Commit 3115864a authored by JSS

update passphrase recs to use CMU research

parent 714f9bea
......@@ -21,11 +21,11 @@ In the recommendations below, the term “organizational” is used to identify
:fire: Work flow disruption for staff
## Password and Authentication Security
:heavy_check_mark:     **Use strong passwords for all accounts, organizational and everyday**
:rocket::wrench::fire:
*Strong passwords are generally longer that 8 characters, use a mix of symbols, numbers and both upper and lowercase letters, and do not include any dictionary words or personal information.*
:heavy_check_mark:     **Teach everyone in your organization to generate strong passwords and make sure they are used for all accounts, organizational and everyday**
:rocket::rocket::wrench::fire::fire:
*Strong passwords are generally longer that 12 characters and use a mix of two or three different types of characters (from symbols, numbers and both upper and lowercase letters). Don't put uppercase letters, symbols or digits specifically at only the beginning or end of your passwords but mix them in throughout. Do not include any personal information like your favorite sports teams, places you lived, your kids or pets names or important dates or common phrases like song lyrics or poems. Don't use patterns like "123" or "xyz", especially ones that appear on a keyboard, or acronyms associated witih your work or organization.*
*There are many ways to generate strong passwords. There is an online guide to creating passwords as part of the the excellent [Security In a Box website]("https://securityinabox.org/en/guide/passwords"). Most password managers will also make a random password for you, as will other available software for that specific purpose. [Diceware]("http://world.std.com/~reinhold/diceware.html") is a fun and effective scheme for creating random yet memorable passwords using everyday objects and a word list.*
*There are many ways to generate strong passwords. There is an online guide to creating passwords as part of the the excellent [Security In a Box website]("https://securityinabox.org/en/guide/passwords"). Most password managers will also make a random password for you, as will other available software for that specific purpose. [Diceware]("http://world.std.com/~reinhold/diceware.html") is a fun and effective scheme for creating random yet memorable passwords using everyday objects and a word list. One other great way to make a strong password is to come up with a silly sentence that no one’s ever said before and use the first letter or two of each word as your password, mixing in other types of characters.*
*If you never store a password, it can never get stolen from you. Most service providers allow you to reset a password by sending you an email. For any software or system where you register with an email address you are sure you will control in the future and to which you won't need immediate access, you can make and immediately forget a long random password and just use the reset process when you need to login again.*
Protects you from;
......
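Review bot: the rewritten guidance line in this hunk keeps two typos from the line it replaces and adds a new one: "longer that 12 characters" should read "longer than 12 characters", and "acronyms associated witih your work" should be "with your work"; the retained sentence "as part of the the excellent" also doubles "the". The Markdown links wrap the URL in quotes inside the parentheses, e.g. `[Diceware]("http://world.std.com/~reinhold/diceware.html")`, which renders a broken href; drop the quotes. Since the commit message says the recommendations now follow CMU research, consider adding a citation to that research next to the 12-character, two-or-three-character-class advice so readers can see where the numbers come from.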
......@@ -39,7 +39,7 @@ It is also noted that there are additional controls and security features availa
:heavy_check_mark:     **Enforce password length rules.**
:rocket::wrench::fire::fire:
*GSuite allows you to set minimum (and maximum) password lengths. Setting a minimum length of at least 8 but ideally more than 12 characters helps guard against easily guessable passwords. Instructions on getting this up are at https://support.google.com/a/answer/139399?hl=en. Note that helping people to produce long passphrases that are a combination of words that have never appeared together (perhaps with some character substitutions) and that don't include any information about that person will allow you to push this minimum length even higher so that guessing a password becomes virtually impossible.*
*GSuite allows you to set minimum (and maximum) password lengths. Setting a minimum length of at least 12 characters helps guard against easily guessable passwords. Instructions on getting this up are at https://support.google.com/a/answer/139399?hl=en. Note that helping people to produce long passphrases that are a combination of words that have never appeared together (perhaps with some character substitutions) and that don't include any information about that person will allow you to push this minimum length even higher so that guessing a password becomes virtually impossible.*
:heavy_check_mark:     **Use the organizational units functionality in GSuite to make groupings of user accounts or devices, and give them the minimum level of access required to do their work.**
:rocket::rocket::wrench::wrench::fire::fire:
......
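Review bot: the new minimum in this hunk ("at least 12 characters") and the previous hunk's wording ("longer than 12 characters") do not say quite the same thing; pick one phrasing so the guidance given to staff and the GSuite length rule match. In the same line, "Instructions on getting this up are at" should read "setting this up", and "so that guessing a password becomes virtually impossible" is stronger than a length rule alone supports; "much harder to guess" would be accurate without overselling the control.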