Welcome to Megganet

FTTC (up to 80Mb), FTTP (up to 1GB), Leased lines, VoIP from £6/ month, Security software, Office 365, Email etc.
When you need value for money and quality of service without the drama phone 028 8283 1111


Password policy

Password complexity


Different systems have different rules for the passwords used to access them. As a rule, a password should be 8 or more characters long and combine uppercase and lowercase letters, numbers and, if permitted, one or more non-alphanumeric characters (!, %, ^, _ etc.).
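A small checker for the rule just stated, added here as an example (it is not Megganet's own code): it reports which parts of the rule a candidate password breaks. The assumption that a symbol is flagged when the target system does not permit one is mine, on the grounds that such a system would reject the password anyway.

```python
# Added example (not Megganet's own code): a checker for the complexity rule
# stated above. Rules: 8 or more characters, an uppercase letter, a lowercase
# letter, a digit and, when the target system permits symbols, at least one
# non-alphanumeric character. Assumption: when symbols are not permitted,
# a password containing one is flagged, since the system would reject it.
import string

SYMBOLS = set(string.punctuation)  # covers the page's examples: ! % ^ _


def complexity_problems(password: str, symbols_permitted: bool = True) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    has_symbol = any(c in SYMBOLS for c in password)
    if symbols_permitted and not has_symbol:
        problems.append("no non-alphanumeric character")
    if not symbols_permitted and has_symbol:
        problems.append("contains a symbol the target system does not permit")
    return problems


def meets_policy(password: str, symbols_permitted: bool = True) -> bool:
    """Convenience wrapper: True when no rule is broken."""
    return not complexity_problems(password, symbols_permitted)


if __name__ == "__main__":
    # constructed sample candidates, not real passwords
    for candidate in ["Tr0ub4dor&3", "password1!", "Passw0rd"]:
        print(candidate, "->", complexity_problems(candidate) or "OK")
```

Run it against a sign-up form's input before the password is accepted; the list of problems is what you would show the user instead of a bare "password rejected".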

Sending a password to a client


We have a very strict set of password rules which help protect both our and your interests and privacy.

We never send a password over the same medium that the password protects. An example is where a customer asks us for the password for a new email address.

If we email the new email address and put its password in the same message, the message may be intercepted and the password used by a third party. Also, we can’t stop the recipient printing out the details and being careless with the printout.

If a password and what a password is for is requested, we will send them separately – one by email and the other by TXT or WhatsApp or some alternate method.

We can tell the client the password over the phone, but in practice this is very unreliable: by the time they reach 16 random characters there is a very good chance they will get it wrong.

Default passwords


Most devices which need usernames and passwords will have defaults already in place. The password must be changed before the device is used. Some devices will ask you to change the username as well, so you should do that too.



Company password record


The Company password policy is a separate document that clearly states all issues around the storage, lifespan, exposure and so on of passwords. Use the guidelines on this page to help you create your own. The person in control of the document is the manager.

Whatever method the manager chooses to record passwords, only the manager should be able to make changes. This prevents anyone from making changes without recording them properly, which would leave the current version of the document out of date.

The manager should make only the relevant passwords visible to the relevant staff.

When the manager makes changes to this document, the date of editing should be noted. This is to ensure that users have the most current version of this document.

The manager must know who holds copies of the document so that they can be informed of any relevant updates.


Using a password program to store passwords



This is a good idea as you only need a single password to unlock your database of passwords. One we like is ‘Password Safe’, which is available to download free of charge. Use it at your own risk, though. It’s better than a spreadsheet.

Obviously, it is recommended that your password data file is backed up frequently.

Storing passwords within your browser


Your browser may offer autofill options and a password storage facility. This is a weak point for several reasons, some of which I will go through now.

  • Someone with access to your computer will be able to access password protected sites without needing to type in your password.
  • It is possible to open the password file within some browsers and simply read the passwords off your screen.
  • There are password extraction programs which can be used to easily extract the passwords stored by your browser.
  • If your computer becomes compromised (never allow yourself to become overconfident) your passwords can be extracted over the internet.


It is really not a good idea to store important passwords in your browser.

Banks


Most financial establishments now use two-factor authentication, whereby they send you a message requesting approval before you can fully sign on to their web site. They may use TXT or email. Some banks use a special fob or card reader to help prove you are legitimate.

If your accounts are attacked, the attacker is unlikely to have both your log-on details and your mobile phone or other authentication method.

Creating a new password

  • New passwords must meet or exceed the minimum requirements.
  • The manager must be made aware of it immediately.
  • The manager should record when the password was created.
  • The manager should record why the password was created.
  • The manager should be aware of any specific password update policy required by whatever the password is for. The manager will need to record the update frequency and the person responsible for the updates. This would be in the form of “The password needs to be changed annually in August by Brian”.
  • The manager should be made aware of the lifespan of the password and the trigger point for its removal.

Changing an existing password

  • The manager must be made aware of it immediately.
  • Ideally, the person changing the password should also tell the manager why and when the password was changed.


Departure of a member of staff or, indeed, any password holder

  • All passwords a departing member of staff has access to should be changed by the manager immediately.


Using the same password again and again


Some low-security systems transmit the password unencrypted when you log in. In days gone by, Hotmail didn’t encrypt passwords. This meant that if an internet snooper picked up an unencrypted password, they would store it. Then, when the victim went to a web site which did encrypt passwords, the snooper would guess that the two passwords were the same and attempt to hack it.

Passwords with patterns


Yes, some people will use the same password repeatedly, changing a single digit each time. A pattern like this is easily identified, and once one password in the sequence is known the others can be guessed. For example qpj8srrt1, then qpj8srrt2, then qpj8srrt3 etc.

Other avoidable patterns include using the date as part of the password. It is handy if you are required to change your password regularly, but the sequence gives it away.

Some people use their bank pin as their phone pin – I kid you not!

Another pattern is to take a passage from something – a nursery rhyme, a poem or the beginning of a speech, for example – and use the first letter of each of the first few words as the password.

Manually encrypted passwords


Let’s say my email address is thomasfromdrumquin@megganet.com and my email password is yjp,sdgtp,fti,wiom. It looks complex, but look again. This is an old form of ‘encryption’: each character of the password is simply the key immediately to the right, on the keyboard, of the corresponding character in the email address.

See how long it takes you to work this one out – it uses a slightly different technique than the example above.

uipnbtgspnesvnrvjo

Cheeky, and it actually looks complex, but it is very easy to crack.
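Defensive checks for the patterns in this section and the previous one, added here as an example (this is not Megganet's code): a trailing-number rotation such as qpj8srrt1 followed by qpj8srrt2 (or a year suffix), and passwords derived from the email address by the keyboard-shift trick above or by a simple shift along the alphabet, which is the family the second example password belongs to. The email address and passwords are the page's own examples; the QWERTY row layout, the function names and the choice to compare case-insensitively are assumptions for illustration.

```python
# Added example (not Megganet's own code): checks a password manager or sign-up
# form could run to reject the patterned and "manually encrypted" passwords
# described on this page. The email address and passwords come from the page;
# the keyboard layout and helper names are assumptions.
import re
import string
from typing import Optional

# UK/US QWERTY rows, left to right, for the "key to the right" transform (assumed).
QWERTY_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
RIGHT_OF = {row[i]: row[i + 1] for row in QWERTY_ROWS for i in range(len(row) - 1)}


def keyboard_shift_right(text: str) -> str:
    """Replace each character with the key to its right (unchanged if it has none)."""
    return "".join(RIGHT_OF.get(c, c) for c in text.lower())


def alphabet_shift(text: str, k: int) -> str:
    """Shift each letter k places along the alphabet, wrapping z back to a."""
    a = string.ascii_lowercase
    return "".join(a[(a.index(c) + k) % 26] if c in a else c for c in text.lower())


def identity_derivation(password: str, email: str) -> Optional[str]:
    """Describe how the password is derived from the email's local part, or None."""
    local = email.split("@")[0].lower()
    pw = password.lower()
    if pw == local:
        return "same as email local part"
    if pw == keyboard_shift_right(local):
        return "email local part shifted one key right"
    for k in range(1, 26):
        if pw == alphabet_shift(local, k):
            return f"email local part shifted {k} letter(s) along the alphabet"
    return None


_SUFFIX = re.compile(r"^(.*?)(\d+)$")


def is_suffix_rotation(old: str, new: str) -> bool:
    """True when old and new share a base and differ only in a trailing number
    (qpj8srrt1 -> qpj8srrt2, or a year such as Summer2024 -> Summer2025)."""
    m_old, m_new = _SUFFIX.match(old), _SUFFIX.match(new)
    if not (m_old and m_new):
        return False
    return m_old.group(1) == m_new.group(1) and m_old.group(2) != m_new.group(2)


if __name__ == "__main__":
    email = "thomasfromdrumquin@megganet.com"  # the page's example address
    for pw in ["yjp,sdgtp,fti,wiom", "uipnbtgspnesvnrvjo", "Tr0ub4dor&3"]:
        print(pw, "->", identity_derivation(pw, email) or "not derived from address")
    print(is_suffix_rotation("qpj8srrt1", "qpj8srrt2"))
```

A password-change form would call is_suffix_rotation against the previous password (a hash comparison cannot do this, so it has to happen while the old password is still available at change time) and identity_derivation against the account's email address, and refuse the change when either returns a match.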

Foul passwords


Please avoid bad language, sectarian or racist language or other unacceptable terms in your passwords – remember they can be extracted by people who may not just use them to hack your services but also use them against you in other ways.

Two Factor Authentication

  • Two Factor Authentication (2FA) should be used when offered.
  • Keep a record of any service which requires 2FA and a reference to the person who receives the 2FA and the email address or mobile number these are sent to.
  • It might be worth noting that some clients have a specific office mobile phone to be used for 2FA, telephone diverts and other duties. If you get one, make sure the SIM does not expire – if it does, you may not find out until it is too late.


Door codes


The same rules apply to door codes and any other form of confidential information.


Recommendations

  • Make sure the password has 8 or more characters.
  • Use a combination of uppercase and lowercase letters, numbers and, if permitted, one or more non-alphanumeric (!, %, ^, _ etc.) characters.
  • Avoid including parts of what the password is for, in the password.
  • Use a different unguessable password for everything.
  • Use 2 factor authentication when possible.
  • Never write down or print passwords.
  • When you are finished with what the password is for – remove all records of it.
  • Avoid storing crucial passwords in your browser.
  • Use a password protection program that suits you.
  • Use fingerprint scanners or other bio forms of security if possible.
  • Characters to avoid, as they are easily confused with one another: i, I, l, L, o, O, 0, 5, s, S, 9 and q.
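A generator that follows the recommendations above, added here as an example (not Megganet's code): it draws from the operating system's secure random source, guarantees at least one character from each required class, and leaves out the confusable characters in the last bullet so the password can be read back without mistakes. The symbol set and the function names are assumptions; the page only gives !, %, ^ and _ as examples of symbols.

```python
# Added example (not Megganet's own code): generate a random password that meets
# the recommendations above and omits the confusable characters the page lists
# (i, I, l, L, o, O, 0, 5, s, S, 9, q). The symbol set below is an assumption.
import secrets
import string

CONFUSABLE = set("iIlLoO05sS9q")
SYMBOLS = "!%^_#@*+-=?"  # assumed set; the page names !, %, ^ and _ as examples

UPPER = [c for c in string.ascii_uppercase if c not in CONFUSABLE]
LOWER = [c for c in string.ascii_lowercase if c not in CONFUSABLE]
DIGITS = [c for c in string.digits if c not in CONFUSABLE]


def generate_password(length: int = 16, use_symbols: bool = True) -> str:
    """Return a password of the given length (minimum 8) containing at least one
    character from each required class, using the CSPRNG behind `secrets`."""
    if length < 8:
        raise ValueError("policy requires 8 or more characters")
    classes = [UPPER, LOWER, DIGITS] + ([list(SYMBOLS)] if use_symbols else [])
    pool = [c for cls in classes for c in cls]
    # one guaranteed character per class, the remainder from the whole pool
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # shuffle with the same secure source so class positions are not predictable
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def has_confusable(password: str) -> bool:
    """True if the password contains any character from the confusable list."""
    return any(c in CONFUSABLE for c in password)


if __name__ == "__main__":
    print(generate_password())                      # 16 characters with symbols
    print(generate_password(12, use_symbols=False))  # for systems that reject symbols
```

Because every character class is guaranteed, the output also passes the complexity rule at the top of this page; the `use_symbols=False` form is for the systems the page mentions that do not permit non-alphanumeric characters.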


Passwords do not make things easy for us but are a necessary evil.

Look after yourself.

None of this is copyright or watermarked and I would encourage you to copy and paste the contents of this page into your word processor and edit it to suit yourself.

Last edited 26/3/25



