PINs, Passcodes and Passwords

Policy

Strong passwords should be used for access to any company accounts and services. We recommend creating passwords with a minimum of 16 characters and a combination of alphabetic, numeric and special characters.

Scope

This policy applies to all Lullabot employees and contractors.

Compliance

All employees and contractors are expected to create strong passwords for access to all Lullabot and client accounts.

Explanation and Implementation

The first layer of defense that we have for our online accounts is the PIN, passcode, or password. As such, it is extremely important to use good, unique passwords, and to keep them well protected. A good password consists of a fully random string, the longer the better. Contrary to popular belief, the inclusion of numbers, special characters, or mixed case does not matter nearly as much as the length of the password itself.

Because the human brain is not capable of remembering long random passwords, we need the help of some sort of tool, like a Password Manager.

Now that you are using one of these tools (right?), it is important to make sure that you are not using the same password on multiple services. Consider the event that one of these sites has its security compromised, and your username and password are discovered. Now, how many other places use that same combination? Are some of those important? Like maybe your email or bank accounts? This is why it is so important to use different passwords for different services.

Also, because you are now using one of these convenient tools, and would not be able to remember your passwords if you wanted to anyway, you might as well make them all super-secure. The length of a password is its primary strength. The longer it is, the stronger it is. These days, most security experts suggest passwords of 12-16 characters, minimum. But what does it matter to you if you are using copy/paste anyway? Crank those suckers up to 32 characters and be safe for the next millennium.

Finally, you should be wary of services that impose password limits, especially if they limit the length of the password. Any service that cares even a little about your security will store passwords using a well-salted, secure hash, which maps any password, regardless of its length, to a fixed-length string. There is no excuse for a service to tell you that your password cannot be longer than 16 characters. If they do, they are most likely storing passwords insecurely, and if that is true, what other security protocols might they be skimping on?
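As an added illustration, not part of the Lullabot handbook itself, the following Python makes the two points above concrete: a password's strength is its length times the bits per symbol, so a 32-character lowercase-only password carries more entropy than a 16-character password drawn from every character class, and a salted, slow hash produces the same-size digest whether the password is 5 or 300 characters long. The alphabet sizes (26/62/94 printable ASCII symbols) and the choice of PBKDF2-HMAC-SHA256 as the hash are assumptions of this example, not something the policy specifies.

```python
import hashlib
import math
import secrets
import string

# Alphabets for the comparison (assumed sizes; the page names the classes, not the counts).
LOWER = string.ascii_lowercase                  # 26 symbols
ALNUM = string.ascii_letters + string.digits    # 62 symbols
FULL = ALNUM + string.punctuation               # 94 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_beats_charset(long_len: int, short_len: int) -> bool:
    """True when a lowercase-only password of long_len symbols carries more
    entropy than a full-charset password of short_len symbols."""
    return entropy_bits(long_len, len(LOWER)) > entropy_bits(short_len, len(FULL))


def generate_password(length: int, alphabet: str = FULL) -> str:
    """Uniformly random password, the way a password manager generates one.
    `secrets` is the CSPRNG; the `random` module is not suitable here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def salted_hash(password: str, salt: bytes, rounds: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 (assumed scheme): a salted, slow hash whose 32-byte
    output is the same size no matter how long the password is."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()


if __name__ == "__main__":
    for n in (12, 16, 32):
        print(f"{n:2d} chars: lowercase {entropy_bits(n, len(LOWER)):6.1f} bits, "
              f"alphanumeric {entropy_bits(n, len(ALNUM)):6.1f} bits, "
              f"full charset {entropy_bits(n, len(FULL)):6.1f} bits")
    salt = secrets.token_bytes(16)  # one fresh random salt per stored password
    for pw in (generate_password(16), generate_password(32), generate_password(300)):
        print(f"{len(pw):3d}-char password -> {len(salted_hash(pw, salt)) // 2}-byte digest")
```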
