Difference between revisions of "Talk:Talking Passwords"


Revision as of 00:39, 25 May 2005

Why not just use biometrics? A good fingerprint reader doesn't really cost all that much. No passwords to forget - ever.

User understanding can't be overlooked.

I have found from my experience with passwords that users' attitudes are the key to the effectiveness of a password policy. The actual rules of the password aren't as important (they still form a part, as we don't want everyone using cola1 or the common january1, february2 etc. to bypass the "must have a number in the password and it changes every 30 days" rule).

When implementing your policy it is important that the importance of passwords be put across to your users. Some of the key messages we use are:

Treat your password like the PIN number on your bank card (this links the concept of a password with something they do in their personal lives: "hey, you're right, that's my money, I don't want people looking at that, I need to keep my PIN a secret").

Passwords are your electronic identity; anything happening under your password is you, in just the same way that a bank doesn't care if you have given your PIN number to someone or written it on your card and then somebody takes the card and withdraws your money: the bank will say, well, that's not our issue, that must have been you. The company should treat this the same way: if someone sends an inappropriate email or performs inappropriate activity under your password, then the company will treat that as you (this can be seen as a bit of a fear tactic, but it is putting ownership back onto the users).

Make managers responsible for their staff; don't have the local book where everyone lists their password, or post-it notes all over the place with passwords. By making management responsible this helps enforce behaviours.

Encourage the concept of passwords being not just a single word but a simple phrase. The average user thinks "I have to think of one word and add a number", but if you get them to use simple phrases, it adds to the complexity of the password and can make it easy to remember, e.g. a password of "my2children" is harder to guess than "Tommy", assuming that someone knows that the user has a child called Tommy. The concept of password phrases is foreign to most, and some passwords have limits on the number of characters; this is where you can get people to use the first letters of a phrase, e.g. "My two kids eat dinner" could be a password of M2KED, which is hard to remember if people think "I have to have an odd password", but if as a user they think "oh, it's a phrase" then it is easy to make sense of. Most companies don't invest time in educating users on passwords, how to come up with an effective password, or why it is important; we simply expect users to follow the rules and that should be enough, yet this is the basic security 101 that a company should invest in: change the culture and they will follow it without relying on the rules to mandate it (not that I would never have rules, but it is more important to get the culture right than the rules).

Well, that's my opinion.

Scott Henderson

Australia
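As an added illustration (not part of the talk page or its author's text), the following Python shows why a bare "must contain a number" rule does not stop the january1 / february2 / cola1 rotation trick the post describes, and how the phrase-acronym idea (My two kids eat dinner → M2KED) satisfies a short length limit. The month list, the small common-word list and the minimum length of 5 are assumptions constructed for the example.

```python
import re
from typing import Optional

# Constructed sample lists for the example; a real deployment would use a
# proper blocklist and breached-password data instead.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
COMMON_WORDS = frozenset({"cola", "password", "welcome", "letmein"})
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10"}


def naive_rule_passes(pw: str, min_len: int = 5) -> bool:
    """The rule quoted in the post: a digit must be present.
    The minimum length is an assumption; the post states none."""
    return len(pw) >= min_len and any(c.isdigit() for c in pw)


def weak_pattern(pw: str) -> Optional[str]:
    """Name the rotation-bypass shape the post describes, or None if absent."""
    m = re.fullmatch(r"([a-z]+)(\d{1,2})", pw.lower())
    if not m:
        return None
    word = m.group(1)
    if word in MONTHS:
        return "month+digit"   # january1, february2, ... one per 30-day cycle
    if word in COMMON_WORDS:
        return "word+digit"    # cola1
    return None


def passphrase_acronym(phrase: str) -> str:
    """Turn 'My two kids eat dinner' into 'M2KED': first letter of each word,
    with number words written as digits, for systems with short length limits."""
    out = []
    for word in re.findall(r"[A-Za-z]+", phrase):
        out.append(NUMBER_WORDS.get(word.lower(), word[0].upper()))
    return "".join(out)


def evaluate(pw: str) -> dict:
    """Combine the naive rule with the pattern check that the naive rule misses."""
    pattern = weak_pattern(pw)
    return {"rule_ok": naive_rule_passes(pw),
            "weak_pattern": pattern,
            "accept": naive_rule_passes(pw) and pattern is None}


if __name__ == "__main__":
    for candidate in ("january1", "cola1", "Tommy", "my2children",
                      passphrase_acronym("My two kids eat dinner")):
        print(f"{candidate:12} {evaluate(candidate)}")
```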