
Teach your users how to create strong passwords with our tutorial

Protecting your organization's important data starts with password security best practices. Use our Microsoft PowerPoint presentation to teach your users how to create strong passwords that are easy to remember.

Trying to get your users to stop writing their passwords on post-its is hard enough; can you really get them to create decent, strong passwords that they can remember? It may seem like an uphill struggle, but at least we've taken the work out of the attempt!

Download our updated Microsoft PowerPoint presentation geared to teaching end users about security threats, explaining the difference between weak and strong passwords, and encouraging them to use passwords wisely. It includes examples and tips on how to create passwords and remember them with tricks like mnemonics.

Download "End-User Password Security" to use anytime you need to train new users or offer a refresher.

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

22 comments
david.valdez

I use a similar gimmick, but I face the problem that some of the "IT" resources are administered outside IT because of poor system design (our accounting program is mainframe based and users can't change passwords...since it's accounting, IT isn't allowed to administer as the passwords are stored in the clear!?). I have to fight a culture where passwords are relatively simple and not very private for the accounting side, yet balancing that against the rest of the network where we want greater security. Culture wars at their finest!

reisen55

One of my BEST techniques for passwords is hobbies, which everyone has and knows and they all are unique. People can assemble easy-to-remember but unique combinations that are damn difficult to break. Example: if a user likes Trains and knows the wheel sequence of a Big Boy (look it up), you can make a password: Bigboy4884 that is factual and straightforward. One user at Aon spoke Gaelic. NOW THAT IS A BEAUTIFUL LANGUAGE FOR PASSWORDS. My boss at Aon had a unique idea: make your password eight asterisks. ******** Neat. And hard to crack by the way.

bluenix

Great! Thanks for the time on creating this tutorial. Really appreciated it. :)

VTVagabond

BS - How is a user to remember 1000 or 2000 or more passwords? Everything wants a password. Even for a trivial purpose like this.

Neon Samurai

I commented on this over the weekend. It's a great set of slides with some recommendations (if I didn't care, I wouldn't respond after all). I'm not sure how the discussion became disconnected though. Original TR post: http://blogs.techrepublic.com.com/security/?p=1760 First of four responses: http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=311178&messageID=3094327 The TR post again with no attached discussion (beyond this comment): http://blogs.techrepublic.com.com/helpdesk/?p=728 Not sure if that's a bug, a reposting of the original TR entry or TR's choice to separate the two.

Neon Samurai

I'll open it later on an XP with Office converter, but is there a chance of saving it to a more universal format than .pptx rather than requiring all viewers to have Windows and Office 2007 or the "compatibility pack" converters?

Neon Samurai

Since my arrival, I've had passwords come up twice in company general meetings and each time the failing point seems to be suggesting stronger passwords. Complexity needn't be threatening, but I'm at the point of figuring out how to make it non-threatening before the point where user resistance overtakes any further discussion. Take your simple password, add some random characters then repeat twice or three times; that sort of thing. I'm going to be all over this .zip this weekend. I've still some PowerPoint slides to draft up but these should knock a bunch off my list. Thank You. (Alternate title was going to be "Get Out of My Head!")

Neon Samurai

Mr Schneier recommends Password Safe if I remember correctly. My preference is KeePass. Both run on Windows, OS X, and the usual *nix suspects. I even have KeePassX on my N810. It also has Palm and mobile phone versions. You remember your long passphrase to access it, then the auto-type function fills in the website login form. Also, users won't need to access 1000 systems in a day. The five or so systems they access daily will become easier to remember. I sure don't remember each 20 char website password, but the ones I access daily tend to stick. As darpoke mentions though, debate over the validity of passwords rages on. Even biometrics become a moot point when you consider things that allow an attacker to skip the authentication process entirely.

shardeth-15902278

and imagine if every one of those systems required a 30-90 day change as well. Most of your life would be spent creating new passwords. I suspect most people just use the same password for everything, which I would argue is worse than having unique 300 day old passwords. Neon mentioned KeePass, which is an excellent solution to that problem. You can also check out my "one more trick" post for a paper method for managing multiple passwords. Certainly the ideal would be some sort of universal authentication card and PIN. (Imagine if the same one card could be all your credit cards, membership cards, driver's license, passport, visa, "computer authenticator", etc... How cool would that be? Who could you trust to implement something like that such that it was sufficiently secure, reliable/trust-able, and privacy conscious? *sigh*)

Neon Samurai

Thanks Nick. At that particular time, both my machines were booted into Mandriva as I'm at home. I downloaded the .zip in excitement then ran into an abrupt wall when the .pptx simply opened into a directory structure rather than viewable presentation slides. I'll more likely print them to a PDF, removing any platform or single application requirement. I'll be booting over the notebook later today to check it out thanks to the Office 2007 compatibility pack and I'll likely save it to a more usable format at that time. My reasons for the second post were part disappointment in having to leave it until later and to see if a more generic format could be offered. It's a topic that is really platform agnostic, so the delivery medium being platform and application specific cuts out a number of TR readers. It'd be like producing it as an Illustrator document with the expectation that everyone can simply pop open a .ai file. The notebook is not in the middle of a platform specific task though, so I'll be rolling it back over to Windows.

Neon Samurai

I reply to my own comment as I don't want this to just be a string of my own root level posts, and since it is a response after now having a chance to review the slides. Overall, it's a great list of points that builds well from a general overview of security to password selection specifics. I'd just suggest a few changes to update and clarify it:

Slide 2; Security and Convenience do not have to be opposing goals. Security does not have to limit usability and valid functions. It's more about changing user habits, as good security habits become just as convenient as the existing bad ones. By suggesting that security must be at the expense of convenience, you're causing your users to raise their barriers to change right off the start. Also, in the unfortunate case of a security breach, you're going to be far more inconvenienced than having to make nine char passwords a habit.

Slide 4; "Hackers, Crackers, etc" This is the wrong use of the term Hacker. General media will corrupt any word that can be loaded with emotion, but this is a technological website; the correct usage of technologically related terms should be the norm. Also, the slide already specifies Crackers, so why does it need to paint the hacker community with the same brush? If anything, it should use the correct term: Criminals. I'll be changing it to "Crackers, Criminals, etc" for correct use in my copy. I do like the general breakdown of threat categories outside of the incorrect use of the one term though.

Slide 11; "With fewer than eight characters." I'd suggest with fewer than nine characters, ten preferably, or ideally passphrases. (Makes one include spaces along with your symbols, numbers and upper/lower letters.) With four characters, it doesn't matter how complex you make it; it breaks in under two minutes. Include inverted exclamation marks from non-English alphabets; doesn't matter. With eight characters, you're looking at from a few hours up to a few days; still well within the usual XX days password changes and also well within "can be broken in a reasonable amount of time". Nine characters expands the bruteforce time exponentially and even more so for ten characters. Beyond bruteforce, LM hashes from a local Windows machine are going to fall over easily enough. NTLM hashes present more of a challenge, but rainbow tables prove them weak as well. If it's sniffed off the network (thanks to CIFS), you likely have a Kerb5 PreAuth hash which is not so rainbow table breakable, so that vector leads to dictionary or bruteforce; both being mitigated by the complexity and length beyond eight characters. Sidenote; "that you have used before" - I add obtained passwords (trophies) to my dictionary file along with my own previously used passwords. It really is worth training your users to consider passwords disposable items like empty ink pens and used paper.

Slide 12; "change your password every 90 days" 30 or 40 days may be a better frequency. In the case that someone does get the password hash or a login prompt they can hammer, your eight character password is probably going to fall over in under 90 days, leaving a window of opportunity during which that password is of value.

Slide 14; I liked them all except for the small points above, but I use a random generator at 10 characters for passwords I'll have to remember and 20 characters for ones that will be entered using KeePass. It takes about two days of protecting a little post-it in a paranoid manner, but after that the password is stuck and the paper goes in the shredding box. If I forget it after that, I open KeePass on a different machine and check. My thinking is that I have to approach another staff member and say "can I borrow your machine a sec to confirm something?" so them recognizing me and that I'm still a co-worker is a layer of authentication.

Slide 15 made me think of a random idea; those who have some shorthand training can also make use of that, where "rainbow" becomes "ranbo" but used to modify the spelling of a full passphrase. Anyhow, none of this should be taken disparagingly. I think the slides are very valuable and welcome them being provided by TR, especially as such a timely coincidence. After slight modification, my users will be seeing them in the near future. (TR footer will remain in place of course, as do the authors' names of any articles I PDF.)
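The comment above argues about minimum length (nine or ten characters, or a passphrase), the exponential growth of bruteforce time with each added character, and the "that you have used before" rule. The following is an added example, not code from TechRepublic, the presentation, or the commenter: a small password-policy check that enforces those three points and estimates worst-case exhaustive-search time. The guess rate (`guesses_per_second`) and the "previously used" list are assumptions constructed for the example; real attack rates vary enormously with the hash type, so treat the numbers as a way to see the growth from 4 to 8 to 9 to 10 characters, not as measurements.

```python
# Added example (not part of the original post or its comments): a password
# policy check covering minimum length, character classes, reuse of earlier
# passwords, and a rough worst-case exhaustive-search estimate.
import hashlib
import string

# Character classes used both to check composition and to size the keyspace.
# Space is counted as a symbol so that passphrases get credit for it.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}
FULL_ALPHABET = sum(len(chars) for chars in CLASSES.values())  # 95 printable ASCII

MIN_LENGTH = 9        # the comment suggests nine as the floor, ten preferably
MIN_CLASSES = 3       # mixed case plus digits or symbols


def fingerprint(password):
    """SHA-256 of the password, so the reuse list need not hold plaintext.
    (Assumption: a real policy service would salt and use a slow hash.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample of "passwords you have used before"; not from the page.
PREVIOUSLY_USED = {fingerprint("Summer2009!"), fingerprint("Welcome1234")}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password):
    """Number of strings an attacker must cover if they know the length and the
    classes in use: alphabet size raised to the password length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def exhaustive_search_seconds(password, guesses_per_second=1_000_000_000):
    """Worst-case seconds to enumerate the whole keyspace. The rate is an
    assumption for illustration; it depends entirely on the hash being attacked."""
    return keyspace(password) / guesses_per_second


def search_time_by_length(lengths, guesses_per_second=1_000_000_000):
    """Worst-case seconds for full-alphabet (95-character) passwords of each
    length. Shows the exponential growth the comment describes."""
    return {n: FULL_ALPHABET ** n / guesses_per_second for n in lengths}


def check_policy(password):
    """Return (ok, reasons). ok is True only when no rule is violated."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(password)) < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")
    if fingerprint(password) in PREVIOUSLY_USED:
        reasons.append("matches a password used before")
    return (not reasons, reasons)


if __name__ == "__main__":
    for n, secs in search_time_by_length([4, 8, 9, 10]).items():
        print(f"{n:2d} chars, all 4 classes: {secs / 86400:>12.2f} days worst case")
    for pw in ["pass", "Summer2009!", "To Bee or not 2 Bee!"]:
        ok, reasons = check_policy(pw)
        print(f"{pw!r}: {'ok' if ok else 'rejected: ' + '; '.join(reasons)}")
```

Run as a script it prints the worst-case days for 4, 8, 9 and 10 full-alphabet characters at the assumed rate and the policy verdict for three constructed inputs. The reuse check stores only hashes, which is what lets an organisation keep a "used before" list without keeping the old passwords themselves.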

Neon Samurai

The card is just a token authentication (something you have vs something you are or something you know). The person in possession of the card is assumed to be authenticated if that is the only mechanism in use. The card itself then has to have its own authentication process to confirm that it's in the possession of who it represents. In the case of RFID, the chips that use encryption are more expensive than the ones that don't and by extension, less popular. Cloning RFID has proven to be scary simple, including in the case of, say... passports. One now needs to have a backup to authenticate the authentication of the RFID; Mr Bobson just entered the library... here's his picture on the security station monitor so the guard on duty can confirm that picture and person match.

darpoke

both in the US and here in the UK: ID cards. The biggest barrier to these, and one with which I agree, is: what could you lose by losing this one card? Eggs and baskets spring to mind...

shardeth-15902278

For "remembering" good passwords: think of a few phrases that will be easy to commit to memory, along with a key word or letter. Those are your bases. When it is time to create a new password:
a) Select a base from your list.
b) Write down a unique "word"/phrase on the sheet of paper you keep in your wallet. (If you can, use an acronym or mnemonic for the label.)
c) Concatenate a and b to form the password.
Thus you have a fairly long password which is unique for each system. Example: let's say I have an account with Chase Bank. On my strip of paper I might have an entry like:
catch - 2 - Whuz3rdaddy
"catch" would remind me of Chase; 2 would mean use my memorized phrase #2 (of the, say, 5 I have committed to memory). Let's say that is "To Bee or not 2 Bee!" The password for Chase then is "To Bee or not 2 Bee!Whuz3rdaddy". The strip of paper by itself is largely useless to anyone who grabs it. It is in your wallet, with your credit cards and other things you will be keen to protect anyway. And the end result is a long, cryptic password.

shardeth-15902278

Copied your whole post to my desktop for future review. Had a couple thoughts on a couple points. "With eight characters...a few hours..." That is assuming they have the hash, yes? Assuming the authenticating servers have been configured with reasonable intrusion detection/lockout, you have more time than that. Of course that means trusting that a) their hash table is secured, b) it hasn't been compromised, and c) the bad guys can't get a sniffer between you and the authenticating server... So I do agree with you, 8 is probably too short. Just wanted to clarify for my own understanding. "Security and Convenience" - I am probably waxing overly philosophical here, and off your point (if so, sorry), but to some degree isn't most any security effort going to sacrifice some convenience? Take deadbolts for instance. Adds a measure of security to your home, but certainly less convenient than, say, an unlocked door, which is in turn less convenient than an automatic door, or no door (though given cold in winter and mosquitoes in summer, that one might really be trading one inconvenience for another :) ).

Neon Samurai

The US passport system has a database of information and photos. It was found out that staff were spending lunch hours browsing through celebrity data. These are the staff who are supposed to be maintaining and securing the data, not fingering through the files.

shardeth-15902278

Though I really think bigger than 4 digits, and variable length would be a good idea. I didn't think about the visual recognition. As an additional check. That is a great idea. But even assuming one could resolve all the security issues at the card/user level. I don't see how you would deal with the potential for higher levels of abuse (govt. and corporate profiling, mass data theft or identity sabotage,...). Ultimately what you are left with is one uber-trusted database of individual authentication, and secure as you might manage to make it, you are still placing trust in the people that manage it. You always come back to "Who's watching the watchers?".

Neon Samurai

Another is to take the simple password and repeat it multiple times. It gives you length and a little more complexity without drastically increasing the difficulty in remembering it. I was also thinking of written shorthand if I didn't already mention it. One form spells words phonetically and shortens common character patterns (e.g. "patrns"). I've also seen quotes used. The length is effective because it's a long passphrase. Grammar adds complexity through spaces and symbols. If you need to confirm the spelling or exact wording then you just look it up through your favorite search engine. This does have its own risks but is still far better than a short and simple password.

Neon Samurai

but it sure would reduce repeat offenders. ;)

shardeth-15902278

Good point about SMB/CIFS. Thanks for your follow-up thoughts on security vs convenience. It is a rather interesting discussion (one which is often emotionally charged). I appreciate your thoughts on the subject. (I still think the best way to marry security and convenience is to just execute all the bad guys though. :) )

Neon Samurai

Having the hash just makes it easier in that cryptanalysis or bruteforce can be done outside the detection of the target and at the leisure of one's own machine and patience. The real danger there is things like SMB/CIFS that spray that information all over the network for anyone to capture and take home. If you shut down CIFS you're cutting out most of the network functionality of your Windows environment, and John P Badguy will still get the hash from your AD authentication traffic at login anyhow. Outlook can actually be a pain to get it out of, but the security options to implement that are not on by default. If the attacker is running brute force against the login prompt directly then your five tries or lockout will make a difference. (Hold, gotta remote into a Windows machine that fails to provide a login prompt after returning from sleep status. The best that money can buy; my a.. remote in, disconnect.. there's my local login prompt again.)

In the case of security vs convenience, I'm of the opinion that security properly implemented should not be as detrimental to convenience as most believe. I'm probably not the best judge of that though, as I see it more as reducing security for the perception of convenience. As a counter-point, the developers loved that slide due to explaining the balance being such an unnecessarily complicated topic:
"I need this to be secure"
'yes sir, we'll tighten it down'
"I can't do anything now"
'yes sir, we'll open it up'
"It's not secure anymore"
'yes sir, we'll tighten it down'
.. and around it goes ..
As such, the slide stays in for my impending talk with the users. I just need to figure out how to present it without the users throwing up the usual barriers to change right at the start of the discussion.
