Tags:
- Complexity: One of the first things every organization focuses on is password complexity. I see organizations moving to 12-character passwords with one CAPITAL, one number, one symbol, changed every ninety days. In a previous blog post I argued this may be overkill; we are potentially doing more harm than good. I feel we need just as much focus, if not more, on the additional topics below.
- Sharing: Employees often feel comfortable sharing passwords with other employees or supervisors. This is a dangerous practice. First, you lose accountability: with shared accounts you cannot track who did what. In addition, once a password is shared it may spread further than expected, including to unethical employees.
- Dual Use: Many users use the same password for all their accounts. I feel some reuse of passwords is acceptable, but only across non-critical accounts. If your Facebook, Flickr and blog-comment passwords are the same, that is perhaps an acceptable risk. What is not acceptable is your Flickr login and password being the same as your work or online-banking login and password.
- Public Computers: Another is logging into confidential networks from public computers, such as those in Internet cafes, hotel lobbies or airport terminals. These computers may be infected or, at the very least, sitting on compromised networks. End users should authenticate only from trusted systems they control.
- Phishing: No one should ever ask an end user for their password. Reinforce this lesson: if someone asks for a password, assume they are an attacker. It is a simple lesson that should be continually reinforced.
- Owned: Finally, if you think about it, most password compromises come from keystroke-logging malware, not from brute forcing. If you truly want to protect your passwords, then protect end user computers from getting infected!
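The Complexity item above describes a "12 characters, one capital, one number, one symbol" rule. As an added example (not code from the original post or its author), the Python below implements that composition check and, beside it, a naive entropy estimate so the two can be compared for the same password. The rule definitions, the symbol class (`[^A-Za-z0-9]`) and the character-pool sizes (26/26/10/33, which together make up the 95 printable ASCII characters) are assumptions of this example, not something the post specifies.

```python
import math
import re

# Character classes for the composition rule (assumed definitions; the post
# only describes the rule in prose).
_LOWER = re.compile(r"[a-z]")
_UPPER = re.compile(r"[A-Z]")
_DIGIT = re.compile(r"[0-9]")
_SYMBOL = re.compile(r"[^A-Za-z0-9]")  # anything else, including space


def policy_failures(password: str, min_length: int = 12) -> list[str]:
    """Return the rules a password fails under a
    'min_length chars, one capital, one number, one symbol' policy.
    An empty list means the password satisfies the policy."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not _UPPER.search(password):
        failures.append("no uppercase letter")
    if not _DIGIT.search(password):
        failures.append("no digit")
    if not _SYMBOL.search(password):
        failures.append("no symbol")
    return failures


def naive_entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(size of the character pool the
    password draws from). It assumes every character was chosen uniformly at
    random, so it overstates the strength of dictionary words and predictable
    patterns; it is only useful for comparing the shape of two policies."""
    pool = 0
    if _LOWER.search(password):
        pool += 26
    if _UPPER.search(password):
        pool += 26
    if _DIGIT.search(password):
        pool += 10
    if _SYMBOL.search(password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def compare(password: str) -> dict:
    """Report both views of one password: rule compliance and the estimate."""
    return {
        "password": password,
        "policy_failures": policy_failures(password),
        "naive_entropy_bits": round(naive_entropy_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not from any real account.
    for pw in ("Summer2024!!", "correcthorsebatterystaple", "password"):
        print(compare(pw))
```

The first sample satisfies every rule; the second fails three of them yet scores higher on the length-based estimate, which is the gap the post's "overkill" remark points at. Treat the estimate as a ceiling: a checker that counts character classes says nothing about whether the characters were guessable.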