Passwords...a quick set of 10 things to consider!
Chris Roberts
Strategist, Researcher, Hacker, Advisor, CISO/vCISO, Architect, and writer (Sidragon at Substack). Please remember Rule No. 1: "Do not act incautiously when confronting small bald wrinkly smiling men."
Got asked to put some thoughts into the password issues, AND on combating the problem. Here are a few of the suggestions...if nothing else they should raise a smile.
1) End user education. HELP them understand it’s NOT just company assets they are having to protect, it’s their own personal online identity.
2) Dumb passwords are DUMB… and your adversary is anything BUT dumb….. make some changes, make some philosophical change in how you construct a password OR even better a passphrase!
3) STOP accepting or conforming to the lowest common denominator. Websites that don’t allow you to use special characters or only allow 6-8 characters need to be SHAMED into changing (especially given the fact that many of them simply know better!)
4) The excuse that “the password is hard to remember” is bullshit… there is technology around today to help you store (securely) and recall one-time-use passwords etc…drag your sorry asses into this century and stop using 123456 as your password “because it’s easy”…you make it too easy for me to hack you, and you are my prey.
5) Little Johnny or little Alice might be your best kid or your favorite grandchild, but guess what, because you plastered them all over social media I know it too, so I AM going to try those as passwords. Again, education on passwords and passphrases.
6) IF your corporate password is 6-7-8-9 characters long I’m going to crack it in under 5 minutes IF I get hold of the encrypted hash file (from breaking into your computer or your servers).
7) NEVER give your password to anyone, Ever, NEVER. eBay, Facebook, Yahoo, the FBI, the Police: NONE of them are going to call you up on the phone OR send you an E-Mail asking for your damn password…if they do it’s a scam. The help desk at your company should NEVER ask you for your password; if they do you are probably within your legal right to taser them until they stop. AND none of them are going to send you a link to “click here” to reset your password…again it’s a scam (AND if you are reading this AND your company DOES send out those links…then congratulations, you are propagating and teaching the wrong behavior!)
8) Multi-factor authentication IS your friend, IF you implement it correctly and seamlessly then it’s great… if you make it overly burdensome then someone IS going to find a way round it, and you are back to square one.
9) Hiding your password in your drawer, under your keyboard, in your spare-change tin, under your mouse-pad etc…I find them ALL the time when we are doing physical break-ins… stop it!
10) ALL the passwords in the world are useless if you don’t back up that control with encryption…your laptop, your phone, your iDevice etc…they have encryption capabilities…USE THEM!
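Items 2 and 6 together make one point: length and randomness are what buy you time against an offline attack on a leaked hash file. The script below is an added example (not part of the article) that generates a passphrase with a CSPRNG and compares the worst-case keyspace of a few schemes. The wordlist is a constructed toy list; the bit estimates use the size of the standard Diceware list (7776 words). The guess rate is an assumed illustrative figure, since real rates depend on the hash algorithm and hardware, and all numbers are for uniformly random choices; human-chosen passwords sit far below these ceilings, which is what makes the author's "under 5 minutes" realistic.

```python
import math
import secrets

# Constructed toy wordlist for the demo (a real Diceware list has 7776 words).
DEMO_WORDS = [
    "anchor", "basalt", "cobalt", "dragon", "ember", "falcon", "granite", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nebula", "orchid", "pepper",
]
DICEWARE_LIST_SIZE = 7776  # 6^5 words in the standard Diceware list
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumed illustrative offline guess rate


def generate_passphrase(n_words=5, wordlist=DEMO_WORDS, sep="-"):
    """Pick words with secrets.choice (CSPRNG), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def keyspace_bits(alphabet_size, length):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def exhaust_seconds(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


def compare_schemes(guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Return {scheme: (bits, seconds_to_exhaust)} for a few schemes."""
    schemes = {
        "6 lowercase letters": keyspace_bits(26, 6),
        "8 printable ASCII": keyspace_bits(95, 8),
        "5 Diceware words": keyspace_bits(DICEWARE_LIST_SIZE, 5),
        "7 Diceware words": keyspace_bits(DICEWARE_LIST_SIZE, 7),
    }
    return {
        name: (bits, exhaust_seconds(bits, guesses_per_second))
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    print("Sample passphrase:", generate_passphrase())
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:22s} {bits:6.1f} bits  {secs / 86400:14.2f} days to exhaust")
```

Run it and the 6-lowercase case exhausts in a fraction of a second while five random words land around 64 bits; the passphrase is memorable, the short password is not defensible.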
Hope this helps :)
Manager of Network Services at Evotek
8 years: Does typing in a password and tasing an HD person count as multi-factor auth? Something you have...taser. Something you know...Password.
CEO at Cal Lab Solutions and Publisher at Cal Lab Magazine
8 years: Make Passwords out of old girlfriends' names... For example "KellyInMyCar_3x:)" Then any time you forget a password you... You can reminisce!