New password policies for next year
I am proposing two big changes to the district's password policy. The two big changes are: 1) Passwords will never automatically expire; and 2) Passwords will have to be fifteen characters long and have some complexity. These go hand-in-hand. If the passwords are long and complex, they probably won't be cracked, so they won't ever need to be changed.
Why will they never expire?
Research on IT best practices shows that the more frequently passwords are changed, the simpler they become. We also know that changing a password regularly doesn't necessarily stop bad things from happening- it simply blocks out an intruder who happens to get your password. Also, we know it's annoying when passwords expire.
Why will they have to be fifteen characters long?
Again, IT best practices show that long, complex passwords are more secure. There are many reasons for this, but there are two I'm focusing on.
First, there is a very easy password cracking tool that students use (yes, even Oregon students have used this) which can crack any Windows password with a length of fourteen characters or less. Adding the fifteenth character might not seem like much, but the exponential increase in complexity, combined with the way that Windows hashes passwords makes this a huge difference. The second reason for complex passwords is that if a student happens to see or hear a password, it should be something that's difficult to remember. For example if you write down your password (in your wallet or some other place where people won't see it) and a student catches a glimpse, they could remember "BrianJoeErica1990" more easily than "mfdwmfswam3m0ri@lu"
How can we remember all that gibberish?!?
The secret is that it's not really gibberish. The password above, "mfdwmfswaM3m0ri@lU" only looks like gibberish. In fact, it's based on a phrase that has significant personal meaning: "My first date with my future spouse was at Memorial Union." (I just made this up, it's not true, but if it were, it would be memorable. Choose your own phrase.)
See how I got the password? I took the first letter of each word, then the entire word "Memorial" but substituted a "3" for the "e", a zero for the "o", and an "@" for the "a". The resulting password has lots of complexity- it includes capital and lowercase letters, numbers, and symbols. And after a while, your fingers will just get used to typing it. Remember- you won't have to change it every month.
Related resources:
No comments:
Post a Comment