Awareness Around Passwords
When covering passwords in your security awareness program, the real motivation behind teaching password hygiene and good habits is proper identity management and access control. A username and password are not only THE key to the user’s computer; they also control access to YOUR organization’s network and systems. A unique username identifies an individual on the technology stack and his/her access to information AND the network. Accountability and authorization to access data are therefore tied up in each user account.
When teaching password good habits (or hygiene), put yourself in your users’ shoes. How are passwords used in your environment for various departments and job roles? Is there a “one password to rule them all” concept in place (a single sign-on identity), or do employees hold separate third-party application passwords for systems that don’t live on premises? Do any of those third-party applications involve sensitive information like employee PII or health insurance information? Consider these answers as you craft awareness around passwords.
1. Password Strength Requirements
When users see password complexity rules like length of at least 10, uppercase, lowercase, numbers and symbols, they balk. Password complexity requirements are put in place to drive strong password creation. Strong passwords help keep people from guessing or breaking passwords (by brute force, dictionary lists or credential stuffing) to gain access to accounts; of the rules above, length does most of the work, since every added character multiplies the guessing effort. If they don’t believe you, let them try a few throwaway examples at https://howsecureismypassword.net/ and watch how quickly short or common passwords fall. Remind them never to type a real password into any third-party checker.
2. Password Reuse
Rules against reusing work passwords for personal accounts are especially important if other controls, like multi-factor authentication (the additional login step), do not exist. When a data breach occurs on an unrelated online application and passwords are shared across accounts, attackers replay the leaked credentials against every other service (credential stuffing), so your organization’s entire network is exposed. Show them Have I Been Pwned Passwords, which lists how many times a given password has appeared in known breaches.
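One concrete way to show users (or to screen new passwords) against breach data is the Pwned Passwords range API that Have I Been Pwned exposes. The script below is an added example, not code from the original post or from Have I Been Pwned. It sends only the first five hex characters of the password’s SHA-1 hash (the service’s k-anonymity scheme) and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines. The `SAMPLE_RANGE_5BAA6` response and its counts are constructed for the demo so it runs offline; `fetch_range` performs the live lookup if you want real numbers.

```python
"""Check a password against Have I Been Pwned's "Pwned Passwords" range API
using its k-anonymity protocol: only a 5-character SHA-1 prefix ever leaves
the machine, and the full hash is matched locally."""
import hashlib
import urllib.request


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the password was seen in breaches, or 0 if it is absent.
    Padding entries (returned when Add-Padding is requested) carry a count
    of 0, so they are handled the same way as a miss."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against the real API (requires network access).
    The Add-Padding header asks the service to pad every response to a
    similar size so that response length does not hint at the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-awareness-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return the breach count for a password; `fetch` is injectable so the
    lookup can be replaced by a canned response for offline use."""
    prefix, suffix = hibp_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (the prefix of "password").
# A real response has hundreds of lines; the counts here are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def offline_demo() -> int:
    """Run the check for "password" against the canned response."""
    return pwned_count("password", fetch=lambda prefix: SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    prefix, _ = hibp_prefix_suffix("password")
    print(f"prefix sent to the API: {prefix}")
    print(f"times seen in breaches: {offline_demo()}")
```

Because the same `pwned_count` function works with the live `fetch_range`, the check can sit in a password-change workflow as well as in an awareness demo: a password with a non-zero count should be rejected regardless of how well it satisfies the complexity rules.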
3. Password Managers For Third-Party Apps
Password managers can be used to manage third-party app passwords, so that each site gets a unique, randomly generated password the user never has to remember. If your security team is not ready to sanction and support a password manager, teach users to create unique, strong, and memorable passwords for each site using a different phrase in our Four Steps to a Stronger Password approach.
4. Password Sharing
Two reasons to avoid password sharing: accountability and social engineering. When a user shares their password or logs on to allow another person to use their account, actions taken cannot be tied back definitively to the originating user. If password sharing guidelines do not exist in your Acceptable Use Policy, consider adding them! In terms of social engineering, if employees regularly share certain passwords, handing a password over stops feeling unusual, so a request from a phisher or an insider posing as a colleague or IT is less likely to raise suspicion.
5. Changing Passwords Regularly
Frustration grows when employees are forced to update their passwords on a regular interval (e.g. every 60 or 90 days). Let users know that this policy is in place to combat the threat of stolen passwords. If a scammer possesses stolen credentials, once those credentials are changed, he/she loses access. Be aware that current guidance (NIST SP 800-63B) recommends against forced periodic changes unless compromise is suspected, because users respond with predictable variations of the old password; if you keep rotation, pair it with breach screening and multi-factor authentication rather than relying on it alone.
We hope you will consider these points as they may enhance your security awareness programs.