Password Awareness – Creation & Management
Password Creation & Management
It is 2020 and, yes, we are still talking about passwords! In this post we are going to talk about security best practices; specifically, we are going to dive into password awareness, creation and management.
You get into the office nice and early Monday morning to start the week off right. You are brewing your first cup of coffee when Zach from sales calls in: “My mouse is not working and it’s making a strange noise, can you come check it out?” Starts out like a normal Monday, right? As you arrive at Zachary’s desk to fix his mouse, you see it, hanging there on his monitor, plain as day. It is a bright yellow sticky note that says: UserName: Zach Password: DoNotEnter!@. You shake your head in disappointment and ask Zach, “What is that?” He responds with a slight chuckle, just like you hoped he wouldn’t: “That is my password for my computer and email. Clever, right? I just had to add the !@ signs because the darned password policy makes me use a symbol now!”
This is painful to see. It makes me sad. 🙁 Below I will go over some simple steps to help you curb “Zach’s” behavior and make your tech life safer.
Staff Training and Education:
Educate and train your employees on what is and what is NOT a good password (Password Awareness). We often take for granted what we know. We go about our busy days thinking others should already know, when the reality is that most people don’t understand how to make secure passwords or why it is so important. They only see it as a hardship or inconvenience, never thinking about how it is the digital equivalent of having a janky lock on the front door of your home. You need to schedule 30 minutes once a quarter to send out an email, or better yet, hold a mandatory meeting that covers the importance of good password creation and management.
During your staff meeting you should educate the employees on how to create a strong password and why it is considered strong (Password Awareness). Teach them the practice of using short sentences or phrases where applicable. “Why is the Sky blue” is a much stronger password, and far easier to remember, than a keyboard mash of characters like 26^!HGniue!
Below are some things to point out to staff on password creation:
- Absolutely do NOT use their Social Security Number, birth date, address, phone number, etc.
- Do NOT use their own name, pets’ names or family members’ names
- Do NOT use any information that would be easily associated with them
- Try NOT to use any password on more than one site
- Use a space when allowed
- Use at least 12 characters for a password
- When possible, create long phrases
Educate staff by letting them know there are easier ways of remembering passwords for every account and/or site: use a password manager service when possible. The below are all good options:
It is important to note that these are all third-party services that allow a user to save all their passwords in one place and then secure them with one master password (so you only have to remember one password).
When possible, enable Two-Factor Authentication. This will greatly increase the security of any user account. Instruct staff to enable Two-Factor Authentication on all of the websites that they use on a regular basis.
If you haven’t addressed any of this (Password Awareness) in the past, now would be a great time to move forward with implementing some password policies and force users to do the following:
- Password length of at least 12 characters
- Uppercase, lowercase, numerical and special character requirements
- Force Maximum Password Age
  - Set this to 60 or 90 days. This can be shorter if you like, but the shorter the interval, the weaker the passwords users typically create, because they don’t want to be constantly remembering and changing passwords.
- Force Minimum Password Age
  - Set this to 30 days. This will keep users from just resetting their password right back to what it was before.
- Enforce Password Re-use History
  - Set this to a value of 4 or higher. This will force the user to keep cycling their passwords for the entire year.
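As an added example (not code from the original post), here is a small Python checker that turns the creation guidance above and the policy settings just listed into enforceable rules: minimum length, the four character classes, no personal information, a re-use history of 4, a 30-day minimum age and a 90-day maximum age. The user record, the sample passwords and the dates are constructed for illustration, and the plain SHA-256 used to store history is an assumption that keeps the example self-contained; a real system would use a slow, salted password hash.

```python
import hashlib
import string
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Policy:
    """Thresholds taken from the post's recommendations."""
    min_length: int = 12      # at least 12 characters
    max_age_days: int = 90    # force maximum password age: 60 or 90 days
    min_age_days: int = 30    # force minimum password age: 30 days
    history_size: int = 4     # enforce re-use history: 4 or higher


@dataclass
class UserRecord:
    username: str
    # Things the user must not build a password from (name, pets, phone, ...).
    personal_terms: List[str] = field(default_factory=list)
    # Digests of previous passwords, oldest first.
    history: List[str] = field(default_factory=list)
    last_change: Optional[date] = None


def _digest(password: str) -> str:
    # Assumption for a self-contained example only: real systems must store
    # passwords with a slow, salted hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_candidate(password: str, user: UserRecord, policy: Policy, today: date) -> List[str]:
    """Return the names of the rules the candidate violates (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    # Complexity: all four classes. Spaces are allowed but count as no class.
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no_symbol")
    # Personal information: username, names, phone numbers and similar.
    lowered = password.lower()
    if any(t and t.lower() in lowered for t in [user.username, *user.personal_terms]):
        problems.append("contains_personal_info")
    # Re-use history: reject any of the last N passwords.
    if _digest(password) in user.history[-policy.history_size:]:
        problems.append("recently_used")
    # Minimum age: stop users from cycling straight back to the old one.
    if user.last_change is not None and (today - user.last_change).days < policy.min_age_days:
        problems.append("changed_too_recently")
    return problems


def is_expired(user: UserRecord, policy: Policy, today: date) -> bool:
    """True once the maximum password age has passed and a change must be forced."""
    if user.last_change is None:
        return True
    return (today - user.last_change).days >= policy.max_age_days


def record_change(user: UserRecord, password: str, policy: Policy, today: date) -> None:
    """Store the new password's digest, trim history to the policy size, stamp the date."""
    user.history.append(_digest(password))
    user.history = user.history[-policy.history_size:]
    user.last_change = today


# Constructed sample modelled on the sticky note in the post.
CANDIDATES = ("DoNotEnter!@", "Why is the Sky blue", "Why is the Sky blue 2day?")


def sample_user() -> UserRecord:
    return UserRecord("zach", ["Zachary", "DoNotEnter"],
                      history=[_digest("DoNotEnter!@")], last_change=date(2019, 10, 15))


def demo() -> dict:
    """Run the constructed scenario and return every outcome in one dict."""
    policy, zach, today = Policy(), sample_user(), date(2020, 1, 20)
    results = {
        "expired_before_change": is_expired(zach, policy, today),   # 97 days old
        "candidates": {c: check_candidate(c, zach, policy, today) for c in CANDIDATES},
    }
    accepted = CANDIDATES[2]
    record_change(zach, accepted, policy, today)
    results["expired_after_change"] = is_expired(zach, policy, today)
    results["retry_next_week"] = check_candidate("Another Fine Phrase 9!", zach, policy, date(2020, 1, 27))
    results["reuse_in_april"] = check_candidate(accepted, zach, policy, date(2020, 4, 1))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the rules interacting: Zach's sticky-note password fails for a missing digit, for containing a term tied to him and for being in his re-use history; the passphrase “Why is the Sky blue” passes the length rule but fails the digit and symbol requirements, so under a four-class policy users will tack on a digit and symbol much as Zach did; “Why is the Sky blue 2day?” is accepted, after which a second change one week later is blocked by the 30-day minimum age and re-using the accepted phrase in April is blocked by the history.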
By implementing the processes above and educating staff, we are making strides toward a more password-aware employee base. That base will hopefully continue to step up its password creation and management, which benefits not just employers but the employees in their own home lives. Sadly, we won’t get everyone to adopt these best password practices, but some will. I am sure of one thing: if we don’t start training and educating our users, they absolutely will NOT improve their password creation and management, and we will not become any more secure.
OH! What was wrong with Zach’s mouse? He just needed a new battery. 🙂