Peter picked a perfect password

 

We always suggest that user accounts are protected by passwords and that these passwords conform to the following specification: 

  • Contain a minimum of 1 character from at least 3 of the following groups:
    • Uppercase letters (A, B, C … Z)
    • Lowercase letters (a, b, c … z)
    • Numbers (0, 1, 2 … 9)
    • Special characters such as (!"£$%^&*()_+-=}{][@:';?><,./)
  • Are at least 7 characters in length
  • Do not contain the username
  • Are not re-used
  • Are changed periodically
  • Are not shared – keep your password to yourself!

We always suggest that your server is configured to require complex passwords (as above) with a lifespan of 42 days and no repetition within 24 changes.
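The specification above can be written as a checker that reports every rule a candidate password breaks. This is an added example, not code from the original page; the function names and the salted PBKDF2 history store are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 7          # "at least 7 characters in length"
MIN_CLASSES = 3         # at least 3 of the 4 character groups
HISTORY_DEPTH = 24      # "no repetition within 24 changes"


def _hash(password, salt):
    # Assumption: old passwords are kept only as salted PBKDF2 digests.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(password):
    """Return a (salt, digest) history entry for a password being retired."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def violations(password, username, history=()):
    """List every rule of the specification that the candidate breaks."""
    found = []
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        # Anything that is not a letter, digit or whitespace counts as special.
        any(not c.isalnum() and not c.isspace() for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        found.append("fewer than 3 character groups")
    if len(password) < MIN_LENGTH:
        found.append("shorter than 7 characters")
    if username and username.lower() in password.lower():
        found.append("contains the username")
    # Only the most recent 24 entries count towards the re-use rule.
    recent = list(history)[-HISTORY_DEPTH:]
    if any(hmac.compare_digest(_hash(password, s), d) for s, d in recent):
        found.append("re-used within the last 24 changes")
    return found
```

The 42-day lifespan is not checked here because it depends on when the password was last set, which the server records separately.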

How to create a strong password 

Strong passwords do not need to be difficult to remember – in fact, a password that is difficult to remember will often end up being written down, which immediately makes it the weakest password of them all!

Most companies choose to use passwords such as December05 or Summer87; these meet the criteria for a strong password and for 99% of users they provide all the security that is required. However, critical passwords (such as the password for an administrative account) need to be more substantial. This is how we go about creating a highly secure password:

  • Think of a phrase that you can easily remember - if your company has a slogan that is a good starting point
  • Add a minimum of 1 number if none exist within the password
  • Take the 1st letter from each word
  • Add a minimum of 1 special character if none exist within the password

Examples:

  • “We are in the EC4 area” could become WaitEC4a?
  • “You will take 10 years to guess this” could become Ywt10ytgt!
  • "Don't drown in IT problems" could be Ddiip=03 as we started the company in 2003 - but don't worry, we don't actually use that one :)

Unlike other passwords, these passwords are not changed frequently; every 6 months or so is fine. Nobody will be logging into the administrator account regularly, so a password that takes time to remember and enter is not a drawback.

In addition to this, there are other tricks that we use, such as substitution (i=1, e=3, a=@, s=5) and capitalising compound words (Password/PassWord). Another trick is to move the last character of the password to the beginning, particularly if it is the only special character. For example, our WaitEC4a? password would become ?WaitEC4a using this method.

The administrative password should be known by very, very few – ideally no more than 2 or 3 people. We recommend that you do not send this password by email or write it down on a scrap of paper. Instead, we suggest that the password and any subsequent changes are distributed by text message.

 

 

 Telephone 01702 430649 / 0845 2255795  /  Fax: 0871 4337940  /  Skype: ITLifeguard  /  Email: Admin@itlifeguard.com