It is critical that every user authenticates with a secure password at systems such as TYPO3. Below are rules that should be implemented in a password policy:
- Ensure that the passwords you use have a minimum length of 9 characters.
- Passwords should have a mix of upper and lower case letters, numbers and special characters.
- Passwords should not be made up of personal information such as names, nick names, pet’s names, birthdays, anniversaries, etc.
- Passwords should not be made out of common words that can be found in dictionaries.
- Do not store passwords on Post-it notes, under your desk cover, in your wallet, unencrypted on USB sticks or anywhere else in the clear.
- Always use a different password for different logins! Never use the same password for your e-mail account, the TYPO3 backend, an online forum and so on.
- Change your passwords at regular intervals, but not too often (that would make remembering the correct password too difficult), and avoid re-using any of the last 10 passwords. Change a password immediately if you suspect it has been exposed.
- Do not use the “stay logged in” feature on websites and do not store passwords in applications like FTP clients. Enter the password manually every time you log in.
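The first rules above (minimum length, character mix, no dictionary words, no personal information, no reuse of the last 10 passwords) can be enforced mechanically when a password is set. The validator below is an added example written for this page, not TYPO3's own password-policy code. The word list, the user profile and the leet-speak substitution table are constructed stand-ins for a real dictionary or breached-password list, real account data and a real normalisation routine.

```python
"""Generic password-policy validator (illustrative; not TYPO3 code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from typing import Optional

MIN_LENGTH = 9      # rule: at least 9 characters
MIN_CLASSES = 4     # rule: upper, lower, digit and special character
HISTORY_SIZE = 10   # rule: do not reuse any of the last 10 passwords

# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "summer", "typo3"}

# Constructed sample account data (assumption) used to derive forbidden substrings.
SAMPLE_PROFILE = {"name": "Jane Doe", "nickname": "Janey", "pet": "Rex", "birthday": "1987-04-23"}

# Minimal leet-speak table so that "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return pw.lower().translate(_LEET)


def char_classes(pw: str) -> int:
    """Count the distinct character classes present: lower, upper, digit, other."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    other = any(not c.isalnum() for c in pw)
    return sum((lower, upper, digit, other))


def personal_tokens(profile: dict) -> set[str]:
    """Derive substrings a password must not contain from the user's own data."""
    tokens: set[str] = set()
    for value in profile.values():
        for word in re.findall(r"[A-Za-z]{3,}", value):
            tokens.add(word.lower())
        digits = re.sub(r"\D", "", value)
        if len(digits) >= 4:            # a date like 1987-04-23 -> 19870423
            tokens.update({digits, digits[:4], digits[-4:]})   # full, year, day+month
    return tokens


class PasswordHistory:
    """Salted PBKDF2 hashes of the last HISTORY_SIZE passwords.

    PBKDF2 from the standard library is used here for portability; a real
    deployment compares against the same slow hash the credential store uses.
    """

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def seen(self, pw: str) -> bool:
        return any(hmac.compare_digest(self._digest(pw, salt), d) for salt, d in self._entries)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(pw, salt)))
        del self._entries[:-HISTORY_SIZE]   # keep only the most recent HISTORY_SIZE


def check_password(pw: str, profile: dict, history: Optional[PasswordHistory] = None) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append("needs upper and lower case letters, digits and special characters")
    lowered, norm = pw.lower(), normalise(pw)
    # Digit-only tokens (years, dates) are matched on the raw lower-cased form,
    # because leet normalisation rewrites digits into letters.
    if any(w in lowered or w in norm for w in COMMON_WORDS):
        problems.append("contains a dictionary word")
    hits = sorted(t for t in personal_tokens(profile) if t in lowered or t in norm)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    if history is not None and history.seen(pw):
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    for candidate in ["Ab1!", "P@ssw0rd!", "Rex1987!!", "Summer2024!", "xK9#mq2!Lz"]:
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE, hist) or "OK")
    hist.add("xK9#mq2!Lz")
    print("xK9#mq2!Lz again ->", check_password("xK9#mq2!Lz", SAMPLE_PROFILE, hist))
```

The personal-information check is deliberately applied both to the raw lower-cased password and to its leet-normalised form, so "Rex1987!!" is caught on the pet name and the birth year while "P@ssw0rd!" is caught only after normalisation. A validator like this complements, but does not replace, checking new passwords against a list of known-breached passwords.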
A good rule of thumb for a secure password is that a search engine such as Google would return no results for it. Please note: this only illustrates how cryptic a password should be; never actually type your password into a search engine to test it, since that sends it to a third party.
Another rule is that you should not choose a password that is too complex, either. This sounds self-contradictory, but most people will write down a password that is too difficult to remember, and that violates the rules listed above.
In a perfect world you would only use trusted computers. Public computers in libraries, internet cafés, and sometimes even computers of work colleagues and friends can be manipulated (with or without the knowledge of the owner) so that they log your keyboard input.