Passwords, Policies, People

Last week cyberprofessionals and cyberenthusiasts celebrated National Password Day.

Let’s be honest. The word for National Password Day for most people is “pass.” Most people will look at all the posts and articles (including this one) about the necessity of strong passwords and how to create them and think “I’ve heard it all before” and “I’m not the one who needs reminding.” It’s always “that guy” that’s the problem.

Problematic Practices

The reality is if you’re in IT or cyber, you know it’s all to common for weak passwords and weak password practices to lead to easy exploit. Sure, there are policies that can help guard against this. Known password policies a company might have that employees are supposed to adhere to (let’s be honest, we all know people skirt those).

Strong password policies in place through Active Directory (or whatever other policy setting and enforcement platform). But let’s be honest here, too. How many accounts might have legacy passwords that were never updated? Accounts with passwords set to never expire? We see these all the time in Active Directory audits.

Or even if everyone is adhering to the password policies both automatically enforced and company directed, it’s possible to have a password that meets requirements but is easily exploitable. Living in Oklahoma, something like B00m3rS00n3r123! Would meet all the password requirements you might enable, but any competent hacker or well designed automated system would gain access in a matter of seconds.

Or here’s a complicating factor: Where else is an employee using their work credentials? A part of every Pen Test is looking on the Dark Web for credential leaks. It’s rare not to find at least a smattering of leaked credentials, where employees have used their work credentials for what should be personal accounts.

Most that we find are online vendors. A few are more obviously personal sites like Adult Friend Finder. Given the commonality of password reuse, the chance that the password associated with the username for the leak is the same as the one used for company access is high. So even a robust password can be discovered and utilized to gain company access.

What’s an organization to do?

Problematic Policies

Good policies are a starting point, but as demonstrated, they aren’t the magic bullet. The question becomes what you do when an employee violates policy, whether through creating an easily guessable password or by using their work credentials for personal use? It’s akin to the question of what to do when an employee clicks on a phishing link, simulated or real.

One option is zero-tolerance. Click the link, clean out your desk. Create a weak credential or misuse your work account, clear out of the office. These solutions have the ease of simplicity. Action and immediate consequence. They have the ease of clarity and the appearance of fairness. No matter who and no matter the situation, the response can be applied without discussion or argument.

What such one-size-fits-all policies do is incentivize delay and denial. If an employee knows they are going to get fired for either revealing or concealing their actions, why not hope something goes unnoticed? Or even if it will come out, why not delay to give time to search for another job or shore up other opportunities?

Or even if an action won’t automatically result in dismissal, what if the consequence is something that could feel demeaning or shameful? An automatic “here’s a mandatory training video” can seem to provide some mitigation, but it’s also impersonal and applied indiscriminately. Or just the tone of a boss or coworkers response or rebuke can exacerbate what is already a known sense of guilt, failure, and likely stupidity.

None of these produce the results that are organizationally healthy.

Promoting Growth

Where we’ve seen success for organizations is adopting a zero (or no) fault approach to security awareness engagements and training. Instead of a policy that can and will be applied without consideration of context or a response that is merely remedial, a more successful approach is to approach missteps and mistakes as an opportunity for individual professional development in awareness and best practice habits.

Of course, there are situations where the offense is so egregious or the consequence so dire that a more direct and severe response is necessary. These, though, are the rare one-offs. In most situations, the weak password, reused work credentials, or other violation are done without nefarious intent and without significant consequence.

Instead of an automatic response, the more human and humane response can be to engage, ask questions, educate, and empower. No one wants to be the weak link in security. Everyone knows they can do better. Most people want to bring value to the organization. So leverage the good of your people. Teach them how to be stronger links in the chain. Train them to look not only at their own actions and habits but at those of the people around them.

What you might find is that those “weakest links” could become your human firewall. You might find that not only do they become the most resilient to future missteps, mistakes, and poor practices but also they become your best advocates for a strong, resilient cyberculture.