Security Awareness Blog

Teaching the Wrong Thing About Password Security Awareness

Okay, another debate just popped up about password complexity. I'm starting to get frustrated with all this discussion on exactly what the perfect, complex password is. At some point it does not matter; good enough is good enough. The reason I'm concerned is that organizations may lose focus on the big picture on passwords. There are other risks besides complexity, risks we need to be addressing, risks such as ...

  1. Never Share Your Password: You would not believe how many times I find this to be a problem at organizations, including supervisors asking employees for their password.
  2. Public Computers: Do you have employees logging into work (or banking online) from that computer in the hotel lobby or from a cyber cafe? Teach them the issues of using non-secured computers to login to secured accounts.
  3. Re-use: Use different passwords for different types of accounts. Your work password should be different than your personal passwords. Your personal banking passwords should be different than your personal fun accounts.
  4. Questions: Explain to people that password reset questions are really nothing more than another password. If they are answering personal questions with information that can be found on Facebook, LinkedIn or Google, they do not have secure passwords (Sarah Palin anyone).
  5. Two Factor: Make sure people are aware that some sites offer two-factor authentication (like Google). Explain to people what this is and encourage them to use this option whenever possible.
  6. Writing Passwords Down: How am I supposed to remember my 100+ passwords if I do not write them down? The key is explaining to people how to do it securely. Yes, sticky notes are bad, but give people secure alternatives. Explain that there are security programs that can securely store their passwords, or if the passwords are written down, have them kept in a secured safe.
  7. Getting Owned: Want to protect your password, then don't get infected! Zeus anyone?

Notice how in almost every case I just described it does not matter how complex your password is, you are still owned? Yes, complex passwords are important; however, my concern is that we are forgetting the bigger picture and confusing a lot of people in the process.

9 Comments

Posted March 14, 2012 at 5:23 PM

Horacio Serna

Use a Password Manager, like "LastPass".
Then you just have to remember one robust password.
And those accounts related to Finances (banks, etc) have to include Two Factor.

Posted March 14, 2012 at 5:40 PM

lspitzner

This is great stuff! When we teach people how to protect themselves (such as their passwords) we have to also enable them how to do it. Suggestions such as "LastPass" and other password storage utilities are a great idea. Thanks!

Posted March 15, 2012 at 4:32 PM

Luis Martinez

I recently gave a presentation about creating secure passwords at work as part of our expanding Security Awareness and Training program. These are all great points you make, and I think I hit all them in my presentation.
LastPass and KeePass are the two tools I mentioned for safely storing your passwords. Of course, a long and difficult-to-guess password should be used when protecting these databases. Otherwise, you have just made it easier for the hacker to gain access to all your accounts.
I think I stunned the audience when I said to LIE on their "Security Questions" for online accounts. Like you mentioned, how secure is "mother's maiden name" when it's splattered all over Facebook or if the hacker is someone you know? Most of the real answers are likely public information anyway, so just make something up and store your answers in the same password databases.
I agree with you about complexity being overhyped. I personally teach to use random password generators, programs to protect them in a password-protected DB, and then use really long, but easy to remember phrases. I'll take a lengthy (non-dictionary) password over a short complex one any day.

Posted March 15, 2012 at 4:45 PM

lspitzner

Luis, thanks for the feedback! As always, if you have any other suggestions please feel free to share. Awareness is still a very immature field compared to other areas in security, so we can use all the help we can get.

Posted April 27, 2012 at 8:02 PM

Jon

+1 on that! I also encourage people to provide answers to security questions that they will remember but will confound others trying to guess. Things like using a formula for a favorite food is a fav!

Posted March 16, 2012 at 2:39 PM

Alan

If you aren't reusing passwords across multiple services, use of a password manager is almost unavoidable. Aside from LastPass and KeePass, two of the better known ones already mentioned, some versions of IronKey secure USB drives also come with a password manager on board. An IronKey is also a great place to put your KeePass database for an extra level of security.
I think a question that needs to be addressed more widely is which password manager? There are lots of password manager applications. Some of them are probably to be avoided like the plague. There needs to be more discussion about which ones work best and how to use them securely. A lot of reviews focus on ease-of-use, which is important if the goal is to get lots of people to use them, but there's no point if the security is badly implemented. ElcomSoft just did a review of the security provided by mobile password manager apps for iOS and BlackBerry and appear not to have been impressed. See http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf
Two factor is definitely a plus, although the crooks seem to be constantly coming up with innovative ways to get round that as well, even two factor where one factor is an OTP. I'm playing around with a YubiKey at the moment. This can be used for two factor on a number of services, including some password managers like LastPass. It generates OTPs but can also be used to store very long static passwords that could be combined with a memorized password. Yubico has a number of different types of keys that can be integrated into different enterprise systems and they are in the process of releasing an NFC version that will work with some of the latest smartphones. Some services aside from Google's own services can also use Google Authenticator, e.g. LastPass.

Posted March 16, 2012 at 2:51 PM

lspitzner

Great feedback, Alan, thanks so much!

Posted May 25, 2012 at 1:44 PM

Fraud_fighter

What is mildly amusing to me is when someone thinks a strong password is as strong as one may need; the truth is usernames and passwords are not secure anymore. It has been proven true time and time again. To be best protected with online accounts, people need to look for websites and organizations who offer two-factor authentication technology and activate it where they can telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice. For me, this gives me the confidence that my account won't get hacked and my personal information isn't up for grabs.

Posted May 25, 2012 at 1:46 PM

lspitzner

Fraud Fighter, I could not agree with you more.