Friendly Passwords for Greater Security
Account passwords are critical to the security of company and personal data and systems. However, passwords are often weak and poorly managed, which creates a serious and needless risk. In this article, we will show some simple methods for managing passwords that make employees' lives easier and reduce risk.
These days many of us access several password-protected applications at work and at home, and we have to remember all of those passwords. To cope with that problem, people often fall back on bad practices that simplify their password lists.
Here are some common BAD practices:
- Using easy-to-guess passwords based on easy-to-find information (dog's name, birth year, etc.)
- Using simple and common passwords (password, 1111, etc.)
- Using the same password for many accounts
- Sharing an account and password with other people
Good news: there are practices that companies and individuals can adopt which make passwords easier to use AND more secure.
For individuals at home and at work
A very good solution is to use a personal password vault. The vault generates and stores complex passwords in an encrypted file, and that file is protected by a single master password. This means a person only needs to remember one password to access unique passwords and user IDs for all systems. The passwords are copied and pasted in when logging in to an application, so there is no typing of long passwords. The encrypted file can be stored in a shared location so it is available from different computers or devices such as a smartphone. There are also third-party applications to synchronize the vault to a mobile phone or tablet.
One such vault is KeePass (install instructions video). It is open source and free to use, and there is a recent article in PCWorld about it. It can generate a random complex password when creating a new account or changing the password on an existing one. KeePass also supports searching within the vault, which is very useful when many accounts are stored in it. There are mobile versions that sync via Dropbox or Google Drive. A similar password vault is Password Safe, also open source and free, with several mobile versions (see PWSafe).
Alert: without the master password there is no way to access the passwords in the encrypted file. Neither of these applications has a back door.
Security is about layers of protection and making unauthorized access more difficult. A good password policy is an important piece of an organization's security approach. The best strategy for companies to reduce the risk of bad password practices is to simplify password management for employees.
- Single sign-on (SSO). Various technologies allow an employee to authenticate once and then automatically have access to all other systems. That one-time authentication typically happens when the person logs on to the computer. Employee accounts are managed in a central identity management system.
- Single account. This is similar to SSO in that the same user ID and password are used on all or most systems, and again the employee accounts are managed in a central identity management system. The only difference from SSO is that the person must enter the user ID and password for each system. It is still beneficial because there is only one password to remember.
- Simpler password rules. Use longer, easier-to-remember passphrases instead of short complex (mixed case, special characters, numbers) passwords. Security experts show that length matters more than character complexity (see Safe Password Management). A passphrase is easier to remember, and the password change interval can be lengthened because the passphrase is more secure and less likely to be stored on a note stuck to the monitor.
- System vault. Use KeePass or Password Safe for all system service accounts (e.g., an application's access to its database account) and other accounts shared by the IT team. The IT team's password file can be stored in a location shared by that team. Each team member should also have a personal password file for that person's own system accounts. This also covers systems that are not capable of SSO or that are externally hosted services such as salesforce.com.
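To make the "length beats complexity" point above concrete, here is an added example (not from the original post) that computes the search space, in bits, of a short mixed-character password versus a passphrase of randomly chosen words. It assumes a 7776-word list (the size of the Diceware list) and a constructed guess rate; both are assumptions, not figures from the article.

```python
import math

# Character classes used by a typical "short complex" password policy.
CHARSET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digits": 10,
    "special": 32,  # printable ASCII punctuation
}

# Assumption: passphrase words are drawn at random from a 7776-word list.
WORDLIST_SIZE = 7776


def charset_password_bits(length: int, classes: tuple) -> float:
    """Bits of entropy for a password of `length` characters, each chosen
    uniformly from the union of the given character classes."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def passphrase_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Bits of entropy for a passphrase of `words` words, each chosen
    uniformly at random from the word list. A phrase the user picks
    (song lyric, quote) is far weaker than this model assumes."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a constant guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(rate: float = 1e10) -> dict:
    """Side-by-side strength of an 8-char mixed password and passphrases.
    `rate` is a constructed offline guess rate, not a measured figure."""
    full = ("lower", "upper", "digits", "special")
    rows = {"8 chars, all classes": charset_password_bits(8, full)}
    for n in (4, 5, 6):
        rows[f"{n} random words"] = passphrase_bits(n)
    return {k: (round(b, 1), years_to_exhaust(b, rate)) for k, b in rows.items()}


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:22s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

A five-word random passphrase (about 64.6 bits) already exceeds an eight-character password drawn from all four character classes (about 52.4 bits), while being far easier to remember.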
More information about password management
- KeePass: Wikipedia info, Android, Instruction Video
- Password Safe: Main Page
- General password good practices
- Security issues beyond password management
- Commercial Password Vault, 1Password
- Password Management web site with detailed information about good practices
By Guest Blogger, Jim Berry, from Lorim Technology Advisors http://lorim.ivocados.com/