If you’re doing things right on the password front (and chances are, you are), you have a clear password policy for your organisation, and end users are required to regularly change their login credentials and meet certain length and complexity requirements. As such, you might think you are doing all you need to in order to ensure that end-user passwords are strong enough to protect organisational data and assets.
The reality is that you need to be doing more.
Why you need to think like an end user
It may sound a bit like pop psychology, but understanding how your end users feel about password management is key to cracking the code on password hygiene.
Passwords are everywhere — quite literally. And we are continuously asking our users to be more diligent, to incorporate more complexity, and to add more variety to the passwords they use. Oh, and by the way, also to remember all of these passwords (without writing them down) and to change them every few weeks or months (without complaint).
IT is not where they live. They are not resistant to these things because they want to make your life more difficult. They are simply trying to make their lives easier. And so they find workarounds.
One of these workarounds is reusing passwords. Whether simple or complex, a single password that unlocks multiple accounts is a breach waiting to happen. And we’ve likely all told our end users that they need to use different passwords on every account — but have we really told them why it’s important? Do they have any sense that cybercriminals are using armies of botnets to automate their attempts to reuse exposed credentials on sites across the internet?
If end users start to understand the why, it’s easier to get them to buy into the what that you’re asking for.
Explain the ramifications of password reuse to your end users
To get users to stop reusing passwords, start with a logical explanation. Advise them to think about a password the way they would the combination to a safe in their home:
- First, they would want that combination to be at least fairly complex. A 1 (L), 2 (R), 3 (L) just wouldn’t pass muster for protecting their valuables.
- Second, they wouldn’t want just anyone to have that combination; those valuables need to be secured.
- Third, they wouldn’t write down the combination and put it under the safe to refer to when they wanted to open it. They would memorise that combination (and refuse to make it easy for a stranger or burglar to figure it out).
Then, ask them to equate that to their online activities. Their electronic accounts — both personal and corporate — hold a lot of valuable data. Setting simple passwords, sharing them (or being lax with security), and writing them down and putting them in a desk drawer or under a mousepad or keyboard makes it far too easy for an outsider to gain access to all that data (like banking accounts, credit card numbers, medical information, confidential communications, etc.). Just as they would not want to make it easy for a thief to get into a safe, they should not want to make it easy for a cybercriminal to get into their electronic accounts.
Now, let’s take the analogy a step further. Ask your end users to imagine that they have five combination safes in their house, each with very valuable contents (personal papers in one, money in another, credit cards in another, etc.). For simplicity, all of the safes have the same combination — and it’s a pretty complex one. But here’s the catch: A burglar is actively attempting to crack one of the five safes. And if that invader cracks the first combination, it’s only a matter of time before he opens all of them.
End users should then think about how this applies to their online accounts. Even if they have taken the important step of banishing use of simple passwords (like password123 and 123456), this analogy shows them that a complex password reused on multiple sites can leave them even more vulnerable than a simple password used on a single site.
Making password hygiene easier to manage for end users
Yes, helping end users become more aware of the importance of password hygiene is an important step. But to really change behaviours, you’ve got to help them figure out how to simplify password management. Here are some actionable pieces of advice you can offer:
Use passphrases instead of passwords
The simple fact is that longer is better in terms of password strength, and random combinations are key. It’s a great idea for end users to tap into personal phrases (not commonly used sayings) that are easy for them to remember but difficult for anyone else to guess. Instead of something like “I<3NewYork,” for example, they should opt for something more random, like “I<3TravelingwithMyFamilyof5!” It’s long, but memorable — and hard for a cybercriminal to guess or break. Choosing phrases that make sense based on the site they are visiting can make things easier with regard to avoiding password reuse.
Use a Password Manager
Password managers encourage users to use more sophisticated passwords since these tools help keep track of the credentials. There are several great options to choose from, but it’s a great idea to make specific suggestions to your users to take the guesswork out of it for them.
Add Multi-Factor Authentication When Possible
It’s heartening to see so many sites adding the option for multi-factor authentication, but it’s important that end users be encouraged to take advantage of it when they can. (It’s also a great idea for your organisation to add it on key assets like email clients, VPNs, and cloud storage if you have not yet done so.) Though some are likely to be resistant to 2FA because they regard it as a hassle, explaining the benefits can help change mindsets.
Making end-user password hygiene easier to manage for you
Here are ways to make it easier to improve end-user password hygiene within your organisation:
As noted above, IT is not where your end users live. Though you stay up-to-date on the latest cyberattacks and industry news and events, it’s highly unlikely that your end users are doing the same. Keep your users informed about password security issues on a regular basis and remind them that compromised passwords are regularly sold online to the highest bidders. Most importantly, explain the potential ripple effects of password reuse; let them know that hackers have access to software that can break number-only combinations and dictionary-word passcodes in a matter of seconds.
Take It Outside the Walls of the Workplace
Think beyond the confines of your organisation and give helpful hints for users to apply at home, too. Suggest places where users should add 2FA on personal accounts. The more comfortable and empowered your users become, the more secure personal and corporate data and systems will be.
Strengthen Your Password Policy
Back in 2012, Blackberry took steps to prevent weak passwords when they banned more than 100 simple passcodes on their devices. Feel encouraged to take similar steps in your organisation. Implement technical safeguards to help wipe out basic combinations.
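The technical safeguard this section recommends, together with the “longer is better” passphrase advice and the point that number-only and dictionary-word passcodes fall in seconds, can be enforced at password-set time. The following is an added example written for this article, not code from Wombat Security or from any of the products mentioned. It checks a candidate password against a banned-password list, a minimum length, a digits-only rule and a single-dictionary-word rule (after undoing common substitutions such as “@” for “a”), and reports a rough keyspace estimate that an administrator can use to explain the “why” to users. The blocklist, word list, minimum length and the guesses-per-second figure are all constructed assumptions; a real deployment would load a breached-password list and a full dictionary.

```python
"""Added example: a password-policy check with a banned list, minimum length,
digits-only and dictionary-word rules, plus a rough keyspace estimate.
All lists and thresholds below are constructed sample values (assumptions)."""

import math
import re
from dataclasses import dataclass, field

# Constructed sample banned list; stands in for a breached-password list.
BANNED_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "welcome1"}

# Constructed sample dictionary; stands in for a full word list.
DICTIONARY_WORDS = {"travel", "family", "summer", "dragon", "monkey", "football"}

# Assumed policy minimum; the article only says "longer is better".
MIN_LENGTH = 12


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list[str] = field(default_factory=list)
    estimated_bits: float = 0.0  # log2 of the keyspace implied by length and alphabet


def _strip_decorations(lowered: str) -> str:
    """Drop leading/trailing digits and symbols so 'dragon2019!' compares as 'dragon'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)


def _undo_substitutions(core: str) -> str:
    """Map common look-alike substitutions back so 'p@ssw0rd' compares as 'password'."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})
    return core.translate(table)


def estimate_bits(password: str) -> float:
    """Keyspace estimate: length * log2(alphabet size). This overstates the strength
    of dictionary-based secrets, so it is reported, never used to accept a password."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline guessing rate.
    The 1e10 guesses/s default is an illustrative assumption, not a measured figure."""
    return (2.0 ** bits) / guesses_per_second


def check_password(password: str) -> PolicyResult:
    """Apply each rule and collect every reason for rejection, so the user sees all of them."""
    result = PolicyResult(accepted=True, estimated_bits=estimate_bits(password))
    lowered = password.lower()
    core = _undo_substitutions(_strip_decorations(lowered))

    if lowered in BANNED_PASSWORDS or core in BANNED_PASSWORDS:
        result.reasons.append("on the banned-password list")
    if len(password) < MIN_LENGTH:
        result.reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        result.reasons.append("digits only")
    if core in DICTIONARY_WORDS:
        result.reasons.append("a single dictionary word with decorations")

    result.accepted = not result.reasons
    return result


if __name__ == "__main__":
    # Constructed candidates: the article's passphrase, a decorated dictionary word,
    # a digits-only PIN-style secret and a substituted banned password.
    for candidate in ["I<3TravelingwithMyFamilyof5!", "Dragon2019!", "12345678901234", "P@ssw0rd"]:
        r = check_password(candidate)
        verdict = "accepted" if r.accepted else "rejected: " + "; ".join(r.reasons)
        print(f"{candidate!r}: {verdict} (~{r.estimated_bits:.0f} bits, "
              f"exhaustive search ~{seconds_to_exhaust(r.estimated_bits):.2e} s)")
```

Reporting every failed rule at once, rather than the first one, matters for the behaviour-change goal of this article: a user who sees “shorter than 12 characters” and “a single dictionary word” together learns what the policy is actually asking for, instead of iterating blindly. The keyspace figure is deliberately kept separate from the accept/reject decision because a decorated dictionary word scores well on length and alphabet while still falling to a wordlist attack.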
Provide Continuous Training
While World Password Day is a good reminder to end users to take password safety seriously, all members of an organisation should be involved in ongoing security awareness and training activities that emphasise the need for good password hygiene (and other cybersecurity habits) year-round. In order to successfully change end-user behaviour, you’ll need to use education tools to turn awareness into knowledge.
Kurt Wescoe is Chief Architect at Wombat Security Technologies