Steve

Password setting advice


Although many Tapestry managers are already aware of the need to protect access to Tapestry accounts with strong passwords, it can also be tempting to try to make them easy or memorable enough for staff or parents to remember without needing constant re-setting. Although the temptation is strong it ought to be resisted, for one big reason: guessing a user's password is the single most likely way for anyone to gain access to the journals and their data.

In the following tutorial we'll discuss the most obvious weaknesses, and offer some advice on things to think about when establishing your password policies. Some of it might seem obvious, but hopefully some will also be useful. Remember that ultimately the Tapestry account manager is responsible for their account's password policy.

Here's the brief version:

  • Don't re-use passwords across different sites! This is the biggest source of insecure accounts on the internet. See the password-manager point below for advice on managing multiple passwords.
  • Don't use a 'formula' - eg "FatherofTomG"
  • For increased security include digits, special characters and upper/lower case combinations to enhance complexity. (see below for a useful method of creating hard passwords that are nevertheless easily memorable)
  • Longer passwords are more difficult to crack - eight or more characters is good.
  • Use a password manager program (suggestions here) to avoid repeating the same password across different sites
  • If you're interested in seeing government advice on setting passwords please click here

Below is a longer version of the above, with some explanation of why and how, as well as do and don't. It's worth reading through, and will help prepare you for the parents who may want to know what you're doing to protect their data, or alternatively why you won't set up their password to be 'abcdef' because it's easier to remember!

First of all, what does Tapestry, as a system, provide to help you with setting up your passwords?

The first thing Tapestry does is allow you to set the 'password policy' (ie the minimum level of complexity) for all your passwords. You can set it separately for two groups of users: parents and staff/managers. Here's the tutorial that shows you how to accomplish this.

Although you set the password policy, it must be at least as strict as a minimum level of complexity that Tapestry itself specifies. This is set fairly low to give you the flexibility to decide for yourselves how strict you want to be, and we'd strongly recommend that you specify a greater level of complexity than this minimum (currently you can set it to accept only letters and a length of six characters). We set this minimum level when we discovered that some parents were using three-letter passwords such as 'cat'. The default level (the level set when you first open your Tapestry account) is 10 characters, so you'll need to deliberately and consciously reset the number lower if you wish. We would recommend that at a minimum you use upper and lower case random letters (ie no common names and no template - see below) with at least 1 digit.

When setting up passwords for your parents or staff, Tapestry provides functionality that enables you to:

  • automate the process of activating accounts and passwords
  • allow the parent to activate the account themselves via an email
  • change their password themselves, but only to a minimum level of security specified by you, the manager

There are occasions when this automated approach cannot be used and you need to set a password manually. For example, a parent has forgotten their password and is not receiving the email links to reset it using the method above. This can happen if, for example, an email program has decided that these emails are spam and is deleting them or diverting them into a spam folder.

If this happens, Tapestry allows you to choose not to activate or reset a password via an automated email, but for you to enter a manual password yourself, and give it to the parent personally. Please note that the system still compels you to set a password that conforms to your own password policy in terms of minimum length, and upper/lower case, digit and special character requirements.
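To make the policy rules above concrete, here is an added example (not Tapestry's own code) that checks a candidate password against the three levels the post describes: Tapestry's floor (letters only, six characters), the default on a new account (10 characters), and the recommended level (upper and lower case plus at least one digit). The policy objects and the small common-password list are constructed for the example.

```python
"""Password-policy check modelled on the requirements described in the post:
minimum length, upper/lower case, digit and special-character counts, plus a
block on well-known passwords. Constructed example, not Tapestry's own code."""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class Policy:
    min_length: int
    require_upper: bool = False
    require_lower: bool = False
    min_digits: int = 0
    min_special: int = 0


# Constructed from the levels the post mentions.
TAPESTRY_FLOOR = Policy(min_length=6)        # lowest level Tapestry will accept
TAPESTRY_DEFAULT = Policy(min_length=10)     # level set on a newly opened account
RECOMMENDED = Policy(min_length=10, require_upper=True,
                     require_lower=True, min_digits=1)  # the post's advice

# Constructed sample of common passwords; the post itself names the first four.
COMMON_PASSWORDS = {"password", "123456", "cat", "abcdef", "qwerty"}


def check_policy(password: str, policy: Policy) -> list[str]:
    """Return the reasons the password fails the policy (empty list = passes)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        failures.append(f"fewer than {policy.min_digits} digit(s)")
    if sum(c in string.punctuation for c in password) < policy.min_special:
        failures.append(f"fewer than {policy.min_special} special character(s)")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears in the common-password list")
    return failures


if __name__ == "__main__":
    for pw in ("cat", "abcdef", "finlay2005", "IhadcFwwbi2005.Has!"):
        print(pw, "->", check_policy(pw, RECOMMENDED) or "ok")
```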

Over the years, people have become very good at cracking passwords. As this happens it has become necessary to increase the complexity of the passwords you use, to defeat them. The use of a common word or string these days is a complete no-no (using 'password' for example, or '123456' - many sites exist giving, for example, the most common 1,000 passwords). Hackers use programs that will take a database of common passwords and fire them automatically at a login page.

So passwords need to become more complex, with combinations of upper and lower case letters, digits and special characters. They need to be longer (eight characters and above is good) and they need to be used uniquely (ie not re-used across different sites). But how can we do this and still be able to remember them? Almost everything requires a password these days - I may never be able to use my fridge again if I forget it...


How to make an easily memorised very complex password

Here's one tip many people have begun using, that enables you to memorise a seemingly random password consisting of upper/lower case, digits and special characters:

First of all think of a sentence you feel you'll be able to memorise quickly and easily. Some people like to use the lyrics of a song or a poem; however I think this removes a certain amount of the randomness of the resulting password, so I prefer to make up a sentence of my own - although it may take a couple of days to remember what you've created, you don't need to make too many of these. So, for example, I could think of the following (this obviously means it's one I'll never be able to actually use...):

I have a dog called Finlay who was born in 2005. He's a spaniel!

OK, let's take the initial letters of all of those words, keeping the punctuation, using the numbers in full and preserving the upper and lower cases. We end up with the following:

IhadcFwwbi2005.Has!

What you end up with is an incredibly strong password the mnemonic for which, within a few minutes or over a period of a few days should be firmly fixed in your head. And while you're doing so you can scribble the mnemonic down in a notebook somewhere - your friends will probably just assume you're losing your memory and need to record your dog's age and breed.

Actually the length of the above (19 characters) is probably well over the top for most purposes. It's currently recommended that really vital passwords should be 11 characters. But as a demonstration you can see how easy it is to build a strong password that is nevertheless easily memorable.
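The sentence-to-password rule just described, carried through as an added example (not code from the post): initial letter of each word, numbers kept in full, punctuation attached to a word kept, and case preserved. Running it on the Finlay sentence reproduces the 19-character password above; the class-count helper shows why it satisfies the upper/lower/digit/special requirements discussed earlier.

```python
"""Derive a password from a memorable sentence using the rule in the post.
Constructed example; the regexes and helper names are this example's own."""
import re


def mnemonic_password(sentence: str) -> str:
    """Each word contributes its initial (or its full number) plus any trailing punctuation."""
    parts = []
    for word in sentence.split():
        number = re.match(r"\d+", word)
        if number:
            # A word starting with digits keeps all of them: "2005." -> "2005"
            parts.append(number.group())
        else:
            # Otherwise the first letter, case preserved: "Finlay" -> "F", "He's" -> "H"
            parts.append(next((c for c in word if c.isalpha()), ""))
        # Punctuation at the end of the word is kept: "spaniel!" -> "s!", "2005." -> "2005."
        trailing = re.search(r"[^\w]+$", word)
        if trailing:
            parts.append(trailing.group())
    return "".join(parts)


def classes_used(password: str) -> dict[str, int]:
    """Count the character classes a policy would look for."""
    return {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),
    }


if __name__ == "__main__":
    # The sentence used in the post; never use it as a real password now.
    sentence = "I have a dog called Finlay who was born in 2005. He's a spaniel!"
    pw = mnemonic_password(sentence)
    print(pw, len(pw), classes_used(pw))
```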

Alternatively you can use a list of three or more random words

Although you shouldn't use just one word, the government recommends that you combine three random words into a long string; an example is dancingcreaturelog. As well as being much more secure than just using one word, especially if that word relates to the site you are setting the password up for, passwords set up like this can lead to amusing imagery which makes them easier to remember!

Why shouldn't I use a formula (eg "FatherofTomG") to issue manually created passwords?

This might seem like a handy way to create a password, but it is also a real giveaway to parents who might like to see what's going on with the journals of other children. It doesn't take a genius to work out that another child's journal might have a password of "MotherofDeanD" and email addresses are easy to come by.

If I've got a good strong password I should stick with it shouldn't I?

So you've got a really good strong password. Excellent. It might seem a reasonable thing to do then, to change all your old simple passwords out for this new uncrackable one, and keep re-using it for all new sites. Why shouldn't you do this?

Well, if you do, you are effectively trusting every site you add it to with this password. You don't really know how carefully they look after your password - although they really shouldn't, you don't even know if they encrypt your password; they may be storing it in plain text. Even well known organisations such as Adobe and LinkedIn have had their sites hacked in the past. If this were to happen with a site you have entrusted your password to, the hackers will be able to add it to the databases of passwords they have harvested, making it much easier for them to get into other sites you might have used it on. To back this up, read these recent words from someone responsible for the security of one of the biggest sites available:

"The reuse of passwords is the [number-one] cause of harm on the internet," Facebook's chief security officer, Alex Stamos, told attendees at Web Summit in Lisbon. "It turns out that we can build perfectly secure software and yet people can still get hurt."

So, I have to remember loads of sentences like the one about Finlay or phrases like the one about the dancingcreaturelog?

Not exactly. This is where technology can help save you from insanity. A solution to the problem of multiple complex passwords is:

Password Managers

Password managers are programs that securely store passwords for you. They work in different ways, but one common feature is that they require a password (the reason for this ought to be fairly clear...) to open them. So, if you can remember a very strong complex password to open this program up, you'll have access to other really strong passwords that you don't actually need to remember. That's actually given rise to the name of one of them; LastPass (as in, the last password you'll ever need to remember).

One great feature of these is that they usually have apps and add-ons for browsers that will, once installed, recognise which site you're visiting, and enter the details for you.

We like LastPass here at FSF HQ (there's a free version and a paid version with more features) but there are others - here's a recent review of some options.

If you read this far, well done you with the stamina!
