Practice what you preach. This is one mantra many computer repair technicians live by. Yet one area where we’re still pretty hypocritical is passwords. Be honest with yourself: do all of your credentials follow the generally accepted rules of password complexity? It’s admittedly a hard principle to live by, since we are inundated with passwords for what seems to be every service we deal with. Our customers are in the same position, and the onus is on us as computer repair technicians to make sure they have a sound password policy and are sticking to it.
Computer security expert Steve Gibson covers password strength and complexity at length during his regular appearances on the Security Now podcast. He also recently penned an excellent article for Consumer Reports magazine on some common password creation tips that he believes work well. He recommends that users employ techniques such as complex passphrases or sentences. At the very least, Steve says, a password must “grow the haystack”: his term for enlarging the search space a brute-force attacker has to exhaust, which depends far more on length than on how many character classes are used. A long password built from a pattern its owner can remember beats a short random one, provided the pattern is not something a dictionary or common-knowledge attack would try first. His article is a must-read for any informed computer technician.
Google’s own Small Business Blog highlighted this growing problem recently with an excellent post providing some basic guidelines on good password policy as well. However, I want to go one step further and outline ten specific ways you can help your customers set strong passwords, manage credentials, and balance security against convenience. I employ a mixture of these techniques for clients of my company FireLogic, and they have stood the test of time.
10) Use a password strength checker to educate your customers
You can preach about password complexity rules all day to your customers, but showing them something visual always works best. For this reason, I use password strength checkers when customers doubt what I have to say about the credentials they choose. One very simple tool is provided by Microsoft and offers an easy-to-understand visual indication of how good a password is. If you really want to hit the point home, Steve Gibson’s company GRC offers a brutally honest password checker which is technically very accurate but perhaps a bit harsh on anything but the most carefully crafted passwords. Two caveats to pass on: never type a real, in-use password into any web-based checker (try a throwaway password of the same shape instead), and remember that these tools estimate brute-force resistance only; a password that is in a cracking dictionary falls in seconds no matter what the meter says.
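To show customers what a strength meter is actually measuring, here is an added example (my own code, not Microsoft’s or GRC’s tool) that reimplements the “haystack” arithmetic from item 10 and adds the two checks most visual meters skip: a dictionary/leet-speak match and a personal-information match (the point of item 6 below). The word list, the personal-profile tokens and the three guess rates are constructed assumptions for the demonstration; a real deployment would load a proper cracking wordlist.

```python
import string

# Character classes; once a cracker sees (or assumes) a class is in use,
# every character of that class joins the alphabet it must search.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Constructed stand-in for a real cracking wordlist (assumption: a real
# deployment would load a large leaked-password list instead).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon", "123456"}

# Common "leet" substitutions that cracking tools undo before matching.
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i", "$": "s",
                      "5": "s", "!": "i", "4": "a"})

# Assumed guess rates in guesses/second: a throttled online login form,
# offline hash cracking on one fast machine, and a large cracking cluster.
GUESS_RATES = {"online": 1_000, "offline": 100_000_000_000, "cluster": 100_000_000_000_000}


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive search tries up to this length (the haystack)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def crack_time_seconds(password: str, rate: int) -> float:
    """Worst-case time to exhaust the haystack at `rate` guesses per second."""
    return search_space(password) / rate


def looks_dictionary_based(password: str) -> bool:
    """True if a common word survives lowercasing and leet-reversal."""
    lowered = password.lower()
    deleeted = lowered.translate(LEET)
    return any(w in lowered or w in deleeted for w in COMMON_WORDS)


def contains_personal_info(password: str, tokens) -> bool:
    """True if a personal token (surname, birth year, phone digits...) appears."""
    lowered = password.lower()
    return any(t.lower() in lowered for t in tokens if len(t) >= 4)


def assess(password: str, personal_tokens=()) -> dict:
    """What a visual meter shows, plus the pattern checks it usually omits."""
    weak = looks_dictionary_based(password) or contains_personal_info(password, personal_tokens)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "haystack": search_space(password),
        "years_offline": crack_time_seconds(password, GUESS_RATES["offline"]) / (365 * 86400),
        # Haystack size is meaningless when a dictionary or personal-info
        # attack would find the password without brute force at all.
        "pattern_weakness": weak,
    }


if __name__ == "__main__":
    profile = ("Smith", "1985", "5551234")  # constructed customer details
    for pw in ("P@ssw0rd1985", "Smith5551234!", "PrXyc.N(n4k77#L!eVdAfp9",
               "D0g....................."):
        print(pw, assess(pw, profile))
```

Run it and the last two lines make Gibson’s point for you: the 24-character padded password has a larger haystack than the 23-character random one, while `P@ssw0rd1985` reports an enormous haystack and a `pattern_weakness` flag at the same time, which is exactly why the haystack number alone is not a verdict.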
9) Use a high-security password generator
Asking customers to remember completely random 256-bit passwords may be a bit impractical. But for some applications, like high-stakes wireless networks in multi-tenant office buildings, this can be your saving grace for creating very secure Wi-Fi networks, since a WPA2 pre-shared key is typed once per device and then stored. Once again, Gibson’s GRC website offers a High Security Password Generator which produces fresh random strings on each reload of the page, sized to fit the WPA2 key formats (a 64-digit hex key or a 63-character ASCII passphrase). These are very useful for WPA/WPA2 deployments or any other need where strong, random credentials are a priority. One caveat: a random key does nothing for WEP, which is broken by design regardless of key strength; move any customer still on WEP to WPA2 before worrying about the key.
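If you would rather generate keys on your own machine than on a web page, here is an added example (my own code, not GRC’s generator) that draws WPA2 keys from the operating system’s CSPRNG in both formats the standard allows, reports the entropy of each, validates a key a customer hands you, and derives the 256-bit pairwise master key the access point actually uses from a passphrase and SSID. The passphrase length, SSID and alphabets are assumptions chosen for the demonstration.

```python
import hashlib
import math
import secrets
import string

# Alphabets. A WPA/WPA2 passphrase is 8 to 63 printable ASCII characters;
# alternatively the raw 256-bit PSK may be entered as 64 hex digits.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
ALNUM = string.ascii_letters + string.digits
HEX = "0123456789abcdef"


def entropy_bits(alphabet: str, length: int) -> float:
    """Bits of entropy in `length` characters drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def generate(alphabet: str, length: int) -> str:
    """Draw each character with the OS CSPRNG (never random.choice for secrets)."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicates (would bias the draw)")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wpa2_passphrase(length: int = 63) -> str:
    """Passphrase form of a WPA2 PSK: 8..63 printable ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return generate(PRINTABLE, length)


def wpa2_raw_psk() -> str:
    """Raw-key form: the 256-bit PSK written as 64 hex digits."""
    return generate(HEX, 64)


def is_valid_wpa2_key(key: str) -> bool:
    """Accept either form the standard allows for a pre-shared key."""
    if len(key) == 64 and all(c in HEX for c in key.lower()):
        return True
    return 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key)


def derive_pmk(passphrase: str, ssid: str) -> str:
    """Standard WPA2 derivation: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


if __name__ == "__main__":
    pw = wpa2_passphrase()
    print("passphrase:", pw, f"({entropy_bits(PRINTABLE, 63):.0f} bits drawn)")
    print("raw PSK   :", wpa2_raw_psk(), f"({entropy_bits(HEX, 64):.0f} bits)")
    print("PMK for constructed SSID 'Suite400':", derive_pmk(pw, "Suite400"))
```

The passphrase form draws more than 256 bits, but the derived PMK is only 256 bits long, so anything past a 40-odd character random alphanumeric passphrase buys no real security; a shorter one is kinder to whoever has to type it into a printer. Because the SSID is the PBKDF2 salt, two offices using the same passphrase with different SSIDs still end up with different master keys.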
8) Offer SSO (Single Sign On) integration when possible
It’s a known fact: the more passwords we stack on users, and the more complex they are, the more likely it is that they will get sloppy with password management. Help your business customers avoid “post-it note password” solutions and offer to integrate core technology services with SSO when it’s available. Many common services like email, Active Directory, and other systems can be tied together with one set of credentials. For example, businesses on Google Apps can use Google Apps Directory Sync to provision their Active Directory users into Google Apps, and other cloud services can in turn accept a Google Apps sign-in (much of the excellent Zoho suite offers this). Asking business users to adhere to one set of strict credentials is an easy sell and a great way to enforce common password standards; just remember that the one credential everything hangs off now needs to be the strongest one in the building.
7) Phones need passwords now, too!
Most users carry around mini PCs right in their pockets and overlook the fact. The smartphones we all know and love contain massive amounts of information about a person’s digital life and, many times, offer easy access to things like bank accounts and email. At the very least, educate your customers about using a simple passcode lock on their smartphones, backed by location-tracking services to take it one step further. I’d also recommend that you push users to make sure they have the ability to remote-wipe their phones in case of theft. BlackBerry has offered this for years, and iPhones and Android devices have similar functionality now too. A lost, unlocked phone is as damaging as a lost laptop, perhaps worse.
6) Educate customers on avoiding passwords with personal information
As techs, we’ve known for years that using any part of a phone number, social security number, address, pet’s name or birthday is a very insecure way to choose a password. Cyber thieves know that people take the path of least resistance when making passwords and exploit this very easily: anything that can be gleaned from a social-media profile or a mailbox goes straight into the cracker’s wordlist. Don’t merely enforce this on the core systems your customers use. Let them know WHY these passwords need to be avoided!
5) No legitimate company EVER asks for passwords over email
Most modern email systems worth their salt will warn users about phishing attempts (Google Apps has been superb at this for years). However, things fall through the cracks, and users should know to NEVER respond to any kind of email that asks for credentials to a service they use. Why would a bank ever ask you for your password? It already controls the system to begin with. The same goes for links: a message that pressures you to “verify your account” within some deadline should be checked by opening the site from a bookmark, never from the link in the email. Common sense is great, but sometimes users need reminders, especially when they are less technically savvy. A good computer technician will always offer solid education to his or her customers in this regard.
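The warnings a mail system raises in item 5 come down to a handful of heuristics you can explain to a customer in one sitting. The following is an added example (my own code, not Google Apps’ filter or any product’s logic) that runs those heuristics over two constructed messages: a credential request in the body, a deadline or threat, a Reply-To on a different domain than the sender, and a link whose visible text shows one site while the href goes to another. The phrase lists, sample addresses and the `.example` domains are assumptions made up for the demonstration.

```python
import re
from urllib.parse import urlparse

# Phrases a bank or SaaS vendor would not legitimately put in email
# (assumed list; tune for your customers' languages and providers).
CREDENTIAL_REQUESTS = ("your password", "confirm your password", "verify your account",
                       "enter your credentials", "login details", "security code")
URGENCY = ("immediately", "within 24 hours", "suspended", "locked", "urgent")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample messages, not real mail.
PHISH = {
    "from": "security@examplebank.com",
    "reply_to": "recover@mail-examp1ebank.example",
    "body": ('Your account has been suspended. Confirm your password within 24 hours at '
             '<a href="http://examplebank.com.evil.example/login">'
             'https://www.examplebank.com/login</a>.'),
}
LEGIT = {
    "from": "alerts@examplebank.com",
    "body": ('A new statement is available. Sign in at '
             '<a href="https://www.examplebank.com/statements">www.examplebank.com</a>.'),
}


def domain_of(addr: str) -> str:
    """Host part of an email address or URL, lower-cased (naive, for demo)."""
    host = addr.rsplit("@", 1)[-1] if "@" in addr else (urlparse(addr).hostname or "")
    return host.lower()


def score_message(msg: dict) -> list:
    """Return the phishing indicators found; an empty list means nothing flagged."""
    findings = []
    body = msg["body"]
    low = body.lower()
    if any(p in low for p in CREDENTIAL_REQUESTS):
        findings.append("asks for credentials")
    if any(u in low for u in URGENCY):
        findings.append("urgency pressure")
    from_dom = domain_of(msg["from"])
    reply_dom = domain_of(msg.get("reply_to", msg["from"]))
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    for href, text in LINK_RE.findall(body):
        target = domain_of(href)
        shown = domain_of(text.strip()) if "://" in text else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
        elif target and target != from_dom and not target.endswith("." + from_dom):
            findings.append(f"link to third-party domain {target}")
    return findings


def is_suspicious(msg: dict, threshold: int = 2) -> bool:
    """Two or more independent indicators is the assumed alert threshold."""
    return len(score_message(msg)) >= threshold


if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, is_suspicious(msg), score_message(msg))
```

The `examplebank.com.evil.example` link is the pattern to show customers: the real domain is whatever comes right before the first slash, read from the right, and everything before it is decoration the attacker controls.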
4) The “forever” password is just plain old bad policy
What’s a forever password, you ask? One that never changes. For ease of use, many companies allow employees to set it and forget it. Discourage your customers from this: a credential that has stayed the same since the day a system was installed accumulates exposure over time, as it gets shared with colleagues, remains in the hands of employees who have since left, and is copied into documents nobody tracks. Almost every major platform supports a maximum password age, and Microsoft has a good guide on the various restrictions a company should place on passwords. One caveat worth knowing before you set a short rotation interval: forced frequent changes push users toward predictable sequences (Spring1!, Summer1!) and post-it notes, and current NIST guidance (SP 800-63B) recommends changing a password when there is evidence of compromise rather than on a fixed calendar. A sensible middle ground for a small business is a generous maximum age, an immediate change whenever someone with access leaves or a breach is suspected, and screening new passwords against known-bad lists.
3) Push your larger customers to get an IT audit
Seeing is believing, and an IT audit can help your customers see exactly what is wrong with their IT policies when it comes to security. Many firms offer such audits in the form of ethical hacking, social-engineering tests (phone and email pretexting, phishing campaigns), and similar services. A report showing which staff gave up their password to a stranger on the phone is a real eye-opener and can be the difference between complacency and pre-emptive action.
2) Limit exposure to administrative passwords
Passwords are only as secure as the people trusted with safeguarding them. Password books that float around an office containing admin passwords to core network and server hardware and email systems are not just a security hole but an attack waiting to happen. Any kind of master password list should at the very least be kept encrypted in a password management tool like the excellent free KeePass, protected by a master password that is itself strong and is never stored alongside the database. Access to the database file should then be restricted to key company personnel and the computer technician (like yourself) responsible for its maintenance, and the admin passwords it holds should be changed whenever one of those people moves on. A smaller footprint greatly reduces the chances of password theft.
1) All internet-connected computers ALWAYS need quality anti-malware software
This should almost go without saying, but many people still (sadly) overlook it. Good security software goes a long way, and every laptop and desktop that touches the internet needs to be protected these days. Macs are not immune; malware for them exists and is increasingly common. Free products are decent, but nothing beats a paid security program in this day and age. My favorite continues to be ESET’s award-winning NOD32, with Kaspersky also offering a solid product. Most of the damaging malware today is written with the express intent of stealing passwords and other sensitive information from computers to give attackers entry into their victims’ so-called “gold mines” of digital treasure. Even the strongest password is captured in full by a keylogger running on an unprotected system, which is why this item sits at number one.
Whether you are a computer repair technician who supports only residential customers or one with a growing small-business following, the above facets of solid password policy can be applied. Remember that YOU are considered the expert when it comes to security, and customers rely on YOU to be their source of education on such matters.
If you have any solid tips to supplement the above suggestions, feel free to post them in the comments section below.