CISO Memo: 2011, “The Year of YOUR Password”

David Sherry

I’m sure many of you have been to a Chinese restaurant that has placemats describing which year it is (the year of the horse, the rabbit, etc.). I’m also confident that some of you have read or heard of a certain year being designated as “the year of” something or other. I’m proposing that we unofficially consider 2011 “the year of your password.” That’s right, your password.

In my line of work (and with relatives and friends), I continually hear complaints about passwords. Some ask why we need them. Others complain of having too many, or of cumbersome rules on creating them. In 2010 there was even a well-thought-out (and highly criticized) paper on whether passwords are even necessary. Have you ever had any of these thoughts?

Passwords are a foundational line of defense for keeping what you want (or need) to be private actually private. I know of many people who use weak passwords for non-critical access and stronger ones for more important areas. While this practice is widespread, ALL passwords are becoming more and more important, as our online lives gather more and more data about us, and breaches can often have downstream effects. 2010 witnessed some highly publicized compromises of passwords, including those that protected Gawker, Google, and others.

Password strength is important when creating any and all passwords. Always remember that you are attempting to defeat random guessing, password-cracking tools, and brute-force attempts to access an account. Strength is derived from randomness, length, and complexity. That is why the “cumbersome rules” are so often required. You may think that we put such rules in place simply to annoy end users, but I can attest that this is not the case.

As computing in general, and higher education in particular, come increasingly under federal mandates on protecting information, we will soon need a university policy that requires passwords to be changed within a specific timeframe. This will not only help us to comply with regulations that require it of us, but it will also help to keep the University and your individual accounts secure.

Brown’s email policy indicates that your password must be between eight and fourteen characters, contain both upper- and lower-case letters, and be alphanumeric. The complete policy and rules can be found in Brown’s Computing Passwords Policy.
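To make the strength argument above and the policy rules just listed concrete, here is an added example (my own illustration, not Brown’s published tooling) that checks a candidate password against the stated rules, shows how length and alphabet size set the work a brute-force guesser faces, and generates a random compliant password. It assumes that “alphanumeric” means the password must contain at least one letter and one digit.

```python
import math
import secrets
import string

# Rules as the memo states them for Brown's email password policy: 8 to 14
# characters, both upper and lower case, and alphanumeric. "Alphanumeric" is
# read here (an assumption) as "contains at least one letter and one digit".
MIN_LEN, MAX_LEN = 8, 14
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def policy_violations(password: str) -> list:
    """Return the rules a candidate password breaks; an empty list means it complies."""
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        violations.append("needs an upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("needs a lower-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("needs a digit")
    return violations


def search_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Work a brute-force guesser faces, in bits, for a random password of this length.

    Each extra character multiplies the search space by the alphabet size, which is
    why length contributes more than any single complexity rule on its own.
    """
    return length * math.log2(alphabet_size)


def random_compliant_password(length: int = MAX_LEN) -> str:
    """Generate a random password from the OS CSPRNG that satisfies the policy."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    while True:  # rejection sampling keeps the choice uniform over compliant strings
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Brown2011", random_compliant_password()):
        print(f"{pw!r}: {policy_violations(pw) or 'complies'}")
    for n in (MIN_LEN, MAX_LEN):
        print(f"{n} chars from {len(ALPHABET)} symbols: {search_space_bits(n):.1f} bits")
```

Note that a password can satisfy every rule and still be weak if it is predictable (a word plus a year, for instance), which is why the generator draws from a cryptographic random source rather than leaving the choice to habit.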

For now, the policy also strongly recommends that passwords be changed every six months. When was the last time you changed yours? Wouldn’t the turn of a new year be a good time to change it? For some guidance in this area, please visit the ISG page on strong passwords.

So, we have waved goodbye to 2010 and welcomed in 2011. Do you have big plans for the coming year? Some resolutions, perhaps? Whether you do or not, why not make this year the year of YOUR password? Start the year off strongly and securely.