What are the best practices for password security?


Passwords to Convio Administration should be considered more sensitive than the password to your personal bank account. The risks to your organization are very great.

A substantial amount of malfeasance on the Internet occurs because of easily guessed or poorly protected passwords. The data stored in Convio by your organization is likely to be of a highly sensitive or valuable nature. Here are some examples of attractive targets for hackers:

Email addresses, for example, are valuable to spammers.

Your homepage. A hacker may desire to replace your content with something offensive.

Transaction information may be interesting, especially if your organization is active in lobbying.

In fact, "The CERT/CC (Computer Emergency Response Team / Coordination Center), a federally funded organization based at Carnegie Mellon University, estimates that 80% of all network security problems are caused by bad passwords; therefore, good passwords are the simplest, and most important part of information security."

It is highly recommended you follow these guidelines:

DO:

DO use a password with mixed-case letters. Use uppercase letters throughout the password.

DO use a password that contains at least eight characters.

DO use a seemingly random selection of letters, punctuation and numbers.

DO change passwords occasionally.

DO use something mnemonic, reducing your need for written aides-mémoire. For example, the song name Hard Day's Night can be turned into a hard-to-guess password like this: H8rdD8y5N1ght. Of course, you'd only use this if you weren't a Beatles fan!

DO NOT:

DO NOT use common words, names, dates, Social Security numbers, street addresses or anything else that someone can guess by knowing you.

DO NOT reuse passwords, or create new passwords that look similar to another you used previously or currently use in other systems, including the Convio Support Desk or Convio Customer Center.

DO NOT use keyboard sequences, like qwerty.

DO NOT write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others. If you write your password down, keep it in your wallet or similar article that you keep in your possession at all times. Also, DO NOT write it down in any context about Convio, like "Convio Password: 7J8-0Bba4F".

DO NOT use shared accounts. Accountability for group access is extremely difficult.

DO NOT store your Convio password on your computer or office server. Desktop computers are subject to hackers, viruses and trojans, so even if your computer's physical location were very secure, access can be gained through the Internet.

DO NOT use the "Remember Password" utility in Internet Explorer. It is not secure and malicious hackers know exactly where the passwords are stored.

DO NOT share your password with anyone. This includes Convio employees. If someone contacts you asking for your Convio administrator password, notify us immediately.

DO NOT send Convio administrator passwords in email or send them through the Convio Support Desk or any other mechanism.
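The guidelines above that can be checked mechanically (length, mixed case, non-letter characters, keyboard sequences, common words, similarity to the password being replaced) are shown here as an added example; it is not Convio code. The function names, the small word list, the four-key run length and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import string
from difflib import SequenceMatcher

# Constructed sample list; a real check would use a much larger dictionary.
COMMON_WORDS = {"password", "convio", "welcome", "letmein", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys of one row, left-to-right or reversed."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def check_password(pw, current=None, max_similarity=0.8):
    """Return the guidelines pw breaks; an empty list means none were found.

    `current` is the password being replaced, as typed by the user at change
    time (assumption: it is never stored in clear text for this comparison).
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    elif not any(c.isupper() for c in pw[1:]):
        problems.append("uppercase only at the start")
    # Minimal reading of "letters, punctuation and numbers": at least one non-letter.
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("letters only")
    if has_keyboard_run(pw):
        problems.append("keyboard sequence")
    if any(word in pw.lower() for word in COMMON_WORDS):
        problems.append("contains a common word")
    if current and SequenceMatcher(None, pw.lower(), current.lower()).ratio() >= max_similarity:
        problems.append("too similar to current password")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "Qwerty12!", "H8rdD8y5N1ght"):  # constructed samples
        print(candidate, "->", check_password(candidate) or "no problems found")
```

An empty result only means none of these specific rules fired; it does not show that a password is hard to guess.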
