Password Security Guide – Security Guide – Steve Schmidt

Advice for choosing and using passwords.

Passwords are the keys to the kingdom...
Choose them carefully and guard them wisely!

Some critical passwords require the strongest protection.

• Passwords such as these:
  • Your Windows login password.
  • The BitLocker password used to startup your computer.
  • Your email account password.
  • Financial services website passwords and PINs.
  • The startup and lock screen PINs for your cellphone and tablet.
• Memorize these few critical passwords!
• Any of these passwords can be changed if you have forgotten them.
• Don’t let your Web browser save any of these critical passwords.
• Only write them down if you can store them in a safe!
  • Never store the purpose of these passwords with the passwords themselves.

Other passwords can be handled differently.

• You can allow your Web browser to save less important passwords.
• It’s also okay to record them in documents stored on your computer.
  • Use a separate text file or Word document to store each password. For example:
    • File named:
      2022-03-25 Substack.com Password.txt
    • File contents:

      Website: czmyt.substack.com
      Username: czmyt
      Email: steve@czmyt.com
      Password: 4R6h!S(%xk
      Security Q&A: First pet? furlong seattle
      

• Don’t store them within email messages.
• It’s not worth recording some less important passwords because they can be changed easily if your Web browser forgets them.

Choose good passwords!

• For critical passwords:
  • Choose four random words: pick them from a dictionary or thesaurus, not things that you see around you.
  • If the system has special rules, use the four random words plus the same number, symbol and pattern of capitalization.
  • Never use your birth-year, names of family members, or anything that relates to the company or you personally.
• For less important passwords:
  • Choose 10 random characters: open a blank text file or Word document, don’t look directly at your keyboard, then type 10 random characters, some while holding down the shift key.
  • Copy and paste that new random password into the Web browser password field.

Don’t reuse passwords!

• Never use the same password or PIN more than once for anything.
• Never use a simple variation of a previous password.

If one account gets hacked, your other accounts should remain safe.

Treat password recovery questions and answers as if they themselves are passwords.

• Never use the same security answer more than once for anything. They’re subject to being hacked just like passwords.
• Never use real info for security answers and especially not publicly-available info.
• Write down your security questions and answers in case you need them to recover forgotten passwords.

Don’t share passwords with your coworkers.

• If we need your password, the request will come directly from a technology staff member or senior management.
• You should change your password when we tell you we’re finished needing it.
• Don’t share passwords with outside technology support unless it’s okayed directly by internal technology staff or senior management.
• Make sure to change any passwords that were shared with outside technology support when their help is over.

Don’t let people see you type your passwords.

• Consider not using your work laptop computer in public places.
• Use your smartphone or tablet instead if you can.
• If you have to type passwords in a public place, drape your jacket over your head and computer to make a cone of privacy. It’s geeky but effective.
• Be careful of people peering in through windows to watch you type.

Change your password if someone finds it out.

• Change it as soon as you can get to a private place.
• Contact a technology staff member if you can’t change it quickly.

Change temporary passwords.

• When you receive temporary passwords, change them immediately.
• Contact a technology staff member if you have problems with password changes.
  • Don’t give up and continue using temporary passwords.

Don’t send passwords via email.

• … nor via cellphone text message.
• Avoid mentioning them over the phone when possible.
• When exchanging any passwords with authorized staff members, whisper to them in person, or use a secure smartphone app like Signal Private Messenger (for Android) or Signal (for iPhone).

Don’t use password manager programs or services to store your passwords.

• Many of these password managers have an online component that has been hacked in the past. And they will be hacked again in the future!
• If you allow your Web browser to remember passwords, never sign into the website associated with your Web browser.
  • For example, if you use Google Chrome, DO NOT sign in to Chrome using your Google account because that will send all your passwords to Google!

Review

• Some critical passwords require the strongest protection.
• Other passwords can be handled differently.
• Choose good passwords!
• Don’t ever reuse passwords!
• Use fake info for password recovery questions.
• Don’t share passwords with your coworkers.
• Don’t let people see you type your passwords.
• Change your password if someone finds it out.
• Change temporary passwords.
• Don’t send passwords via email.
• Don’t use password manager programs or services to store your passwords.

Next topic: Email Security Tips

Public domain (Un)License incorporated herein.