Passwords & Underpants

I don't know how I missed it before, but I stumbled upon a little InfoSec analogy that has been floating around for a while now. It goes a little something like this: "Passwords are like underpants...". They then proceed to list all the things that passwords and underwear have in common.

This unique way of promoting good password policy originated at the University of Florida, Information Security Department. I thought it was clever, and it gave me a good reason to finally do a simple write-up on good password policy, even though it's been done to death.

I just wanted to reiterate what everyone else has said about passwords and underpants and also add my own.

Passwords Are Like Underpants:

  • They should be changed often
  • They shouldn't be shared (with anyone)
  • They shouldn't be left lying around
  • They should be mysterious
  • The longer they are, the better
  • You need more than one

I added that last one. I don't know how much the one about length really applies to underwear unless you are an old cowboy or miner (those guys always seem to have long johns on in the movies), but it helps make the point. Expanding on these points and adding in a few others gives us a great foundation for password policy and increasing security on the Internet.

Good Password Policies

They should be changed often

Passwords, just like underwear, should be changed regularly, although underwear probably a little more frequently. How often a password should be rotated depends on the sensitivity of the information or service it protects. For instance, your online banking password probably should be changed a bit more often than the password to your favorite forum. When setting up accounts for services, it is a good idea to take a minute to determine how important the information is and then establish a schedule for changing that password. For sensitive information (banking, email, etc.) I would suggest every 90 days, but definitely no longer than once a year.

They shouldn't be shared

Passwords should always be kept private. They are the keys to accessing our most sensitive information. In a company setting, every employee should have their own set of credentials for everything they need to do. I know in the real world people are going to share passwords with family members and friends on occasion. You're stuck somewhere without Internet access and need to pay a bill for instance. You call up someone you trust and have them log in. Just remember this rule and change that password ASAP. This situation also emphasizes the "You need more than one" quality of passwords and underpants.

They shouldn't be left lying around

The fact that passwords shouldn't be shared should also hammer home the point that we shouldn't leave them lying around. With the need for different passwords for each account and increased requirements for password complexity, we will be tempted to write them down on post-its and stick them to our monitor. I've seen employees of large companies following this practice, with admin credentials! Password vaults help with keeping passwords safely stored, so we can always find them when we need them. We just need to remember the master password without writing it down for everyone to see.

They should be mysterious

This is an interesting point. I guess flashy/crazy underwear is a way for all of us to be a little wild and let loose without others knowing. The point about passwords is to not be predictable. In the age of social networks and sharing every detail about ourselves online, it's easy for hackers to figure out what our mother's maiden name is, or our dog's name. Passwords should not have any relationship with personal details or interests. I'm a bit paranoid as a security professional, so I follow this advice even with security questions. I use random answers for the common questions presented. For instance: "What is your mother's maiden name?", answer: 1nf0$ec (Note: not my mom's maiden name). With most password vaults you can add in notes or other information for the account. This is a great place to store these security questions and answers.

The longer they are, the better

Everyone loves long johns, right? The longer your password is, the more difficult it is to guess, generally. A good guideline here is 8-15 characters. You also want to mix it up with both lower case and capital letters. Also throw in some numbers and symbols and you've got a solid password. A great way to come up with long, complex passwords is to base them on a phrase or sentence. Take the first letter of every word, use @ and & as substitutes for their corresponding words, and also substitute the number "2" for "to" and "too".

You need more than one

I already touched on this above, but with the frequency of data breaches and stolen passwords from websites, we don't want to put all our eggs in one basket. If we use the same password for every site and every account, we must change and update every single account we have before we can be sure we are safe after a compromise. A password vault comes in handy here to help us keep track of all those different passwords.

PCI DSS Password Requirements

For those that have to be PCI compliant, I just wanted to highlight the password policies it requires. These are a great guideline for all of us, and provide a solid base to build upon. Remember, the more sensitive the data being protected the stronger the password policy protecting it should be. The PCI DSS outlines password requirements in section 8, specifically requirement 8.5. Here are the exact requirements for passwords in the PCI DSS:

  • 8.5.9 - Change user passwords at least every 90 days.
  • 8.5.10 - Require a minimum password length of at least seven characters.
  • 8.5.11 - Use passwords containing both numeric and alphabetic characters.
  • 8.5.12 - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
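
The four requirements above can be enforced at password-change time. The sketch below is an added example, not code from the original post or from the PCI DSS; the function names, the choice of PBKDF2 with 100,000 iterations, and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)   # 8.5.9
MIN_LENGTH = 7                 # 8.5.10
HISTORY_DEPTH = 4              # 8.5.12


def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    # Iteration count is an assumption for this example.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def is_expired(last_changed, now):
    """8.5.9: the password must be changed at least every 90 days."""
    return now - last_changed > MAX_AGE


def check_new_password(candidate, history):
    """Return the list of violated requirements; empty means accepted.

    history holds (salt, digest) pairs, oldest first, newest last.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("8.5.10: shorter than seven characters")
    if not (any(c.isalpha() for c in candidate)
            and any(c.isdigit() for c in candidate)):
        problems.append("8.5.11: needs both numeric and alphabetic characters")
    # 8.5.12: the old plaintexts are not available, so re-hash the candidate
    # under each stored salt and compare digests in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("8.5.12: matches one of the last four passwords")
            break
    return problems


# Constructed sample history of five old passwords, oldest first.
SAMPLE_HISTORY = [hash_password(p) for p in
                  ["spring2011x", "summer2011x", "autumn2011x",
                   "winter2011x", "spring2012x"]]
```

Because the history is kept as salted hashes, the reuse check works without ever storing an old password in readable form.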

