A Personal Blog
Simple, Secure Passwords
Edit: I am marking this post a “work in progress”, as some of the feedback I’ve gotten has brought me slightly back to the drawing board. Keep it coming!
Edit 2: A real “how to write secure passwords” post has now been written and is available here.
Recently I have begun several regular maintenance projects to improve the level of security here at work. Simple things, but things many companies (especially this one) often overlook because they are so simple, and therefore easy to forget.
One of these has been a cyclical update of Domain Admin passwords. Every 30 days, every domain admin (including service accounts) must have their passwords changed.
Before doing this exercise, there were 12 people who had domain admin rights. When I listed them, my coworker said “uh, only 6 of these should have them”. Another benefit of regularly checking this stuff: fewer things fall through the cracks.
So, we cleaned up the permissions and had 6 domain admins. Still, getting 6 people to change their passwords every month to something long enough, secure enough and easy to remember was difficult.
So I held a 15 minute ‘class’ on how to keep secure, easy to remember passwords. My requirements for passwords were:
1. A new password (not an old one with a digit added, for instance)
2. At least 9 characters, though 12-15 was best
3. Must contain at least one each of: a lower case letter, an upper case letter, a number and a symbol
The reason for the stringency (beyond the obvious one: requiring each of these puts the computing power needed to crack the password somewhere near supercomputer level)? Typical HSC passwords were password1, goodfornow and TempPassword (all of these have since been changed). So, stringency is best when everyone has become so lax.
In 15 minutes I had to convey all this, as well as remind / teach these guys how to create simple, secure passwords.
So, I developed a simple progression based on a password already in use elsewhere (all passwords changed to protect us, but the concept is the same):
Original password: monkey
Alphanumeric password: m0nk3y
Secure password: W#Bm0nk3y
The ‘word’ behind this password is: webmonkey. Simple. The length is 9 characters. And it has all the characteristics.
The domain admins simply hold down shift while typing the first word in its alphanumeric form: web becomes w3b, which becomes W#B. Then they type the second word alphanumerically (vowels become numbers).
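As an added example (not code from the original post), the following Python turns the three requirements above into a checker and then undoes the two steps of the progression (shift on the first word, vowels to digits) to test whether what is left is still just dictionary words, which is exactly what a hybrid dictionary attack with character replacement exploits. The toy wordlist, the US keyboard layout used for the shift mapping, and the digit-to-vowel table are assumptions; a real check would load a full dictionary and a breached-password list.

```python
"""Password policy check following the post's three rules, plus a check for
passwords that reduce to dictionary words once shift and digit substitutions
are undone. Added example; not part of the original post."""
import string

# Constructed toy wordlist (assumption). Use a full dictionary in practice.
WORDLIST = {"web", "monkey", "password", "good", "for", "now", "temp", "captain"}

# Shift+digit symbols on a US keyboard mapped back to the digit (assumption:
# US layout, matching the post's "w3b -> W#B" step).
_UNSHIFT = str.maketrans(")!@#$%^&*(", "0123456789")
# Digit-for-vowel swaps as in the post's "m0nk3y", mapped back to letters.
_UNLEET = str.maketrans("0134", "oiea")

MIN_LENGTH = 9


def check_policy(new: str, old: str = "") -> list[str]:
    """Return the post's rules that `new` violates (empty list means it passes)."""
    failures = []
    if len(new) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in new):
        failures.append("no lower case letter")
    if not any(c.isupper() for c in new):
        failures.append("no upper case letter")
    if not any(c.isdigit() for c in new):
        failures.append("no digit")
    if not any(c in string.punctuation for c in new):
        failures.append("no symbol")
    # Rule 1: a new password, not the old one with something bolted on.
    if old and old.lower() in new.lower():
        failures.append("contains the previous password")
    return failures


def normalize(password: str) -> str:
    """Undo the post's transformations: lower-case, unshift symbols, unleet digits."""
    return password.lower().translate(_UNSHIFT).translate(_UNLEET)


def dictionary_derived(password: str, words=WORDLIST) -> bool:
    """True if the normalized password is a concatenation of wordlist entries."""
    text = normalize(password)
    n = len(text)
    # reachable[i] is True when text[:i] can be split entirely into words.
    reachable = [False] * (n + 1)
    reachable[0] = True
    for i in range(n):
        if not reachable[i]:
            continue
        for word in words:
            if text.startswith(word, i):
                reachable[i + len(word)] = True
    return n > 0 and reachable[n]


def audit(new: str, old: str = "") -> list[str]:
    """Policy failures plus the dictionary-derivation finding."""
    findings = check_policy(new, old)
    if dictionary_derived(new):
        findings.append("reduces to dictionary words once substitutions are undone")
    return findings


if __name__ == "__main__":
    for candidate in ["password1", "W#Bm0nk3y", "Monkey1!#"]:
        print(candidate, "->", audit(candidate, old="monkey") or ["ok"])
```

Run against the post's own example, W#Bm0nk3y passes all three rules (nine characters, all four classes, no trace of the old password "monkey") but normalizes to "webmonkey", which segments into two wordlist entries; that is the gap between a policy that checks character classes and one that checks how the password was built.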
We’ll eventually be requiring users to change their passwords on a regular basis as well (enforced), which will require a simpler, more trimmed-down version of this for the newsletter.
I’ve already had conversations with users and managers, as the key really is to show the benefit and the reasons so that they don’t mind the occasional hassle. Sadly, it simply isn’t part of the culture here for security to be a priority. I’ll have to see if I can work towards slowly changing that here (as at my last place of work).
This entry was posted by Jeremy Wright on July 12, 2004 at 10:25 am, and is filed under Work.
about 7 years ago
Actually, that’s not a secure approach at all. L0phtCrack will get that in a lot less time, using a hybrid dictionary-brute-force attack, with character replacement. Anytime there’s a simple process to take less data and turn it into more, it’s probably not going to work…
If you work for a company of a size that has 6 domain admins, can’t you get smartcards?
about 7 years ago
Ran it through L0pht, and it didn’t hit it running on a 6 server cluster after a week of hitting it. Total processing power of 20GHz, with 40GB of RAM. Churn churn churn. If I could find a Unix version I could actually run it on our half-dozen mainframes to get even more cycles out of it.
about 7 years ago
One technique I like to use is that of taking a phrase and stripping first letters.
One example (now retired): In school I was in musical theatre, and the first line I sang in a play was “I am the captain of the pinafore, and a right good captain too!”, so my password would start as:
iatcotp,aargct!
I would then add some capitalization and swap numbers:
1atcotp,AaRGC2!
Fairly long and random, while still being easy to remember.