Security for the Real World – Password Policies

Published: 2014-01-13 (last modified 2021-08-30)
Author: site user id 2
Source: https://cybersecurity.bellevue.edu/index.php/2014/01/13/security-for-the-real-world-password-policies/
Categories: human-aspects, online-safety-tips, security-education, security-management

Passwords suck. They always have; they always will. But we're stuck with them. They are the cheapest and easiest means of user authentication.

With passwords come the ubiquitous password policies. This post addresses two of them seen at most organizations*:
1. Thou shalt not share thy password.
2. Thou shalt not write down thy password.

* "Thou shalt" isn't usually used in policies. I'm using it for effect.

There are many problems with these rules. First, they are almost impossible to enforce, unless it's a really small organization or you have a large police force. Second, they are often violated by the top echelon in the company. How many CEOs share their account with their admin? Are you going to tell the CEO that he's violating the company policy? That's a CLM (Career Limiting Move) if you ask me.

Rules like the ones above are there to protect the organization, not the employee. They cannot be enforced, except when something bad happens. Then the enforcer can point to the policy and report the violation. I call it a "speed limit" policy: good to follow, but neither continually nor consistently enforced.

Here's the key to making those policies work: make the user responsible for his/her account. The policy statement would then be, "All users are responsible for protecting their login credentials from unauthorized access like they would protect any other corporate asset." This puts the onus on the user. If someone gains unauthorized access to the user's account because he/she didn't follow the rules, then the user is accountable. They are guilty until they can prove themselves innocent. If someone (like the CEO) wants to share their account, they can, as long as they realize that it's them who will be held responsible for any actions taken by the other party.

With so many passwords to remember, people need to write them down. Telling people not to just isn't realistic. Some use a password vault application. Others use a piece of paper. Both are fine as long as they are rigorously protected. It's fine for people to write down their passwords as long as they store them in a very safe location. My mom has a piece of paper with all of her passwords on it in a desk drawer in her apartment. I'm fine with it, since I may need it one day as her power of attorney. Her apartment is in a secure facility, so the risk is minimal. There's a much bigger risk of her becoming incapacitated and me not having access to her accounts.

That's what it comes down to: understanding RISK and establishing Accountability. What are the risks associated with the actions? Who's responsible? Answer those and you make a cognitive decision that's both realistic and enforceable.