Not A Political Post (Really!)

“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” 

– Benjamin Franklin

Franklin was a technologist. He was the Steve Jobs of his day, creating innovative tools that people didn’t know they needed until they got them. Things like bifocal glasses, improved stoves, electricity. (Okay, that last one is probably suspect.) He was also, of course, one of country’s our founding fathers. He was asked when coming out of the Constitutional Convention,

Well, Doctor, what have we got, a republic or a monarchy?

A republic, if you can keep it. 

With a slight tweak, Franklin’s quote on liberty can be applied to Information Technology, specifically security.

Those who would give up essential security to purchase a little temporary accessibility, deserve neither security nor accessibility. 

Okay, it’s not going to stick in anyone’s memory, but still it’s a good point. Computer system security is a constant trade-off between ease-of-use and securing systems. Think about your password. You probably picked something memorable. Does your company have a password policy? Most are something like this:

• Must be at least 8 characters long (longer passwords are harder to guess, but interestingly also easier to crack in some ways
• Must include a combination of letters, numbers, special characters and at least one capital and one lower case letter
• Cannot match any of your previous passwords (Typically the last 25)
• Cannot be changed more than once every three days
• Will lock you out if you get it wrong three times in a row
• Cannot include numbers or letters in sequence (123 or ABC for example)
• Cannot include any part of your name or userid
• Cannot be a word found in the dictionary
• Must be changed regularly (Typically every 30 or 90 days)

These rules are important. They are designed to prevent someone else from accessing your company resources. Unfortunately, get too strict on your password policy and you prevent the people who need access to the system from getting in. We all know that you shouldn’t write your password down. And yet, if your password were 

hY4#bnfq&Ilio0z

let’s face it, you are going to write it down. Your need for accessibility trumps your company’s desire for security. And the danger for the company is that they lose both. Users cannot easily get into the system, but because they write their passwords down, they also make it possible for hackers to get in. 

The solution is a balance, of course. And there are entire IT disciplines devoted to finding the right balance and implementing it. I’m not going to go into the details of a robust security policy. However, I’ll share a couple of hacks that might make your life just a little easier. 

Write it Down

Let’s suppose you just absolutely must write down a password, or a credit card number or a social security number? Never happens, you say? I was talking to my friend Dave when his neighbor wandered over. The neighbor was a mortgage agent. I was thinking about buying a house, but wasn’t sure my credit was good enough. He offered to check my credit score for me, but he needed my social security number. He’s not going to remember it. I didn’t have a phone. So, I wrote it down

3449073641387

You might think that is too many numbers. You’re right. I wrote that out and then told him, ignore the first two and the last two numbers. If that paper gets into someone else’s hands, It’s worthless to them. You can do the same thing with passwords, or bank account numbers or birthdays. 

Keep The Same Password

I have the same password that I’ve had for ages. And yet, it meets my company password policies. My password has a pattern like this

Fredwasabear22

Each time I have to update my password, I add aad one to the number at the end. If I am logging into a system I haven’t used in a while and my password doesn’t work, I just start rolling back the numbers that I try

• Fredwasabear21
• Fredwasabear20
• Fredwasabear19

Next time I have to change my password, My password will be Fredwasabear23. 

Ah, but suppose your company won’t let you add numbers? 

• Fredwasabeartwenty-two
• Fredwasabeartwenty-three

I think Mr Franklin would agree. It makes it acessible for me and secure for my company. Just make sure you don’t tell anyone your. . .oops. 

Please don’t tell anyone about this. 

Rodney M Bliss is an author, columnist and IT Consultant. His blog updates every weekday. He lives in Pleasant Grove, UT with his lovely wife, thirteen children and grandchildren. 

Follow him on
Twitter (@rodneymbliss) 
Facebook (www.facebook.com/rbliss) 
LinkedIn (www.LinkedIn.com/in/rbliss)
or email him at rbliss at msn dot com

(c) 2016 Rodney M Bliss, all rights reserved