LINC is a project of the National Center for Law and Economic Justice.
In a perfect world, you would use a unique password for every password-protected function that you hope to keep private. That unique password would not be, or resemble, any word in the dictionary (password is out, and so is passw0rd). Your passwords would never be written down anywhere, ever.
Got it? Great. Now let's get real. If you are ready to be responsible about password use but can't quite get your head around the instructions above, here are some tips to make you less insecure:
1. Pick one really easy password and use it only for nuisance logins -- those sites where you know you won't really care if someone gets hold of your account. Yes, someone could steal your password - but what are they going to do with it? If you're worried about protecting your privacy, use a better password, but if you aren't, use the same plain word over and over again and don't think twice about it. Good examples of nuisance logins are:
   - newspapers and other online content
   - travel sites like Expedia, or airline sites
   - email lists, or anywhere that warns you that your password will be sent to you in cleartext [1]
   - online communities and photo sharing sites

   Some of these sites offer to store your credit card information. If you are going to leave a card on file, the site falls into category 4 below.
2. Pick one password for private things that aren't life or death. Find a random password or invent a semi-random password. For a while I used "14ONHbro" because my kid brother, Oliver N Hickman, was about to turn 14 and I was thinking about getting him a birthday present when I set up my first email account. For an added bonus, when I was still using that password on his 18th birthday, that was a good sign that it was time to switch to a new password. Passwords you should be able to keep to yourself:
   - your email account(s)
   - the FTP login for your website
3. You might need a few passwords you can share - this one you should at least change when staff changes. These should be random passwords, but they shouldn't be the same as any password you use for personal logins. Server passwords and shared websites often fall into the shared category.
4. Your last password category is for really sensitive stuff. Ideally, you wouldn't reuse these passwords, but more importantly, this should be a truly random password, and you should change it from time to time. For example:
   - a web based membership database
   - remote access to your desktop computer
Random password generators aren't hard to find, but here is one that I like:
http://www.winguides.com/security/password.php
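If you would rather not trust a web page to pick a password for category 4, a few lines of Python do the same job locally. This is an added example, not code from the original article or from the site linked above; it assumes a letters-and-digits alphabet and a default length of 12, both arbitrary choices. The entropy function is there to show why "truly random" is worth the trouble: a 12-character random string carries about 71 bits, while any 8-character string of lower-case letters and digits is capped at about 41 bits, and a phrase-derived one is well below that cap because people do not pick phrases uniformly.

```python
import math
import secrets
import string

# Symbols to draw from; letters and digits only (an assumption for this
# example), so the result pastes cleanly into any login box.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_password(length=12, alphabet=ALPHABET):
    """Return a password whose characters are drawn independently and
    uniformly from `alphabet` using the operating system's CSPRNG via the
    `secrets` module (not `random`, which is not meant for secrets)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string: length * log2(alphabet
    size). For anything a person chooses this is only an upper bound,
    because human choices are far from uniform."""
    return length * math.log2(alphabet_size)


def is_from_alphabet(password, alphabet=ALPHABET):
    """True if every character of `password` comes from `alphabet`."""
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    pw = random_password(12)
    print(pw, "->", round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
    # For comparison, an 8-character string over lower-case letters and
    # digits (the shape of "4sa7yaof" later on the page) is bounded by
    # 8 * log2(36):
    print(round(entropy_bits(8, 36), 1),
          "bits at most for 8 lower-case letters/digits")
```

Run it as a script to print a fresh password; call `random_password(16)` for a longer one. Every call reads fresh bytes from the OS, so there is no seed to leak.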
The University of Chicago has a great tip sheet on passwords: http://safecomputing.uchicago.edu/practices/passwords.html
One good tip: use the first letter of each word in a saying or lyric that you'll remember:
"Poverty anywhere is Poverty everywhere!" becomes "PaiPe!" or "Four score and seven years ago our fathers ..." becomes "4sa7yaof"
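The two rules above, the first-letter mnemonic and the "must not be or resemble a dictionary word" test from the opening paragraph, are easy to put into a few lines of Python. This is an added example, not code from the original article. Two details are assumptions, because the article shows results without spelling out the rule: number words become digits ("Four" to "4", "seven" to "7"), and a closing "!" or "?" on the phrase is kept ("PaiPe!"). The substitution table and the tiny word list are constructed for the example; a real check would load a full dictionary.

```python
import re

# Number words that become digits, inferred from the page's own example
# ("Four" -> "4", "seven" -> "7"); the page does not state the rule.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


def mnemonic_password(phrase):
    """Build a password from the first letter of each word of `phrase`.
    Case is kept ("Poverty" -> "P"), number words become digits, and a
    closing "!" or "?" on the phrase is kept (assumed from "PaiPe!")."""
    out = []
    for token in phrase.split():
        word = token.strip(".,;:!?\"'()")   # drop punctuation glued to a word
        if not word:
            continue                        # a bare "..." contributes nothing
        out.append(NUMBER_WORDS.get(word.lower(), word[0]))
    stripped = phrase.rstrip()
    if stripped and stripped[-1] in "!?":
        out.append(stripped[-1])
    return "".join(out)


# Common substitutions undone before comparing against a word list, so
# that "passw0rd" is recognised as "password". Simplified: "1" is read
# as "l" only, although it also stands in for "i".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed word list for the example; a real check loads a dictionary.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "qwerty"}


def resembles_dictionary_word(candidate, wordlist=COMMON_WORDS):
    """True if `candidate`, lower-cased, with substitutions undone and
    trailing digits or punctuation removed, is a word in `wordlist`.
    This catches "password", "passw0rd" and "Passw0rd!" alike."""
    normalized = candidate.lower().translate(LEET)
    normalized = re.sub(r"[^a-z]+$", "", normalized)
    return normalized in wordlist


if __name__ == "__main__":
    for phrase in ("Poverty anywhere is Poverty everywhere!",
                   "Four score and seven years ago our fathers ..."):
        pw = mnemonic_password(phrase)
        print(f"{phrase!r} -> {pw!r}, dictionary-like: "
              f"{resembles_dictionary_word(pw)}")
    for weak in ("password", "passw0rd", "Passw0rd!"):
        print(f"{weak!r} dictionary-like: {resembles_dictionary_word(weak)}")
```

The script reproduces both results from the article ("PaiPe!" and "4sa7yaof") and flags the two rejected examples from the first paragraph. The normalisation step is the part worth keeping: a check that compares the raw string against a word list passes "passw0rd", which is exactly the case the article says is out.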
Writing Password Policies for your Organization
- Be Realistic: if you impose a rule that no one has time to follow, you are no better off than you were without any policies.
- Wherever Possible, let users set their own passwords. When the whole organization shares a single password, it is much more difficult to change the password.
- Be Reasonable: be clear about why passwords matter in your organization. Is data sensitive? confidential? vulnerable to vandalism? There is a difference. If you are asking computer users to respect the confidentiality of the organization, say so. It seems less arbitrary.
- Set an Example: never ask users to share their passwords with you. Make sure you know how to reset email passwords, database user passwords, etc., and let users keep their passwords private. If you are footing the bill, your ISP should have no problem resetting a user's email password if something happens and you need access to their account.
[1] Cleartext: text that is visible to the user. When you type in your password in a conventional password box, the text is obfuscated so that you cannot see it when you type. You see asterisks or bullets instead; that is not cleartext.
Published April 2006