It’s a Secret:
1. Passwords must not be written down
This is a simple rule. From my days working with the MOD I remember how easy it was to unlock safes and steal passwords, as both were usually written down somewhere easy to locate. My favourite one for safes was on a calendar not a million miles away from said safe! Don’t do it. Otherwise, why bother?
2. Passwords must be set
This is pretty sensible – how many of us have seen SQL Server installations where the SA account has a blank password!
3. Require as few passwords as possible
If you come up with a good one, use it where you need it. My own personal favourite is an easy-to-remember phrase plus a few numbers, with a reference to the site added.
4. Staff must change their passwords regularly
A password that’s older than 3 months is past its sell-by date.
5. Make new passwords new
Don’t just pay lip service and change a number or two; change the whole password!
6. Avoid obvious words
Don’t use words, period. Use the first letters of a phrase or saying, plus numbers, plus a symbol. For example: EWTWC@WI66*. So what does it mean? England Won The World Cup @ Wembley In 66 *.
7. Think long - but not too long
10 to 12 characters is about right; less is just too short.
8. Automate password changes
Trigger the change automatically; don’t just rely on the user, because he won’t do it!
9. Educate staff
Make sure the staff understand why passwords are so important!
10. Look to the future
Plan for biometrics, fingerprint readers and federated security.
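As an added illustration (not code from the post), here is a small Python policy checker that turns rules 2, 4, 5, 6 and 7 above into automated checks: a blank password is rejected, a password last changed more than 90 days ago is flagged for rotation, a "new" password that only bumps a digit or two is refused, passwords built around a plain dictionary word are caught, and length is held to 10–12 characters. The wordlist and the dates are constructed sample data, and dates are passed as ISO strings so the check can be scripted easily.

```python
"""Password-policy checker for rules 2, 4, 5, 6 and 7 of the post.

Illustrative code written for this page, not a tool from the original post.
The wordlist and dates below are constructed sample data.
"""
from datetime import date, timedelta
import difflib
import re

MAX_AGE_DAYS = 90           # rule 4: older than ~3 months is past its sell-by date
MIN_LEN, MAX_LEN = 10, 12   # rule 7: 10 to 12 characters is about right

# Constructed sample wordlist; a real check would load a full dictionary file.
COMMON_WORDS = {"password", "england", "wembley", "summer", "welcome", "letmein"}


def is_set(password):
    """Rule 2: a blank or whitespace-only password counts as not set."""
    return bool(password) and bool(password.strip())


def needs_rotation(last_changed_iso, today_iso=None):
    """Rule 4: True when the password was last changed more than MAX_AGE_DAYS ago."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def _without_digits(s):
    return re.sub(r"\d", "", s).lower()


def is_genuinely_new(old, new):
    """Rule 5: reject a 'new' password that only bumps a digit or two.
    Digits are stripped before comparing (Summer2023 -> Summer2024 is caught),
    and an overall similarity ratio catches single-character tweaks."""
    if _without_digits(old) == _without_digits(new):
        return False
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio() < 0.8


def contains_dictionary_word(password):
    """Rule 6: flag passwords built around a plain word from the wordlist.
    Only letters are compared, so England66!! is still caught."""
    letters = re.sub(r"[^a-z]", "", password.lower())
    return any(word in letters for word in COMMON_WORDS)


def length_ok(password):
    """Rule 7: 10 to 12 characters."""
    return MIN_LEN <= len(password) <= MAX_LEN


def check_password(new, old=None):
    """Return the list of rules the candidate password fails (empty list = accepted)."""
    if not is_set(new):
        return ["rule 2: password must be set"]
    failures = []
    if not length_ok(new):
        failures.append(f"rule 7: length must be {MIN_LEN}-{MAX_LEN} characters")
    if contains_dictionary_word(new):
        failures.append("rule 6: avoid obvious words")
    if old is not None and not is_genuinely_new(old, new):
        failures.append("rule 5: new password is too close to the old one")
    return failures


if __name__ == "__main__":
    # The post's own phrase-based example passes every check.
    print(check_password("EWTWC@WI66*"))                          # -> []
    print(check_password("England66!!"))                          # -> rule 6 only
    print(check_password("Summer2024", old="Summer2023"))         # -> rules 6 and 5
    print(needs_rotation("2024-01-01", today_iso="2024-04-15"))   # -> True
```

The similarity threshold of 0.8 and the 90-day window are choices made for this example; the post itself gives "3 months" and "10 to 12 characters", which the constants reflect.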