Passwords

Passwords are the most important part of getting security right.

You must have a clear password policy and communicate it to all users, which, at the miniumum, requires users to follow the rules in “Strong passwords” below.

Your users have a responsibility to choose a secure password. They must take this seriously.

Authentication tokens

Authentication tokens must be used if your information is sensitive.

In all cases, the use of authentication tokens is highly recommended, especially if you don’t entirely trust your users to choose strong passwords.

Strong passwords

A strong password:

  • is at least 8 characters long
  • includes upper and lower case letters, numbers, and punctuation
  • does not include any information that other people know about you, for example, your wife’s name, your date of birth, school or place of birth
  • does not contain any word you might find in a dictionary, unless some of the letters have been replaced by punctuation or numbers
  • there are no repeated character sequences.

Some counter-intuitive advice

Given the ease at which automated software can guess passwords, it is better to choose a stronger password and ignore some outdated advice. If you have trouble remembering a strong password, consider:

  • Writing down your password — as long as you don’t leave it in an obvious place and it’s the only thing written on that bit of paper, this is far more secure than using a weak password which can be guessed and checked online by an automated attack system. Do not write anything else on the paper, particularly anything that would indicate which system the password accessed.
  • Never changing your password — eventually you’ll remember even the strongest password, so just use one password for each system and never change it. But remember to use separate password for each system you use.

Email password

The Haplo password recovery system will send a password recovery email to the email address that you use to log in. This email allows you to set a new password. This means that the security of your Haplo system is equivalent to the security of your email system, unless you are using authentication tokens as an additional security measure.

You must ensure that users set strong passwords for their email, and that those strong passwords are not used in any other system.

You must ensure that any device which stores the user’s email password is suitably protected, following the recommendations about mobile devices.

“Remember me”

You must not check the remember me box on any computer that you do not fully trust, especially not a public computer.

If your security needs are especially stringent, you can disable the “remember me” feature.

Your Name » System management » Configuration » Login options

On the same screen, you can invalidate all stored credentials. Use this option if any of your computers or laptops are stolen.

Password reuse

You should use a different password for each system you access.

There have been some notable incidents where online services have been compromised and all the users’ passwords have been made available to people with nefarious intentions.

While those services can protect themselves by forcing their users to choose a new password, there is a major risk if those users have used their password elsewhere. If you use the same password on multiple services, compromise of a low security system, like commenting on a news website, can reveal the password to your email, and through your email, access to every other service you use.

Use a different password everywhere. At the very least, your email and Haplo (and online banking!) passwords must not be reused elsewhere.

Technical measures

Haplo takes two technical measures to minimise the risk posed by weak passwords:

  • When choosing your password, Haplo ensures that it contains at least 8 characters and includes both letters and numbers — however, this only catches the really weak passwords and users still need to think about choosing a good password.
  • If someone makes too many incorrect log in attempts, logging in from their location is automatically blocked for a period of time. This means that automated password guessing software cannot make unlimited guesses.

Even with these measures, weak passwords compromise the security of your information.

Further recommendations

  • Do not share passwords with anyone.
  • Make sure no one is overlooking your keyboard when you type in your password.