I was just talking about this issue with my sys admins after being given a new, fairly strong password that I will never remember. I have to keep it somewhere or ask for it repeatedly when needed.
I’ve long advocated multi-segmented password policies for companies.
Essentially you have a personal password plus a prefix and a suffix. Each login uses its own suffix.
> company prefix might be ‘wanu3’
> personal password might be ‘catpi11ar’
> site/server suffix would vary:
– ‘ved3xob’ (development server)
– ‘mbx’ (mail box)
– ‘navalforce’ (i.e. for Salesforce)
OR a pattern (such as “no vowels”).
This serves several purposes. First there is a generic corporate prefix. This can be changed periodically across the board (say once a year, or after a big layoff).
Then there is a personal password; this makes each password unique to you. For system passwords (a sysadmin account or a database authentication virtual user) you might use a generic value for this segment instead.
Finally you have a suffix, which distinguishes each device. It should be fairly simple and easy to remember for all devices (such as a pattern). It helps make things more secure by ensuring that if one site is compromised (a web server), the attacker cannot simply reuse that password against other infrastructure elements (e.g. your database), because the passwords will differ.
Essentially, you’re reducing the passwords to only three significant components. Now your users need only remember three things for all their corporate passwords. The current corp password, their personal password, and the device pattern.
You can have passwords that are extremely hard to brute-force from a technical point of view (symbols, spaces, numbers, etc.) while being easy enough to remember that they are not kept on sticky notes under keyboards, in drawers, or in text files on local machines.
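To make the scheme concrete, here is an added Python example (my own illustration, not code from the post or from Aral Balkan) that composes per-system passwords from the three segments described above and then estimates what an attacker still has to guess about a *second* system once one composed password has leaked. The segment values are the post’s own sample strings; the system names and the “no vowels” rule are assumptions for the demonstration. The entropy figure is a crude brute-force upper bound per segment, not a measure of real password strength.

```python
import math
import re
from typing import Callable, Dict, Iterable

# Constructed sample segments, taken from the post's illustration.
COMPANY_PREFIX = "wanu3"
PERSONAL_PASSWORD = "catpi11ar"

# Explicit per-system suffixes from the post; the system names are hypothetical.
EXPLICIT_SUFFIXES: Dict[str, str] = {
    "devserver": "ved3xob",
    "mailbox": "mbx",
    "salesforce": "navalforce",
}


def explicit_suffix(system_name: str) -> str:
    """Look up a memorised, system-specific suffix."""
    return EXPLICIT_SUFFIXES[system_name]


def pattern_suffix(system_name: str) -> str:
    """The post's alternative: derive the suffix from the system name by a
    fixed rule, here 'no vowels'. Deterministic, so anyone who knows the rule
    and the system name can reproduce it without guessing."""
    return re.sub(r"[aeiou]", "", system_name.lower())


def compose(prefix: str, personal: str, suffix: str) -> str:
    """Segmented password: corporate prefix + personal secret + per-system suffix."""
    return prefix + personal + suffix


def passwords_for(systems: Iterable[str],
                  suffix_fn: Callable[[str], str],
                  prefix: str = COMPANY_PREFIX,
                  personal: str = PERSONAL_PASSWORD) -> Dict[str, str]:
    """Build one composed password per system using the given suffix rule."""
    return {name: compose(prefix, personal, suffix_fn(name)) for name in systems}


def segment_bits(segment: str) -> float:
    """Rough brute-force size of one segment: length * log2(size of the
    character classes it actually uses). This is an upper bound; a word-like
    segment such as 'catpi11ar' is far weaker than the figure suggests."""
    alphabet = 0
    if re.search(r"[a-z]", segment):
        alphabet += 26
    if re.search(r"[A-Z]", segment):
        alphabet += 26
    if re.search(r"[0-9]", segment):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", segment):
        alphabet += 33  # printable ASCII symbols and space
    return len(segment) * math.log2(alphabet) if alphabet else 0.0


def residual_bits_after_leak(other_suffix: str, suffix_is_derived: bool) -> float:
    """Search space left for ANOTHER system's password once one composed
    password has leaked. The shared prefix and personal segment are then
    known, so only that system's suffix remains unknown. If the suffix is a
    public pattern of the system name, it is effectively known as well."""
    if suffix_is_derived:
        return 0.0
    return segment_bits(other_suffix)


def main() -> None:
    systems = list(EXPLICIT_SUFFIXES)
    for label, fn, derived in (("explicit suffixes", explicit_suffix, False),
                               ("'no vowels' pattern", pattern_suffix, True)):
        pw = passwords_for(systems, fn)
        print(f"--- {label} ---")
        for name, value in pw.items():
            left = residual_bits_after_leak(fn(name), derived)
            print(f"{name:10s} {value:28s} full~{segment_bits(value):5.1f} bits,"
                  f" left to guess after another leak: {left:5.1f} bits")


if __name__ == "__main__":
    main()
```

Running it shows the property the post relies on: with memorised suffixes, a leaked web-server password still leaves the database suffix to be guessed (‘ved3xob’ is roughly 36 bits on its own), whereas with a name-derived pattern the remaining search space is zero, because the “secret” part is computable from the system name.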
Thanks to Aral Balkan for his recent post which was the inspiration in my sharing on this topic.