Security Awareness Training: Passwords

By: (CISSP, CISA, Security+)

Publication: Nebraska Banker, July/August 2012

One topic you might have overlooked for training this year is password security. Operating systems, web portals, and software applications have evolved in the realm of technical security measures, so that now it’s rare not to see some form of easy-to-use password policy attached. You can easily enforce password length, complexity, and age restrictions for your bank’s network; however, these restrictions are insufficient without password security training.

Unfortunately, technical controls can only do so much—your employees are either the strongest or the weakest link in information security. Windows password complexity policies, for example, will not prevent anyone from setting their network password to "Password1." It is at least eight characters long and includes both a capital letter and a number, yet it is one of the most common and simplest password choices. Training can teach your users to try passphrases instead. These can be song lyrics or quotes that are longer than a typical password but are usually easier to remember. Capitalizing the first letter, using spaces between the words (if the system allows them), and punctuating the end will create an extremely strong password. Length, rather than the use of symbols and numbers, is actually the greater indicator of password strength.

I think by this point in time, most banks have trained their users not to write down passwords, but as an auditor, I still find password lists from time to time. I’ve also found sticky notes with old network passwords crossed out and replaced by current passwords. Unfortunately, in some cases the pattern is simple (Summer2010, Winter2010, etc.), so it won’t be too hard to guess what the next password will be—even if the Post-It is taken down. As users rely more and more on technology, their list of account names and passwords continues to grow. If your users need help remembering all those passwords, they should be instructed that, if written down, passwords should be kept in locked drawers. Another option is to utilize a password-storing application.
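The two preceding paragraphs make a point that is easy to demonstrate in code: a Windows-style complexity rule accepts "Password1" and "Summer2010", while a long passphrase is far stronger but can fail the same rule if it has no capital letter or punctuation. The following is an added example, not code from the article or from any product it mentions; it is a small audit helper a bank's IT staff might run against proposed passwords. The `COMMON` list is a constructed stand-in for a real breached-password list, and the entropy figure is only a naive ceiling based on length and character classes.

```python
import math
import re

# Character classes that a Windows-style complexity policy counts; three of four are required.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Season + four-digit year, optionally followed by trailing punctuation (Summer2010, Winter 2011!).
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)\s*(19|20)\d\d[!.]*$", re.IGNORECASE
)

# Constructed stand-in for a breached-password list; a real deployment would load a large one.
COMMON = {"password", "password1", "letmein", "welcome1", "qwerty"}


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Mimic the usual 'at least min_len chars and three of four classes' policy."""
    classes = sum(1 for rx in CLASSES.values() if rx.search(pw))
    return len(pw) >= min_len and classes >= 3


def estimated_bits(pw: str) -> float:
    """Naive strength ceiling: length times log2 of the character pool actually used.
    This overstates the strength of dictionary words, which is why audit() also
    checks a common-password list and known patterns."""
    pool = 0
    if CLASSES["upper"].search(pw):
        pool += 26
    if CLASSES["lower"].search(pw):
        pool += 26
    if CLASSES["digit"].search(pw):
        pool += 10
    if CLASSES["symbol"].search(pw):
        pool += 33  # printable ASCII punctuation, including space
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def audit(pw: str):
    """Return (accepted, reasons). Accepted only if no rule fires."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails length/complexity policy")
    if pw.lower().rstrip("!.") in COMMON:
        reasons.append("on common-password list")
    if SEASON_YEAR.match(pw):
        reasons.append("season+year pattern")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Password1", "Summer2010", "keeptheriveronyourright",
                      "Keep the river on your right!"]:
        ok, why = audit(candidate)
        print(f"{candidate!r}: complexity={meets_complexity(candidate)} "
              f"bits~{estimated_bits(candidate)} accepted={ok} {why}")
```

Running it shows "Password1" and "Summer2010" passing the complexity check and being caught only by the list and pattern rules, and the all-lowercase passphrase being rejected by the complexity rule despite its length; adding the capital, spaces and final punctuation the article recommends makes the same phrase pass every check with a far higher length-based estimate.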

One final area of password security where you must rely on training, rather than technical controls, is in the practice of reusing passwords. If your employee uses the same password for your network as he or she does for personal email, Facebook accounts, or other websites, you are now relying on the security of all these unknown companies. While you cannot control how securely these other websites handle authentication information, you can use security awareness training to remind your users that their bank passwords should never be shared among other types of accounts.

These are pretty basic concepts, but as with most training, they must be continually revisited for them to stick. When your training focuses on creating a culture of security among users, rather than the need to cross off an annual checklist item, you will hopefully see more users understand the importance of creating strong passwords and securing them.