Updated 11/4/2011: Added additional password creation tips and included link to XKCD webcomic about password strength.
While good password policy may seem like security 101, recent high-profile cyber-attacks have revealed that not enough people take their password security seriously. That tells me it's a good time to go old school with some password security pointers. So here are some basic password security guidelines that anyone would be well-advised to follow.
1. Require a Minimum Password Length
Short, uncomplicated passwords are almost as bad as not having a password at all. Passwords like "cat" and "dog" may be easy to remember, but they're just as easy for someone else to guess. Enforce a minimum password length of at least 6-8 characters for all your users.
2. Change Passwords Often
A good rule of thumb is to force password changes every 90 days or so, but more frequent changes may be needed, depending on the business you're in. Windows IT Pro contributor Russell Smith suggests that IT pros who work at banks, hospitals, and other organizations that have tighter security requirements should enforce more frequent password changes.
3. Don't Use Dictionary Words, Common Phrases, or Common Text Strings as Passwords
Every IT pro knows some users who rely on such horrible passwords as "password", "letmein", or "qwerty". If a word exists in an English dictionary or is a common phrase or text string, don't let your users use it without modification.
4. Use Special Characters
Enforce the use of special characters in your passwords. Replacing "i" with the number "1" or "o" with the number "0" doesn't cut it. Establish and enforce some rigorous password complexity rules for all of your users.
5. Don't Share Passwords With Others
Many organizations are guilty of this with cloud services that employees share access to: dozens (if not hundreds) of employees may have the same login and password. That may be acceptable if the information or service that password provides access to isn't critical, but there's always some risk involved. Here's the question you should ask yourself: If someone with malevolent intent gained access to that system, how much damage could they do? Even if the risk is minor, stockholders and customers usually don't like to hear about any sort of privacy or security breach at the companies they work with.
6. Don't Use The Same Password for Multiple Services
Far too many people use the same password for multiple online services and accounts. I'll readily admit that we all have to juggle dozens of account passwords, but using the same password for all of them is flirting with disaster, especially if you're using the same password for such critical services as online banking, managing your retirement and investment funds, or accessing your primary personal email account.
7. Use a Password Browser Plugin
Rather than resorting to keeping written lists of dozens of passwords or using the same password for everything, I'd strongly suggest the use of a browser add-in like LastPass, which automatically keeps track of all of your passwords for you in a secure fashion.
8. Consider Using A Nonsense Passphrase
Many password logins have hard-coded complexity and length requirements that may prevent this, but creating a long, nonsensical passphrase is another way to increase password security. For example, creating the passphrase "purple robot airplane donut" out of four random words is easy for humans to remember -- just think of a purple robot flying an airplane eating a donut -- but is much harder for brute-force and other automated guessing attacks to crack. (Hat tip to article commenter Daniel for the link to an XKCD webcomic that visually depicts what I just described.)
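As an added illustration (not code from the original post), here is a small Python policy check covering rules 1, 3, 4 and 8: it undoes the "1 for i, 0 for o" style substitutions before the dictionary check and estimates how many bits of entropy a random four-word passphrase gives. The denylist, the substitution table and the 7776-word list size are assumptions made for the example.

```python
import math
import string

# Constructed denylist standing in for a real dictionary / common-password list
# (a production check would load a far larger list, e.g. a breached-password corpus).
COMMON_WORDS = {"password", "letmein", "qwerty", "cat", "dog", "welcome", "admin"}

# The substitutions the post says "don't cut it": undo them before the dictionary check.
# (Assumed small subset of common substitutions; "1" is mapped to "i" here.)
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def base_word(pw: str) -> str:
    """Reduce a password to the word it was likely built from: drop trailing
    digits and punctuation (e.g. 'letmein123!'), then undo leet substitutions."""
    return pw.rstrip(string.digits + string.punctuation).lower().translate(LEET)


def check_password(pw: str, min_len: int = 8) -> list:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:                                   # rule 1: minimum length
        problems.append(f"shorter than {min_len} characters")
    if base_word(pw) in COMMON_WORDS:                       # rule 3: no common words
        problems.append("common word or string")
    if not any(c in string.punctuation for c in pw):        # rule 4: special character
        problems.append("no special character")
    return problems


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random from a
    wordlist (rule 8). The figure only holds when the words really are random,
    not picked by the user because they form a memorable image."""
    return words * math.log2(wordlist_size)


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["cat", "P@ssw0rd", "letmein123!", "Correct-Horse-42"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    # Assumed wordlist size: 7776 words (the size of a Diceware-style list).
    print(f"4 random words: {passphrase_bits(4, 7776):.1f} bits")
    print(f"6 random printable chars: {password_bits(6, 94):.1f} bits")
```

Note that "P@ssw0rd" satisfies the length and special-character rules yet is still rejected, because the dictionary check runs on the normalized word rather than the raw string.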
Do you have any password security tips you'd like to share? Send me an email or add a comment to this blog post with your thoughts.