I recently received a call from a friend who had set up an online payment reception service with a well-known provider so he could receive payments through his Web site. "I've got a question: there is a charge for $300 for some computer equipment that I did not order, what's happening?" After going through the more obvious questions, I asked him: "What is your password?" It turns out his password was, literally, "password." Someone just entered his account name, guessed the password, and now could use his account for online shopping. This is a rather extreme example, but it illustrates very well the need for strong passwords.
Adherence to stated password policies is something I get asked about quite a bit by clients looking to implement a Security Awareness Program. A weak password can disable a reasonable security infrastructure, effectively bypassing other security measures that have been implemented. Although other methods for user authentication exist, such as biometrics, usernames and passwords continue to be one of the most widely used authentication methods. Because of this, it is critical to inform users about the importance of adhering to stated password policies, and assist them in selecting strong passwords.
Several methods exist for selecting strong passwords, but in my experience, one of the most effective is the use of a passphrase. Users select a passphrase that is easy for them to remember, such as "I like strong passwords." They then determine a "formula" for converting this passphrase into a password, such as substituting every vowel with a special character, dropping certain letters, or capitalizing every other word. Using the above example, a password that could be generated might be "iL1k3stngP@sswrds," which is a relatively strong password, yet still easy to remember.
Providing users with awareness training regarding passwords is key to ensuring that a critical component of your security infrastructure is not undermined. Users need to know why it is important for them to select strong passwords. It is also important to provide them with training on how to select proper passwords, and tips on how to generate passwords they can also easily remember. A small investment in training in this area will pay large dividends in overall security improvements.
ComputerWorld article: Study: Weak passwords really do help hackers
Zulfikar Ramzan's blog: Drive-By Pharming: How Clicking on a Link Can Cost You Dearly