While most agency employees welcome the benefits of modern technology, the passwords needed to gain access to it are reflexively viewed as a nuisance, the workplace equivalent of tossing a quarter into a toll booth. We're accustomed to convenience, and it's easy to forget the damage a security breach can wreak on an agency and its customers.

It's essential that your staff understand that the most common reason for successful computer attacks is poorly chosen passwords. A single bad password can allow a "cracker" (the new slang for hackers who specialize in breaching network security) to not only compromise the performance of your network but also put your clients' private data at risk.What makes a password poor?Your procedures for handling your house keys illustrate the importance of passwords. Would you scatter house keys around your neighborhood–along with directions to where you live? Needless to say, you would never consider such a thing. But having a poorly chosen password is much like losing control over your house keys.Just like keys, passwords have two functions: making access as easy as possible for you and as difficult as possible for anyone else. The more predictable the password, the greater the chance that a cracker will gain unauthorized access to your network. The more difficult the password is to remember, the greater the chance that an employee will write it down and leave it "under the mat," where a cracker can readily find it.Here are some "don'ts" when deciding on a password:Don't share a password with someone else. Passwords should belong to one user, and one user only. Never tell anyone your password. No exceptions! The same rule applies if your agency is large enough to have a system administrator or IT person. These personnel have access to the server and can perform all their duties with their own logins.Don't use a dictionary word. If it's possible to find the word you choose as a password anywhere on the Internet–such as in a dictionary–it's possible to get into your system. Crackers are very skillful at creating programs that sniff out poor passwords. These programs search for dictionary words in any language, so you're not safe by using Korean or Chinese or even some entirely obscure language.Don't use your computer system's user name or the user name of anyone on the system. Also, users often try to simplify passwords by using the same one for all applications, such as for your agency management system and company sites. While it's important to choose easy-to-remember passwords, using the same one means that once a cracker has found his way in, he's in for everything.Don't use a password based on anything that can be found out about you. Even skillful users of technology can lose sight of how much information is readily available on the Internet. Avoid using passwords based on people, places and things in your personal life, such as your home address, birthday, kids' names and birthdays, license plate number, Social Security number, phone number, the first line of your favorite song, your favorite quotation, etc. You may think that your personal information is private, but always remember that you give information to most of the Web sites you visit.Don't use common passwords. You may think you've hit upon an original technique for choosing a password, but first see if it's included in this list below. There are many ideas that are surprisingly common:o Movie or song titles.o Passwords composed of all digits or all letters.o The host name of your computer.o Clever-seeming "magic words" from computer games (e.g., xyzzy) .o Simple keyboard patterns like qwerty.o Any of the above spelled backwards.o A password you've used before.Other commonly used passwords include God, love, sex, money, abc, baseball, football, iloveyou, myspace, monkey, princess, soccer, superman and 123456. If it's a password that you can easily think of, so can a cracker.Choosing a good passwordWhen choosing a new password, remember that it's the only thing standing between your clients' personal data and a cracker using, selling or destroying it. Not only do you have a moral obligation to your client, but your agency also has a legal one. The failure to protect non-public information about your clients is a violation of privacy laws. (See my column in last month's issue.)To demonstrate your agency's commitment to protecting staff and clients, create password-selection standards for all employees to follow. Here's a simple two-step process for creating safe passwords:1. Create a sentence that can be easily remembered. For example:o I have two kids: Jack and Jill.o I like to eat Dave & Andy's ice cream.o No, the capital of Wisconsin isn't Cheeseopolis!2. Then make a password from the first letter of each word in the sentence, and include the punctuation marks as well. You can throw in extra punctuation or turn words expressing numbers into digits for variety. The above sentences would become:o Ih2k:JaJo IlteD&A'ico N,tcoWi'C!Also, consider the number and type of characters when choosing a password. Here are some additional guidelines:o The password must be at least seven or eight characters. Longer is better.o Use both uppercase and lowercase letters.o Use digits and/or punctuation signs in additional to numbers and letters: i.e., !@#$%^&*()_-+=[]{}:;'"|<>,.?/. (Some systems may restrict the use of some of these characters.)o Use blank spaces and control characters if your system allows it.o Substitute special characters for letters and numbers. Use "$" instead of an "S," or "1″ instead of an "I."Common concernsNever write down your password. If it's so complex that you need to write it down, choose another or devise a system for creating a password that's easy to remember. For example, your agency might establish that passwords will be created based on the following sentence: "My favorite vacation place is Hawaii." Each staff member would use his or her favorite vacation destination. Using the technique explained above, this password would be "mfvpih." For even greater security, employees could choose from a list of phrases.Changing passwords on a regular basis helps ensure a high level of security. In some workplaces, login passwords must be changed every 30 days. Whatever the interval, be careful not to use a predictable pattern, such as AxxxA / BxxxB / CxxxC, or janxxx / febxxx / marxxx.Don't store passwords on portable devices like laptops, smart phones or PDAs. Any device that can leave the agency can be lost or stolen. Losing control of passwords could mean that your agency is in violation of the Gramm-Leach-Bliley Privacy Act.Be careful how you dispose of such devices too. Unaware of the potential danger, an employee of a large corporation sold his cell phone on eBay. Shortly thereafter, the individual who bought the phone called the corporation and offered to sell it back because of the amount of private data that had been left on it.Software is available that can help your agency improve the quality of its passwords. Roboform is an excellent tool that remembers passwords and provides one-click logins. It offers the option to generate strong passwords and to secure them all with one master password. Proactive Password Auditor (PPA) is one of several password security test tools designed to allow Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Windows Vista-based system administrators to identify and close security holes in their networks. Microsoft Password Checker is a free product that assesses the strength of your password.As a rule, staff should not allow their computers to remember passwords. Current privacy laws require agencies to protect data from unauthorized access. PCs that store passwords could allow unauthorized individuals like repairmen to access client data.It's also important for agency employees to sign out of all applications when at lunch or away from their desks. This may be a nuisance, but privacy laws require this level of security and your clients deserve protection of their confidential information. One exception to this rule is an encrypted list of passwords stored in a password management tool like Roboform.A fundamental requirementPassword management does not require a lot of time and effort. A clear plan, consistently supported by management, will reduce stress and staff resistance. You can establish a sense of urgency and commitment by:o Taking time during staff meetings to discuss what is and is not a good password, and why managing passwords is so important.o Including password management as part of staff's performance review, so that compensation is affected by compliance with password policies.o Creating reminders that can be placed in work areas or around the agency. Use these signs to motivate and instruct staff about the importance of good password practices.o Including password standards and consequences for not meeting them in your employee handbook.As an owner or manager, demonstrating the importance of proper password use is your responsibility. Your agency is in the business of protecting your clients' financial future. Properly caring for passwords is a fundamental requirement for doing so.Ted Baker is the president of Advan-ced Automation, which for 17 years has offered agency consulting services addressing a variety of management and agency development issues. He also is an author and conference speaker. Ted can be reached at [email protected].