Securing end users' pesky password problems

Security and compliance are the heads and tails of the same coin. In order to enforce security for the sake of compliance, it is sometimes helpful to see the problem from the users perspective and find creative solutions.

This is the first of a three-part series introducing simple fixes to security breaches that your end users might be committing.

If you are anything like me, you have worked with varying degrees of security requirements for some time now. Regardless of what you do in technology, there is a requirement, spoken or otherwise that you have at least an awareness of what policies are in place.

In most HIPPA/GLBA/SOX/PCI shops, the policy is likely to be something that you sign off on when you begin working and possibly before you are allowed to have access to the network. In many companies, you are required to listen to a lecture, take a training course, or participate in a Webinar. Generally, it will cover such things as password requirements, acceptable use, and possibly a component on social engineering and how to avoid it. It will, or should, also tell you how you will maintain paper documents and dispose of them. If that policy is really good, it will include information on the classification of documents.

(Incidentally, the alphabet soup above references the Healthcare Portability Act, Gramm, Leach, Bliley Act, Sarbanes-Oxley, and Payment Card Industry. There are others; these are used as an example because they tend to be the most familiar.)

If business has gone through all the trouble of making all that information available to you, they must have some intention of enforcing the policies, right? The answer is "sometimes."

Don’t get me wrong, business wants those policies adhered to. In many cases, there are audit standards that must be met and those audit standards require compliance. Business just may not have considered the step of how to communicate the policies in a way that the average user can be compliant and still get the job done. This is a place that IT can step in and help out.

Let’s look at password length and complexity. Generally, a password requires uppercase and/or lowercase, numerals, and special characters. The most common minimum length I have run across is eight. Today’s user is generally managing multiple passwords on multiple systems and in frustration may find it easier to just write them down. I even had a user who took to writing them on the monitor bezel! (Some things you just can’t make up!) Most will make some effort to keep them from becoming public knowledge but many will leave their written copies in an easily accessible location. That is where I can help.

One solution is to consider password vault software. A utility on my Mac is called Keychain. It stores and manages passwords in an encrypted state until I provide a master password on challenge. It is a simple and useful tool. Another good one is the open-source Password Safe. It works on a master PIN. There are also a variety of enterprise-level tools available.

If your environment is anything like where I have worked, getting a new piece of software to the end user is tough. It is at least a lengthy process. So try a couple of other ideas.

Most cubicles have an overhead bin or lockable drawer. I encourage end users to store their password file there. At least it is locked. For laptop users who don’t have a lockdown cable but DO have a lockable bin or drawer, I encourage them to put their laptops away nightly. I recall coming in to the office early one morning to find one of the cleaning staff struggling with a trash can with several laptops in it. I have been vigilant ever since.

If you don’t have a key for your desk or bin, ask your manager how to obtain one or ask Facilities for one. If your company has a Compliance Officer, that person will likely be able to help you out. While I am sure it can happen, I have never heard of a key request being turned down.

Because the solution is simple, most end users don’t have a problem with complying. And that is really what is at the heart of failure to comply with security requirements at the end user level. It needs to be simple.

Sometimes in IT we forget that the end user is there to do a very different kind of job than we are. What they care about most is their work product-- the ability to turn out work that meets or exceeds business needs. Anything that they perceive is in the way of that effort is likely to meet with resistance. When we take the time to work through roadblocks with them, that resistance will go away.

What kinds of advice do you give end users on being more secure with their multiple passwords?