
Embracing strong passwords

Jul 06, 2004

* Ways to get users to work with you on strong passwords

I was invited to speak at a meeting of the New England Information Security Group in May and was delighted to meet Charisse Sebastian. We had such a great time exchanging stories and ideas about technical support and security that I invited her to write about her insights into the importance of good communications between the IT group and the user community. Here is her contribution to the column with my thanks.

* * *

By Charisse M. Sebastian

In previous articles about passwords, Mich Kabay has expressed his distaste for this method of identification and authentication (I&A). But whether he likes them or not, most of us are stuck with passwords and the management problems they cause.

In an age of hackers, viruses, terrorism and malevolent employees, talking about security can make people either try to glamorize it, à la James Bond, or minimize it, as in, “It won’t happen to me.” Both attitudes are distractions that decrease security.

Security is too often an afterthought, especially in the U.S., where the American culture of openness can interfere with effective security. Openness is a valid and altruistic attitude for social interactions, but protecting networks from intrusion and accidents is crucial to long-term success in business. Unfortunately, efforts to make users more aware of security are often met either with the attitude that IT must be paranoid or with silent resistance.

The most common sources of conflict where IT and users interact over security are password-protected logons and Internet communications. Until we see affordable improvements in I&A, strong passwords and good management remain essential.

In today’s environment, everybody connected to the Internet is a potential target.

Some salient statistics, for what they’re worth (see Related Links below for sources):

* Calls dealing with password resets are the No. 1 demand for help desk support.

* Total annual cost of U.S. corporate online security breaches in 2000: $15 billion

* Percentage of U.S. companies not implementing “adequate” security: 30%

* Percentage of U.S. companies that spend 5% or less of their IT budget on security for their networks: 50%

Strong passwords, as most policies define them, have a minimum length somewhere between eight and 14 characters and mix upper and lower case, numbers and symbols. But to a user, strong means more complicated. Users either simplify the password itself or help themselves remember it, often with a Post-it note on the monitor bezel or under the mouse pad.

This issue requires human interaction to resolve.

First, I cannot emphasize enough the importance for IT staff from the CIO on down to the lowliest help desk assistant to avoid condescending to users. Learn what the users are thinking. How do they view security? Why and how have they opposed security? Instead of dictating to users from IT, look at the issues from the users’ point of view. Get them to buy into the policy willingly and enthusiastically as stakeholders, not as put-upon victims of an administrative dictatorship. As a suggestion, as part of new employee orientation (and an employee refresher, too), have the IT instructor go to a criminal-hacker Web site to show users the kinds of threats that IT has to deal with every day and how such threats can harm the users directly and personally.

Second, help users incorporate strong passwords in a way they can remember without writing them down. One suggestion: run together the words of a familiar phrase, up to about 16 characters, mixing case and substituting or adding symbols and numbers for some of the letters.
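The two rules above (the length-and-mix policy, and the run-the-words-together construction) are easy to put in code, and doing so exposes the caveat a practitioner should attach to them. The example below is added here as an illustration and is not code from the column or its author; the word list and the table of letter-for-symbol substitutions are constructed stand-ins for the far larger lists and rule sets that real cracking tools carry.

```python
import re
import string

# Minimum length from the column's rule of thumb (eight characters; it cites
# 14 as the upper end of what policies demand).
MIN_LENGTH = 8

# Constructed stand-in for a cracker's wordlist. Real tools carry millions of
# entries; these few are enough to show the check working.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "monkey", "qwerty"}

# Letter-for-symbol substitutions that password-cracking rule sets reverse
# routinely (assumption: a small, typical subset).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def character_classes(pw):
    """Which of the four classes (lower, upper, digit, symbol) the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def looks_like_dictionary_word(pw):
    """True if undoing the usual tricks leaves a single dictionary word.

    Trailing digits and symbols are dropped, case is ignored and the common
    substitutions are reversed before the lookup; a cracker's mangling rules
    do exactly this in the other direction.
    """
    core = re.sub(r"[^A-Za-z]+$", "", pw)   # "Welcome1!" -> "Welcome"
    core = core.lower().translate(LEET)     # "p@ssw0rd"  -> "password"
    core = re.sub(r"[^a-z]", "", core)      # drop anything left that is not a letter
    return core in COMMON_WORDS


def assess(pw):
    """Apply the column's rules, then the dictionary caveat. Returns (ok, reason)."""
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        return False, "missing " + ", ".join(missing)
    if looks_like_dictionary_word(pw):
        return False, "dictionary word with predictable substitutions"
    return True, "ok"


def passphrase_from(phrase, max_len=16):
    """Build a password the column's way: run the words of a phrase together
    with mixed case, cap the length, then swap a symbol or digit in for the
    first occurrence of a few letters.
    """
    joined = "".join(w.capitalize() for w in phrase.split())[:max_len]
    for letter, repl in (("o", "0"), ("i", "!"), ("s", "$"), ("e", "3")):
        idx = joined.find(letter)
        if idx != -1:
            joined = joined[:idx] + repl + joined[idx + 1:]
    return joined


if __name__ == "__main__":
    for candidate in ("Summer2024", "Welcome1!", "P@ssw0rd",
                      passphrase_from("the quick brown fox jumps over")):
        print("%-20s %s" % (candidate, assess(candidate)))
```

Run it and the point of the caveat is visible: "Welcome1!" and "P@ssw0rd" satisfy every composition rule yet fail, because stripping the suffix and reversing the substitutions leaves one dictionary word, which is the first thing a cracking tool tries. The phrase-built "Th3Qu!ckBr0wnFox" passes for the opposite reason: what gives it strength is the length and the several words, not the symbols. Current guidance (NIST SP 800-63B) draws the same conclusion, favouring length and screening against lists of known-compromised passwords over composition rules.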

Third, with user input, create a well-defined, solid foundation of companywide policies and procedures. That means everyone from the CEO down, with no exceptions. For end users to become stakeholders, it is critical that they understand that everyone is involved, and why. Why does IT need their help? Why do they need to be concerned? Why is IT, in effect, an extension of their own departments?

In summary, computer security is an endless process. With continuing user investment and input in a real team effort with IT, security becomes manageable, effective and non-intrusive. Often, getting users actively involved in security does more than purchasing another piece of security technology, and it spares already tight IT budgets. Finding or creating the right mix of technology, procedure and policy means analyzing the system and taking input from users to understand what is needed. Once new procedures are in place and policies established, they have to be maintained, monitored and tested on a regular basis. That includes feedback from the users, taken seriously, on a regular basis.

Computer security is a journey, not a destination.

Charisse Michelle Sebastian is an IT Support Evangelist who passionately loves IT, specializing in desktop/user support, troubleshooting, training, server support, security, writing and mentoring. Right now, while working in a consulting practice and in transition, she is on an active job search and invites correspondence.