Then

You know the history.  At first we had bad passwords.  Our dog's name. Our kids' names. The elementary school we attended.  Then we got more security minded, and we put an exclamation point in front of it.  Then we added a year that meant something to us.  We were SECURE.  Or thought we were. Then our corporate IT and the early services we used on the web got into higher security.  We had to rotate every password every 90 days, and those calendars weren't aligned.  Which meant for most of us that we were having to reset at least one password a week, usually several.  And since we couldn't just re-enter the same password (it had to be different each time), that meant tacking a 1 or 2 or 3 or 4 onto the end of it so we could just rotate. Security!

See, here's where that practice goes horribly wrong.  Our whole lives are on social media these days. So, there go the kids' names, and the dog. The hackers already know those.  And they knew the exclamation point trick and the year trick before we did. It took them about one compromised password database to spot the 1,2,3,4 trick and add it to their scripts.

What would be secure? OanS$#@(*Sojss9 would be great, but we’re humans. We can’t remember that.

So? What are we to do!?

Now

Now we need to use things like Password Managers.  Let's stop writing it down on a sticky on the back of a keyboard.  You do NOT want to know how many times I've found a password there.  Let's make one really good, but still memorable, password, use it as the master password to our password manager, and store EVERY other password in there!  That's what we do at work here.  My usual suggestion to our team is to pick four words, preferably in different languages (real or imaginary), and use those as your master password. Maybe, just maybe, with a little punctuation so it still feels like security.  That's it.  That's the whole trick.  One decent password and a password manager. With even NIST (National Institute of Standards and Technology) moving to recommend things like shutting off the forced password change at work, or turning on 'show password while typing' conveniences, we're not stuck anymore living in the past. (https://www.nist.gov/itl/tig/projects/special-publication-800-63)
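To put numbers on why "four words" beats "dog's name plus a year plus a counter", here is a small worked example. It is added here and is not code from the post: it draws a four-word passphrase from a constructed mini wordlist, estimates the guessing work for a real diceware-sized list (the 7776-word figure is an assumption, as are the attacker's illustrative guess counts), and flags the "same password with a bumped number" rotation pattern the post describes.

```python
import math
import secrets

# Constructed demo wordlist (mixed real and made-up words, as the post suggests).
# A real diceware-style list has thousands of entries; this one only shows the mechanics.
DEMO_WORDS = [
    "azul", "kitsune", "verde", "blorp", "nuit", "sakura", "tonto", "zephyr",
    "mumbo", "fjord", "quokka", "lumen", "sprocket", "kaffee", "vento", "gizmo",
]
DICEWARE_LIST_SIZE = 7776  # assumed size of a standard diceware list (6^5)


def make_passphrase(wordlist, n_words=4, sep="-"):
    """Pick n_words uniformly at random with the CSPRNG-backed `secrets` module."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(list_size, n_words):
    """Entropy in bits of n_words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def pattern_bits(name_candidates, punctuation_choices, year_choices, suffix_choices):
    """Guess-space (in bits) of the 'Name!Year' plus counter pattern, given an
    attacker who already narrowed the name down (e.g. from social media)."""
    return math.log2(name_candidates * punctuation_choices * year_choices * suffix_choices)


def _stem(password):
    # Strip a trailing run of digits so 'Fluffy!2019' and 'Fluffy!20191' share a stem.
    return password.rstrip("0123456789")


def is_rotation_of(old, new):
    """True when `new` is `old` with only the trailing number changed (the '1,2,3,4' trick)."""
    return old != new and _stem(old) != "" and _stem(old) == _stem(new)


def rotation_count(history):
    """Count consecutive password changes in a history that were mere counter bumps."""
    return sum(1 for a, b in zip(history, history[1:]) if is_rotation_of(a, b))


if __name__ == "__main__":
    print("sample passphrase:", make_passphrase(DEMO_WORDS))
    print("4 words from a 7776-word list: %.1f bits" % passphrase_bits(DICEWARE_LIST_SIZE, 4))
    # Illustrative attacker model: 50 likely names, 10 punctuation marks, 100 years, 10 counters.
    print("Name!Year+counter pattern:     %.1f bits" % pattern_bits(50, 10, 100, 10))
    history = ["Fluffy!2019", "Fluffy!20191", "Fluffy!20192", "Fluffy!20193"]
    print("rotations in history:", rotation_count(history))
```

The gap is the point: four diceware words give roughly 52 bits of genuinely random choice, while the name-plus-year pattern, once the attacker knows the name, is under 20 bits and falls to an offline guessing script in moments. The rotation check is the kind of thing a defender can run over a leaked or migrated password history to see how much of the "90-day rotation" was actually a counter.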

If you'd like to talk about documentation, and password management, and other 'fun' like that, reach out to me.  I actually do like talking about it, because the science of security needs to blend with the art of productivity and usability. Best part? Most of the time those password managers are even available to sync onto our phones (pocket computers that they are these days), and we can authenticate into them with a fingerprint. So handy when you're out of the office!

Talk with you soon,

Marc