Login and Password Security Best Practices

Published July 19th, 2011


The following is a quick and dirty email I was placed in charge of sending to my current employer's customer base. When writing it, the email was meant to put as bluntly as possible the consequences of using weak passwords, just after having two clients this week burnt by using passwords such as “12345” or “mydaughtersname1”. The following was the email I sent out, basically using the fairly simple, easy-for-a-layman-to-understand guidelines found within a great document released by the NSA, which I would suggest any client of mine or visitor to this site read over; the link can be located at the end of this post. The following is the email I composed.

As of late the news has been filled with stories of compromised web sites leaking personal data such as email addresses and passwords all over the Internet; some of the data even comes from multibillion-dollar corporations such as, in recent months, Sony. To help protect yourself, as well as any data stored on the Internet or locally on your network, I have compiled this document regarding password policies, put together mostly using the National Security Agency’s (NSA) recommendations on the matter.

A strong password should be at least 10 characters long, contain multiple character types (lowercase, uppercase, numbers and special characters) and be difficult to guess. The reasoning behind this practice is to make your password as hard as possible to recover, whether by someone making guesses, by software that brute forces the login by attempting it over and over with different passwords, or by software that cracks the scrambled (hashed) copies of passwords stored on your computer or on a web site whose data has been compromised. Every additional character multiplies the number of possibilities an attacker has to try, so length counts for more than any single character type; at the same time, a long password built from a name or a dictionary word is still weak, because cracking software tries names, words and simple variations of them first.

Login information, including passwords, should always be unique and never reused across multiple web sites, nor be the same as the password used to log into your computer at work or home. This practice prevents someone who has compromised a password on one system from gaining control of your accounts on other systems. Simply put, if login information is compromised on one site and it is the same login information used for your email account, Facebook, PayPal, Amazon.com or any other site, it becomes highly likely that those accounts will be compromised as well, with serious consequences including, but not limited to, defamation of your name, financial losses and identity theft. In the more recent releases of data from compromised sites, most of the financial and personal damage has been the result of people taking login information from one site and using it to log into other sites such as PayPal and Facebook.
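Worked example of the two points above (offline cracking of leaked password hashes, and the reuse of whatever gets cracked on a second site). This is added here for illustration and is not part of the email or of the NSA document. The "leaked" account databases, the second site's hashes and the wordlist are all constructed inline; unsalted SHA-1 is used as a deliberately weak storage scheme of the kind compromised sites were found to use, and the policy thresholds (10 characters, 3 character types) follow the text.

```python
import hashlib
import math
import string

# Policy from the email: at least 10 characters and several character types.
MIN_LENGTH = 10
MIN_CLASSES = 3
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def character_classes(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password):
    """True if the password satisfies the length and character-type rule."""
    return len(password) >= MIN_LENGTH and len(character_classes(password)) >= MIN_CLASSES


def keyspace_bits(password):
    """log2 of how many strings a blind brute force must try to be certain of
    finding this password (alphabet_size ** length).  It is only an upper
    bound: a predictable password falls far sooner to a dictionary attack."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def sha1_hex(text):
    """Unsalted SHA-1: a weak storage scheme many compromised sites used."""
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed "leaked" account databases for two hypothetical sites.  With an
# unsalted hash, identical passwords give identical hashes and every hash can
# be attacked offline at full speed.
SITE_A_LEAK = {
    "alice": sha1_hex("12345"),
    "bob": sha1_hex("mydaughtersname1"),
    "carol": sha1_hex("Tr0ub4d0r&3xq!"),
}
SITE_B_HASHES = {
    "alice": sha1_hex("12345"),        # alice reused her password
    "bob": sha1_hex("correct horse"),  # bob did not
}

# Constructed wordlist; real crackers use millions of entries plus rules.
WORDLIST = ["password", "12345", "123456", "mydaughtersname", "letmein", "qwerty"]


def mangle(word):
    """Typical mangling rules: as-is, capitalised, a digit appended, '!' appended."""
    yield word
    yield word.capitalize()
    for digit in "0123456789":
        yield word + digit
    yield word + "!"


def dictionary_attack(leaked, wordlist):
    """Offline cracking: hash each candidate once and look it up against every
    user.  Returns {user: recovered_password} for each hash that was hit."""
    users_by_hash = {}
    for user, digest in leaked.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in users_by_hash.get(sha1_hex(candidate), []):
                cracked[user] = candidate
    return cracked


def reused_accounts(cracked, other_site):
    """Credential reuse: which recovered passwords also open the same user's
    account on another site?  Checked against that site's hashes here; a real
    attacker would simply try logging in with them."""
    return {user for user, password in cracked.items()
            if other_site.get(user) == sha1_hex(password)}


if __name__ == "__main__":
    for pw in ("12345", "mydaughtersname1", "Tr0ub4d0r&3xq!"):
        print(f"{pw!r}: policy={meets_policy(pw)}, brute-force bound={keyspace_bits(pw):.1f} bits")
    cracked = dictionary_attack(SITE_A_LEAK, WORDLIST)
    print("cracked on site A:", cracked)
    print("also valid on site B:", reused_accounts(cracked, SITE_B_HASHES))
```

Running it, "12345" and "mydaughtersname1" are both recovered from the leak by the short wordlist, and alice's recovered password then opens her account on the second site as well. Note that "mydaughtersname1" has a blind brute-force bound of roughly 83 bits, which looks respectable; it still falls instantly because it is a name plus one digit, exactly the kind of variation cracking tools try first. The 14-character mixed password is untouched by the wordlist, which is the point of the length and character-type rule.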

Many sites make use of password recovery based on a question-and-answer system. The answers to these questions should not be readily known by others, nor be available through search engines such as Google and Bing or through public records stored on the Internet. When using systems that rely on this type of security it is best to provide false answers to these questions, making sure the answers are unique across all systems just as with passwords, yet still something memorable to yourself. Keep in mind that a mother’s maiden name is easily found through a simple search of public records, and the high school you attended can be found by simply viewing your Facebook profile.

It is also good practice to disallow programs such as web browsers from remembering login names and passwords and automatically entering them into a web site's login page. The browser has to be able to read those saved passwords back in order to fill them in, and there are many programs available on the Internet that allow a malicious person who gains direct access to your computer to easily extract the full list from applications such as Internet Explorer or a Firefox plugin.

For more information on personal security on the Internet, as well as on how you can better secure your own personal network, it is recommended that you take a look at the document from the National Security Agency entitled “Best Practices for Keeping Your Home Network Secure”, which can be found at http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf.