By Thomas Timmermann • Mar 17, 2017

How to secure company IT with simple password rules

Passwords are annoying. The more complex they are, the greater the effort to memorize and enter them. As an administrator, you are responsible for the IT security in your organization - and secure user passwords are an essential component. This is where you become an "educator": Help your users with a simple strategy to create secure passwords.

  • Password length
    The length of the passwords will be different. Some systems require a minimum number of characters, while others limit the password length. Therefore, develop a method that allows you to create both short and long passwords.
  • Password changes
    Some systems require the password to be changed regularly.
  • Password repetitions
    Some systems do not allow you to re-use passwords that have already been used when changing the password.
  • New requirements
    Many systems tighten the security requirements for passwords. Where 123456 might have worked two years ago, you must now use at least eight characters, including special characters, uppercase and lowercase, and numbers.
  • International keyboards
    Have you ever tried to enter umlauts on an American keyboard? If you select special characters, restrict yourself to characters such as @ ^% & # etc. which are common internationally.

The "secure password" method

Good passwords consist of a combination of characters in uppercase and lowercase, numbers and special characters. Never use "real" words. A general recommendation is to think up a sentence and use the first letters of each word as a password. Letters and numbers can then be linked with + or &, for example. So special characters are entered into the password in a simple and noticeable way.

Example: "My name is Donald and I'm 70 years old" becomes MniDaI+70+yo

This give us a single strong password. But since one password is not enough, we need a method to adapt this password to different systems or platforms. For example, there would be an option to include the systems in the password by prefixing with a variable and separating it with a second special character from the rest of the password:

Wo-MniDaI+70+yo (Work)

Am-MniDaI+70+yo (Amazon)

Tw-MniDaI+70+yo (Twitter)

If you need to change the domain password every half year, add the corresponding half-year:

Wo-MniDaI+70+yo-201701 

Now we have a 22-character password, which can be learned over time, but it is quite long and complicated to type. So let’s simplify the whole thing. We keep the first variable Wo (work). We can replace the initial letters of our sentence with a real word: with the set of special characters and numbers that doesn’t create any big risks. Let's take Donald and let the numbers and special characters:

Wo-Donald+70-201701

Still 19 characters, but much easier to remember and type. If the password is still too long, take Don instead of Donald. Or D. You now have 14 characters, including various numbers, special characters, and upper / lower case:

Wo-D+70-201701

The Human Factor

You should never compromise on the password rules: numbers, special characters, uppercase and lowercase characters must always be included. But help your users: Everyone has their own logic, not every method works for everyone. Do not insist on adhering to a certain system, but help your colleagues develop the best and most comprehensible method for them. Don't forget: They're humans   ;)

For example, I sometimes have the problem that I’ve forgotten my password and the website insists on a new password that I’ve never used before. So, I can’t follow my current method, because I’ve already used a password from that method for this website. I haven’t found a good solution for this issue yet. Adding the year or date doesn’t work. Versioning doesn’t help either: “Was it V2 or V3?”. If you have a good suggestion on how to solve this, please write to me – I’d be much obliged!