Archive for June 30th, 2006

French companies are concerned with their computer security

On Wednesday, CLUSIF, the Club de la Sécurité de l'Information Français (Club for Information Security in France), presented its study "Policies of Computer Security & Losses in 2005". The study concludes that French companies are increasingly setting up policies and procedures to protect their information systems; however, they fall short when it comes to approving the budgets needed to support them.

In a 58-page document (in French), the association synthesizes the testimony of representatives of 400 companies with more than 200 employees, drawn from all business sectors. The results show that in 2005, 56% of French companies had a defined information system security policy, against only 41% two years earlier, when the previous study was conducted.

CLUSIF notes that only 38% of the companies plan to increase the budget devoted to information system security, 46% say they will keep it constant, 4% will reduce it, and 12% have not decided. The study notes that upper management seems difficult to convince: they are not yet fully reassured that the security budgets they have already approved are being used correctly.

In addition, the study shows a "strong will to control" on the part of those in charge of information system security (the RSSI). Most prefer to block the use of new technologies rather than look for a way to deploy them securely. Thus 76% of them prohibit webmail access, 73% refuse VoIP, 56% prohibit Wi-Fi and 43% prohibit PDAs and smartphones.

Regarding recorded losses, only 36% reported viruses and 2% intrusions into their systems. The largest share, 56%, comes from design errors or software deployment; 47% from the loss of essential services such as electricity and telecommunications; and 46% from user errors.

Losses due to accidental causes remain the most numerous. Malice and negligence are nevertheless present: taken one by one they look small, but added together and extrapolated to French companies as a whole, the number of reported incidents becomes significant:

  • Design errors in software deployment: 58%
  • Loss of essential services: 47%
  • Errors of use: 46%
  • Theft: 44%
  • Internal breakdowns: 37%
  • Virus infections: 36%
  • Natural disasters: 8%
  • Physical accident: 6%
  • Data disclosure: 4%
  • Targeted attacks: 4%
  • Malicious acts: 3%
  • Sabotage: 3%
  • Intrusion: 2%
  • Fraud: 2%

I Hate the Password Policy!

Every XX days (I'm sure that if I actually told you the exact number, I'd be breaking some kind of rule), the system tells me that my password has expired and I have to change it.  I manage to change it without problems.  But as I log into the various corporate assets from each of my many machines, or if one of my machines stayed online while I changed the password from a different machine, it's a given that within the next few days our HelpDesk will have to re-enable my account, because the system has locked me out due to too many attempts with the old password.

There are many components to password policies.  Most people probably do not have this same problem.  But just the same, most people hate their own password policy just as much as I do!

As I understand it, most objections revolve around the many rules a password must satisfy to pass the "strong password" test: a length requirement, a mix of lower- and upper-case letters, numbers and/or punctuation, and the need to change it every so often, all without being allowed to write it down.  So new passwords must constantly be invented that are complex yet easy to remember.

Well, I can help you with that.  It's called pattern passwords.

How to Create Easy-to-Remember Strong Passwords Using Patterns

What would you say about a password such as

7ujmnbg%TGB

Easy to remember, isn't it?  Well, to remind me, I'm going to scribble a "75" on a Post-It and put it on my monitor.

It has 11 characters, with upper and lower case, a digit and even a punctuation mark.  Certainly it would pass any corporate policy on strong passwords.  (And if not, just adjust it once I have finished teaching you the concept.)  And I could never forget this password, because, frankly, you can't forget what you never knew!  ;-)  But "75" reminds me.

Here's the password:

That is the letter "J" traced on the keyboard starting at the "7" key (7ujmnbg), followed by the letter "I" traced with [Shift] held down, starting at the "5" key (%TGB).  And so "75" reminds me that this month "my password" uses the key positions of "7" and "5" to instantiate the pattern.

What is my password?  No, not "7ujmnbg%TGB"!  I told you I don't even know my password.  ;-)  My password is the keyboard pattern for the letters "J" and "I".

Keyboard pattern passwords.  You can use the pattern for letters, numerals, geometric figures (circle, triangle, dash), symbols (plus, equals, star [yhnuhbghj]) and, for the cultured linguists, symbols and characters from other languages: parts of Chinese characters, or the Russian, Greek, Arabic or Hebrew alphabets…  Pick anything that you can identify with (not something that can identify you!), or that is easy to type, or easy to remember, or all of the above.  And pick two patterns, or one long pattern, to give you enough characters to satisfy your corporate password policy.  Remember to hold the Shift key at a few chosen points, or the pattern will be too easy for a shoulder-surfer to notice.  The Shift presses are what make your rendering of a pattern differ from everyone else's, and they are what give you the upper-case letters and punctuation the policy demands.  Do not expect much more from them than that: a cracker that enumerates keyboard walks can enumerate the Shift variants of each walk just as easily, so a well-placed Shift makes the password policy-compliant rather than materially harder to guess.

Now that you know what pattern passwords are, let's discuss how to use them to satisfy the different aspects of your corporate password policy.

Length.  Design your pattern so it has enough characters to meet the password length requirement.  If the first pattern you like is short, add a second pattern, or even a third, or append a numeric sequence.  It simply becomes one more pattern that you add; the extra characters can be ones you choose never to change.

Upper and lower case, numbers, punctuation.  Choose carefully where and when to hold the [Shift] key to produce the upper-case letters and special characters.

Changing the password from month to month.  Move your pattern around the keyboard.  This month, my password location is "75".  Next month, it will be "64".  The following month, "53".  And so on.  After I finish with "31" (a "J" starting at "2" would run off the left edge of the keyboard), the following month it can be "08".  Or by then I could decide to use a different pattern.  And if I should forget what it is this month, there are only a select few to try, with a very high likelihood that the first couple I try will be successful (mind the lockout threshold, though).

Multiple passwords for multiple accounts.  Let's say I need to create a new Yahoo email address.  I choose the account name "Jimmy46".  The password I use with this account is my "46" pattern password.  (Notice it is not exactly the same as the one I was using before, but all the same, "J" is at "4" and the shifted "I" is at "6".)
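To make the scheme concrete, and to see what it looks like from the other side, here is an added example in Python; it is not the post's own code.  It assumes a US QWERTY layout and models each key by its row and column, ignoring the physical stagger, which is exactly how the post traces its letters (7, u, j and m share one column).  It renders the "J" plus shifted "I" scheme for any two-digit key ("75", "46", "08"), lists the month-to-month rotation described above, and then adds the check a cracker would make: splitting a password into runs of physically adjacent keys, and counting how many keyboard walks of a given length exist at all.

```python
"""Keyboard pattern passwords, modelled in code.

Added example, not the post's own code.  Assumes a US QWERTY layout and models
each key by (row, column) in the four character rows, ignoring the physical
stagger; that matches the post's own tracing, where 7 -> u -> j -> m share one
column.
"""

# US QWERTY rows, unshifted and with Shift held (the layout is an assumption).
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Every printable character -> (row, col) of the key that produces it.
POSITION = {}
for r, (plain, shift) in enumerate(zip(ROWS, SHIFTED)):
    for c, (p, s) in enumerate(zip(plain, shift)):
        POSITION[p] = POSITION[s] = (r, c)

# Shapes as (row, col) offsets from the starting key, traced as the post does:
# "J" goes down three keys, left two, up one; "I" goes straight down three.
SHAPES = {
    "J": [(0, 0), (1, 0), (2, 0), (3, 0), (3, -1), (3, -2), (2, -2)],
    "I": [(0, 0), (1, 0), (2, 0), (3, 0)],
}


def render(shape, start_key, shifted_steps=()):
    """Type `shape` starting at `start_key`, holding Shift on the listed step
    indexes (or on every step when shifted_steps == "all")."""
    r0, c0 = POSITION[start_key]
    chars = []
    for i, (dr, dc) in enumerate(SHAPES[shape]):
        r, c = r0 + dr, c0 + dc
        if not (0 <= r < len(ROWS) and 0 <= c < len(ROWS[r])):
            raise ValueError(f"{shape} from {start_key!r} runs off the keyboard")
        held = shifted_steps == "all" or i in shifted_steps
        chars.append((SHIFTED if held else ROWS)[r][c])
    return "".join(chars)


def monthly_password(key):
    """The post's scheme: "75" means a J traced from the 7 key followed by a
    fully shifted I traced from the 5 key."""
    return render("J", key[0]) + render("I", key[1], "all")


def rotation_schedule(first_key):
    """Keys for successive months as the post rotates them: both digits step
    down by one each month.  The schedule stops where the J would run off the
    left edge (at "20"); the post then restarts from a fresh key such as "08"."""
    keys, key = [], first_key
    while True:
        try:
            monthly_password(key)
        except ValueError:
            return keys
        keys.append(key)
        a, b = int(key[0]) - 1, int(key[1]) - 1
        if a < 0 or b < 0:
            return keys
        key = f"{a}{b}"


# --- the cracker's view -----------------------------------------------------

def adjacent(a, b):
    """True when characters a and b sit on neighbouring keys (Shift ignored)."""
    (r1, c1), (r2, c2) = POSITION[a], POSITION[b]
    return (r1, c1) != (r2, c2) and abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_segments(password):
    """Split a password into runs of physically adjacent keys.  A password that
    is a few long runs is a keyboard walk, whatever case or symbols it uses."""
    if not password:
        return []
    segments, run = [], password[0]
    for prev, ch in zip(password, password[1:]):
        if prev in POSITION and ch in POSITION and adjacent(prev, ch):
            run += ch
        else:
            segments.append(run)
            run = ch
    segments.append(run)
    return segments


def count_walks(length):
    """Upper bound on the number of keyboard-walk passwords of this length:
    every king-move path over the layout (revisits allowed) times 2**length
    for the Shift decision at each key.  Compare with 95**length for random
    printable ASCII of the same length."""
    keys = list(set(POSITION.values()))
    neighbours = {k: [o for o in keys if o != k and abs(k[0] - o[0]) <= 1
                      and abs(k[1] - o[1]) <= 1] for k in keys}
    paths = dict.fromkeys(keys, 1)            # paths of length 1 ending at k
    for _ in range(length - 1):
        paths = {k: sum(paths[n] for n in neighbours[k]) for k in keys}
    return sum(paths.values()) * 2 ** length


if __name__ == "__main__":
    print(monthly_password("75"))             # 7ujmnbg%TGB, the post's example
    print(monthly_password("46"))             # the "Jimmy46" account
    print(rotation_schedule("75"))            # 75, 64, 53, 42, 31
    print(walk_segments("7ujmnbg%TGB"))       # the two strokes, J then I
    print(f"{count_walks(11):.2e} walks vs {95 ** 11:.2e} random strings")
```

Running it prints 7ujmnbg%TGB for "75", 4rfvcxs^YHN for "46", and the rotation 75, 64, 53, 42, 31, stopping where the J would run off the keyboard.  The last two functions are the caveat: walk_segments() recovers the two strokes of 7ujmnbg%TGB no matter which keys were shifted, and count_walks(11) comes out below 10^14 against 95**11 (about 6 × 10^21) for a random 11-character password.  The Shift choices contribute a factor of 2 per character, not the character-class multiplier a policy checker assumes.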

I urge you to play around with this.  Have some fun.  Get comfortable with it.  Also, when you decide on a pattern you like, try out your new password at:

http://www.microsoft.com/athome/security/privacy/password_checker.mspx

This page scores your password and tells you whether it is "strong" enough.  Bear in mind that such checkers score length and character mix, not whether the characters trace a walk across the keyboard, so a good score here is not proof that the password is hard to guess.

Oh, and the next time they try to enforce the password policy, respond "can I use dollar sign, hash, seventeen?"  "Too short," they'll say.  So you walk away… with a smirk…  You know you can easily fulfill the policy now, but you still hate password policies.

PS.  No, 7ujmnbg%TGB is not really my password.  Besides, I have to change it every month.  (Oops)