One issue that organizations often ask us about with exasperation is passwords: that necessary headache that everyone has a different way of managing badly.
How do you manage them?
Do you have a text document where they’re all listed?
Do you keep a hard copy in the tank of your toilet?
(These three questions usually come one right after another.) The truth of the matter is that having an “easy way to remember and manage passwords” goes against the very nature of the password. The best passwords are unintelligible gobbledygook full of letters, numbers, symbols and LOLcats.
Password Management Tools
The majority of these tools work by storing your complicated passwords for a variety of web sites and programs so that you don’t have to remember them. You then make a master password to access the password manager and thus all of your passwords. This comes with the obvious caveats:
- What if someone gets access to my master password?
- How do I make it work for more than one person?
- What happens if I’m not on my usual computer where my password manager is installed?
- What if I’m in a coma and someone needs to access our accounts at work?
I mean, if you’re in a coma, you’ve got bigger problems to deal with, but you get the idea. These password management tools are not without their security holes.
Rule-Based Password Management
Another management technique that we usually recommend organizations follow is rule-based password management. Basically, you come up with a rule that dictates what the password will be for each site or account you use. The rule can be anything you want, as long as you can remember it. Let’s look at an example:
In this case, we pick a symbol, any symbol. Let’s say %. The Variable is the part that changes based on what you’re setting the password for. Let’s say our variable is the root URL without .com or www. So if I were setting a password for an account on www.google.com, our variable would be google. The Root is another word, number or phrase that doesn’t change. Let’s say our Root is chicken17. Using this method, when signing up for an account on Google, our password would be:
If we were signing up for an Aol account (stop laughing, some people still do):
The password is different each time, but all we have to do is remember the rule.
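As an added example (not code from the original post), here is the rule above written out as a small Python function. It assumes the pieces are joined in the order Symbol, Variable, Root, and it pins down the one detail the prose leaves open: exactly how an address is reduced to the variable, so that everyone in the organization derives the same password from the same rule.

```python
from urllib.parse import urlparse

# Constructed values taken from the post's example.
SYMBOL = "%"
ROOT = "chicken17"


def site_variable(url: str) -> str:
    """Derive the per-site variable: the host name without a leading
    'www.' and without a trailing '.com', as the post describes.

    Assumption: subdomains other than 'www' are kept (so
    'mail.google.com' becomes 'mail.google'); the post does not say.
    """
    # Accept both bare hosts ("www.google.com") and full URLs.
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[len("www."):]
    if host.endswith(".com"):
        host = host[: -len(".com")]
    return host


def rule_password(url: str, symbol: str = SYMBOL, root: str = ROOT) -> str:
    """Apply the rule: Symbol + Variable + Root (ordering is an assumption).

    Passing a different `root` is the rotation the post describes:
    change the Root and every derived password changes with it.
    """
    return f"{symbol}{site_variable(url)}{root}"


if __name__ == "__main__":
    for site in ("www.google.com", "https://www.aol.com/mail"):
        print(site, "->", rule_password(site))
```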
This is an easy way for organizations to manage the different passwords across different accounts. If everyone knows the rule (or those who need to know *evil laugh*), passwords don’t need to be stored, because they’ll follow the rule. Also, your passwords are not tied to a specific program installed on a specific browser or computer, so they remain rememberable outside of your natural computer habitat. Organizations can then regularly change the root or the variable convention to increase the security of accounts, getting rid of stale passwords that may have been compromised (are you imagining you’re in 24 yet?).
Lastly, if you insist on keeping your passwords in a text document chilling on your computer desktop, do me a solid and at least split up the files so that the user names are in a separate file from the passwords. Thanks.