It’s A New Year! Make A Resolution To Take A Fresh Look At Your Password Policies & Practices

From the January-March 2007 Issue & 2007 Tax Season Survival Guide

Login please and enter your password. It’s that demand you see so many times every day. Want to log onto your computer? Enter your password. Check e-mail? Enter your password. Login to your secure company website? Accessing Instant Messaging? Enter your password. At times, it is all that stands between your vital business information and intruders, both outsiders and nosy insiders. Our passwords are supposed to make our data secure. But do they? Truth be told, many of our practices are often anything but protective.

What is often overlooked is that the user of the password is human, and we all know humans don’t operate with that same programmed routine as computers. So what’s the answer?

Let’s take a realistic look at how we behave and some simple changes that can help protect that vital data. See if you can relate to any of these typical office happenings:

Problem: You walk into an office and the person that usually sits behind the desk is gone. Bathroom? Water cooler? At lunch? It doesn’t matter, but what does is that the computer is still on and all their programs are wide open on the desktop. Anyone that walks in — anyone — now has full access to everything from e-mails to accounting.

Solution: It’s simple. Before you get up from your desk, stretch your fingers and press Control-Alt-Delete at the same time. Choose “lock computer,” and that’s it. It’s locked tight. When you get back to your desk, just re-enter your password and you are ready to go.

Problem: The password you selected was only known to you until last week when you shared it with your IT team to help you fix an error. You shared your password with a
co-worker who helped you out by doing some work on your system.

Solution: Develop password replacement policies to follow when passwords become known. Make sure you train your team to request new passwords when people learn theirs. They need to understand it protects them, too. Your administrator also needs to turn on Windows server password options that force users to change their passwords regularly. In our office, we require a change in password every 30 days. And just so you won’t get lazy, it won’t let you repeat the latest ones you have used.

Problem: You have limited access to your critical internal systems areas to your administrators. Then, life happens and a non-administrator (either internal or external) is given the password to address a real-time business need.

Solution: Have a policy in place that requires the issuing of a new Administrator password within 24 hours once it is compromised. Make sure you notify all the key players securely.

Problem: Your co-worker stands over your shoulder whenever you are logging in. You are concerned they will learn your password.

Solution: Teach them “Password etiquette.” Ask them to turn away when you enter your password. Even in a team-oriented environment, this needs to become your company standard.

Once you have decided on your password, go to a password checker website to test the strength of your password. Even then, don’t put in your real password, just one that is similar. Here are a few password checker websites to try:

Also remember to use common sense. If your password doesn’t look secure to you, no matter what the checker says, it probably isn’t.

Problem: Your Office Administrator is on vacation, and it’s time to order office supplies online. Your website manager is out sick, and you must make changes to your website. Both require a password. Now what?

Solution: Have backup access for non-critical areas when a “stand-in” helps out. More importantly, make sure you develop and maintain a process of storing vital passwords that management can access for just such a circumstance.

: Turnover. It’s been a month since the last two employees left, and their passwords are still active. And it’s not just internally, they also still have active passwords with your primary vendors. How do you spell exposure?

Solution: Create a master list of who has access and to what they have access. That way, it’s easier to be sure you are removing their access to all areas where they may have had free reign. Think about it. We so often overlook our external business relationships. Team members may have access, on the business’s behalf, to your customers, your vendors and suppliers, payroll services, online banking and more. It is absolutely critical that you be sure someone removes the ex-employee as a user on these systems and that the external company is aware that they are no longer employed.

: You have team members who love using the Automatic Sign In feature many programs offer. It keeps them from the hated typing and retyping of passwords. At their direction, the system saved their user ID and/or password and let their computer recognize them when they sign in. This may be great at home, but not in a business. Just think about it. If your computer is on, anyone can run any program for which you have saved an automatic login. Just how secure is that employee information for which you are responsible?

Solution: Save the automatic sign-ins for non-critical needs. Make sure they are really non-critical, and don’t give access to private business information. For everything else, don’t ever accept that free pass to keep your User ID and password.

In the end, even if you are following all the solutions outlined above, it comes down to just how strong is your password. There are lots of thoughts and tools for you to improve password creation. There is no one right answer. Using a secure, memorable password that is easy for you to remember and hard for others to guess is the goal. Here’s some sound password tips:

  • Passwords should be at least eight letters; the longer the stronger. Don’t forget to balance your team’s need for security with the ability for people to remember their passwords. Also include at least three of the following elements: uppercase letters, lowercase letters, numbers and symbols. Pick your letters, numbers and symbols from all over the keyboard.
  • Don’t use the same password for everything. If it becomes compromised and someone finds it, then the rest of your identity is at risk.
  • If you have lots of passwords to remember, establish your own internal rules that will help you remember them, suggests Gina Trapani, editor of LifeHacker. For example, choose something like “asdf” as your base and then some formula that combines the service name. So your password for Yahoo! might be ASDFYHAO, and your password for eBay would be ASDFBYEA.
  • For another option, take the first letter of each word of a memorable sentence like “Oh say can you see by the dawn’s early light.” This creates a nonsensical word. In this example, you’d get “oscysbtdel.” Add complexity by mixing uppercase and lowercase letters, symbols or numbers. Your password could become “OsCy$BtDeL.”
  • Don’t include your name, your kids or spouse. Basically, any easily attainable personal information is not the way to go.
  • Try to use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your keyboard (also known as “shoulder surfing”). Don’t forget password etiquette to help on this.
  • DO NOT write a password on sticky notes, desk blotters, calendars or store it online where it can be accessed by others. Contrary to popular belief, there is nothing wrong with writing passwords down. They just need to be adequately protected in order to remain secure and effective. In general, passwords written on a piece of paper safely stored are more difficult to compromise.

Passwords today are a fact of life. Like good nutrition, the right passwords and processes can enhance your feelings of security and well being. Don’t let them overwhelm you, but do take them seriously. And pledge to start now by following these easy rules. Now there’s a New Year’s resolution that you can keep!


Lisa is President of L. Kianoff & Associates, Inc., which she founded in 1986. Her computer consulting firm has been a leader in helping companies strengthen their business performance with award-winning accounting and business management systems.