Website: http://awads.net/wp/
Original page: http://awads.net/wp/2006/05/16/top-ten-tips-for-better-password-management/
With all the corruption we hear about these days between governments and software and web companies, I'm not so sure I'd trust storing all of my passwords in any sort of software. I say, think pen and paper, write that shit down and lock it up. If you can't remember one of your dozens of passwords, be sure NOT to forget the combination to your safe and go look it up. But I assure you, if you store your password in a file on your computer, someone, sometime or another will hack that shit.
areyoukidding, are you kidding me? You're free to store your passwords wherever you want, but I would never store my passwords in plain text either on paper or in a file on a computer.
The main reason I use a software program to manage my passwords is because of password encryption. So, even if someone gains access to my password file, that person will not be able to read my passwords.
All good advice, but a list of do's and don'ts is no way to "foster a culture" of anything - either users will take the advice on board or they will give up because it's all too difficult.
The exceptions are tips #3 and #10, which are things the company needs to do to foster a culture of security. In lieu of #10, #9 is probably a necessity but even that will not foster a culture of secure password management.
Regarding number 4, where I work, I am forced to change my Windows logon password every three months. This is more like force than foster. But I'm fine with it because it definitely is more secure that way. It is more hassle for me, but more secure for the company. After all, it's always a compromise.
For better password management, using http://passwordsafe.sourceforge.net/ is recommended.
Why Should They? They are the users. That is what the Sysadmin does.
Thus I have a problem with tip 8. The automatic forcing of password changes every XX days is a bad practice. As is complexity management, i.e. making people use very high complexity passwords on a regular changing cycle. If this is really essential then companies should look for another method of security management such as CHAP or Biometrics.
Forcing users to change passwords every xx days increases the chance of weak passwords. High complexity passwords increase the chance of the passwords being written down.
A far better method of good password management is EDUCATION!!! Teach users to use sensible good passwords. Work with the users to ensure that they choose sensible passwords that are secure, manageable and above all private.