How do you deal with users & passwords?

(Edwin Eekelaers) #1

I’m wondering how others deal with repeat offending users that either share their accounts & passwords with colleagues or are too ignorant to remember the passwords and then revert to post-it notes everywhere? When it happens to me at work I seriously blow a fuse & have a less than friendly talk with them… It’s part of our policy that accounts & passwords are personal and should never be shared. Considering the fact that I work in a secure area (on an airport) I feel that our users should be extra protective about their passwords. Periodically we are on the receiving end of unannounced premises penetration tests. For us this is part of a check to see if the freight we move is moved in a secure way… If anyone succeeds in getting on-premise then we are liable to lose our transportation certificate and then have to close the building till the issue can be sorted out in a correct way.
Imagine those testers being able to lay their hands on a post-it with a user’s credentials. That would definitely mean close the business for us.

(Andrew Nickless) #2

Sounds like you have a really hard time with some user education, I work in a school environment for student marks and info so I feel it is similar to your situation.

I am wondering if you do in fact have a written policy. If so, then user education the first time, then an HR complaint would be the next step after the user education. That is sort of what we do: educate first, then formal complaint second.

(Edwin Eekelaers) #3

If I had to include HR each time I feel the urge to nag they’d have to fire half of our warehouse staff… It’s already so bad that during summer holidays or the Islamic period of Ramadan I have to join in and help OPS to process the freight… Pushing 12-14k lbs containers into a plane or truck can be exhausting for an IT geek.

(Matt Parkes) #4

User awareness can be problematic. I work in an office environment with responsibility over information security - creating policies, providing awareness material, auditing etc… The best way I find to deal with culture is to talk with people face to face regularly and encourage them to use the practices you set out in policy and procedures. Discover why they do the things they do and this will help you combat this behaviour, as you may be able to change things from your end that cause the bad behaviour. When engaging with them, talk to them about security practices that would affect them personally at home with their friends and family. Get them thinking about security in this way and they will become more security conscious at home, which should then help them to be more security aware at work and hopefully appreciate the policies that are in place. Can you get them proactively involved, can you reward for good behaviour or dangle some kind of incentive carrot?

(Tom) #5

User education is the first step and it should include ways to create easy-to-remember password/passphrase which meets your PW criteria. Having the user take some meaningful passphrase (like “Don’t begrudge getting older, it’s a privilege denied to many” translates to Dbg0,iapd2m and becomes a complex secure password). Helping users think about creating passwords in this way may be helpful to them.

Providing published password requirements and policies as a handout in training may be helpful. I like formal training (even 1/2 hour) as I feel it shows there is some real importance to the material.

Start an “audit” process where you reward good behavior rather than just responding to negative behavior. As an example, have snack size candy bars (or even bouncy balls) that you hand out to people who are following the policy. People talk about that and the next thing you know, other people are becoming aware of the policy and being more careful. We hand out small packages of Goldfish to people submitting phishing emails to the helpdesk email, rather than opening them.

Good luck!
Lastly, make it as easy as possible. If they have multiple passwords, you may be able to implement LastPass or some other password generator/database.

(Michel Martin) #6

I have been working on this for almost a year now and have them change their passwords every 4 months. I, like many, was dealing with them writing them down and putting them on their monitors, under keyboards, under their desk calendars, etc.
So I took a different approach. Instead of fussing, I rewarded them. I would randomly walk in and offer them breakfast if I couldn’t find their cheat sheet. They got really clever real quick. The other thing is it gave me a 1 on 1 opportunity to teach them how easy it was to formulate complex passwords that were easy to remember.

(Dan LaRocca) #7

It may not work for everyone, and I cannot say how well it works at my workplace as we have not rolled it out yet, but we are working on rolling out a password manager to everyone. We are planning on deploying “KeePass” (a free open source password manager) to all employees. KeePass has a built-in password generator, and with the passwords in a password manager the employee can copy and paste the passwords instead of remembering them. This way they should be less likely to store/write the passwords in an insecure way. We should have it rolled out in the next month or so. I’ll post an update once we have been using it for some time.

(Lou Bolanis) #8

I agree with some of the previous postings…namely, PW managers and corporate-level, team-based credential portals that allow you to logon once, then authenticate to multiple other “managed” UIs from a single pane.

Some free options I’ve found useful are:

  • Using pass-phrases as opposed to passwords (e.g. change “Blue3210!” into “MyP@ssw0rdISBlue3210!” or “Th1zW33kzpw1ZBlue3210”) much easier to remember and exponentially longer
  • Use an alternating string of relative characters before, after or both to tweak a common base password - encourages users to not use the same password everywhere by offering a trade off (e.g. Email = Blue3210!3Ml, Web = W3bBlue3210!, App1 - APBlue3210!P1, etc…)
  • Use common items in an area (truncated/obfuscated of course) to trigger pw memory recall (e.g. if user is logging in to a work portal: W0rkBlue3210!Stapl3r, home email: H0m3Blue3210!C0uch, etc.)
  • Another tactic is to ask users what key combos feel good/easy/right as they type on the keyboard - some people like auditory, special, geometric or repetitive patterns more than actual passwords they have to remember (memory by feel). Use this with caution though, different form factors of keyboards cause problems with this one

I offer lots of different alternatives/recommendations because there’s lots of different kinds of people (everyone’s brain works differently). Typically…It’s relatively easy to sell users on the fact that longer passwords are better using math & cracking proofs of concept. The complexity is a tougher sell because it’s a hassle to remember (unless you offer tricks that work).

(Bob Monroe) #9

Like the Irish say, “if it don’t work, don’t use it”. There are several methods to authenticate a user as well as their level of trust within a system. If you want to have some fun read the real Bell-LaPadula model for secure systems, not the watered down CISSP version. Basically we need to look at trust instead of risk. Users are only allowed to view/edit or move material that they are cleared for. No user should ever be able to view/edit or move data that is above their clearance level or whatever you want to call it (trust level or area of work). For example nobody from accounting should be able to view data from R&D, nobody!

As for authentication, CAC cards, RFID cards, mag strips and other physical cards should be used for multi-factor authentication. A system that just requires a username and a password is easy pickens thanks to new and improved L0phtCrack, Caine and other GPU hardware. Passwords are for low level public information systems, not secure networks. Okay SP 800-63B does have some good ideas for better passwords but they are still the weakest form of authentication.

You want the user to have something they know, something they are and something they have at least. Something they know is usually thought to be the password but we see how easily that is bypassed. Instead look at using personal pictures that only the user would recognize or questions that only the user would know the answer to. Something they are is usually related to biometrics but can include personality, behavioral or moral qualities each person has. This part adds a burden onto your PII system but it is better than daily breaches.

The last (but not least) part of authentication is something they have such as an access card, an RFID tag, a company issued ID card with a crypto chip installed. Those cards must be highly protected and be accounted for on a regular basis. Cards are cheap but are getting pretty sophisticated, just take a look at your new credit card with the chip installed.

There are other ways to authenticate users and some organizations use five or more ways to prove that person is trusted on that segment of the network. Each level of trust requires one or more other ways to prove that person is who they say they are. Passwords should have been removed decades ago because they are so easy to be abused and cracked. The users who are sharing their credentials are doing so out of poor habits and ease of effort.

Lost access cards are much more difficult to explain away than an overused password.

(Bob Monroe) #10

Oh, I also forgot to mention behavioral analysis of users. Each user has established habits such as logging into the system when they arrive at work, checking email, using port 80 to check the web, then returning to the company intranet. If that user happens to open up AIM chat or call up a service on a higher level port, then you know that user is doing something unusual. If that user starts uploading gigs of data, you know something isn’t right here either.

Also the user account should be tied to their work schedule. If they are on vacation or out sick, they should not be logging in to their workstation at the office. Remote access is a huge privilege that should be reserved for specific people within the organization. All others could be allowed remote access but only to the lowest level of system trust they need. This is difficult to implement on cloud-based systems but can be tracked with free products like Netflow inside the organization’s network.

All too often people don’t see those red flags (event files) of a user logging into a high port number or using a service on a different port. Nobody should be moving gigs of data anywhere without upper management approval. No user should be logged into multiple systems at the same time. The ones you also have to watch out for are the older C-level staff.

Yeah, I’ve gotten way off topic, sorry. I hope I am able to help at least a little bit.
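
Added example, not part of the post above or of anyone's reply in this thread: a minimal sketch of the red-flag checks that post #10 describes (login while on leave, sessions on several systems at once, a service on a port outside the user's habit, gigabytes of upload). The user names, hosts, leave calendar, port baseline, 1 GiB threshold and event layout are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data (not from the thread): leave calendar, per-user
# baseline of destination ports, and one day of simplified session/flow events.
ON_LEAVE = {"asmith": [(date(2024, 7, 1), date(2024, 7, 14))]}
BASELINE_PORTS = {"asmith": {80, 443}, "bjones": {80, 443, 25}}
UPLOAD_LIMIT = 1 * 1024**3  # assumed threshold: 1 GiB per user per day

EVENTS = [  # (timestamp, user, kind, host, dst_port, bytes_out)
    ("2024-07-03T08:02", "asmith", "login", "ws-014", None, 0),
    ("2024-07-03T08:05", "bjones", "login", "ws-020", None, 0),
    ("2024-07-03T08:30", "bjones", "flow", "ws-020", 443, 40_000),
    ("2024-07-03T09:10", "bjones", "login", "ws-031", None, 0),
    ("2024-07-03T09:15", "bjones", "flow", "ws-031", 5190, 900 * 1024**2),
    ("2024-07-03T09:40", "bjones", "flow", "ws-031", 5190, 400 * 1024**2),
    ("2024-07-03T17:00", "bjones", "logout", "ws-020", None, 0),
]

def find_red_flags(events, on_leave, baseline, upload_limit):
    """Return (timestamp, user, reason) tuples in time order."""
    flags = []
    active = defaultdict(set)    # user -> hosts with an open session
    uploaded = defaultdict(int)  # (user, day) -> bytes sent out so far
    reported = set()             # de-duplicates port and upload alerts
    for ts, user, kind, host, port, nbytes in sorted(events, key=lambda e: e[0]):
        day = datetime.fromisoformat(ts).date()
        if kind == "login":
            if any(start <= day <= end for start, end in on_leave.get(user, [])):
                flags.append((ts, user, "login-while-on-leave"))
            active[user].add(host)
            if len(active[user]) > 1:  # second system while first is still open
                flags.append((ts, user, "concurrent-sessions"))
        elif kind == "logout":
            active[user].discard(host)
        elif kind == "flow":
            if port not in baseline.get(user, set()) and (user, port) not in reported:
                reported.add((user, port))
                flags.append((ts, user, f"unusual-port-{port}"))
            uploaded[(user, day)] += nbytes
            if uploaded[(user, day)] > upload_limit and (user, day) not in reported:
                reported.add((user, day))
                flags.append((ts, user, "bulk-upload"))
    return flags

if __name__ == "__main__":
    for flag in find_red_flags(EVENTS, ON_LEAVE, BASELINE_PORTS, UPLOAD_LIMIT):
        print(*flag)
```

In practice the events would come from authentication logs and flow records, and the baseline would be learned per user rather than hard-coded.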

(Dave Hausmann) #11

I also think passwords are not something we should say is acceptable for security; however, your industry and company will dictate if you can do anything else. In regards to passwords being shared or other security issues, I notify the offending staff member of the issue, what policy it is in violation of and ways to help them remember passwords or try to simplify their process. This only happens once; after that, repeat offenders are reported to HR with the proper documentation. HR will then start the formal documentation, which still gives the user chances to correct the issue. If they continue to refuse to follow policy then they will get terminated. Again, I hate passwords and have worked on other processes, but until those processes are put in place all staff must abide by our policies. We are in Healthcare and are audited frequently and by different companies.

(Matt Parkes) #12

Do you not find having to change passwords every 4 months breeds bad habits? I know NIST are now recommending that passwords are only changed if they are suspected to be compromised.

(Michel Martin) #13

I don’t believe it does breed bad habits. Instead of making it a negative feeling I encourage them to be creative and reward them for it. Making a password you can easily remember and meeting our guidelines can be a fun process. I have some users that change their passwords monthly on their own. My employees just generally have a good outlook on security and truly want to be proactive & I reward them for it. The other thing I have noticed is they are also more conscious on their cell phones and personal stuff. We have monthly training meetings and discuss things. Biscuits are real cheap, a breach isn’t.

(Edwin Eekelaers) #14

If they would give me $5 for every time I see a user share his password I’d be richer than Bill Gates. For the diehard ignorant I sometimes resort to disabling their accounts till they complain.

(Michel Martin) #15

When I worked on larger accounts I totally had the same issue. I’m now at a small business with less than 60 employees and it’s A LOT easier to manage.

(Dan) #16

User passwords will always be a huge PITA.
I have taken the approach of being the bad guy. (someone has to :wink: ). I will try a few times for education on passwords being left out or shared, then I move to a verbal warning that if I see passwords out I’ll take them, and then I take them.

I tell them about locked Excel sheets and password managers as well.

(Matt Parkes) #17

Hats off to you, I would be a happy man if this type of culture was instilled at my company. I would have to buy the biscuits out of my own pocket, which is not an issue in itself, but I would have to get the board’s approval to pull relevant colleagues out of their day to day routines; pound to a penny they would not allow it. This is based on previous experience of trying to organise regular meetings for a security steering group, let alone training sessions for a larger group, if not all employees.

(Michel Martin) #18

mparkes - I fully understand. I normally offer the classes at 4 different times on 2 diff days. I don’t always get everyone but I will send out materials and follow up with them to make sure they have at least skimmed over it.

(Jack) #19

I have a few repeat offenders in a small office. The first time, I will talk to them, and take the sticky note. If I see it again, I will change the password that is on the sticky note, send a note to their supervisor and copy HR. They will have to call in for a password unlock, and give me a chance to talk to them at least.

We have a new hire security awareness training and an annual security awareness training. During this, I show them the difference between an 8 character password and a passphrase. This has helped out quite a bit as well, and I have seen fewer sticky notes around since I started doing this.

Also, I have a policy of if I can get into someone’s account, I change their desktop background. This applies to a post-it or unlocked computer. Richard Simmons has been seen on quite a few computers around the office.

(Edwin Eekelaers) #20

Changing desktop wallpapers is impossible over here as it’s already locked by a policy, but we do send out a mail to his/her colleagues stating that the offender is hosting an all you can eat/drink party somewhere. That usually convinces them not to do it anymore. One repeat offender kept sticking a label with his account details in a cabinet which was accessible to anyone in our warehouse. Last time I ripped off the label I replaced it by one that mentioned “This is not the place to store your password. Next time it’ll get disabled”.