Ideas on passwords and security

I was just talking about this issue with my sys admins after being given a new, fairly strong password that I will never remember. I'll have to keep it somewhere or ask for it repeatedly when needed.

I’ve long advocated multi-segmented password policies for companies.

Essentially you have a personal password plus a company prefix and a per-system suffix. Each login gets the combination that corresponds to it.

> company prefix might be ‘wanu3’

> personal password might be ‘catpi11ar’

> site/server suffix would vary by system, either a mnemonic
– ‘ved3xob’ (development server)
– ‘mbx’ (mail box)
– ‘navalforce’ (i.e. for salesforce)
OR a pattern (such as no vowels):
– dvsrvr3
– mlbx
– slsfrc

So, with the pattern variant, the mail box password would be wanu3catpi11armlbx and the salesforce password wanu3catpi11arslsfrc.

***

This does several things. First, there is a generic corporate prefix. It can be rotated across the board (say once a year, or after a big layoff); note that rotating it changes every password in the company at once, so the reset has to be planned.

Then there is a personal password, which makes each password unique to you. For system accounts (a shared sysadmin login or a database service user), this segment might instead be a generic value known to the team.

Then, finally, there is a suffix, which distinguishes each system. It should be simple and easy to remember across all systems (a pattern works well). This helps because if one system is compromised (say, the web server), the captured password cannot simply be replayed as-is against other infrastructure (your database, for instance), since each one is different. Be clear about the limit of that protection, though: anyone who obtains one password in the clear and knows or guesses the suffix pattern has also learned the prefix and the personal password, and can compose the rest. The suffix stops blind reuse of a single string; it does not protect the other systems from someone who reads the password and recognises the pattern, so the pattern itself has to be treated as a secret.

Essentially, you are reducing every password to three significant components. Your users need only remember three things for all their corporate passwords: the current corporate prefix, their personal password, and the system suffix pattern.

B-I-N-G-O

The resulting passwords are long and can include symbols, spaces and numbers, which makes them expensive to brute-force, while being easy enough to remember that they do not end up on sticky notes under keyboards, in drawers, or in text files on local machines. The one caution is the personal segment: a dictionary word with a few digit substitutions (like the ‘catpi11ar’ above) is far weaker than its length suggests, because password crackers try exactly those substitutions first, so pick that segment as you would any standalone password.
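As an added illustration (not the author's code and not part of the original post), here is the scheme in Python: the composition, the no-vowels suffix pattern, what one password leaked in the clear gives away, and, going beyond the post, a keyed derivation that avoids that leak. The prefix, personal password and service names are the post's own sample values; the master secret used in the keyed variant is a constructed placeholder.

```python
# Added example (not the author's code): the segmented password scheme from the
# post, the "no vowels" suffix pattern, what one leaked password gives away, and
# a keyed alternative. Prefix, personal password and service names are the post's
# sample values; the master secret in the keyed variant is a constructed example.
import base64
import hashlib
import hmac

COMPANY_PREFIX = "wanu3"        # from the post
PERSONAL = "catpi11ar"          # from the post
SERVICES = ["development server", "mail box", "salesforce"]


def no_vowels(service: str) -> str:
    """The post's 'no vowels' pattern: keep consonants only, drop spaces.
    'mail box' -> 'mlbx', 'salesforce' -> 'slsfrc'."""
    return "".join(c for c in service if c.isalpha() and c.lower() not in "aeiou")


def segmented_password(prefix: str, personal: str, suffix: str) -> str:
    """Compose prefix + personal + suffix exactly as the post describes."""
    return prefix + personal + suffix


def all_passwords(prefix: str, personal: str, services, pattern=no_vowels) -> dict:
    """One password per service, with the suffix derived by the pattern."""
    return {s: segmented_password(prefix, personal, pattern(s)) for s in services}


def core_from_leak(leaked: str, leaked_suffix: str) -> str:
    """Strip a known or guessed suffix from one plaintext password: what is left
    is the prefix + personal core shared by every other password in the scheme."""
    if not leaked.endswith(leaked_suffix):
        raise ValueError("suffix guess does not match the leaked password")
    return leaked[: len(leaked) - len(leaked_suffix)]


def others_from_leak(leaked: str, leaked_service: str, other_services,
                     pattern=no_vowels) -> dict:
    """Given one leaked password and the suffix pattern, derive the rest.
    This is the limit of the per-system suffix: it only isolates systems while
    the pattern itself is unknown to whoever holds the leaked password."""
    core = core_from_leak(leaked, pattern(leaked_service))
    return {s: core + pattern(s) for s in other_services}


def keyed_site_password(master_secret: str, service: str, length: int = 16) -> str:
    """Keyed alternative (not from the post): HMAC-SHA256 of the service name
    under the memorable secret. One site's password reveals nothing about the
    others, and changing the secret still rotates them all at once; the cost is
    that a script like this is needed to compute each password."""
    mac = hmac.new(master_secret.encode(), service.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:length]


if __name__ == "__main__":
    pw = all_passwords(COMPANY_PREFIX, PERSONAL, SERVICES)
    for s, p in pw.items():
        print(f"{s:20} {p}")
    leaked = pw["salesforce"]
    print("recovered from one leak:",
          others_from_leak(leaked, "salesforce", ["mail box", "development server"]))
    print("keyed:", {s: keyed_site_password("constructed master secret", s) for s in SERVICES})
```

Running it shows the three composed passwords, then the other two recomposed from the salesforce one alone, which is the point of the caveat above: the suffix defeats straight reuse of one string but not an attacker who recognises the pattern. The keyed variant trades memorability for that isolation, so it only suits places where a small tool can be kept alongside the secret.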

– Jason

Thanks to Aral Balkan for his recent post which was the inspiration in my sharing on this topic.


1 Response to “Ideas on passwords and security”


  1. Christopher Keeler, June 27, 2008 at 8:26 am

    Cool idea Jason. I never thought about it like this, but I like it.

    -Chris


June 2008