Passwords: Silly or Serious?

March 23, 2009

I recently asked my LinkedIn connections: "How do professionals manage to design a password strategy that is both usable and secure?" I had some great answers.

Andy Foote's answer to the password question is worth repeating: "Take your next door neighbor's dog's name, if it is a bitch, start with the first letter, if a male, start with the last letter, add a vowel and the letters 'eze' or 'nuts', and then add the last two numbers of your birth year. Do this every time you move address or the postman gets bitten."

I like it, but that’s just me.

John Ross and Stacy Sneeden point out that complicated passwords and biometrics are both options, but complicated passwords are a pain for users and biometrics are an expense for the SMB.

Jeremy Lee made the excellent point that humans are horrible random-number generators, and that there is a relatively simple way to provide secure passwords that users will actually use. He asked, "What's wrong with writing the passwords down?" (as long as it is not under the keyboard). Keep it in a wallet, purse, glasses case or something else physical and personal. This then becomes a poor man's two-factor authentication:

Something you know: “Where I hid it, and possibly how it’s recorded”
Something you have: “My wallet”

I love it. It has something the SMB loves (not expensive) and something its users love (not complicated). So I am going to suggest a modified solution that my company (a managed services provider) has been using for some time.

One of the complexities facing the SMB is that very often a single password change affects the network login, Exchange access, smartphone email and so on. My company takes responsibility for changing and recording our clients' user passwords. We simplify this by having a portion of the password that is common to the company and that all the users know (e.g. Acme Manufacturing Co. has all their passwords start with AMCo*). We then follow this with a four-digit suffix (AMCo*1234).

The strength is that the passcode is 1) 9 characters, 2) not a dictionary word, 3) contains all four character types (upper case, lower case, digit and symbol), and 4) the users only have to remember four numbers. The weakness is that 1) it still goes on the bottom of the keyboard, and 2) it is relatively easy to break for an internal ne'er-do-well, since anyone who knows the company prefix has only 10,000 possible suffixes to try (but they're all on the bottom of the keyboards anyway).
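
To make that weakness concrete, here is an added example in Python (not code from the original post or from the author's company) that builds passwords in the described format, checks the four-character-class claim, issues non-repeating suffixes the way a help desk might, and then plays the insider who knows the prefix. The prefix AMCo* is the post's own; the function names, the use of SHA-256 as a stand-in for whatever hash the directory actually stores, and the 94-character printable alphabet used for the outsider comparison are assumptions made for the demonstration.

```python
import hashlib
import math
import secrets
import string
from itertools import product

# Hypothetical values for the scheme the post describes: one prefix shared by
# the whole company, followed by a four-digit suffix that is all the user has
# to remember. "AMCo*" is the post's example; the suffix length is fixed at 4.
COMPANY_PREFIX = "AMCo*"
SUFFIX_LEN = 4
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def make_password(prefix, suffix):
    """Build a password in the post's format, e.g. 'AMCo*' + '1234'."""
    if len(suffix) != SUFFIX_LEN or not suffix.isdigit():
        raise ValueError("suffix must be exactly %d digits" % SUFFIX_LEN)
    return prefix + suffix


def has_all_four_classes(pw):
    """Check the post's claim that the result has upper, lower, digit and symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def issue_suffix(already_issued):
    """Help-desk side: draw a random, not-yet-used 4-digit suffix. Uses the
    secrets module so one user's suffix says nothing about another's."""
    if len(already_issued) >= 10 ** SUFFIX_LEN:
        raise RuntimeError("all %d suffixes are in use" % 10 ** SUFFIX_LEN)
    while True:
        suffix = str(secrets.randbelow(10 ** SUFFIX_LEN)).zfill(SUFFIX_LEN)
        if suffix not in already_issued:
            already_issued.add(suffix)
            return suffix


def search_space_bits(prefix_known):
    """Attacker's search space in bits. An outsider who only knows the
    password is 9 printable characters faces 94**9; an insider who knows
    the company prefix faces just the 10**4 suffixes."""
    if prefix_known:
        return SUFFIX_LEN * math.log2(10)
    return (len(COMPANY_PREFIX) + SUFFIX_LEN) * math.log2(len(PRINTABLE))


def sha256_hex(pw):
    """Stand-in (an assumption) for whatever hash the directory really stores."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def insider_crack(target_hash, prefix):
    """The 'internal ne'er-do-well' attack: knowing the prefix, try every
    suffix 0000..9999 in order. Returns (password or None, attempts made)."""
    attempts = 0
    for digits in product("0123456789", repeat=SUFFIX_LEN):
        attempts += 1
        candidate = prefix + "".join(digits)
        if sha256_hex(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    issued = set()
    pw = make_password(COMPANY_PREFIX, issue_suffix(issued))
    print("issued:", pw, "all four classes:", has_all_four_classes(pw))
    print("outsider search space: %.1f bits" % search_space_bits(False))
    print("insider search space:  %.1f bits" % search_space_bits(True))
    found, tries = insider_crack(sha256_hex(pw), COMPANY_PREFIX)
    print("insider recovered %s after %d guesses" % (found, tries))
```

The point the numbers make: to someone outside the company the password looks like roughly 59 bits of random printable text, but to anyone who knows the prefix it is worth about 13 bits, and the full 10,000-guess sweep finishes in well under a second against an unsalted fast hash. Lockout and rate limiting on the login path are what actually stand between the insider and the account, not the password itself.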

So why not give out a business card with the number of the help desk on it, and on the back the date the card was issued (version control) and the four digits the user has to remember? Voilà: if there is a problem the user calls the help desk, and the card fits easily into a wallet or purse. It is easy for the help desk to issue a new one when the password changes, and we get to advertise on it.

Thanks for all the input to this article from my friends at LinkedIn.
