How To Secure Company IT With Simple Password Rules
Originally published on March 16, 2017 by Thomas Timmermann
Last updated on January 23, 2024
Passwords are annoying. The more complex they are, the greater the effort to memorize and enter them. As an administrator, you are responsible for the IT security in your organization - and secure user passwords are an essential component. This is where you become an "educator": Help your users with a simple strategy to create secure passwords.
Entering your domain password in the morning, logging on to cloud services like Salesforce or PayPal, checking your private email on Google-Mail, or logging into Netflix after work: everything needs a password. Add up all the passwords you need and each “digital person” ends up with 30, 50 or even more passwords in total. The key question is: how do you make your users a) use secure passwords and b) remember all of them?
Complex Password - Simple Rules
Basically, complex passwords are secure but difficult to remember, and human nature is to look for simple solutions. As long as you do not provide your users with simple rules for passwords, they will use their own rules and methods. Colleagues from the IT sector are likely to use secure and efficient methods, but non-IT users will tend to have very simple passwords. In the worst case, a user has a single, very simple password that he uses everywhere, which from a security perspective is the absolute worst case.
Make It Easy For The User
Single sign-on is the next logical step towards a user-friendly and secure password policy. Active Directory and other LDAP solutions allow you to securely log into many of your internal systems with a single password. This makes it easier for the user: he only has to remember one password for the internal systems.
Another way to help your users handle many different passwords is a so-called password safe. There are many password safe systems on the market that store passwords for multiple domains and websites, and many will automatically log the user in when the web page is opened. In the simplest case, this functionality is already built into the browser. But this alone does not guarantee that the password itself is secure.
Enforce Secure Passwords
The question remains about the security of the password used. In the case of domain passwords or internal web applications, secure passwords can be enforced using defined rules such as requiring special characters, upper and lower case, numbers, etc. This solves part of the problem but creates a new one: colleagues who regularly come to your desk to have their (forgotten) password reset, or who keep a piece of paper with passwords in their desk drawer or stuck to their monitor. In addition, Active Directory cannot be used for cloud services or web services.
For Safety Reasons
Pass the responsibility on. The security of your IT infrastructure is more important today than ever before, and the whole company needs to do its part. Your management should also be made aware of this and should back you up when it comes to getting your colleagues on board. How about, for example, short lectures or, even better, workshops about security? Bring funny examples - the web is full of lists of the dumbest passwords. Ask your colleagues about the methods they use to generate their passwords.
And ensure that one of the workshop’s results is a simple and comprehensible system for generating secure passwords that are easy to remember. In the following, we present a relatively common method. It is one possibility among many: the best method is always the one that the user has worked out himself.
Secure "Rememberable" Passwords
There are a number of methods for creating secure passwords. Before we get started, however, we should first be aware of the hurdles when creating a uniform password system.
- Password length: The length of the passwords will be different. Some systems require a minimum number of characters, while others limit the password length. Therefore, develop a method that allows you to create both short and long passwords.
- Password changes: Some systems require the password to be changed regularly.
- Password repetitions: Some systems do not allow you to re-use passwords that have already been used when changing the password.
- New requirements: Many systems tighten the security requirements for passwords. Where 123456 might have worked two years ago, you must now use at least eight characters, including special characters, uppercase and lowercase, and numbers.
- International keyboards: Have you ever tried to enter umlauts on an American keyboard? If you select special characters, restrict yourself to characters such as @ ^ % & # etc. which are common internationally.
The "Secure Password" Method
Good passwords consist of a combination of characters in uppercase and lowercase, numbers and special characters. Never use "real" words. A general recommendation is to think up a sentence and use the first letter of each word as the password. Letters and numbers can then be linked with + or &, for example. This way, special characters are introduced into the password in a simple and memorable way.
Example: "My name is Donald and I'm 70 years old" becomes MniDaI+70+yo
This gives us a single strong password. But since one password is not enough, we need a method to adapt this password to different systems or platforms. One option, for example, is to include the system in the password by prefixing a variable and separating it from the rest of the password with a second special character:
Wo-MniDaI+70+yo (Work)
Am-MniDaI+70+yo (Amazon)
Tw-MniDaI+70+yo (Twitter)
If you need to change the domain password every half year, add the corresponding half-year:
Wo-MniDaI+70+yo-201701
Now we have a 22-character password, which can be learned over time, but it is quite long and complicated to type. So let’s simplify the whole thing. We keep the first variable, Wo (work). We can replace the initial letters of our sentence with a real word: combined with the set of special characters and numbers, this doesn’t create any big risks. Let's take Donald and keep the numbers and special characters:
Wo-Donald+70-201701
Still 19 characters, but much easier to remember and type. If the password is still too long, take Don instead of Donald, or just D. You now have 14 characters, including numbers, special characters, and upper and lower case:
Wo-D+70-201701
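The derivation rules of this method (first letters of a sentence, numbers joined with +, a system tag in front and a change period at the end, each separated by -) together with the rule checks from the "Enforce Secure Passwords" section and the hurdles list above, as an added Python example that is not part of the original article. The function names, the minimum length of eight characters and the set of international-safe special characters @^%&#+- (the article's list plus the two separators its examples use) are assumptions made for this example.

```python
from typing import List, Optional

# Special characters assumed safe on international keyboard layouts: the
# article names @ ^ % & #, and its own examples use + and - as separators.
SAFE_SPECIALS = "@^%&#+-"


def mnemonic(sentence: str) -> str:
    """Build the article's first-letter password from a sentence.

    Each alphabetic word contributes its first letter; a word that is a
    number is kept whole and joined to the neighbouring letter groups with
    '+'. "My name is Donald and I'm 70 years old" -> "MniDaI+70+yo".
    """
    groups: List[str] = []
    current = ""
    for word in sentence.split():
        if word.isdigit():
            if current:
                groups.append(current)
                current = ""
            groups.append(word)
        elif word[0].isalpha():
            current += word[0]
    if current:
        groups.append(current)
    return "+".join(groups)


def site_password(tag: str, base: str, period: Optional[str] = None) -> str:
    """Prefix the base with a system tag and optionally append a change
    period, each separated by '-': ("Wo", base, "201701") -> "Wo-<base>-201701".
    """
    password = f"{tag}-{base}"
    if period:
        password += f"-{period}"
    return password


def check_policy(password: str, min_len: int = 8,
                 max_len: Optional[int] = None) -> List[str]:
    """Return the list of violated rules (empty when the password passes).

    The rules are the ones the article names: a length window, at least one
    uppercase letter, lowercase letter, digit and special character, and
    only special characters that exist on international keyboards.
    """
    problems: List[str] = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if max_len is not None and len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    specials = [c for c in password if not c.isalnum()]
    if not specials:
        problems.append("no special character")
    unsafe = sorted({c for c in specials if c not in SAFE_SPECIALS})
    if unsafe:
        problems.append("special characters not on all keyboards: " + "".join(unsafe))
    return problems


if __name__ == "__main__":
    base = mnemonic("My name is Donald and I'm 70 years old")
    for tag, period in (("Wo", "201701"), ("Am", None), ("Tw", None)):
        pw = site_password(tag, base, period)
        print(f"{pw:24} {len(pw):2d} chars  {check_policy(pw) or 'OK'}")
    # The article's shortened variants, plus two constructed passwords that break the rules
    for pw in ("Wo-Donald+70-201701", "Wo-D+70-201701", "123456", "Pa§§w0rd"):
        print(f"{pw:24} {len(pw):2d} chars  {check_policy(pw) or 'OK'}")
```

Note that check_policy scores each password on its own: the passwords derived for Work, Amazon and Twitter differ only in the two-letter tag, and a per-password check like this one cannot see how similar they are to each other.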
The Human Factor
You should never compromise on the password rules: numbers, special characters, uppercase and lowercase characters must always be included. But help your users: everyone has their own logic, and not every method works for everyone. Do not insist on adhering to a particular system; instead, help your colleagues develop the best and most comprehensible method for them. Don't forget: they're humans ;)
For example, I sometimes have the problem that I’ve forgotten my password and the website insists on a new password that I’ve never used before. So, I can’t follow my current method, because I’ve already used a password from that method for this website. I haven’t found a good solution for this issue yet. Adding the year or date doesn’t work. Versioning doesn’t help either: “Was it V2 or V3?”. If you have a good suggestion on how to solve this, please write to me – I’d be much obliged!