Password Perils
For most organisations with a large user base, enforcing password compliance can seem like an arduous task for the IT security team. The strange thing, though, is that our lives are already full of secrets like passwords and other such codes.
In his excellent book on passwords, Mark Burnett describes how intricate they are to our modern way of living and doing business. “We need them to withdraw money from an ATM or to connect to our online banking account. We use them to authorise financial transactions and to buy and sell items on the Internet,” he observed. In fact the list could go on, and this is indeed one of the biggest challenges: humans are just not that good at carrying around so many passwords, and therefore we tend not to stray from simple variations of a theme. “When it comes to passwords, we just aren’t that clever… superman12, superman23, superman95, wonderwoman.” So just what are the best ways to enforce user compliance with a password policy?
Password policies have become harder to enforce as more and more passwords enter our lives. The more we depend on computerised systems, the more we should expect users to reuse the passwords they are expected to know. This reuse of passwords will expose serious vulnerabilities. Recognising this problem allows an organisation to move to a managed system using strong two-factor authentication, like the RSA SecurID token, to authenticate onto protected systems, but is this enough? Well, the worrying thing is, probably not. We still have the human factor, most likely the weakest link in the security chain. Managers could still give their SecurID fob to their assistant and tell them the PIN. A key logger could capture the PIN and the SecurID fob could then be stolen; in the worst-case scenario, what if the PIN is written on the reverse of the SecurID fob?
On a return trip from America recently I arrived at the airport and entered the immigration hall at Heathrow London. There were long queues as a lot of flights had just arrived. However, I smiled and walked up to the Iris Recognition Immigration System (IRIS) booth that had no queue. I entered the booth and, following instructions, had both my eyes scanned; less than ten seconds later I was back in the UK. There was no human involvement and no password presentation, just the science of biometric security at work and the quality assurance of the UK immigration service in establishing my identity before allowing me to register. But this is no panacea to our security needs. Rasool Azari highlights in his book, Current Security Management & Ethical Issues Of Information Technology, "There is a temporal aspect to biometric data." A measurement of a physical characteristic taken at a particular time provides a correspondence between that data and an individual. However, the physical characteristic may quite naturally develop or change over time, and future comparisons with that measurement may not match. Future security models will also need policies and procedures to make sure they stay relevant. This has indeed already been built into the UK Immigration IRIS service: my eyes are only valid until 2011 and then I need to re-register myself and my eyes.
No matter what paradigm of security model we operate within, due diligence, enforcement and quality assurance should remain at the top of the agenda for security engineers and IT managers. Whatever we do, we need to observe these wise words: “Passwords are like toothbrushes; they should never be shared and changed on a regular basis!”
CHOOSING A STRONG PASSWORD
1. SIZE MATTERS
Some sites put restrictions on password length, but whenever possible try to choose the longest password you feel comfortable remembering.
2. TYPE A SENTENCE
If the keyboard pattern doesn't work for you, try using a short sentence. Instead of spaces between the words, insert symbols and numbers. It's not quite as secure, but it sure beats "password1." Bonus points for typing the sentence backwards.
3. DON'T RELY ON THE DICTIONARY
Using a word may make your password easy to remember, but it also makes it vulnerable to a dictionary attack. A dictionary attack is one where a hacker attempts to break your password by throwing every word in the dictionary at your account. Making up your own word, or using a random series of letters and digits, are two of the options.
4. USE NUMBERS, CAPITAL LETTERS AND SYMBOLS
Again, the less human readable the password, the greater the chances no one is ever going to guess it. Throwing a bit of cartoon swearing, like @#$@$%#, into your passwords will make them more difficult to guess.
5. USE A PASSWORD MANAGER FOR WEBSITES
Applications like 1Password for the Mac, or KeePass or Roboform for Windows, can create and manage strong passwords for you. One of the key features in all of them is the ability to generate random passwords for websites. That means you can have a very long, totally random password that you don't need to remember. The only catch is that, if you use multiple PCs, you'll need to sync your password manager.
6. HELP FROM THE KEYBOARD
Want a random password for optimum security, but can't memorize things? Look at your keyboard and find a pattern. For example, type straight up from the b key: "bgt5," and then back down from the 6: "6yhn." Throw a made-up word in the middle, complete with capital letters and a few symbols, and you've got a password no one is likely to guess (unless they've read this article too).
7. USE THE INITIAL LETTERS FROM A SENTENCE
Start with a sentence like: "I don't want to wait for access". Then shorten it to just the first character of each word and turn "to" into 2, "s" into 5, etc. That makes the above sentence into this garbage-looking password: "1dw2wfa", but easily remembered by you.
You can also use a line in a song, possibly from the more obscure (and / or embarrassing) reaches of your musical tastes. After a while you may find the song just pops into your head when you see a site's login or front page. For example: 1c1nm0ydAmp5tf2B&W. I can't light no more of your darkness...! Just don't hum it as you log in!
—Richard Gough is a Chartered IT Professional and a Fellow of BCS, The Chartered Institute For IT.