Sitting at work today and I hear the team in the other room talking about passwords.
It’s all the things we’ve heard before: people confused about what is a good idea, what’s a terrible idea, and what’s a reasonable level of security.
This is a mixed-bag discussion and I’m always willing to discuss these points; please let me know your thoughts below.
Following on from our discussion today, here’s a rundown of the password policy. I’m including Alex and Nicole because we’re going to be publishing these tips soon.
Only have two InterExchange Passwords
- Gmail and your computer
- Every other website you use
Memorable sentences, with simple character substitution
- The Penguin Eats Icecream on The Boardwalk => ThePengu1nEats1cecreamOnTheBoardwalk
If you must, write the password down somewhere physically removed from your office. Your wallet is an alright choice, just remember if your wallet gets stolen you also need to do a password refresh when you’re calling your credit card company.
It’s even better if you can just remember it and literally destroy it once you have. Literally (preferably with fire).
Never reuse your InterExchange password for personal things, not ever. This creates an alternative attack route for others and just increases the complexity of refreshing things if something goes wrong.
Never give your password to anyone, ever, under any circumstances. You’re literally saying “Hey, feel free to do whatever you want and I’ll take the fall for it”; even if they’re a nice person, their problems become your problem.
Never give your password to anyone (I know I’m repeating myself). If a service ever asks for your password over the phone, or even worse emails you a copy of your password*, treat them as a bad website: use a unique password for them, and change that old password everywhere.
Never give your password to anyone (I’m really serious). If you feel you have to, call me in and I’ll talk you through it; there will be a solution other than giving your password to someone.
On bad websites (like the one above), don’t even give them a real password. My favorite thing to do here is to create a string of random words that I don’t try to remember. The next time I go there it is impossible to remember what the password is (because I don’t trust them with passwords), so I just do a password reset.
Your inbox is you: if this is compromised, everything is compromised. You can see where your account is signed in from the Google account device security page.
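As an added illustration (not part of the original email), the two password recipes above in code: the memorable-sentence rule (capitalise each word, drop the spaces, swap a few characters) generalised from the single Penguin example, and the throwaway random-word string for sites you don’t trust. The substitution table, the tiny word list and the entropy helper are my assumptions for the example; a real word list would be in the thousands of words, and the entropy figure only reflects the list size and word count, nothing about the site.

```python
import math
import secrets

# Assumed substitution table, reconstructed from the page's one example
# (i -> 1, applied regardless of case). Extend as you like; the shape of the
# rule is what matters here.
SUBSTITUTIONS = {"i": "1"}

# Constructed sample word list for the throwaway-password recipe. A real one
# would be a large dictionary file; this is just enough to run the example.
WORDLIST = [
    "penguin", "boardwalk", "icecream", "lantern", "ferry", "compass",
    "meadow", "anchor", "teapot", "saddle", "orchard", "quartz",
    "violin", "harbor", "pepper", "blanket",
]


def sentence_to_password(sentence: str, subs=SUBSTITUTIONS) -> str:
    """Memorable sentence -> password.

    Capitalise the first letter of every word, join them with no spaces,
    then apply the simple character substitution table.
    """
    joined = "".join(word[:1].upper() + word[1:] for word in sentence.split())
    return "".join(subs.get(ch.lower(), ch) for ch in joined)


def throwaway_password(n_words: int = 5, wordlist=WORDLIST) -> str:
    """Random words you never try to remember, for a site you don't trust.

    Uses the `secrets` module rather than `random` so the choice is not
    predictable; the next visit is handled by a password reset, as the page
    describes.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Bits of entropy in n uniformly chosen words from a list of that size."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(sentence_to_password("The Penguin Eats Icecream on The Boardwalk"))
    print(throwaway_password())
    print(f"{entropy_bits(5, len(WORDLIST)):.1f} bits from this toy list, "
          f"{entropy_bits(5, 2048):.1f} bits from a 2048-word list")
```

The throwaway string is deliberately generated with `secrets` and never stored, which is the point of that recipe: there is nothing to remember and nothing to reuse elsewhere.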
Refresh your passwords any time you have a gut feeling that maybe your password has been compromised.
* Originally this read “… you a copy of your website”, I sent a follow up email clarifying that sentence.