It is 2018 and, yes, we are still dealing with passwords! In Part 3 of our Security Best Practice series, we are going to dive into password creation and management.
You arrived in the office nice and early to start this week off, right? You are getting ready to enjoy your first cup of coffee when Bill from Sales calls, “My keyboard isn’t working and is making a funny noise, can you come take a look?”. Sounds like a normal day in IT land, right? As you arrive at Bill’s desk to fix his keyboard, you see it, hanging on his monitor. It is a bright green sticky note that says – UN: BillN Pass: Chester68$. You shake your head in disbelief and ask Bill what it is. He responds like you hope he won’t, “Oh, that is my password that I use for just about everything. Chester is my cat and 68 is the year I was born. I recently had to add the dollar sign because the pesky password security makes me use a symbol now!”. I feel your pain, I honestly do. I will outline some steps below to try and help you curb “Bill’s” behavior and make your life easier.
End-User Education –
2. During your training you should teach the end users how to create a strong password and why it is considered a strong password. Educate them on the practice of using phrases when possible. “The blue ball bouncing” is a considerably stronger password and much easier to remember than a keyboard smash of characters like 59$hTnskiw0@!.
Below are some items to point out to end-users about password creation:
This popular xkcd comic from cartoonist Randall Munroe illustrates the efficacy of a long phrase password vs the dreaded keyboard smash.
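To make the comic's point measurable, here is an added estimator (written for this post, not from the article or from xkcd) that scores a password under three attacker models: brute force over the detected character set, a word-list attack on phrases, and the "dictionary word + digits + symbol" habit that produced Bill's Chester68$. The dictionary size, symbol count and guess rate are assumptions chosen for illustration, not measurements, and the regex for the mangled-word pattern is a deliberately simple stand-in for real cracking rules.

```python
import math
import re
import string
from typing import Optional

# Constructed assumptions for the illustration (not from the article).
DICTIONARY_SIZE = 7776                    # assumed word-list size (Diceware-sized)
SYMBOL_COUNT = len(string.punctuation)    # 32 printable ASCII symbols
GUESSES_PER_SECOND = 1e10                 # assumed offline rate against a fast hash


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += SYMBOL_COUNT
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Entropy if the attacker tries every string over the detected alphabet."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(password: str) -> Optional[float]:
    """Entropy under a word-list attack; None if the password is not all words."""
    words = password.split(" ")
    if not all(w.isalpha() for w in words):
        return None
    return len(words) * math.log2(DICTIONARY_SIZE)


def mangled_word_bits(password: str) -> Optional[float]:
    """Entropy for the 'word + digits + optional symbol' habit (Bill's Chester68$)."""
    m = re.fullmatch(r"([A-Za-z]+)(\d+)([^\w\s]?)", password)
    if m is None:
        return None
    _, digits, symbol = m.groups()
    bits = math.log2(DICTIONARY_SIZE) + len(digits) * math.log2(10)
    if symbol:
        bits += math.log2(SYMBOL_COUNT)
    return bits


def estimate(password: str) -> dict:
    """Bits of entropy under each applicable model, plus the weakest one."""
    models = {"brute_force": brute_force_bits(password)}
    for name, fn in (("wordlist", wordlist_bits), ("mangled_word", mangled_word_bits)):
        bits = fn(password)
        if bits is not None:
            models[name] = bits
    weakest = min(models.values())
    models["weakest_bits"] = weakest
    # Average case: half the keyspace at the assumed guess rate, expressed in years.
    models["years_to_crack"] = (2 ** weakest / 2) / GUESSES_PER_SECOND / (365 * 24 * 3600)
    return models


if __name__ == "__main__":
    for pw in ("Chester68$", "59$hTnskiw0@!", "The blue ball bouncing",
               "The blue ball bouncing on the stairs"):
        e = estimate(pw)
        print(f"{pw!r}: weakest model gives {e['weakest_bits']:.1f} bits, "
              f"~{e['years_to_crack']:.2g} years at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Under these assumptions Bill's Chester68$ scores about 25 bits once the attacker guesses the pattern, the four-word phrase about 52 bits under a word-list attack, and the 13-character keyboard smash about 85 bits; adding a few more words to the phrase pushes it past the keyboard smash while staying memorable, which is the trade the comic is making. The lesson to pass on is that the attacker always picks the cheapest model, so a password's strength is whatever its weakest model says.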
3. Educate end-users to use a password management service rather than trying to remember a separate password for every site and/or account, for example one of the following:
In short, these are all third-party services that allow an end-user to save all their passwords in one location and secure them with one master password.
4. If and when possible, run 2FA (Two-Factor Authentication). This will greatly increase the security of the end-user account. Instruct end-users to enable and run 2FA on any of the websites that they use regularly. The website https://twofactorauth.org/ is a great resource for discovering which websites currently offer 2FA.
Password Management –
By taking the steps above and educating our end-users we are working to create a more aware user base. This user base will hopefully over time continue to improve their password creation and management, which will benefit everyone involved. Not everyone will adhere to these best practices, but some will. I can assure you though, if you don’t start educating your user base they will NOT improve their password creation and management skills.
And what was wrong with Bill’s keyboard you ask? A key was being held down by one of the dozens of binders on his desk.
Until next time!!