Companies need to protect their electronic assets. IT departments need to get employees on board with password security policies: not as another bothersome procedure imposed by management, but as a reasonable security precaution that they understand and willingly embrace. Knowledge Center contributor Bill Carey explains five steps a company can take to educate employees on how to strengthen password security.
Alaska Governor Sarah Palin might not have realized how important her online e-mail account would be, but when she was chosen as the Republican vice presidential nominee, she became a target for hackers. David Kernell got into her account by using Yahoo's password reset feature and guessing the answers to her security questions.
The unfortunate fact is that security questions aren't all that secure. It's usually not hard to find out where someone was born, or even their mother's maiden name. Somebody might have told Governor Palin that there's no obligation to tell the truth when you answer those questions. You're perfectly entitled to say that you were born in Bethlehem and that your mother's maiden name is Barbarossa. Yahoo's database won't care.
Identity theft is a very serious issue, even for the rest of us who aren't running for vice president. For the individual, the threat of a compromised online identity isn't so much about political tidbits or gossip. The individual's reputation might be at stake (it could be a friend or spouse spying), but the more serious threat involves access to money and a ruined credit rating.
Business consequences of weak passwords
For a business, the consequences can be even more severe. If employees share passwords, or use easy-to-guess passwords, the business's financial data or trade secrets might be compromised. And if the business allows unauthorized access to customer data, the liability and loss of business reputation can be crippling. Businesses have two reasons to help their employees with online security: first, to protect their own assets; second, to provide a tangible but inexpensive benefit to employees by helping them protect their own online identity.
For any given business, it's likely that the employees are already worried about their online security, but they don't have the knowledge or the tools they need to limit their risk. They think "hobbit" is a pretty clever password, despite the fact that they frequent a Lord of the Rings discussion board and have a picture of Frodo in their cube.
The good news for business owners is that if they help their employees with their personal online security, it's much easier to get them to follow good security practices for access to company data and systems. Furthermore, a business that helps employees with their online security will come across as a caring employer, rather than as a control freak that imposes yet another bothersome procedure.
Five steps to take to increase password security
If helped in a caring way, the workforce will better understand the need for company security and will be much more willing to help the company implement a responsible policy. So, in what practical ways can businesses increase awareness of electronic security? Here are five steps any business can implement:
Step #1: Assign someone in the IT department to keep an eye out for articles about security breaches and distribute these articles to employees, along with suggestions on how the breach could have been prevented. This will keep security a top-of-mind issue for the IT department and will force them to think about company procedures. It will also keep employees aware of the latest scams and threats. Be sure that the articles give roughly equal coverage to personal security and company security issues.
Step #2: Let the IT department answer employee questions about online security. Once again, this will ensure top-of-mind familiarity with the topic among the IT staff, and will help educate the employees.
Step #3: Purchase password-management software for the office, and allow employees to use it for their private accounts. There are lots of password management options available, but the most cost-effective is usually an enterprise password-management solution.
Step #4: Have a quarterly or semi-annual brown-bag lunch to discuss the latest security issues, emphasizing both the company's security and employees' personal security. (Many employees still don't know about phishing.)
Step #5: Circulate a memo on good password policies, and include it in the package of information given to new employees. A sample memo on good password policies is provided below:
Dear Employee,
Computer security is an increasing problem for many companies and for many individuals. You've probably heard of the rise in identity theft and similar crimes. [Company name] has a strong interest in protecting our own trade secrets and data, but we also want to help our employees be responsible with their personal use of the Internet and electronic services.
In the coming months, we will circulate stories about electronic security breaches, as well as tips and advice on how you can protect your own electronic identity. To kick off this effort, this memo provides a simple set of rules to help you create more secure passwords.
First, be sure to remember the following four rules:
1. Don't use easy-to-guess passwords.
2. Don't write down your password in an insecure location or store it in an insecure computer file.
3. Don't share passwords with co-workers.
4. Don't use the same password for different accounts.
Second, to create a strong password, use one of these four methods:
1. Pick a word or phrase that you'll remember, but substitute letters with symbols or numbers (such as @ for a, 8 for B, $ for S, etc.). Using this method, sambuca might become $@m8uC@.
2. Use the first letter of each word of a long phrase, using upper- and lower-case letters and the substitutions mentioned above. So, "One ring to rule them all, one ring to find them" might become 0RTrt@OrtFt. This may seem difficult at first, but muscle memory will kick in and you'll find yourself typing it with ease.
3. Use an upper left or lower right substitution. This is where you replace a keystroke with the key next to it. Thus, Finnegan might become E8hh3rqh by replacing each letter with the letter to the upper left of it on the keyboard.
4. Finally, it's a good idea to change your password every month or so.
We encourage you to take these suggestions to heart, not only for the passwords you use at your company, but in your personal affairs as well.
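A checker for the memo's first rule, added here as an example (not code from the article or from Siber Systems): it undoes the method-1 substitutions before looking a candidate up in a short constructed list of guessable words, so "h088it" is caught just as "hobbit" is, while the memo's own sample passwords pass. The word list, the set of substitutions undone, and the three-of-four character-class requirement are assumptions of the example.

```python
# Added example (not from the article): checker for memo rule 1, "don't use
# easy-to-guess passwords", that undoes the method-1 substitutions first.
from __future__ import annotations

# Reverse of the substitutions the memo suggests plus a few common ones;
# which ones to undo is an assumption of this example.
UNSUBSTITUTE = str.maketrans({"@": "a", "8": "b", "$": "s", "0": "o",
                              "3": "e", "1": "i", "!": "i", "5": "s", "7": "t"})

# Constructed word list for the example: the article's own guessable choices.
WEAK_WORDS = {"hobbit", "frodo", "password", "letmein", "welcome"}

# Assumption: a password must draw on at least 3 of the 4 classes counted
# below, which every method in the memo naturally satisfies.
MIN_CLASSES = 3

def normalize(candidate: str) -> str:
    """Lower-case the candidate and undo symbol/number substitutions."""
    return candidate.lower().translate(UNSUBSTITUTE)

def weak_word_in(candidate: str) -> str | None:
    """Return the guessable word the candidate is built on, or None."""
    base = normalize(candidate)
    for word in WEAK_WORDS:
        # exact match, or the word with up to two characters tacked on (hobbit1)
        if base == word or (base.startswith(word) and len(base) - len(word) <= 2):
            return word
    return None

def character_classes(candidate: str) -> int:
    """Count how many of lower, upper, digit, symbol appear in the candidate."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for test in tests if any(test(c) for c in candidate))

def check_password(candidate: str) -> list[str]:
    """Return the policy violations for a candidate; an empty list means OK."""
    problems = []
    word = weak_word_in(candidate)
    if word is not None:
        problems.append(f"based on guessable word '{word}'")
    classes = character_classes(candidate)
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} of 4 character classes, need {MIN_CLASSES}")
    return problems

if __name__ == "__main__":
    for pw in ("hobbit", "h088it", "$@m8uC@", "E8hh3rqh"):
        print(pw, "->", check_password(pw) or "accepted")
```

The real word list should be a large breached-password corpus rather than five words; the normalisation step is what keeps a substituted entry from slipping past it.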
Bill Carey is Vice President of Marketing at Siber Systems, a Fairfax, VA-based software company. For the last four years, Bill has advocated the importance of effective password management, best practices for preventing identity theft and other related topics. He can be reached at b2carey@siber.com.