Protect Your Passwords! – Believe it or not, everyone has passwords and uses them more often than they think. Your check card is secured by a password (a.k.a. a PIN), your cellphone voicemail has a password, and your home security alarm and possibly even your garage door have passwords. But how good is your password if you don’t protect it? As a security expert I’ve performed hundreds of IT security assessments and have seen the most secure passwords left unprotected. Here are five things you should not do with your passwords:
- Don’t use dictionary words or sequential numbers – Don’t set your password to “password”, “Password”, or “123456”. The most common password of all is the word “password” itself. Most brute-force attacks succeed because the compromised password is a word taken straight out of the dictionary or a run of sequential numbers, and cracking tools try those first, along with the obvious variations (capitalizing the first letter, tacking a digit or a year on the end, swapping “a” for “@”). You can view the top 25 worst passwords of 2011 HERE.
- Don’t write your passwords down! – Don’t write your password on a Post-it note and hide it under your keyboard, under your mouse pad, behind your monitor, or under your desk calendar. Don’t tape it under your desk, hide it in a drawer, or write it on the phone directory taped to the wall of your cubicle. Trust me, I will find it!
- Never email your passwords – I don’t care if the world is ending and Superman needs your password to save it (yes, even Superman uses email). Don’t email passwords, EVER. One of the most successful attacks I perform is sending an email to a sample set of employees. Spoofing the IT Manager or CIO as the sender, I ask for credentials. Depending on the sample size I have seen anywhere from a 25% to a 70% response rate. That’s scary!
- Don’t share passwords – Don’t let a co-worker (or anyone else) borrow your password. Until you reset it, they still know it and can pose as you any time they want, and whatever they do will be logged under your name. Even your garage door or home security system has options for multiple passwords (one per user), so you don’t even have to share yours with your kids!
- Don’t keep the default password – Whatever your password was when your account was created, it shouldn’t be the same today. Most systems and applications let users set and reset their own passwords. If you haven’t changed your password since the first time you used it, then whoever set it (the administrator or the vendor) still knows it, and vendor defaults are printed in the manual for anyone to read. Reset it.
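The first and last rules above are the two that a system can enforce for you. The checker below is an added example, not code from the original post: it rejects entries from a common-password list, vendor defaults, sequential runs like “1234” or “abcd”, single repeated characters, and dictionary words even after the usual disguises (capitalization, leetspeak, a year on the end). The word lists, the default-password list and the 12-character minimum are constructed assumptions for the example; a real deployment would load a full breached-password list, a system word list and the defaults for the devices actually in use.

```python
import re

# Constructed sample lists for this example. A real deployment would load a
# full breached-password list (the post links the top 25 of 2011), a system
# word list such as /usr/share/dict/words, and the vendor defaults for the
# devices actually in use.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "letmein", "monkey", "111111", "welcome", "iloveyou"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey",
                    "football", "letmein"}
DEFAULT_PASSWORDS = {"admin", "changeme", "default", "1234", "0000"}

# Assumed policy value for this example; the post itself sets no minimum.
MIN_LENGTH = 12

# Substitutions cracking tools already try ("P@ssw0rd" is just "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, undo leetspeak and drop non-letters, so 'P@ssw0rd2011!'
    becomes 'passwordoiii' and can be compared against word lists."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def has_sequential_run(pw: str, min_len: int = 4) -> bool:
    """True if min_len consecutive characters step by +1 or -1 in code point
    ('1234', '6543', 'abcd'); this is the sequential-number case in the post."""
    for step in (1, -1):
        run = 1
        for prev, cur in zip(pw, pw[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            if run >= min_len:
                return True
    return False


def contains_dictionary_word(pw: str, min_word_len: int = 5) -> bool:
    """Flag passwords built on a word-list entry, even with case changes,
    leetspeak or a tacked-on year. Very short words are skipped to limit
    false positives on random strings."""
    norm = normalize(pw)
    return any(w in norm for w in DICTIONARY_WORDS if len(w) >= min_word_len)


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    if low in DEFAULT_PASSWORDS:
        problems.append("is a vendor/default password")
    if re.fullmatch(r"(.)\1*", pw):
        problems.append("is a single repeated character")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 1234 or abcd")
    if contains_dictionary_word(pw):
        problems.append("is built on a dictionary word")
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed candidates: the three from the post, a vendor default,
    # a "clever" disguise of a dictionary word, and a random string.
    for candidate in ["password", "Password", "123456", "admin",
                      "P@ssw0rd2011!", "Tq7!vX9#mL2pRz"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that “P@ssw0rd2011!” is 13 characters with mixed case, digits and symbols, so it passes the usual complexity rules, yet it is rejected because normalization reduces it to a dictionary word; that is the same mutation a cracking tool applies in the other direction, which is why capitalizing or swapping in an “@” does not rescue a dictionary password.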
Bottom line: the only person who needs to know your password is you, so protect it. Use strong passwords, change them often, don’t write them down, don’t share them, and if someone asks you for your password, don’t give it. If your supervisor, IT Manager, or CIO needs access to your account, they should have the power to reset the password, so let them. They can give you the new temporary password, and you change it the first time you log in. If they don’t have the power to reset your password, they shouldn’t be privileged to have your password at all.