How do you get people to start using complex passwords?

Joemonkey

I work at a law firm and currently we don't have any requirements for passwords. Also, people get up from their PC and leave for hours at a time without locking their desktop. I voiced my opinion about how much of a security risk that is and gave them examples of what people could do if they felt like being malicious.

Now, after a management meeting, they want me to turn on complexity rules. This is fine, but the people in this office are barely computer literate, and I don't think they will be able to remember an 8 character string with upper, lower, numbers, and symbols in it.

We're thinking about getting RSA ID devices for a few of the people who can't be bothered to remember such a password, but if they are using a PDA to sync their emails, they will have to type it in every time.

How do you guys do it?
 

Mr N8

Why not just implement fingerprint scanners? That way, you have a secure login, but they don't have to remember anything. You could let them keep their current password type in combination with them, also.
 

CraigRT

not too much security here, but it works...
the areas of most security risk are usually locked when someone isn't around, and the computers are locked (desktops) with passwords of their choice.
haven't had a problem yet just practicing like this.

also, the building is very secure, each employee now carries an electronic keycard, as well as photo ID, so the likelihood of something happening is slim.
 

Zysoclaplem

You don't have to be computer literate to remember an 8 character password. Besides, they don't have a choice in the matter. Maybe some printed signs around the office reminding people to lock their PCs when away from their desks. Perhaps give some examples of things that might happen if they don't.

 

CRXican

Originally posted by: Zysoclaplem
You don't have to be computer literate to remember an 8 character password. Besides, they don't have a choice in the matter. Maybe some printed signs around the office reminding people to lock their PCs when away from their desks. Perhaps give some examples of things that might happen if they don't.

I beg to differ, we have people in our office that can't remember standard passwords. Then they made us use the complex ones, what a pain in the ass. They finally gave up and gave everyone fingerprint scanners, much easier.
 

thirdlegstump

Just print it on a piece of paper and tape it to their monitor. Simple as that. Or get Macs in the office as they're far more superior when it comes to security.
 

isasir

We did it here at my office and the computer literacy of my co-workers is probably on par with yours. They hated it, but we implemented it one day and they just had to live with it.
 

spidey07

well the only problem is the complex password will be written on a sticky and placed on the monitor.

But if you really want them to start using them just make sure you document/train well. And keep following it up with more memos and the importance of strong passwords.
 

Czar

We turned on complex password last summer where I work, had only minor problems.

Best way to get people to get used to the new rules is to give them examples like "Atlantic99" and "artic.1995" and "Pacific." are valid.
 

Mr N8

Originally posted by: CRXican
Originally posted by: Zysoclaplem
You don't have to be computer literate to remember an 8 character password. Besides, they don't have a choice in the matter. Maybe some printed signs around the office reminding people to lock their PCs when away from their desks. Perhaps give some examples of things that might happen if they don't.

I beg to differ, we have people in our office that can't remember standard passwords. Then they made us use the complex ones, what a pain in the ass. They finally gave up and gave everyone fingerprint scanners, much easier.


That's the exact reason we have fingerprint scanners. We hire incompetent people, and expect them to just adapt to office life.
 

mobobuff

Teach them techniques for inventing rememberable passwords.

I have about 25 different passwords/PINs for things, but I can remember them all because I can associate them with something.
 

DrPizza

why not simulate bad things happening to a few of the computers? Teach them a lesson as part of a demonstration of what can go wrong.
 

Leper Messiah

as for the locking the computer thing, I always set the screen saver to come on after maybe 10 minutes, and have it password protected. that'll lock 'em down.

Implement the security rules. They'll just have to live with it.
 

Drakkon

you make people use a complex password and what they will do is keep a piece of paper next to their desk with it right there or on a sticky note right under their keyboard, making it even LESS secure. When I worked at a court house the FBI NCIC computer was in a restricted area, but anyone who got up to the terminal had the password right there because it was such a random combination of characters/caps/numbers that no one could remember it :p

I just tell people keep it complex that you can remember, if I come to your desk and I can figure out your password, it must change.
 

Ilmater

This is a major problem where I work (but I do not work in IT). The problem is, many of the passwords we require are 8+ characters, and have to have upper- and lower-case letters, numerals, and special characters. This is a ridiculous requirement, as nothing you can come up with is anything near memorable. Plus, we have so many systems and passwords that there's no way a human being could remember them all, especially when 60% of them demand that you reset them all the time.

Just tell your management this: it's better to have some memorable passwords that stay the same than to have complex passwords that they can't tie to anything mentally, so they have to write them down.
 

Czar

so people know, a complex password does not mean it's automatically generated gibberish

in windows you have 4 groups like he says
letters
capital letters
numbers
symbols

when using complex password any password used must use 3 of the 4 groups above
 

Kelemvor

Just turn it on and tell them that's the way it is. That's what we did.

In our new image they just turned on that exact thing. Use 3 of the 4 groups...
 

Monkey muppet

Simple password = not very secure (for the uneducated normally equals password1 or something similar)

Complex password = written down on a bit of paper

Biometrics = nothing to remember

128bit RSA keyfobs = Stupid amount of money to buy the algorithm license.

I enforce the 6 digit alpha numeric password for workstations with a lock down after 15 minutes. If I find someone with spyware, weather monitors, or similar installed, I disable their internet access then blame it on their stupidity if anyone questions me.

If they want internet access back they have to convince me that they've read the IT security policy. Normally by asking them if they think they've broken it by quoting me the paragraph which applies to them (I can be a complete bastard about this). I've also got a couple of people fired over misuse of their WORK pc

The easiest way to remember a complex password would be to write down a phrase:

"Pants, what would one do if they forgot their password" - take the first letter of each word = Pww1ditftP

Simple!!!
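
Added example, not part of any post in this thread: a Python sketch of the "3 of the 4 groups" rule as Czar describes it, run over the passwords quoted above and over a first-letter mnemonic like the one in the preceding post. The function names, the 8-character minimum (taken from the opening post) and the `one` to `1` swap table are assumptions; the real Windows policy applies further conditions that are not modelled here.

```python
import string

# The four character groups listed in the thread; any three must appear.
GROUPS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def groups_used(password):
    """Return the set of group names that occur in the password."""
    return {name for name, chars in GROUPS.items()
            if any(c in chars for c in password)}


def meets_rule(password, min_groups=3, min_length=8):
    """True if the password is long enough and spans enough groups."""
    return (len(password) >= min_length
            and len(groups_used(password)) >= min_groups)


def phrase_to_password(phrase, swaps=None):
    """First character of each word; swaps maps a whole word to a replacement."""
    swaps = swaps or {}
    out = []
    for word in phrase.split():
        core = word.strip(string.punctuation)
        if core:
            out.append(swaps.get(core.lower(), core[0]))
    return "".join(out)


def audit(passwords):
    """Map each password to (passes_rule, sorted group names)."""
    return {p: (meets_rule(p), sorted(groups_used(p))) for p in passwords}


if __name__ == "__main__":
    # Samples quoted in the thread, plus "Password1" (constructed for contrast).
    samples = ["Atlantic99", "artic.1995", "Pacific.", "password1", "Password1"]
    # The post capitalises the final letter by hand; this helper does not.
    samples.append(phrase_to_password(
        "Pants, what would one do if they forgot their password", {"one": "1"}))
    for pw, (ok, used) in audit(samples).items():
        print(f"{pw:12} {'pass' if ok else 'FAIL'}  {', '.join(used)}")
```

`Password1` satisfies the rule just as the mnemonic does: counting character groups says nothing about how predictable a password is.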
 

DaWhim

when I used to work in citigroup, this was how they did it.

8 letter password combination of at least one digit, letter, and special letter like #!%#!$#
computer will log out after 15 or 30 minutes inactive
password will change after 3 months

guess what people do? passwords can be found around their desks.
 

91TTZ

We did this on a few different projects that I worked on. From my experience I can tell you that the security plans backfire when you force end users to remember complex passwords.

In theory it should be more secure, but here's how it plays out in reality:

Before the change, users remembered their passwords since the rules weren't so strict. After the change, most users ended up writing them down on a piece of paper and putting them in a convenient place, usually under their keyboard or in their desk.
 

Phoenix86

Answer is simple, turn on the policy and they have to do it...

The answer to your problem isn't so simple. Complex passwords=password on sticky on monitor.

First piece of advice is to turn on password protected screen savers after ~10 minutes.
 

Leper Messiah

really, the best way to go, if you have to be secure, is some kinda fingerprint reader that is attached to a really complex password.
 

notfred

I have a blue sticky note sitting here on my desk with 4 different "complex" passwords written down on it. Actually, it's got about 15, but all the old ones are scribbled out. If you require me to have passwords that change every 60 days, can't repeat old passwords, and have to have a million different requirements, I run out of stuff I can remember pretty quickly.