How to Create Secure and Meaningful Passwords

November 18, 2011

Shore up your organization’s password security by following these easy guidelines

Dozens of times every day, your employees perform a simple, yet crucial, task: they enter their passwords to log in to their computers, your local network, and the Internet. Just a few brief keystrokes stand between your company's network and cybercriminals, identity thieves, and disgruntled employees. Unless employees' passwords are long and hard to predict, they are easily guessed by attackers or by the password-cracking software they run. Creating meaningful and secure passwords isn't as difficult as many people think, and it's critical to the security of your small business network.

First, everyone should retire the obvious passwords that are still used far too frequently. They shouldn't use any numbers that can be traced back to the individual, including birthdates, Social Security numbers, addresses, and employee numbers. Even details that seem too personal to be guessed, such as your dog's name, your kids' names, or your pick for the World Series, should be avoided. You have password "tells" all around your office, including pictures and tchotchkes, and the same details are often on social media.

Common words are easily guessed as well. Hopefully no one is still using "password" or "user" as a password, but neither should anyone use words like "love" or "secret." In fact, any word in any language that appears in a dictionary is risky: an attacker can use a program to try every word in the dictionary against your network logins (a dictionary attack), and cracking tools routinely extend the list with common variations such as appended digits, capitalized first letters, and letter-for-number swaps. The same approach works against PINs: "5683" spells "love" on a phone keypad, so an attacker simply tries the digit sequences that common words map to.

Unique and memorable passwords

The trick is to come up with unique, secure passwords for all of the different devices, networks, and websites you log in to without creating a password management nightmare. A strong password is long (at least 10 characters, and longer is better) and mixes letters, numbers, and at least one special character such as a punctuation mark. Consider "!blaz45sf3". It resists guessing, but it is difficult to remember.

Choose a phrase that you can remember but that won't be easily guessed, then swap out some letters for numbers, misspell it, and add a special character. For example, "ILoveRedDogs" would become "1LuvR3adDawgs!". Keep in mind that the letter-for-number swaps and the added punctuation buy less than they appear to: cracking tools apply exactly these substitutions as standard mangling rules, so most of the strength comes from the length and the unusualness of the phrase itself, not from the decorations.

This is a good password, but it should be used for only one login. It can, however, serve as a base for additional passwords, so you don't have to remember much more than your original password. For this to work, though, you need a repeatable system for adding a prefix and a suffix to the base. You could bookend the base password with the first and last letters of each website, for instance, or you could add the type of device you're logging in to. Be aware of the trade-off: if any one of the derived passwords is exposed (for example, when a website that stored it poorly is breached), whoever sees it has the base and can guess the pattern, so every other password built from that base is at risk. Reserve this scheme for low-value accounts, and use unrelated passwords, ideally kept in a password manager, for the logins that matter.

For example, if you're going to set a password for your company's Western Cargo online shipping account, you'd start with "1LuvR3adDawgs!", then add "W" and "O" to create "W1LuvR3adDawgs!O". For your laptop login, you could use "Lap1LuvR3adDawgs!top". Whatever you choose, the important things are that the base password is unique and not a real word, and that your system for adding to the base is memorable and repeatable.
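The checks below turn the advice in the two preceding sections into code: a keypad check for PINs like "5683", a dictionary check that first undoes the common letter-for-number swaps, and a function that recovers the shared base from two passwords built with the prefix/suffix scheme. This is an added example, not code from the original post; the word list is a small constructed stand-in for a real dictionary or breach list, and the substitution table is an assumption about which swaps cracking tools try.

```python
"""Password checks for the guidelines above (added example, not from the
original post).  Assumptions: WORDLIST is a constructed stand-in for a
real dictionary or leaked-password list, and UNLEET holds the common
letter-for-number swaps that cracking tools apply as mangling rules.
"""
import itertools
import re
import string

# Constructed sample word list; a real deployment would load a full
# dictionary or a breach-derived list with millions of entries.
WORDLIST = {
    "password", "user", "love", "secret", "admin", "welcome",
    "dog", "dogs", "red", "read", "cargo", "laptop",
}

# Phone keypad, digit -> letters, for PINs such as 5683 ("love").
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}

# Reverse "leet" substitutions; "1" is ambiguous (i or l), so both are tried.
UNLEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
          "@": "a", "$": "s"}

MAX_VARIANTS = 4096   # cap on the combinatorial expansion per password


def keypad_words(pin, wordlist=WORDLIST):
    """Dictionary words that a numeric PIN spells on a phone keypad."""
    if not pin or any(d not in KEYPAD for d in pin):
        return set()
    combos = itertools.product(*(KEYPAD[d] for d in pin))
    return {"".join(c) for c in combos} & wordlist


def unleet_variants(pw, limit=MAX_VARIANTS):
    """Plain-letter strings the password could have been derived from,
    e.g. 'P@ssw0rd' -> {'password'}."""
    choices = [UNLEET.get(ch, ch) for ch in pw.lower()]
    out = set()
    for combo in itertools.product(*choices):
        out.add("".join(combo))
        if len(out) >= limit:
            break
    return out


def is_dictionary_based(pw, wordlist=WORDLIST):
    """True if the password is a dictionary word once common substitutions
    are undone and leading/trailing digits or punctuation are removed."""
    candidates = {pw, pw.strip(string.digits + string.punctuation)}
    for base in candidates:
        for variant in unleet_variants(base):
            letters = re.sub(r"[^a-z]", "", variant)
            if letters in wordlist:
                return True
    return False


def shared_base(pw_a, pw_b, min_len=8):
    """Longest common substring of two passwords.  A long one means both
    were built from the same base, so leaking one exposes the other."""
    best = ""
    for i in range(len(pw_a)):
        for j in range(len(pw_b)):
            k = 0
            while (i + k < len(pw_a) and j + k < len(pw_b)
                   and pw_a[i + k] == pw_b[j + k]):
                k += 1
            if k > len(best):
                best = pw_a[i:i + k]
    return best if len(best) >= min_len else ""


def check(pw, wordlist=WORDLIST):
    """Problems found with one password; an empty list means it passed."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if pw.isdigit():
        spelled = keypad_words(pw, wordlist)
        if spelled:
            problems.append("PIN spells %s on a keypad" % ", ".join(sorted(spelled)))
    if is_dictionary_based(pw, wordlist):
        problems.append("dictionary word with common substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "5683", "P@ssw0rd", "Love123!", "1LuvR3adDawgs!"]:
        print("%-16s %s" % (candidate, check(candidate) or "ok"))
    # Two passwords derived from one base, as in the prefix/suffix scheme:
    print("shared base:", shared_base("W1LuvR3adDawgs!O", "Lap1LuvR3adDawgs!top"))
```

With the sample list, "P@ssw0rd" and "Love123!" are flagged even though neither is a plain dictionary word, which is the point of undoing the substitutions before the lookup. The last line shows why the prefix/suffix scheme is only as strong as the secrecy of every derived password: given the two variants from the text, `shared_base` recovers "1LuvR3adDawgs!" with no knowledge of the phrase.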

Replacing passwords with tokens

If you want to replace passwords for critical logins, such as remote access to your local network, with something stronger, consider an authentication system that uses security cards and tokens. Many access control systems, including VPN login systems, can be set to accept one-time codes generated by a token instead of, or in addition to, the passwords employees choose. The employee carries a security card, key fob, or mobile application (the token) that produces a short numeric code on demand, typically after the user enters a PIN or passphrase on the device. Each code is valid for a single login and expires after a short interval, so a code that is intercepted or written down is useless to an attacker shortly afterward, and an attacker who has only stolen the password still cannot get in.

The VeriSign Identity Protection (VIP) authentication service is an option with Cisco SA500 Series Security Appliances. Besides working with the SA500 for VPN access, it also works with the authentication systems of several other companies' public websites, such as banks, so employees can use the same credential to generate one-time codes for personal logins, too.

Share these guidelines with your employees to beef up your organization's password security. Encourage them to use these techniques for secure, meaningful passwords for their personal logins as well, for everything from their smartphones to their online shopping accounts. Tapping in a password might be a simple step, but it can have significant consequences for the security of your small business.

What steps have you taken to make your employees’ passwords more secure?
