Over the weekend I was killing time at a Hallmark store looking for a birthday card. It was probably my first time in a Hallmark store in years, but I needed to kill 15 minutes at a mall and I would rather browse aisles of birthday cards than be chased down the mall by people trying to get me to sign up for a new credit card to get a free shirt. After finally deciding on a card that wasn't too brainless or sappy, I went to check out and noticed a book being sold called Forgot Your Password?™: a confidential handbook to keep all of your usernames, passwords, websites at your fingertips.
As I opened the book, I was hoping to find a satirical book about the annoyance of passwords or perhaps a survival handbook on good password practices. Apparently, I'm a bit naïve. Instead, I found what is perhaps one of the most terrifying sights for someone who fights fraud on a daily basis. This "book" was filled with empty pages for the buyer to enter his/her favorite websites, usernames, passwords, security questions and answers. It goes without saying that a filled-out copy of this book would be a dream for any hacker. In fact, I am not convinced that a hacker group is not responsible for this book.
I am pretty realistic when it comes to best practices for passwords. If users are asked to use unique passwords (a combination of uppercase, lowercase, numbers, and special characters) on all 327 of their accounts and have to change every password every 6 weeks, users will probably do the exact opposite and use the same static password across all of their accounts. Password best practices shouldn't be intimidating, otherwise the average user will just ignore them. So, instead of giving a long list of tactics for making the strongest possible passwords, here are two simple suggestions for how to balance convenience and security:
First, leverage a service like LastPass to manage passwords across accounts. It is free and easy to join, and it removes the need to remember (or write down) a different password for every site.

Second, if you are not going to use a manager, at least change one or two characters across different accounts so that a single stolen password does not compromise every account at once. For example, instead of making golfer72 the password for both Gmail and Facebook, use golfer72gm for your Gmail account and golfer72fb for your Facebook account. A stronger password can certainly be created, and anyone who reads golfer72gm off a breach dump and thinks about it can guess golfer72fb, so this only defeats automated replay of the exact leaked password, not an attacker who spots the pattern. Even so, it adds a meaningful level of protection over using the same password everywhere, which is what automated credential-stuffing attacks rely on.
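To make the trade-off above concrete, here is an added simulation (my own example, not code from the original post) of one user whose password leaks from one site. It compares three habits: reusing one password, the per-site suffix trick (golfer72gm / golfer72fb), and a random unique password per site as a manager would generate. Two attacker behaviours are modelled: replaying the leaked password unchanged, and stripping the site suffix and re-applying the pattern to other sites. The site names, the suffix table, the base password golfer72 and the PBKDF2 round count are all assumptions made for the demo.

```python
"""Credential-reuse simulation (added example, not from the original post).

A site's login database stores salted, slow hashes; an attacker who obtains
one plaintext password from a breach tries it against the user's other sites.
All accounts, sites and suffixes below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Assumed site list and the per-site suffix scheme the post describes.
SITE_SUFFIX = {"gmail": "gm", "facebook": "fb", "bank": "bk"}
PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; use far more for real storage


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, as a site would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def make_user(strategy: str, base: str = "golfer72"):
    """Return (plaintexts, store) for one user following a password habit.

    'reuse'  - the same password on every site
    'suffix' - base + per-site suffix, as the post suggests
    'unique' - an unrelated random password per site (what a manager generates)
    plaintexts models what the user knows; store models each site's database.
    """
    plaintexts, store = {}, {}
    for site, suffix in SITE_SUFFIX.items():
        if strategy == "reuse":
            pw = base
        elif strategy == "suffix":
            pw = base + suffix
        elif strategy == "unique":
            pw = secrets.token_urlsafe(16)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        salt = secrets.token_bytes(16)
        plaintexts[site] = pw
        store[site] = (salt, hash_password(pw, salt))
    return plaintexts, store


def exact_replay(leaked_site: str, leaked_pw: str, store: dict) -> set:
    """Automated credential stuffing: replay the leaked password as-is."""
    return {site for site, (salt, h) in store.items()
            if site != leaked_site and verify(leaked_pw, salt, h)}


def suffix_mutation(leaked_site: str, leaked_pw: str, store: dict) -> set:
    """Attacker who notices the pattern: strip the leaked site's suffix and
    try base + suffix on every other site (plus the bare base and the
    unchanged password)."""
    suffix = SITE_SUFFIX[leaked_site]
    base = leaked_pw[:-len(suffix)] if leaked_pw.endswith(suffix) else leaked_pw
    compromised = set()
    for site, (salt, h) in store.items():
        if site == leaked_site:
            continue
        for guess in {leaked_pw, base, base + SITE_SUFFIX[site]}:
            if verify(guess, salt, h):
                compromised.add(site)
                break
    return compromised


def simulate(strategy: str, attack, leaked_site: str = "gmail") -> set:
    """Leak the user's password for leaked_site and report the OTHER sites
    the given attack manages to log in to."""
    plaintexts, store = make_user(strategy)
    return attack(leaked_site, plaintexts[leaked_site], store)


if __name__ == "__main__":
    for strategy in ("reuse", "suffix", "unique"):
        for attack in (exact_replay, suffix_mutation):
            hit = sorted(simulate(strategy, attack))
            print(f"{strategy:6} vs {attack.__name__:15}: also compromised {hit}")
```

Running it shows the point of the paragraph: with a reused password both attacks take every account; the suffix scheme stops the unchanged replay but falls to the pattern-aware attacker; only unrelated per-site passwords survive both, which is the case for a password manager.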
If you are going to ignore the advice and still insist on writing down passwords, you can do a lot better than a Forgot Your Password? book. If you insist on using paper, keep the notes in a secure location and do not put all of your passwords in one place. Better still, write down a hint that only you can decode rather than the password itself. For example, write down "favorite sport + Susan's birth year" instead of golfer72.
At work, security best practices can focus on offering convenient solutions that aren't overwhelming or intimidating to new users, yet still provide a higher level of security. Make a few changes to your password practices instead of a complete overhaul. And most importantly, save the $5 you would spend on the Forgot Your Password? handbook and use it for something far more important -- like maybe a birthday card.