Password Tips for Privacy Real-world solutions for choosing (and remembering!) secure passwords Ariel Gilbert-Knight - May 13, 2012 In a perfect world, you would use a different long, complicated password for everything you want to keep private. But let's get real — nobody's perfect. Here are some down-to-earth tips to make your passwords more secure. In a perfect world, you would use a different long, complicated password for everything you want to keep private. Even those of us who should know better don't always do that. So let's get real. If you can't quite follow ideal-world guidelines, here are some down-to-earth tips to make you more secure. Think About What Your Password Is ProtectingNot all password-protected information is created equal. Some information is very sensitive, and other information is not sensitive at all. There are two major categories of logins: Nuisance logins are for things like news or other websites that don't store any personal or financial information (about you or about your constituents or clients). Unless you are very concerned about privacy, it's probably OK to use the same simple password for all of these sites. Yes, someone could steal your password, but what are they going to do with it? Sensitive logins, on the other hand, secure things like your personal online banking site, or your organization's constituent relationship management (CRM) or fundraising database. For these kinds of logins, you should follow all of the password guidelines below. Before you select a password, think about what kind of information your password is supposed to keep secure. Then choose your password length, strength, and complexity accordingly.How Hackers Guess Your PasswordsStrong passwords are really more like "passphrases," because they aren't just a regular word. A strong passphrase has these characteristics: Long: Passwords should be eight or more characters. For mission-critical or highly confidential systems, consider increasing this to more than 10 characters. Complex: include a combination of uppercase and lowercase letters, numbers, and non-alphanumeric characters such as * $ & # ^ % ) ? ( @. In some systems, special characters may not be allowed. In that case, you should use the most complex password your system allows. Hard to Guess: Avoid dictionary words, your name, your account name, the name of your organization, the names of family, pets, friends, co-workers, movie or TV characters, etc. Also avoid using birthdays and other personal information such as addresses and phone numbers, and avoid word or number patterns like aaabbb, qwerty, 321123. For mission-critical systems, consider using truly random passwords. Changed Frequently: Passwords should be changed every 30 to 90 days. Varied Between Accounts: Use different passwords for accessing different accounts, wherever possible. At minimum, use different passwords for work and personal accounts. A password manager — discussed in greater detail below — can help you keep track of all these different logins. Not Sure What to Use?There are a number of sites that can help you strengthen your passwords. For example, Strong Password Generator will generate a truly random password for you. And Microsoft's Secure Password Checker will evaluate your password's strength. Another easy way to create a strong password is to start with a phrase you know and will remember and develop your password based on that phrase. What to DoExampleStart with a phrase you will remember, maybe a song title, affirmation, or favorite quotation"Be the change you want to see in the world."Create a password using the first letter of each word in your chosen phrasebtcywtsitwAdd capital letters and special charactersBtcyw2sitw!Guidelines for Password SecuritySome general guidelines for password security include Do not share passwords with anyone. All passwords should be treated as sensitive, confidential information. A system administrator who is responsible for installing, maintaining, and supporting your organization's systems would be one of the few logical exceptions to this rule. Passwords should not be written down. Your desk drawer is not a good place to keep your password list. If passwords must be written down, make sure the document is in a locked location away from any entry points. Don't reveal passwords via telephone, email, chat, or other online communication. Log off before leaving a computer unattended. Change temporary and default passwords immediately. Passwords like "admin" and "password" should also be changed to a stronger password immediately. This also holds true for your wireless networks: The default SSID (network name) and default password should be changed immediately when setting up your network. Secure your mobile devices. Passwords won't prevent a mobile device from being stolen. But if your device is lost or stolen, password protection is your first line of defense. At minimum, you should turn on your device's password lock feature. This means you'll be required to type in your password every time your phone comes out of sleep mode. For added password securityRequire that certain passwords are changed periodically for critical systems or especially sensitive data (this can often be automated). New passwords should not be based on a small change to an existing password. For example, changing from password1 to password2 (both of which are very bad passwords anyway). Automatically lock an account after a specified number of failed password attempts. Some devices also have a setting that allows you to automatically wipe all data from the device after too many incorrect password attempts. To learn more, see Microsoft's article, Tips for Top-Notch Password Security for small businesses. Keeping Track of It All with a Password ManagerGiven the number of times we log in to different sites and programs every day, people have a natural tendency to reuse passwords. It's easier to remember one complicated password than dozens. But reusing passwords means a hacker who gains access to one account could easily gain access to others. A password manager can make password security much less burdensome. A password manager is a kind of software that remembers all your passwords for you. You create one super-strong password to log into the password manager, and that's the only password you actually have to remember. This means you can create long, complicated passwords to your heart's content, but you don't actually have to remember them. There are a lot of password management tools out there. A few well-reviewed ones are LastPass, Roboform, and Keepass. For more information, TechSoup Canada has a good roundup of additional password manager resources, including advice about what password manager features to look for. Every organization should have a password policy to help staff use passwords correctly and securely. If you're in charge of creating password policies for your organization, here are some suggestions. What to include in your organization's password policy:General guidelines for password security, including guidance on creating strong passwords. Expiration: How often passwords should be changed. Reporting and Enforcement: How your organization will handle breaches in password security. A few other tips: Be realistic. If you impose a rule that no one will follow, you're no better off than you were without any policies. Wherever possible, let users set their own passwords. A password they create for themselves will be easier to remember than one you create for them. Train your staff. Be clear about why passwords matter to your organization. Your rules will seem less arbitrary if you explain why they are important. Is data sensitive? Confidential? Is it vulnerable to theft or vandalism? Or is it subject to extra protection due to legal statutes? For a sample policy, see the SANS Institute's Sample Password Policy (pdf). This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.