The biggest single preventable IT problem that my clients seem to encounter is lost, forgotten, or mis-remembered passwords
I know it wasn’t long ago – see this blog on passwords – that I recommended writing down all passwords – manually – in one place. OK, I can see the obvious flaw in this advice. However, the practical reality, in my experience as an IT Support Consultant, is that almost everyone needs some simple but rigid discipline to ensure that they can always find any of their passwords.
So why am I bringing it up yet again? Because some online organisations have started taking it upon themselves to force us to change our passwords before allowing us into our accounts. I think I’ve seen it with Apple in the last few weeks and I encountered it with the Dropbox website recently. With Dropbox you can simply re-use the same password (which defeats their aims of improving your security), but with Apple you can’t re-use one that’s been used in the last year.
This development adds a further layer to the complexity and frustration caused by online passwords. Being forced to change a password before you can carry on with what you were doing is just going to increase the likelihood that you will invent a variation of the existing password, fail to write it down, and then get locked out the next time you try to access that account.
I’ve been trying to think of a way to make changing passwords easier – e.g. add 2 digits to the existing password that represent the month it was changed. The problem is, of course, that when you come to enter the password you won’t necessarily know when it was last changed, so you won’t know what the current password is. It’s also true to say, of course, that any method that makes it easier for you to remember your own passwords makes it easier for someone else to crack them.
I don’t often see written advice on this subject. My guess is that anyone who is going to commit themselves in writing on the subject feels the need to be seen as “responsible” – hence all the common advice:
- Passwords for all accounts should be unique.
- Make passwords at least fifteen characters long.
- Change them every month.
- Never re-use them.
- Always use a mixture of upper and lower case letters, figures, and special characters.
The only secure and comprehensive solution that I know of is to use password manager software. I’ve been using this approach myself for ten years or so. The reason I’ve not routinely passed it on to my clients is that its security depends on being absolutely certain that you have access to a working copy of the password program and backups of the data files. Frankly, a lot of people’s backup regimes are not rigorous enough for me to recommend that they put all their eggs in one basket by relying on a password manager.
However, this latest development (forcing password changes on us) has finally convinced me that it’s time to create a practical solution for my clients, consisting of recommended software, installation and training. The solution will need the following features:
- Installation and training of a recommended password manager.
- Installation and training in multi-level backup procedures to virtually eliminate the chances of losing the data file (data backups are always, ultimately, the user’s responsibility).
- Ability to access the same password data whether you are currently using your Windows PC, iOS device (iPhone or iPad), Android device, or Mac.
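The weak link described above is the password manager’s data file: lose it and you lose everything. As an added illustration (my own example, not part of any particular password manager, and with a hypothetical file name and locations), here is a small check that compares every backup copy against the live vault file by SHA-256 and tells you whether enough independent, up-to-date copies exist:

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_backups(primary: bytes, backups: Dict[str, Optional[bytes]], min_copies: int = 2) -> dict:
    """Check that enough backup copies match the live vault file.

    primary - bytes of the vault file the password manager is using now
    backups - location label -> bytes of the copy found there (None = missing)
    Returns which copies match, which are stale, corrupt or missing, and
    whether at least `min_copies` backups are identical to the live file.
    """
    reference = sha256_of(primary)
    matching = sorted(label for label, data in backups.items()
                      if data is not None and sha256_of(data) == reference)
    stale = sorted(label for label in backups if label not in matching)
    return {"matching": matching, "stale": stale, "ok": len(matching) >= min_copies}


def audit_backup_files(primary_path: str, backup_paths: Dict[str, str], min_copies: int = 2) -> dict:
    """Same check, reading the copies from disk; a missing file counts as stale."""
    with open(primary_path, "rb") as f:
        primary = f.read()
    backups: Dict[str, Optional[bytes]] = {}
    for label, path in backup_paths.items():
        if os.path.exists(path):
            with open(path, "rb") as f:
                backups[label] = f.read()
        else:
            backups[label] = None
    return audit_backups(primary, backups, min_copies)


if __name__ == "__main__":
    # Constructed demo: live vault on the PC, a current copy on a USB stick,
    # an out-of-date copy in a cloud folder, and a copy missing from a second drive.
    with tempfile.TemporaryDirectory() as tmp:
        vault = os.path.join(tmp, "vault.dat")        # hypothetical file name
        usb = os.path.join(tmp, "usb_vault.dat")
        cloud = os.path.join(tmp, "cloud_vault.dat")
        for path, content in [(vault, b"vault-v2"), (usb, b"vault-v2"), (cloud, b"vault-v1")]:
            with open(path, "wb") as f:
                f.write(content)
        copies = {"usb": usb, "cloud": cloud, "drive2": os.path.join(tmp, "missing.dat")}
        print(audit_backup_files(vault, copies))
        # -> {'matching': ['usb'], 'stale': ['cloud', 'drive2'], 'ok': False}
```

Run it after each backup cycle; an `ok` of False means fewer than two backups are identical to the file the password manager is actually using, which is exactly the situation that leaves someone locked out of everything at once.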
I know the software to use, as I’ve been using the specific software myself for at least six months and other software from the same company for at least five years. At this stage I’m not sure how long the installation and training of such a package will take, but I hope it can be done in a single session of, say, a couple of hours. I’ll be aiming for simplicity and flexibility rather than sophistication. Please do let me know if you are interested.