I am going to start a Security Awareness Series. On a monthly basis I am going to post a Security Awareness topic based on Best Practices & Industry Standards. The first topic of the series is going to cover Password Best Practices.
Create a strong password
Use strong passwords to protect your computing resources. Here are some rules to create strong passwords:
- Use two numbers in the first eight characters.
- Pick long passwords, at least 8 characters in length if the system allows it.
- Don’t use a common dictionary word, a name, a string of numbers, or your User ID.
- One of the easiest-to-remember and hardest-to-crack methods is the pseudo-random password: the password is derived from an easy-to-remember phrase that means something to you. The phrase can be a line from a book you particularly like, words from a song you always recall with ease, or a statement by some public figure that you will never forget. The key to a successful password is a phrase that is easy for you to remember but that no one else would ever think to attribute to you.
- personal phrase: "My first dogs name was the best…"
  password: my1donawa…
  method: Choose the first two letters of each word until a total of eight characters results (here "first" becomes the digit 1).
- personal phrase: "I love to drink Landshark Lager…"
  password: iltdll22
  method: Choose the first letter of each word, followed by your age.
- personal phrase: "My Brother’s Birthday Is april(4) Twenty Two Nineteen Sixty three(3)"
  password: mbbi4tt19s3
  method: Choose the first letter of most words, and substitute digits for the numbers.
- Certain special characters may be used. Note, however, that some applications do not accept special characters; if you run into this, change your password to a combination of letters and numbers. Examples of commonly permitted special characters are shown below:
$ . , ! % ^ *
Avoid a weak password
When creating passwords, avoid the following:
- Easy to guess passwords such as a blank or "password"
- Your name, spouse’s name, or partner’s name
- Your pet’s name or your child’s name
- Names of close friends or coworkers
- Names of your favorite fantasy characters
- Your boss’s name
- Anybody’s name
- The name of the operating system you’re using
- String of numbers or letters, like 1234, abcde
- The hostname of your computer
- Your phone number or your license plate number
- Any part of your social security number
- Anybody’s birth date
- Other information easily obtained about you (e.g., address, town, alma mater)
- Words such as wizard, guru, password, nimda, and so on
- A username in any form (as is, capitalized, doubled, etc.)
- A word in the English dictionary or in a foreign dictionary
- Place names or any proper nouns
- Passwords of all the same letter
- Simple patterns of letters on the keyboard, like asdfg
- Any of the above spelled backwards
- Any of the above followed or preceded by a single digit
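Both the phrase-derivation method described under "Create a strong password" and the "avoid" list above are easy to automate, and an automated check catches slips that eyeballing misses. The following Python is an added example written for this article; it is not code from the original post or from The Security Pubs. The dictionary, keyboard rows, number-word map and the personal-details tuple are constructed sample data (a real checker would load a full cracking wordlist and the user's actual account details). It derives the three example passwords from their phrases and then runs them, plus a few deliberately weak ones, through the rules on this page.

```python
import re
import string

# Constructed sample data for this example (not from the article): a tiny
# stand-in for a cracking dictionary, plus keyboard rows for pattern checks.
# A real deployment would load a full wordlist and the user's account data.
DICTIONARY = {"password", "wizard", "guru", "nimda", "secret", "summer", "dragon"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Number-words that the article's own examples turn into digits (assumed map).
NUMBER_WORDS = {"first": "1", "nineteen": "19"}


def derive_password(phrase, letters_per_word=1, suffix=""):
    """Turn a personal phrase into a password the way the article describes:
    keep the first one or two letters of each word, replace number-words and
    words tagged like "april(4)" with digits, then append an optional suffix
    (for example the user's age)."""
    parts = []
    for word in phrase.lower().split():
        tagged = re.fullmatch(r"([a-z']+)\((\d+)\)", word)
        if tagged:                      # "three(3)" -> "3"
            parts.append(tagged.group(2))
            continue
        word = word.strip(string.punctuation + "…")
        if not word:
            continue
        parts.append(NUMBER_WORDS.get(word, word[:letters_per_word]))
    return "".join(parts) + suffix


def _has_sequence(s, n=4):
    """True if s holds n characters that step by +1 or -1 in ASCII (1234,
    abcd, dcba) or sit side by side on a keyboard row (asdf, qwer)."""
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}) or any(chunk in r for r in rows):
            return True
    return False


def weak_password_reasons(pw, personal=(), min_len=8):
    """Return the article's rules that `pw` violates (empty list = it passes).
    `personal` holds strings that must not appear: user ID, names, hostname,
    phone number, birth dates, SSN fragments and so on."""
    reasons = []
    low = pw.lower()
    if not low.strip():
        return ["blank password"]
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if sum(c.isdigit() for c in pw[:8]) < 2:
        reasons.append("fewer than two digits in the first eight characters")
    if len(set(low)) == 1:
        reasons.append("all the same character")
    if _has_sequence(low):
        reasons.append("keyboard or alphabetic/numeric sequence")

    # The list bans a word spelled backwards and a word with a single digit
    # added in front or behind, so check every such variant, not just pw.
    variants = {low, low[::-1]}
    for v in list(variants):
        if len(v) > 1 and v[0].isdigit():
            variants.add(v[1:])
        if len(v) > 1 and v[-1].isdigit():
            variants.add(v[:-1])

    if any(v in DICTIONARY for v in variants):
        reasons.append("dictionary word (possibly reversed or with one digit added)")
    for item in (p.lower() for p in personal):
        # Items of 3+ characters are rejected even as a substring (e.g. part
        # of an SSN); shorter ones only on an exact or doubled match.
        if any(v == item or v == item * 2 or (len(item) >= 3 and item in v)
               for v in variants):
            reasons.append(f"contains personal information '{item}'")
    return reasons


if __name__ == "__main__":
    # Constructed personal details for the demo: user ID, pet, birth year.
    me = ("jsmith", "fido", "1975")
    candidates = [
        derive_password("My first dogs name was the best…", letters_per_word=2),
        derive_password("I love to drink Landshark Lager…", suffix="22"),
        derive_password("My Brother's Birthday Is april(4) Twenty Two Nineteen Sixty three(3)"),
        "password", "drowssap1", "fidofido", "asdfg", "jsmith1",
    ]
    for pw in candidates:
        problems = weak_password_reasons(pw, personal=me)
        print(f"{pw!r:18} {'OK' if not problems else '; '.join(problems)}")
```

Running it shows that the second and third examples from the article pass, while the first one (my1donawa…) is flagged by the two-digits-in-the-first-eight rule from the strong-password list; that is exactly the kind of slip an automated check catches and a reader skimming the rules does not.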
Protect your password from misuse
- Do not let anyone else know or use your password.
- For optimum security, don’t write your password down.
- Be aware of whether a password is sent securely across the Internet. URLs (Web addresses) that begin with "https://" rather than "http://" use an encrypted connection, so your password cannot easily be read by anyone watching the traffic between your browser and the site. Note that "https" only protects the password in transit; it says nothing about whether the site is the one you meant to reach, so also check that the address is correct before typing your password.
- If you suspect that someone else may know your current password, change your password immediately.
- Change your password periodically, even if it hasn’t been compromised.
- Don’t type your password while anyone is watching.
Be on the lookout for the next topic, Social Engineering, in The Security Pubs Security Awareness Series.