Monday, December 18, 2017

Online Security

This afternoon I spent several hours reading through computer and online security policies for my company. They are not different from what you would find at any company concerned about making sure sensitive information remains so. While there is a lot that I read, the interesting point I would like to share today is with passwords.

I am going to start by saying that I hate my company's password policy. My company laptop password has to be a minimum of 12 characters, contain upper and lower-case letters, contain at least 1 number, and can optionally contain symbols. Furthermore, I have to change the password every 90 days but cannot change it within 2 weeks of creating a new one. Why? So users don't just cycle through difficult passwords until they get back to their familiar one. We cannot use the same password again for a really long time, which means our password system remembers quite a few of our old passwords and won't let us re-use them. Of course, we are not allowed to write our passwords down. While this all sounds cumbersome to me, it actually has merit and should be adopted by others concerned about security.

Instead of looking at long passwords as being difficult to remember, I now look at them as ways of creating short sentences. For instance, when I have to create a password for someone and give it to them with the instruction to change it immediately, I always use something funny like "MattIsT0tallyAwesome!" It is longer than the 12-character minimum and is filled with upper and lower-case letters. I have also replaced one of the letter O's with a zero so I get a number in there. Then I end with the exclamation point which is an optional symbol.

The other thing that can get confusing is having to change my password so frequently. While I have come up with a short sentence for my first password, in 3 months I will have to change it again. Instead of coming up with a new password, I simply create a follow-on sentence. One example might be "YesHeReally1s!". Notice how all the rules are followed again, with the number one replacing the capital letter I in the word "is". Once again I have used an exclamation point at the end, but could have used another symbol just as easily. By the time I have changed my password 10 or 20 times, a fairly funny dialog has built up. The only trick is remembering which sentence I am on for my current password, but that is much easier than remembering a bunch of random characters.
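To make the policy from the two paragraphs above concrete, here is a small Python checker I have added as an illustration; it is not code from the original post or from the author's company. It enforces the stated rules (12-character minimum, upper and lower case, at least one digit, symbols optional), refuses a change within 14 days of the last one, flags a password as expired after 90 days, and rejects re-use of remembered old passwords by comparing salted PBKDF2 hashes rather than storing the passwords themselves. The post only says the system remembers "quite a few" old passwords, so the history depth of 24 is an assumption, as are the short problem codes the checker returns.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy values taken from the post.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90   # must change after this many days
MIN_AGE_DAYS = 14   # cannot change again within 2 weeks of a new password
HISTORY_SIZE = 24   # assumed; the post only says "quite a few" old passwords


def check_composition(password):
    """Return a list of problem codes (empty list = password passes the rules)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not re.search(r"[A-Z]", password):
        problems.append("no_upper")
    if not re.search(r"[a-z]", password):
        problems.append("no_lower")
    if not re.search(r"[0-9]", password):
        problems.append("no_digit")
    # Symbols are optional under this policy, so their absence is not a problem.
    return problems


def hash_password(password, salt):
    """Slow salted hash so the history never holds the cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Remembers the last HISTORY_SIZE password hashes and when each was set."""

    def __init__(self, history_size=HISTORY_SIZE):
        self.salt = os.urandom(16)   # one salt per account, generated here
        self.history_size = history_size
        self.entries = []            # (hash, date_set) pairs, newest last

    def _seen_before(self, password):
        candidate = hash_password(password, self.salt)
        return any(hmac.compare_digest(candidate, old) for old, _ in self.entries)

    def try_change(self, new_password, today):
        """Apply the policy; return problem codes, or [] if the change was accepted."""
        problems = check_composition(new_password)
        if self.entries:
            _, last_set = self.entries[-1]
            if today - last_set < timedelta(days=MIN_AGE_DAYS):
                problems.append("min_age")
        if self._seen_before(new_password):
            problems.append("reused")
        if problems:
            return problems
        self.entries.append((hash_password(new_password, self.salt), today))
        self.entries = self.entries[-self.history_size:]   # forget the oldest
        return []

    def is_expired(self, today):
        """True once the current password is MAX_AGE_DAYS old or older."""
        if not self.entries:
            return True
        _, last_set = self.entries[-1]
        return today - last_set >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Walk through the post's example sentences on constructed dates.
    acct = PasswordHistory()
    print(acct.try_change("MattIsT0tallyAwesome!", date(2017, 12, 18)))   # []
    print(acct.try_change("YesHeReally1s!", date(2017, 12, 25)))          # ['min_age']
    print(acct.is_expired(date(2018, 3, 18)))                             # True
    print(acct.try_change("MattIsT0tallyAwesome!", date(2018, 1, 15)))    # ['reused']
    print(acct.try_change("YesHeReally1s!", date(2018, 1, 15)))           # []
```

The composition check and the reuse check are kept separate on purpose: the first only needs the candidate string, while the second needs the account's salt and stored hashes, which is the part a real system would keep server-side.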

For the record, I have never used either of my example passwords and they only serve as ideas. After all, what good is having a clever password if you post it somewhere for everyone to read?
