I consistently find passwords one of the most challenging part of any awareness program as we have to teach people a patchwork of confusing rules. These rules can include always use long, complex passwords, never share your passwords, unique passwords for every account, never write your password down, be cautious of personal questions, and more. To make matters worse, not only are different people teaching different rules, but those rules change over time. *sigh*
One of the key guidelines of changing behavior is focus on the fewest behaviors that address the greatest risk. When you take this approach, you will soon find the hardest part about effective awareness is deciding what NOT to teach people. For example, a frustration of mine is the old adage always change your passwords every 90 days. Why? This rule may have had value eons ago, but let's take a look and see what the value (and costs) truly are.
First, what is the risk we are reducing? The idea is if your password is compromised, by changing your password every 90 days you prevent the bad guy from getting in. This may have been valid ten years ago when most attacks were slow and manual, but in today's highly automated environment, once your password is compromised bad guys are most likely going to leverage it long before your 90 day change is up. The question is, is the change of behavior worth it? No. As so often in our field, people forget the COST of implementing a control. Let's do that.
Let's say you are an organization of 1,000 people, with the policy of changing passwords every 90 days. Let's say it takes a person on average 5 minutes of thinking of a new password and trying out different versions until the update is accepted. Now let's say that 10% of the organization has problems with the change process and has to call help desk, which requires another 5 minutes of discussion over the phone. In addition, lets say that since people are constantly changing passwords, they at times forget them, and during every quarter 20% have to call the help desk to reset their passwords. Now let's run some numbers.
1,000 x 5 minutes x 4 = 20,000 minutes
1,000 x .1 x 10 minutes x 4 = 4,000 minutes
1,000 x .2 x10 minutes x 4 = 8,000 minutes
32,000 minutes = 533 employee hours.
533 x $30 an hour x 2 passwords = $31,800*
*Note: This analysis assumes every employee has two passwords at work. For organizations with more you would have increase this number based on number of passwords.
We are paying almost $32,000 in lost company time just from changing passwords (assuming employees only have two passwords). Two passwords are not alot. I just checked my password manager, I have 98 passwords. If I were to change those passwords every 90 days the costs would be far greater. Also, this calculation does not include lost productivity because people could not access a system or employee frustration with security. I feel we would benefit far better if we spent that same amount of time and resources teaching people to use strong, unique passwords for every account. Better yet, provide them tools and training on password managers and two-step verification. This investment will go much farther in protecting people. Does changing your password every 90 days reduce risk? Yes, but only minimally and at great cost.
Ultimately, you may disagree with my approach, or disagree with my numbers. That is fine. My end goal is to get people thinking about what they teach in their security awareness program. Whenever you tell someone they have to change a behavior, there better be a good reason why.