How Well Does Your Company Password Policy Perform?

If you haven’t seen it, you’ve probably heard about it: the sticky note on the computer screen with the account login and password for all to see. While this archetypally bad behaviour has security officers recoiling in horror, there are also other, less obvious forms of password vulnerability that affect many organisations. Two fundamental causes of security problems are laziness and an unwillingness to tackle things that appear difficult, both part of human nature. Hackers know about these traits and exploit them. What, then, can an organisation do to protect itself against disaster without stirring up a revolution among its employees?

In a general sense, it is essential to communicate the importance of maintaining secure passwords and, just as important, the secure use of those passwords. Password vulnerability is only one part of the overall information security policy that any organisation should have in place. Such a policy covers awareness campaigns and best practices for access to, and protection of, all files, manuals, records and documents, whether in paper or digital format. In particular, employees need to be briefed about hackers who use social engineering to persuade them to hand over confidential information, such as passwords, by lulling them into a false sense of security.

It’s also important to explain how to make good passwords. Ideally, passwords should be easy for their owners to remember but hard for anyone else to guess or discover. That means a whole host of words and information are immediately banned: for example, any word in the dictionary and any representation of the user’s birthdate. But a password doesn’t have to be /?6&*90Ge%Z either. The SANS (SysAdmin, Audit, Networking, and Security) Institute suggests building passwords from a short phrase. An example (not to be re-used!) might be the phrase “Here is a Short Version for Me only”, which gives the password “HiaSV4Mo!”.
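As an added illustration (not code from the article or from SANS), the following Python shows the phrase-to-password trick described above alongside a policy check that rejects the banned categories: dictionary words, including ones merely padded with digits or symbols, and common representations of the user’s birthdate. The small word list and every substitution other than “for” → “4” are constructed assumptions; a real deployment would load a full dictionary or breach blocklist.

```python
import re
from datetime import date
from typing import List, Optional

# Constructed stand-in for a real word list; a deployed policy would load a
# full dictionary or breach blocklist (assumption, not part of the article).
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Words that the SANS-style phrase trick turns into a digit or symbol rather
# than an initial (the article's "for" -> "4"; the others are assumptions).
WORD_SUBSTITUTIONS = {"for": "4", "to": "2", "and": "&", "at": "@"}


def mnemonic_from_phrase(phrase: str, suffix: str = "!") -> str:
    """Build the article's phrase-based password: the initial of each word,
    a few words swapped for a digit/symbol, plus a trailing symbol."""
    parts = []
    for word in phrase.split():
        parts.append(WORD_SUBSTITUTIONS.get(word.lower(), word[0]))
    return "".join(parts) + suffix


def birthdate_forms(iso_birthdate: str) -> List[str]:
    """Common textual representations of a birthdate (given as YYYY-MM-DD)."""
    b = date.fromisoformat(iso_birthdate)
    d, m, y = b.day, b.month, b.year
    yy = f"{y % 100:02d}"
    return [f"{y}{m:02d}{d:02d}", f"{d:02d}{m:02d}{y}", f"{m:02d}{d:02d}{y}",
            f"{d:02d}{m:02d}{yy}", f"{m:02d}{d:02d}{yy}", f"{d}{m}{yy}",
            f"{y}-{m:02d}-{d:02d}", f"{d:02d}/{m:02d}/{y}", f"{m:02d}/{d:02d}/{y}",
            str(y)]


def check_password(password: str, birthdate: Optional[str] = None) -> List[str]:
    """Return every policy violation; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for pat in classes if re.search(pat, password)) < 3:
        problems.append("fewer than 3 character classes")
    # A dictionary word padded only with digits/symbols ("Summer2024!") is still
    # a dictionary word as far as a guessing attack is concerned.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    if birthdate and any(f in password for f in birthdate_forms(birthdate)):
        problems.append("contains a representation of the birthdate")
    return problems
```

Running `check_password(mnemonic_from_phrase("Here is a Short Version for Me only"))` returns an empty list, while `check_password("Summer2024!")` is rejected as dictionary-based.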