Jan 03 2012

Teach Users to Treat Passwords Like Money — Quick Take

The sanctity of user passwords needs to be ingrained in users’ minds by IT workers.

As any IT security professional will tell you, one of the biggest challenges to threat prevention in the enterprise is an easily compromised password. We’ve covered the worst passwords of 2011, but the reality is that it’s not easy to get users to pick complex, secure passwords and change them regularly.

Jay Heiser, a Gartner analyst and VP, points out that another security hole in password policy is the common practice of using personal and corporate passwords interchangeably. While convenient for the user, who has fewer passwords to memorize, it puts the business at risk without the IT security team’s knowledge. After all, there’s no automated way to cross-reference personal account passwords with enterprise passwords.

Heiser’s advice: Teach users to treat their passwords like they treat their money. They should hold on to each one and protect it at all costs.

I recognize the impracticality of preventing the shared use of passwords on both personal and employer systems (I won’t suggest that corporate surveillance tools could easily identify the majority of personal passwords, given the number of people who access Facebook and Gmail from work). Even though it cannot be reliably enforced, I see nothing but advantage in encouraging employees to avoid reusing passwords.

PIN and password proliferation is one of the unfortunate and virtually insoluble challenges for the digitally active individual. I try to maintain unique passwords for several hundred systems, and my dependence upon several synchronized copies of an encrypted password store is only one of the several inconveniences, and I am not recommending it. I do recommend that until we have widespread availability of a stronger mechanism that scales to dozens of corporate sites, and hundreds of personal sites, individuals should try to perform a degree of password proliferation.

Enterprise policy writers must recognize that only a small number of humans have photographic memory, and the proliferation of accounts and passwords, and the frequency of changes, dramatically increases the number of random strings that need to be protected. Memorization is impossible. Instead of telling users not to write down their passwords, ask them to treat passwords as carefully as they treat their own money.

Read more about smart and secure password policies in Heiser’s post on the Gartner blog.

For more great stories from around the web, visit our list of 50 Must-Read IT blogs.