​

ORGANIZATIONS CAN potentially face strict regulatory fines for leaking sensitive data. In many cases, the key to such data is a password created by employees. The trouble is, few companies teach employees how to make passwords strong.

That’s according to Joe Popinski, director of network security consulting at IEDynetics, a high-tech consulting firm in Huntsville, Alabama. Popinski gave a presentation on password practices at the Computer Security Institute 2007 conference in Arlington, Virginia.

IT and human resources departments should work together to develop ways of teaching staff about strong password practices and of constantly reminding them about the importance of following them for the company, says Popinski. In terms of creating passwords, some key points are to avoid writing them down and to aim to use as many different kinds of characters as possible, “which can make them much less vulnerable to password cracking programs,” he explains.

One problem is that people already have too many passwords to remember. While average users have between five and nine, an IT professional might have 30, Popinski says.

Fortunately, there are many tricks to make passwords both strong and memorable, and Popinski shared a few. One is to think of a memorable phrase that combines upper and lower case letters, numbers, and special characters. “If your favorite show is Judge Judy, you could make it JudgeJudy@4:00pm.” Another technique is to take the first letter of each of the words of a favorite poem or novel passage. A substitute process can then be added. “Like ‘1’ for ‘I,” the letter ‘o” for zero, and a dollar sign for the letter ‘s’… Passwords like these can be 30 characters long and also look really random.”