Password Protocol Made Easy | Quality Digest

Management

Cybersecurity sealed with KISS

Published: Tuesday, January 9, 2024 – 12:03

If your company’s password protocol is effective, it should be easy. In fact, it’s more effective if it’s easy. There’s a lot to be said for the KISS method (“keep it simple, stupid”).

Keep it simple, stupid, and you can be more confident that everyone is following the rules—not looking for shortcuts.

But don’t take my word for it. I spoke to John Omernik, senior manager in cyberdefense for a Top 5 bank, who offered his observations from 15 years in cybersecurity roles.

“You know, I love humans, we’re awesome, but as I like to tell my kids, human beings can be incredibly dumb and incredibly lazy. Yet we assume we are smarter than we are. People think, ‘I can never be compromised. I’m smart. This will never happen to me.’ But the amount we can know as individuals is very limited.

“And we’re lazy. That’s not necessarily a bad thing. Laziness breeds effectiveness. We do things every day that save us a few steps and make us a little bit more effective at getting our job done.”

I can attest to that. Though laziness may be a root inspiration, figuring out how to do work more easily is something I prefer to call efficiency.

But timesaving techniques can weaken cybersecurity. Omernik says, “You have people who think they have more knowledge than they do taking steps that they think are making them more efficient or more effective.”

He says, “If you think that just increasing password complexity makes a better password, well, no, because there’s a human interaction. When you have complex passwords, people start taking steps to get around it.”

Those avoidance techniques can actually worsen security, and they have downstream effects as well. When people write passwords down and keep them handy at their workstation, they can wind up being on display for anyone walking through the office. And if people use the same password elsewhere for personal business, the risks increase exponentially. What an employee thought was a personal use can possibly become a company matter.

“It’s not so much about the risk of the password being cracked, but that that password could be compromised,” Omernik says. Your company might be fine, but if you used the same password elsewhere, and that site was compromised, it could mean big trouble for all your accounts.

“A breach at one storefront where you use the same password that you did to log into your VPN makes it so now your (company’s) VPN is accessible,” Omernik says.

Without raising false alarms, it’s fair to say that password insecurity is a problem that lives near you and is worthy of your attention.

In its article, “139 password statistics to help you stay safe in 2023,” digital security firm Norton cites a report by password manager LastPass that more than 80% of confirmed breaches can be attributed to stolen, weak, or reused passwords. And while 91% of the people asked understood that it’s a security risk, more than 60% admitted to reusing passwords.

How bad can it get? The most commonly used password is “123456.” What could go wrong? It takes less than a second for a hacking tool to crack the most common passwords—that’s what. And it’s not getting better: 65% more passwords were compromised in 2022 than in 2020.

“We now have all your passwords.”—“Oh! Thank goodness! What are they?” Image: Shepherd’s Bush by Bob May on Flickr.

Let’s just leave Fluffy and Fido out of this

Don’t make a personal password personal. Omernik advises against using words that are part of your identity, like your kids’ names or the name of a pet—things easily found elsewhere, like on Instagram or a Facebook post. Along the same lines, don’t answer those nostalgic questions you see in social media, such as where you were on 9/11, your first car, etc.—they’re information-gathering tools.

But wait: Mom’s maiden name was part of my security setup at my bank. Omernik’s not a fan. “If you forget your password, you can answer two out of three of these questions correctly, and then you can reset your password. That’s a risk in itself, so that’s a problem.

“You should never have shared passwords. And it shouldn’t have the site name in it. Let’s say your dog is named Snickerdoodle, and you use Snickerdoodle in your password on every site. You say, ‘I’m going to make this unique, so I’m going to use snickerdoodle_nike.com, I’m going to use Amazon_snickerdoodle, or uber_snickerdoodle….’ No, no, no. That’s not right. It has to be random and unique.”

Share a password, share the blame

In office situations where people might share a desk and the same computer, they should not share a password. It’s not just the information that’s less secure. It could be the employee, too.

Omernik says, “If I’m on a corporate network, and you’re on a corporate network, and we both share an account to log into a network—maybe you work sometime in the morning, and I work in the afternoon—we’re doing stuff but there’s no accountability of who took the action on the computer. Maybe I delete a file, and then someone asks, ‘John, why did you delete this file?’ and I say, ‘I didn’t do it; maybe it was Mark. We both share a password.’ There’s no accountability in that situation.”

