It is 2018 and “Yes!” we are still dealing with passwords!! In Part 3 of our Security Best Practice series, we are going to dive into Password Creation and Management.
You arrived in the office nice and early to start this week off, right? You are getting ready to enjoy your first cup of coffee when Bill from Sales calls, “My keyboard isn’t working and is making a funny noise, can you come take a look?”. Sounds like a normal day in IT land, right? As you arrive at Bill’s desk to fix his keyboard, you see it, hanging on his monitor. It is a bright green sticky note that says – UN: BillN Pass: Chester68$. You shake your head in disbelief and ask Bill what it is. He responds like you hope he won’t, “Oh, that is my password that I use for just about everything. Chester is my cat and 68 is the year I was born. I recently had to add the dollar sign because the pesky password security makes me use a symbol now!”. I feel your pain, I honestly do. I will outline some steps below to try and help you curb “Bill’s” behavior and make your life easier.
End-User Education –
- Educate your staff on what is and isn’t a good password. As IT professionals, most of the time we take for granted what we know. We go on with our busy days believing others already know it and the reality is that most people really don’t understand how to properly create passwords and the importance of following specific standards. They only see the end result and that is gaining access to their accounts. You should schedule 30 minutes every quarter to send out an email, or better yet, hold a small class that covers the importance of good password creation and management.
2. During your training you should teach the end users how to create a strong password and why it is considered a strong password. Educate them on the practice of using phrases when possible. “The blue ball bouncing” is a considerably stronger password and much easier to remember than a keyboard smash of characters like 59$hTnskiw0@!.
Below are some items to point out to end-users about password creation:
- Do NOT use their name, family members or pet’s names
- Do NOT use their Social Security Number, Birth Date, Address, Phone Number, etc.
- Do NOT use any information that would be easily associated to them
- Do NOT use any password on more than one site
- Use at least 12 characters for a password
- Use a space if allowed
- If possible, try and create long phrases
This popular xkcd comic from cartoonist Randall Munroe illustrates the efficacy of a long phrase password vs the dreaded keyboard smash.
3. Educate end-users that rather than remembering passwords for every site and or account, to use a password management service like one of the following:
- LastPass – online
- 1Password – online
- DashLane – online
- KeyPass – Local application
- PasswordSafe – Local application
In short, these are all third-party services that allow an end-user to save all their passwords in one location and secure them with one master password.
4. If and when possible, run 2FA (Two-Factor Authentication). This will greatly increase the security of the end-user account. Instruct end-users to enable and run 2FA on any of the websites that they use on a normal basis. The website https://twofactorauth.org/ is a great resource for discovering which websites currently offer 2FA.
Password Management –
- If you haven’t already, now would be an appropriate time to move forward with putting in some password enforcement rules on your User Management platform (EX. Active Directory). Force users to do the following:
- Password Length at least 12 Characters long
- Uppercase, lowercase, numerical and character requirements
- Force Maximum Password Age
- Set this to 60 or 90 days. This can be shorter if you like but, the shorter the requirement typically the weaker the passwords users create. They don’t want to constantly be remembering and changing passwords.
- Force Minimum Password Age
- Set this to 30 days. This will keep users from just resetting their password right back to what it was prior.
- Enforce Password Re-use History
- Set this to a value of 4 or higher. This will force the user to keep cycling their passwords for the entire year.
By taking the steps above and educating our end-users we are working to create a more aware user base. This user base will hopefully over time continue to improve their password creation and management, which will benefit everyone involved. Not everyone will adhere to these best practices, but some will. I can assure you though, if you don’t start educating your user base they will NOT improve their password creation and management skills.
And what was wrong with Bill’s keyboard you ask? A key was being held down by one of the dozens of binders on his desk.
Until next time!!