Passwords and the Human Factor


Passwords have a strange dual nature. The stronger and more secure the password, the more likely it is to be undermined by human weakness.

It is widely known that passwords are the most common means of access control. It is also common knowledge that passwords are the easiest way to compromise a system. Passwords have two basic functions. First, they allow initial entry into a system. Then, after access, they grant permission to various levels of information. This access can range from public data to restricted trade secrets to pending patents.

The best passwords are long and complex combinations of upper- and lower-case letters, numbers, and symbols. People faced with such formats tend to write them down, store them on a portable device, and so on, which destroys the integrity of the password.

Password integrity can also be circumvented through “human engineering” (social engineering). People can unknowingly make serious errors of judgment in situations they consider harmless or even helpful. For example, a password shared with a forgetful colleague can end up compromising a system. In more sinister cases, a scammer or hacker calls a naive employee, introduces themselves as a senior executive or help desk staff, and obtains that person’s password. People have also been tricked by callers claiming an emergency, by cajoling, or even by threats against their job if a password is not provided.

These human lapses can be addressed through employee training and written policies that give sound guidance and procedures for these situations. Information security training, including password protocols, should be mandatory for all company employees. Management’s support of this training and of the security policy is critical to its success. To be effective, training must be iterative, with quarterly reviews of company policy. Frequent reminders about password strength, such as banners shown at login, also help.

Management must not only endorse security measures, but also provide a written and enforced policy statement. These written policies should be developed with the help of the IT department, as well as the human resources and legal departments. Written policies should be part of the employee’s introduction to the company and should be reviewed at least twice a year. It is also essential that employees sign a document stating that they have received, read and understood its content. Companies that ignore these practices do so at their own risk.

Enforcement is an important partner to training. A policy that is not enforced is much worse than no policy at all; in fact, inconsistent enforcement or a lack of enforcement can increase a company’s liability in many legal actions. To work, a policy must have “teeth”. There should be a range of consequences for lapses, depending on whether it is a single event or multiple or flagrant incidents, from a verbal warning up to dismissal.

In short, passwords can be kept more secure by recognizing the human factor. Through proactive management, communication and training, as well as written and enforced policies and procedures, companies can gain more control over their information assets and keep their customers and partners much more secure.