Wednesday, January 13, 2010

Overcoming Password Woes - A Presentation

With our recent change to everyone's passwords and the hardening of some of our password standards, there has understandably been a bit of internal confusion over passwords. I decided to not only sort out our internal problems but also give our users some practical tips for their internet passwords.

Here's a presentation I've prepared for our users. I've stripped out branding and names so that you can use it in your own organisation. You have my permission to reuse it as you see fit.


Graham Dodge said...

All good stuff ... I liked the system of taking the first letters from a memorable phrase so that I can easily remember that my password is 'mhall1fwwas', made by combining 'Mary had a little lamb, its fleece was white as snow' with a number/letter swap for the 'i'.

There are so many memorable phrases in IT:
* "No Computer Will 3ver Need More than 640k Of Ram".
* "Trust Me... 1'm A Consultant".
* "This 1s Another Fixed Price Development Project From ".
* "We Have Now Assigned To Your Project Because 1s No Longer With The Company".
* "1 Did Not Have Sex With That Woman".
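
The first-letters-of-a-phrase method described in the comment above, as an added example that is not part of the original post or its presentation. `phrase_to_password` reproduces 'mhall1fwwas' from the nursery rhyme; `check_policy` is a simple length/character-class check whose thresholds (8 characters, 3 classes) are assumptions of this example and not the blog's actual standard, and the digit look-alikes beyond the 'i' -> '1' and 'e' -> '3' swaps used in the thread are likewise assumed.

```python
"""Derive a password from a memorable phrase by taking the first character
of each word and swapping chosen letters for look-alike digits, then check
the result against a simple password policy.

Example code added to this page, not the blog's or the presentation's own.
"""
import re

# Look-alike swaps. 'i' -> '1' and 'e' -> '3' appear in the comment above;
# the remaining entries are common additions and an assumption of this example.
SWAPS = {"i": "1", "e": "3", "o": "0", "a": "4", "s": "5"}


def phrase_to_password(phrase, swap_letters=("i",), keep_case=False):
    """Return the initial-letter password for `phrase`.

    swap_letters: letters whose initials are replaced by their digit look-alike.
    keep_case:    keep each initial's case; False lowercases everything, which
                  matches the 'mhall1fwwas' example in the thread.
    """
    # Words are runs of letters/digits; an apostrophe stays inside a word so
    # "1'm" is one word whose initial is '1'.
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    initials = "".join(w[0] for w in words)
    if not keep_case:
        initials = initials.lower()
    return "".join(
        SWAPS[ch.lower()] if ch.lower() in swap_letters and ch.lower() in SWAPS else ch
        for ch in initials
    )


def check_policy(password, min_length=8, min_classes=3):
    """Check `password` against a length and character-class rule.

    The thresholds are assumptions for this example, not the blog's policy.
    Returns (ok, reasons) where reasons lists each failed rule.
    """
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if sum(classes.values()) < min_classes:
        reasons.append(f"fewer than {min_classes} character classes")
    return (not reasons, reasons)


if __name__ == "__main__":
    rhyme = "Mary had a little lamb its fleece was white as snow"
    for pw in (phrase_to_password(rhyme), phrase_to_password(rhyme, keep_case=True)):
        ok, why = check_policy(pw)
        print(f"{pw!r}: {'ok' if ok else ', '.join(why)}")
```

Note that the thread's own 'mhall1fwwas' is eleven characters long but contains only lowercase letters and a digit, so it fails a three-class rule; keeping the capital 'M' from the phrase is enough to pass it. The derived password is also only as strong as the phrase is obscure: acronyms of nursery rhymes and famous quotes are exactly the kind of pattern cracking wordlists and rules cover, so a phrase that is personal rather than well known is the safer choice.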

giuliocc said...


Excellent presentation. I practice something similar, but I apply a basic principle with passwords.

I classify systems/web-sites into two categories: mission-critical and non-mission-critical.

For mission-critical things like email passwords, I use a couple of super complex passwords. Whenever I register for non-critical sites that "need" an email account to verify my identity, I use a couple of non-critical passwords for those accounts.

The point being, if these other sites get hacked, they will see my email account and probably try the same password. So, if the password is vastly different between mission critical things and gaming sites or whatever, there is a reasonably good barrier to entry in trying to get to really sensitive stuff.

The other thing, too, is eliminating identity theft. Usually you will put your birth date or some other personal info into these sites as well. Designers of these sites are also inviting hackers to build a better profile of you. So, also, have a fictitious birth date. Don't be too liberal with your personal identity, otherwise it's not going to be personal for long.

Gavin Bollard said...

Great ideas, guys. I know that this won't provide the most "perfect" passwords, but there's a fine line between being too secure and too difficult ... especially with our users.