My name is Sara, and I suffer from password overload. And I have a feeling your staff does too. It’s a security nightmare in the making.
So, what can we do? How about a counter-intuitive approach – use fewer passwords.
Less is more
A report from the Centre for the Protection of National Infrastructure and CESG (the National Technical Authority for Information Assurance) suggests passwords should only be used where they’re actually needed.
Other options to replace passwords include single sign-on, password synchronisation, biometrics, or hardware tokens. These might cost more, but they mean your system is more secure as you’re less at risk of a password being compromised.
And when you do use them, the report says: “The important thing is that your organisation provides a sanctioned mechanism to help users manage passwords, as this will deter users from adopting insecure ‘hidden’ methods to manage password overload.”
The report suggests using password managers or something physical like a secure cabinet. If that sounds a bit daft, let me tell you a quick story.
Old school style security for modern problems
A small company I worked with stored their admin passwords in a wall safe. In a pre-password era, someone had attempted to get into this safe using an acetylene torch. The thieves went away empty-handed because the safe’s door was so thick that even the acetylene torch couldn’t get through it.
This worked. The two staff members who had access to the safe would get the password they needed, enter it, then put it back in the safe. So yes, it relied on them being conscientious about returning the passwords to the safe. But most importantly, this system worked for this company.
And that’s one key to password success, a system that works for your staff. Password overload is a human problem, and it needs a human solution that is easy to use.
The safe story also raises two more points about passwords. First, the more difficult it is to get to your passwords, the better. Only the most ultra-determined hacker is going to spend hours of their time trying to get hold of them. They like to phish in more accessible pools.
The second point is that attackers can’t hack passwords remotely if they’re stored in, say, a safe or on a machine that isn’t on your connected network; they would have to physically go to the location and rob the safe or get into the offline machine.
But how do you help your staff deal with password overload? I’ll have a look at a few ideas next post.
If you need marketing or learning content on passwords or cybersecurity issues, I can help.