
Best Practices for Password Management

Hello there! Today we’ll be discussing password management and password best practices. Alinity requires each user, whether it’s the College staff or its members, to have a password-protected account. Members usually log into their account only once a year (to renew) and forget their password afterwards, which is a common reason members contact the College. Passwords are a pain to keep track of, especially when we all have so many to remember for different accounts! In this post we will also discuss ways that an organization can email or reset a forgotten password for a member.

Tips for a Strong Password:

  • You should always have a different password for each account, because if you use the same one everywhere, a single leaked password lets an attacker into all of your accounts. This is especially important for accounts that hold sensitive information.
  • Use a password with various characters (letters, numbers, punctuation) and if applicable, capitalize some letters if the password is case-sensitive.
  • Do not use passwords that are easily guessable, for example, if you are using Alinity, do not make your password “Alinity” or don’t make your password your name. You also do not want to use anything that someone could find out about you easily, such as your birthday, favorite pet, phone number, etc.
  • Make your password long! The longer the password, the more possible combinations there are, and the longer it takes an attacker to try them all (a computer could eventually succeed, but it would take a very long time). This is another reason to add numbers and punctuation: more possible characters in each position means more combinations to search.
  • Wired has written an interesting article about the safety of passwords which you can find here!

Don’t keep passwords saved on your computer in plain text. A hacker can not only break into online accounts, but also into your computer and open your documents. Scary, yes, but that’s why we need to protect ourselves as much as possible! Instead, store your passwords in a password management app, such as LastPass. LastPass is a free password management system that stores your passwords securely in the cloud. All you need to remember is one extremely secure master password to access them all. This password should be made very complex.

For Organizations: How to let a member with a forgotten password back in

In the case that a password has been forgotten, what are secure ways that an organization can help the user? We’ll start with the least secure method and work up to the most secure. I’m mentioning the less secure methods in case your organization is using one of them and wants to compare it to the stronger methods, or maybe you haven’t heard of the more secure methods yet! Here goes:

Sending Username AND Password

One way an organization can let users back into their account is to email them the username and password. This method is not highly secure because somebody who gets into the person’s email, or into a device where that email is logged in, learns both the username and the password.

Sending Either Username OR Password

An email that mentions only the username or only the password, not both, is a little more secure than an email stating both. With only one of the two revealed, someone who gets into the person’s email still has to figure out the other half of the puzzle. This still isn’t highly secure, since many times the email address IS the username, but it’s more secure than handing over all the information in one email.

Sending Password with Expiry

Some organizations send the person who forgot their password a temporary password that expires after a few hours or after its first use for login. The person uses it to log in immediately and change their password to something they will remember. This is more secure than the first two methods: the temporary password is only useful to the person who requested it, and only in the short window before it is used or expires, so if someone sees that email later, they cannot use the temporary password again.

Sending Link with Expiry

Similar to the password with expiry, the organization can email the person a link that must be clicked within 24 hours and that takes them to a page where they can reset their password.

Sending Link with Expiry AND Verification

The organization can go the extra mile and be a little more secure by adding a verification step: the person must enter information that confirms who they are before the password can be reset. If verification fails, the link is invalidated, and it also expires with time.

The 2-Step Verification

This method is now used by Gmail. Once you have forgotten your password and successfully changed it, by whichever method above, the cellphone number or email address previously connected to the account receives a message telling you that the password has been changed or that a login occurred on a new device. This is beneficial because if you didn’t change your password, you know that someone else did and can fix it right away.

Alinity and Passwords

Since Alinity doesn’t store any passwords, as previously mentioned, we only give users who have requested a password reset the ability to reset their own password. This means that none of us know your password, and no one who could break into Alinity could learn your password, so it’s extremely secure.
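To make the two ideas above concrete, the expiring, single-use reset link with a verification step, and a service that can let a user reset a password without ever holding the password itself, here is an added Python example. It is constructed for this post and is not Alinity’s code or code from the original article. The PasswordResetService class, its 24-hour expiry constant, the use of the account’s email address as the verification detail, and the sample user “alice” are all assumptions made for the illustration; the salted scrypt hashing and the hashed, single-use token are standard practice rather than anything the post describes.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed 24-hour link expiry, as in the post


class PasswordResetService:
    """Hypothetical service (constructed example, not Alinity's code).

    Only a salted hash of each password and a SHA-256 hash of each reset
    token are kept, so neither staff nor anyone who reads the tables learns
    the secret itself. Reset tokens expire and are consumed on first use.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._users = {}             # username -> {"salt", "hash", "email"}
        self._reset_tokens = {}      # sha256(token) -> {"username", "expires"}

    # --- password storage: salted hash, never the plaintext ---
    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=32)

    def register(self, username: str, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": self._hash_password(password, salt),
            "email": email,
        }

    def check_login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        candidate = self._hash_password(password, rec["salt"])
        return hmac.compare_digest(rec["hash"], candidate)  # constant-time compare

    # --- reset link: random token, stored hashed, with expiry ---
    def request_reset(self, username: str) -> Optional[str]:
        """Return the token that would go into the emailed link (None if no such user)."""
        if username not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._reset_tokens[token_hash] = {
            "username": username,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
        }
        return token

    def complete_reset(self, token: str, verify_email: str, new_password: str) -> bool:
        """Consume the token on any attempt; succeed only if unexpired and verified."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self._reset_tokens.pop(token_hash, None)  # single use, even on failure
        if entry is None or self._clock() > entry["expires"]:
            return False
        user = self._users[entry["username"]]
        # verification detail must match what is on file (assumed: account email)
        if not hmac.compare_digest(user["email"].lower().encode(),
                                   verify_email.lower().encode()):
            return False
        salt = os.urandom(16)  # fresh salt on every password change
        user["salt"], user["hash"] = salt, self._hash_password(new_password, salt)
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.register("alice", "alice@example.org", "correct horse battery")  # constructed sample
    link_token = svc.request_reset("alice")
    print("reset ok:", svc.complete_reset(link_token, "alice@example.org", "new passphrase"))
    print("old password still works:", svc.check_login("alice", "correct horse battery"))
    print("new password works:", svc.check_login("alice", "new passphrase"))
```

Two design points carry the post’s argument: the token is removed from the table the moment anyone presents it, so a failed verification attempt burns the link exactly as the post describes, and the stored records contain only hashes, so a leaked table does not hand over either the passwords or usable reset links.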

If you have any questions or suggestions regarding passwords and password management, feel free to leave them in the comment section below! Have a lovely day!

Looking for new license management or association management software for your regulatory body? Use our Software Procurement Checklist to help you narrow your choice down to the perfect software for your organization.