Users, weve heard over and over, are the weakest link when it comes to security. You can have the strongest firewall in the world, but all it takes is one clueless person to get a phone call, This is Steve from I.T. We need to reset the network passwords. Whats yours? and the walls come tumbling down.

Many companies implement smart practices like requiring users to change network and e-mail passwords regularly. Some require certain password formats; it must include at least one number, for example. But the problem that raises is that users invent acceptable passwords, then write them down nearby so they can remember what they came up with.

When I was in high school, I used to visit a friend in upstate New York. Wed go to his school early in the morning and pick a deserted bank of lockers. Over and over, wed find locker combinations written in tiny markings on the walls above the lockers. I kid you notwere talking dozens of them. We would remove calculators and tape recorders and bring them to the lost and found, just to confuse the owners. We finally stopped when my friends mother got a job with the police.

The point is obvious: If teenagers cant remember three numbers, how can you expect your users to remember 4drily$Wander?

On the other hand, allowing users to choose their passwords will inevitably lead to people using their own names or their childrens, or simply password. Thats easy stuff for the black hats to figure out.

So how can you make sure your users have good passwords (e.g., 4drily$Wander) that they wont need to write down?

Heres the answer: Tell them their passwords.

Every 90 days (or however often), tell your users that they are to change their passwords to something like this: Your mothers maiden name, then the number of the first house you lived in, then the name of your first pet. No spaces. You can then post signs all over the office reminding people what their passwords are, while still maintaining security.

Wont You Guess My Name?

Most companies have specific formats for their employees e-mail addressfirst initial-last name is common. But its far from universal. I once needed to get in touch with someone at Marriott whose address I didnt have. I finally sent messages to various combinations of his name: [email protected], [email protected], and [email protected]. The last one turned out to be the right one.

I was lucky that Marriott uses a fairly common formula. Nationwide doesnt. Its user names consist of the users first initial, then up to six letters in his or her last name, then a number (usually 1). So John Smith would be [email protected]; Mike Johnston would be [email protected]. Oh, thats intuitive.

Heres a better idea:

Taking a cue from T.S. Eliot, every user should have three e-mail addresses. First there is the real user name, using whatever formula your company wants. Then every user should have aliases of first initial-last name (if that isnt your company standard), first name-dot-last name, and finally a user name of the employees choice, within reason. I would always choose ak, for example.

That way people who dont know someones address would have a good chance at guessing one that works, and youd do your users a kindness by letting them choose a name of their own to give out, either on their cards or as their return address. AK

Send your bright ideas tobrightideas@ tdmag.com.