End-user password behavior: the bane of IT
(Last updated on February 7, 2020)
We recently ran a meme contest on Spiceworks asking IT administrators and support staff to create a password related meme that captured their password management challenges. I’ve taken the liberty of including some of these throughout this article. With over a 100 memes submitted it is quite evident that end users continue to make poor password decisions whether these be:
- Easily revealing their passwords,
- Choosing weak passwords,
- Writing passwords down,
- Never changing their passwords,
- Forgetting their passwords and calling IT to reset,
- Sharing passwords,
- Or as one entry intimated, ultimately being brain dead.
Although the contest is a light hearted way of capturing IT password related frustrations, the reality is that these behaviors can lead to security breaches, and have a negative impact on productivity both for end users who cannot work because they are locked out of their accounts and for IT who is wasting time – on average four minutes per password reset calls. Any IT admin will agree that this is time that could be better spent doing something else.
To turn things around IT departments need to take back control. There are two ways to do this: password security education and enforcing password best practices.
Never, ever, ever, ever share your password!
Sharing passwords is never a good idea. Do not write them down on a post it, do not share them with a co-worker and do not share them with anyone suspicious trying to obtain your password or other personal data via a phone call or email.
IT departments need to educate users on the potential threats out there such as phishing attacks. Warn users to not reply or not to click on links in emails if in these they are being asked to supply their password, social security number, or any confidential personal or company information even if it looks official. The same applies to phone calls. End users should be suspicious of any email message or phone call that asks them to verify personal information.
Stop choosing Password as your Password!
End users are wired to pick weak passwords – this goes back to cognitive psychology. As humans we are not equipped to retain meaningless information which means we make poor password choices. Either our passwords are just outright silly or they relate to our ego, our interests or something familiar. This is evident in the many common password lists out there, where password, 123456, football, master and monkey continue to make the top 20 most common passwords selected.
Instead of relying on end users to create secure passwords, which is unlikely, IT departments need to embrace better password policy practices that enforce more secure passwords by blocking the use of common dictionary words and enable more complex passwords by mixing different complexity rules (e.g. minimum of 10 characters with all four character sets or use passphrases that are longer than 20 characters).
Introducing password complexity can have negative consequences as end users may forget their passwords which will drive calls to the service desk. So to ensure success, you can’t stop here. A good password policy strategy will also need to include self-service password reset.
Passwords cannot be immortal
Password expiry rules that force end users to change their passwords too often can have a negative impact on the end-user experience but not having any password expiry rules in place can have serious security consequences. Passwords have to expire. Having the same password no matter how secure the password seems is not good practice. Passwords should be changed every three months as a good rule of thumb.
Of course if your organization does not have password expiry policy in place or has one where passwords expire only after six months or more a phased approach where password expiry time is gradually reduced (e.g. from six months to five months then five months to four months and so on) and/or by targeting specific groups at a time. Phasing into this will be the best way forward if not you’ll probably be inundated with a bunch of calls to the service desk by unhappy users.
Reset your own password!
Adding password complexity and enforcing password expiry will most certainly drive up calls to the service desk. Password rest calls are not only time consuming, but they are also costly.
Quite frankly, IT departments have better things to do with their time and so do end users, who are also wasting time sitting idle. A secure password policy strategy needs to be rounded out with self-service password reset. This will allow end users to reset or unlock their own accounts, offloading this task from IT. It’s really a win-win, isn’t it?
But also remember that a good communication plan will optimize adoption. If end users do not know about it, if they are not sold on why it’s better than calling your department, they will not use it and continue to call.
IT departments – say it with me. I’m taking back control!
Lax password security is a no-no. Re-evaluate yours’ today, educate end users, enforce stronger password policies that go beyond Windows policy settings and have a communication and education plan. Communicate, communicate, communicate! Don’t just spring it on your end users. And for the sake of your sanity implement a self-service password reset solution.