Password Protocol Made Easy | Quality Digest

But timesaving techniques can weaken cybersecurity. Omernik says, “You have people who think they have more knowledge than they do taking steps that they think are making them more efficient or more effective.


“A breach at one storefront where you use the same password that you did to log into your VPN makes it so now your (company’s) VPN is accessible,” Omernik says.

Share a password, share the blame

What you do need is to make the protocol and process a relatively mindless part of the daily routine. “That’s the single best way for people,” Omernik says, “because you remove the human stupidity and human laziness from the equation. Or, to put it another way, instead of stupid and lazy, let’s say it’s the best and the easiest, most efficient way.”

If you have a long or complex password, the potential for keying it in wrong and then pulling your hair out trying to correct your mistake is its own reward. The way forward is to achieve the higher purpose of authentication—secure ways to prove to your computer system that you are who you say you are.

Some may be reluctant to make their face or fingerprint part of the cybersecurity solution. The potential of AI and data mining can inspire paranoia.

“Those password safes have a master password. And that’s ideally the situation for you to put in a longer password, maybe a password that you can remember, but it’s much harder to crack—something like ‘To be or not to be, that is the question.’ You have spaces, uppercase, lowercase, you have a period at the end. That’s a decent password because it’s pretty long and pretty easy to remember. Not saying everyone should have that one. But I think you can go far with phrases that are easy to type in and remember.”

Still, humans will be humans

“You should never have shared passwords. And it shouldn’t have the site name in it. Let’s say your dog is named Snickerdoodle, and you use Snickerdoodle in your password on every site. You say, ‘I’m going to make this unique, so I’m going to use snickerdoodle_nike.com, I’m going to use Amazon_snickerdoodle, or uber_snickerdoodle….’ No, no, no. That’s not right. It has to be random and unique.”
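As an added illustration of the anti-pattern Omernik describes (this is not code from the article or from any product it mentions), the following audit runs over a constructed set of vault entries, flags passwords that embed the site's own name, and groups passwords that share the same core once that name and the separators are stripped, the kind of check a password manager's hygiene report performs. The function names and sample entries are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample vault entries (site, password). The three "snickerdoodle"
# passwords reproduce the site-tagged reuse pattern quoted in the article;
# the last one is a unique passphrase used nowhere else.
SAMPLE_VAULT = [
    ("nike.com", "snickerdoodle_nike.com"),
    ("amazon.com", "Amazon_snickerdoodle"),
    ("uber.com", "uber_snickerdoodle"),
    ("bank.example", "To be or not to be, that is the question."),
]

# Characters people typically use to glue a site tag onto a reused core.
SEPARATORS = re.compile(r"[\s_\-\.,@!#$%&*+]+")


def site_tokens(site):
    """Lower-cased name fragments of a site: 'nike.com' -> {'nike.com', 'nike'}.
    The last label (the TLD) is dropped so 'com' alone never triggers a match."""
    host = site.lower()
    labels = host.split(".")
    return {host, *labels[:-1]}


def contains_site_name(site, password):
    """True when the password embeds the site's own name, case-insensitively."""
    pw = password.lower()
    return any(tok in pw for tok in site_tokens(site))


def password_core(site, password):
    """Strip the site name and separators to expose the reusable 'core'."""
    core = password.lower()
    for tok in sorted(site_tokens(site), key=len, reverse=True):
        core = core.replace(tok, "")
    return SEPARATORS.sub("", core)


def find_site_tagged_reuse(vault):
    """Return {core: [sites]} for every core that appears on more than one site."""
    groups = defaultdict(list)
    for site, pw in vault:
        groups[password_core(site, pw)].append(site)
    return {core: sites for core, sites in groups.items() if len(sites) > 1}


def audit(vault):
    """Return (sites whose password embeds the site name, reused-core groups)."""
    tagged = [site for site, pw in vault if contains_site_name(site, pw)]
    return tagged, find_site_tagged_reuse(vault)
```

Running `audit(SAMPLE_VAULT)` reports all three retail sites as site-tagged and groups them under the shared core "snickerdoodle", while the passphrase entry is neither tagged nor reused.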

“Yeah, I can use phishing tests, see if they click on a link and put their password in. But that’s not a systematic way to handle it. Maybe you increase awareness for a small time frame until the next test.

Don’t make a personal password personal. Omernik advises against using words that are part of your identity, like your kids’ names or the name of a pet—things easily found elsewhere, like on Instagram or a Facebook post. Along the same lines, don’t answer those nostalgic questions you see in social media, such as where you were on 9/11, your first car, etc.—they’re information-gathering tools.

It’s a better bet to give employees a policy and procedures they can easily execute. Omernik says, “If your environment is giving them the best way to do their job, the day-to-day stuff that they do to take their paycheck home, and it includes the most secure ways because you’ve built it into what they’re doing, then the idea of incentives or disincentives is off the table. You don’t even need that.”

Keep it simple, stupid, and you can be more confident that everyone is following the rules—not looking for shortcuts.

Source: https://www.qualitydigest.com/inside/management-article/password-protocol-made-easy-010924.html

LastPass notes that the average employee starts with 20 credentials in their password vault and doubles that total after only three months. Instituting effective password policies and procedures can make workers’ lives easier and your company’s operation more secure.

Omernik says, “In general, people think, ‘I’ll just make it a policy that people have to do X.’ No, if you want people to do X, you have to make it so people want to do it, feel like they need to do it.”

If you have a long or complex password, the potential for keying it in wrong and then pulling your hair out trying to correct your mistake is its own reward. Image: FLY:D on Unsplash

“So, how do you find the right balance? Or do you try to hop off the continuum and say maybe passwords aren’t the right approach, maybe we need biometrics or a different approach for things that we want to have a quality representation of authentication.”

Moving beyond passwords

“You can enforce it, even punish the people who make mistakes, but if they don’t have a good password, practice good password hygiene—and they’re compromising your whole network—do you think that policy is going to protect you? Maybe from some legal stuff, but the cost is going to be great to your organization.”

Published: Tuesday, January 9, 2024 – 12:03

But wait: Mom’s maiden name was part of my security setup at my bank. Omernik’s not a fan. “If you forget your password, you can answer two out of three of these questions correctly, and then you can reset your password. That’s a risk in itself, so that’s a problem.

Those avoidance techniques can actually worsen security, and they have downstream effects as well. When people write passwords down and keep them handy at their workstation, they can end up on display for anyone walking through the office. And if people reuse the same password for personal business elsewhere, the risk compounds: what an employee thought of as personal use can become a company matter.

Omernik says, “Within the authentication steps, it’s things you know, like the password, or your mother’s maiden name. Those are things that you have, like your device. Then there are the things that you are, like your face or your fingerprint.” That’s the trend he sees taking hold.

Is Big Brother—or anyone else—watching?

In its article, “139 password statistics to help you stay safe in 2023,” digital security firm Norton cites a report by password manager LastPass that more than 80% of confirmed breaches can be attributed to stolen, weak, or reused passwords. And while 91% of the people asked understood that it’s a security risk, more than 60% admitted to reusing passwords.

There are additional layers that make it hard for cybervillains to sneak up on you. People might have tokens they can put on a lanyard, or a USB token they can plug in to log onto the company’s system.

Biometrics sounds fancier than it actually is. Really, it’s no more trouble than taking a selfie. Omernik says, “If you have an iPhone, it does face ID, and there’s an Android version of that. Those can be compromised, too, but it’s much harder, physically.” Many computers and phones also include fingerprint readers (“Touch ID”), another reliable and easily applied biometric.

If your company’s password protocol is effective, it should be easy. In fact, it’s more effective if it’s easy. There’s a lot to be said for the KISS method (“keep it simple, stupid”).



Password Protocol Made Easy

Cybersecurity sealed with KISS

Omernik says, “We need to get ways that people can authenticate using devices, using biometrics, using ways that they can be authenticated without having to remember a string of characters.”

He says, “If you think that just increasing password complexity makes a better password, well, no, because there’s a human interaction. When you have complex passwords, people start taking steps to get around it.”

In office situations where people might share a desk and the same computer, they should not share a password. It’s not just the information that’s less secure. It could be the employee, too.

“That’s where we as professionals have to make the easiest steps the ones that are the most secure, the ones that humans want to take. And this comes back to quality. If you want quality, you have to make it a thing that people want to do. Otherwise, the human equation will always come through.”

Managerial tips

But don’t take my word for it. I spoke to John Omernik, senior manager in cyberdefense for a Top 5 bank, who offered his observations from 15 years in cybersecurity roles.

You don’t have to be a people person or a gifted leader to understand that citing stupidity and laziness is not a good way to explain a new policy or motivate workers. In the art of management, simply insisting that everyone do as they’re told is fairly ineffective.

“And we’re lazy. That’s not necessarily a bad thing. Laziness breeds effectiveness. We do things every day that save us a few steps and make us a little bit more effective at getting our job done.”