TechSoup.org The place for nonprofits, charities, and libraries

Password Selection Tips?

Password Selection Tips?

  • How has your nonprofit dealt with passwords? Do you have a formal, organization-wide policy?

    Share your tips for selecting secure passwords here.
    senior editor, TechSoup
  • I like passphrases. Creating a passphrase is as simple as remembering a saying, for instance, "an apple a day keeps the doctor away" and using a letter from each word. So if I used the first letter of each word in the preceding passphrase, my password would be "aaadktda". Not the best password in the world, but certainly more complex than most.

    To make a more secure password, include non-standard characters like $, %, or &. And longer passwords are more secure. Fourteen, fifteen characters or more are ideal.

    I've been using passwords for 10 years now (remember the ol' days when we only needed one 4-digit pin?) and I classify them now. I have one I freely use for non-critical uses, such as this forum. That particular password I have no qualms about sharing with someone else There's others I've garnered thru the years, whether from ISP's to work to passphrases. My most secure passwords are combinations I've daisy-chained together for 15 character or more.
  • Our password policy is -

    Minimum 8 characters, renewed every 40 days, must contain 2 of either: upercase, numeric, or special character - i.e.

    M@dh@ter!
    Ch33se&3gg
    Num3r!c@1
  • Share your tips for selecting secure passwords here.


    For any passwords of significance, I tend to use the Keepass application's password generation utility. It allows you to specify the password length and which characters to include, then prompts you for some "random" input (mouse or keyboard) to generate the password.

    Keepass is also a handy-dandy utility to keep track of all those 100-character passwords, too. :cwm11;

    Info on program: http://keepass.info/
  • Another nice little open source utility for generating random passwords and storing them is Password Safe available from http://passwordsafe.sourceforge.net/
    The program and the database are small enough to store on a USB thumb drive and since the "safe" needs a combination (password) and the database is encrypted, no danger if it's lost. With Password Safe you only need one strong password which you can generate with the program to access all your user names and passwords. I'm a sysadmin with dozens of passwords to remember and I couldn't live without it.

    Rick Goodwin
    System Administrator
    ValleyNet
    www.valley.net
  • I'd add this after the 'not sure what word to use?' section:

    If you keep many highly-sensitive logins, it may not be possible to remember them all without writing them down, let alone changing them periodically. How do you ‘write down’ a password without really writing it down? Answer: use a code.



    For example, you might use the 'famous quote' method to generate a good, secure password. In this case, if you used "four score and seven years ago," the code to that generated password might be ‘lincoln.’ You would write down ‘lincoln’ as the password for that account, and this serves as a personalized reminder of which generator phrase you used. Then you remember how you did it, and recreate the '4sa7yaof' password. When I code my passwords this way, I also code the email address associated with them: I have nicknames for my email accounts which mean something only to me, and they don't contain the '@' symbol. Sometimes I even encode the names of the service or website to which the password applies! This way, I am able to keep a list of dozens of passwords in my smartphone, but anyone who found it would have no luck deciphering the passwords (the file I keep them in isn't even called 'passwords!'). Use this method only if you’re good at creating and remembering codes (try it out on a few passwords to find out).
  • I think these are all great password suggestions. One suggestion I'd like to make from extensive information security training experience is that you should let users know why you are implementing password controls.

    Often times people will try do the bare minimum and end up with passwords that are very breakable to a dedicated attacker (e.g. password123 or [insert sport team name/child's name here]2007 ).

    Let users know that the reason for these controls and for account lockouts is because attackers can automate the login process and try an entire dictionary of words in a matter of minutes. People regularly break into systems that do not implement strong password controls.

    You'll find that when users have an undestanding as to risks behind insecure passwords they are much more likely to choose truly secure passwords - although there will always be a few who just don't care.