How many years now have we been providing proper password handling and creation training? You know, make sure the passwords are complex, change them every 30 days, don’t write your passwords down on yellow sticky notes, etc. Such awareness training essentially forces employees to write down the newly created, complex passwords on yellow sticky notes. If organizations do not provide technology-based solutions to back up requirements levied on the workforce, then such awareness training will be ignored. This behavior does not necessarily occur out of malice, but because employees may not be aware of a better alternative to the yellow sticky note.
So what is a better solution? There are three broad categories of password-focused solutions: Single Sign-On (SSO), reduced sign-on and password management applications. The myth of an implementable SSO (one password-based credential that would be utilized as the sole identifier) never materialized, and the idea subsequently morphed into reduced sign-on functionality. Reduced sign-on allows users to remember 30 passwords instead of 50, for example. An improvement, yes, but the original issue remains.
Password management applications provide a simple answer to the problem of the yellow sticky note. An example of an enterprise-focused, centrally managed password application is Passlogix’s v-GO Sign-On Platform. For smaller firms and individual use, take a look at the open source PasswordSafe solution.
After you provide training and a technology-based solution, you still have to worry about who the user will relinquish their password to. A survey of 172 people in London, by Infosecurity Europe, found that 71 percent of users would give up their network access passwords for a bar of chocolate. I wish I were joking.
Ben Halpert works for a leading defense firm and writes monthly about security for Mobile Enterprise magazine. Comments, questions and requests can be sent to him at email@example.com; please include SECURITY in the subject line.