Again, password commonality increases the risk that one could provide the key to several others. The solution is simple: Don’t share passwords.

Use a password manager

LastPass notes that the average employee starts with 20 credentials in their password vault and doubles that total after only three months. Instituting effective password policies and procedures can make workers’ lives easier and your company’s operation more secure.

“Those password safes have a master password. And that’s ideally the situation for you to put in a longer password, maybe a password that you can remember, but it’s much harder to crack—something like ‘To be or not to be, that is the question.’ You have spaces, uppercase, lowercase, you have a period at the end. That’s a decent password because it’s pretty long and pretty easy to remember. Not saying everyone should have that one. But I think you can go far with phrases that are easy to type in and remember.”

What you do need is to make the protocol and process a relatively mindless part of the daily routine. “That’s the single best way for people,” Omernik says, “because you remove the human stupidity and human laziness from the equation. Or, to put it another way, instead of stupid and lazy, let’s say it’s the best and the easiest, most efficient way.”

Still, humans will be humans

You don’t have to be a people person or a gifted leader to understand that citing stupidity and laziness is not a good way to explain a new policy or motivate workers. In the art of management, simply insisting that everyone do as they’re told is fairly ineffective.

Dictating difficult procedures to employees will produce predictable results, Omernik says.

Omernik says, “In general, people think, ‘I’ll just make it a policy that people have to do X.’ No, if you want people to do X, you have to make it so people want to do it, feel like they need to do it.”

“You can enforce it, even punish the people who make mistakes, but if they don’t have a good password or practice good password hygiene—and they’re compromising your whole network—do you think that policy is going to protect you? Maybe from some legal stuff, but the cost is going to be great to your organization.”

Some companies take a fire-drill approach by sending the entire enterprise an email with a spurious link to see how many employees will ignore corporate policy and click on the link. But Omernik sees that as ineffective and short-sighted.

“Yeah, I can use phishing tests, see if they click on a link and put their password in. But that’s not a systematic way to handle it. Maybe you increase awareness for a small time frame until the next test.”

It’s a better bet to give employees a policy and procedures they can easily execute. Omernik says, “If your environment is giving them the best way to do their job, the day-to-day stuff that they do to take their paycheck home, and it includes the most secure ways because you’ve built it into what they’re doing, then the idea of incentives or disincentives is off the table. You don’t even need that.”

Moving beyond passwords

If you have a long or complex password, the potential for keying it in wrong and then pulling your hair out trying to correct your mistake is its own reward. The way forward is to achieve the higher purpose of authentication—secure ways to prove to your computer system that you are who you say you are.

Omernik says, “We need to get ways that people can authenticate using devices, using biometrics, using ways that they can be authenticated without having to remember a string of characters.”

Omernik says, “Within the authentication steps, it’s things you know, like the password, or your mother’s maiden name. Then there are things that you have, like your device. Then there are the things that you are, like your face or your fingerprint.” That’s the trend he sees taking hold.

There are additional layers that make it hard for cybervillains to sneak up on you. People might have tokens they can put on a lanyard, or a USB token they can plug in to log onto the company’s system.

Biometrics sounds fancier than it actually is. Really, it’s no more trouble than taking a selfie. Omernik says, “If you have an iPhone, it does Face ID, and there’s an Android version of that. Those can be compromised, too, but it’s much harder, physically.” Many computers and phones also include fingerprint readers (“Touch ID”), another reliable and easily applied biometric.

Is Big Brother—or anyone else—watching?

Some may be reluctant to make their face or fingerprint part of the cybersecurity solution. The potential of AI and data mining can inspire paranoia.

“One of the biggest issues people have is a perception lag. They see their face being used right now, but they don’t see where all of their different passwords at every single website could be compromised by a single person and then used without their knowledge. The risk we can see seems more dangerous than the risk we can’t see. But in a digital space, a lot of the risks are risks we can’t see.”

“So, how do you find the right balance? Or do you try to hop off the continuum and say maybe passwords aren’t the right approach, maybe we need biometrics or a different approach for things that we want to have a quality representation of authentication.”

That’s where people like Omernik go to work. “The onus is on us to develop systems that achieve authentication in an accurate way,” he says. “That’s the quality component here. We need to do this well. Otherwise, we’re putting everybody at risk.”

Source: https://www.qualitydigest.com/inside/management-article/password-protocol-made-easy-010924.html