicate the message to users that password security is a big deal, and users should follow the guidelines that IT and senior management have determined are the best for the organization to follow.

@Rich: Do you use any other third-party software besides Anixis password enforcer for your security needs?

Please or Register to post comments.

What's Security Blog?

Security news, views, product reviews, and solutions for Microsoft Windows IT professionals.

Blog Archive

Sponsored Introduction Continue on to (or wait seconds) ×