Ten Ways to Help Your Customers Get Serious About Passwords


Practice what you preach. This is a mantra many computer repair technicians live by, yet passwords remain one area where we are still pretty hypocritical. Be honest with yourself: do all of your own credentials follow the generally accepted rules of password complexity? It is admittedly a hard principle to live by, since we are inundated with passwords for what seems like every service we touch. Our customers are in the same position, and the onus is on us as computer repair technicians to make sure they have a sound password policy and stick to it.

Computer security expert Steve Gibson covers password strength and complexity at length during his regular appearances on the Security Now podcast. He also recently penned an excellent article for Consumer Reports magazine on password creation tips that he believes work well. He recommends techniques such as complex passphrases or sentences. At the very least, Steve says, a password must "grow the haystack": make the space an attacker has to search exhaustively so large that brute force is impractical, which in practice means adding length (even plain padding counts) on top of character variety. That arithmetic only holds for a password that is not in any dictionary, so it complements rather than replaces the usual advice to avoid words, names and predictable patterns. His article is a must-read for any informed computer technician.

Google’s own Small Business Blog recently highlighted this growing problem with an excellent post providing basic guidelines on good password policy. I want to go one step further and outline ten specific ways you can help your customers set strong passwords, manage credentials, and juggle the security/convenience trade-off. I employ a mixture of these techniques for clients of my company FireLogic, and they have stood the test of time.

10) Use a password strength checker to educate your customers
You can preach password complexity rules to your customers all day, but showing them something visual always works best. For this reason I use password strength checkers when customers doubt what I say about the credentials they choose. One very simple tool is provided by Microsoft, which offers an easy-to-understand visual strength indication for a password. If you really want to drive the point home, Steve Gibson’s company GRC offers a brutally honest Password Haystacks calculator. It is technically accurate for what it measures (the size of the brute-force search space and how long that takes to exhaust at a given guessing rate), but it deliberately says nothing about whether a password is in a dictionary or follows a predictable pattern, so pair it with the advice in item 6. Two practical caveats: never type a customer’s real password into any online checker, demonstrate with made-up ones of similar shape instead; and treat any meter’s verdict as an upper bound on strength, not a guarantee.
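To make item 10 (and Gibson’s haystack point above) concrete, here is a small Python checker, added as an example for this article rather than code from GRC or Microsoft. It computes the brute-force search space the way the Haystacks page describes (alphabet size from the character classes present, summed over every length up to the password’s) and, separately, the dictionary check that such arithmetic assumes you have already done. The wordlist excerpt, the leet table and the 10^11 guesses-per-second rate are constructed assumptions for the demonstration.

```python
import math
import string

# Character classes and their sizes, as used by GRC's Password Haystacks
# calculator (assumption: this mirrors the method described on that page;
# the code is an added example, not GRC's).
CHAR_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),   # 32 ASCII symbols plus space
)

# Constructed wordlist excerpt standing in for a real cracking dictionary.
WORDLIST = {"dog", "cat", "password", "letmein", "monkey", "dragon"}

# Undo the leet substitutions every cracking rule set tries first.
LEET = str.maketrans("0134578@$", "oieastbas")


def alphabet_size(password):
    """Sum of the sizes of every character class the password uses."""
    return sum(n for chars, n in CHAR_CLASSES if any(c in chars for c in password))


def search_space(password):
    """Candidates an exhaustive search must try: every string of length 1 up to
    len(password) over the alphabet. This is the haystack; it grows with
    length far faster than with symbol variety."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to try the whole space at an offline guessing rate."""
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)


def dictionary_core(password):
    """What a rules-based cracker reduces the password to: trailing padding
    and digits stripped, lower-cased, leet undone."""
    core = password.lower().rstrip(string.digits + string.punctuation + " ")
    return core.translate(LEET)


def in_wordlist(password, wordlist=WORDLIST):
    """Haystack arithmetic assumes the password is not in any dictionary. An
    attacker runs dictionaries plus rules (leet, padding) before brute force,
    so this check must be made separately."""
    return password.lower() in wordlist or dictionary_core(password) in wordlist


def report(password, guesses_per_second=1e11):
    """Everything a technician would show a customer, in one dict."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "years_at_rate": years_to_exhaust(password, guesses_per_second),
        "dictionary_hit": in_wordlist(password),
    }


if __name__ == "__main__":
    # The two passwords compared on the Haystacks page, plus a padded dictionary word.
    for pw in ("D0g" + "." * 21, "PrXyc.N(n4k77#L!eVdAfp9", "Dragon2011"):
        print(pw, report(pw))
```

The padded "D0g" comes out with the larger search space of the two, exactly as the Haystacks page argues, and the dictionary check is what shows the customer why that number alone is not the whole story: strip the padding and undo the leet and a cracker is back to "dog".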

9) Use a high-security password generator
Asking customers to remember completely random 256-bit passwords is impractical for daily logins. But for some applications, like wireless networks in multi-tenant office buildings where the passphrase is entered once per device and then forgotten, it is exactly what you want. Gibson’s GRC website offers a High Security Password Generator that produces a fresh set of long random strings (64 hex characters, 63 printable ASCII characters, 63 alphanumerics) on every reload of the page. These are ideal for WPA2 pre-shared keys or any other need where a strong random credential can be stored rather than memorized. Do not spend them on WEP: WEP’s encryption is broken regardless of key quality, and any network still running it should be migrated to WPA2.
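An added example for item 9 (not GRC’s code): generating credentials of the three shapes GRC’s page produces, using Python’s CSPRNG-backed secrets module, and deriving the WPA2 pre-shared key that a passphrase actually becomes on the access point. The SSID name is made up for the demonstration.

```python
import hashlib
import math
import secrets
import string

# Alphabets matching the three formats GRC's generator produces (64 hex digits,
# 63 printable ASCII characters, 63 alphanumerics). Assumption: described from
# its page; this is an added example, not GRC's code.
HEX_ALPHABET = "0123456789abcdef"
PRINTABLE_ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
ALNUM_ALPHABET = string.ascii_letters + string.digits                            # 62 symbols


def random_password(length, alphabet):
    """Draw each character from the OS CSPRNG via secrets.choice.
    Never use random.choice for credentials: its output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def wpa2_psk(passphrase, ssid):
    """802.11i pre-shared-key derivation: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output. The 64-hex-character
    'raw key' option on access points is this value entered directly; it is also
    what an offline attacker recomputes per guess after capturing a handshake."""
    if not (8 <= len(passphrase) <= 63) or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be 8-63 printable ASCII characters")
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
    return pmk.hex()


def wifi_credentials(ssid):
    """Generate a 63-character passphrase and the matching raw PSK, so the
    technician can hand the customer whichever form their devices accept."""
    passphrase = random_password(63, PRINTABLE_ALPHABET)
    return {
        "ssid": ssid,
        "passphrase": passphrase,
        "passphrase_entropy_bits": entropy_bits(63, PRINTABLE_ALPHABET),
        "raw_psk_hex": wpa2_psk(passphrase, ssid),
    }


if __name__ == "__main__":
    creds = wifi_credentials("FireLogic-Guest")   # constructed SSID
    for key, value in creds.items():
        print(f"{key}: {value}")
    print("64-hex key:", random_password(64, HEX_ALPHABET),
          "=", entropy_bits(64, HEX_ALPHABET), "bits")
```

Two things worth pointing out to a customer: a 63-character printable passphrase carries about 413 bits of entropy, far more than the 256-bit key it is reduced to, so there is no benefit in going longer; and the SSID is the PBKDF2 salt, which is why precomputed tables only exist for very common network names. The derivation matches the IEEE 802.11i test vector (passphrase "password" on SSID "IEEE").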

8) Offer SSO (Single Sign On) integration when possible
It’s a known fact: the more passwords we stack on users, and the more complex they are, the more likely users are to get sloppy about managing them. Help your business customers avoid the “post-it note password” solution by offering to integrate core technology services with SSO when it is available. Email, Active Directory and other systems can be tied together so that one set of credentials is used everywhere. For example, businesses on Google Apps can use Google Apps Directory Sync to provision their Google accounts from Active Directory and SAML-based SSO to have Google accept the Active Directory login, and other cloud services can in turn piggyback on Google Apps as the identity provider (most of the excellent Zoho suite offers this). Asking business users to adhere to one set of strict credentials is an easy sell and a great way to enforce common password standards. The flip side is that the single credential now unlocks everything, so it must be held to the strongest standard and, where the SSO provider supports it, backed by a second factor.

7) Phones need passwords now, too!
Most users carry a miniature PC around in their pocket and never think of it that way. The smartphones we all know and love hold an enormous amount of information about a person’s digital life, and often provide ready access to bank accounts and email. At the very least, educate your customers to use a lock code on their smartphones (backed by phone-locating services to go one step further). I would even push users to make sure they can remotely wipe the phone if it is stolen. BlackBerry has offered this for years, and iPhones and Android devices have similar functionality now too. A lost, unlocked phone is as damaging as a lost laptop, perhaps worse: it is usually still logged in to everything.

6) Educate customers on avoiding passwords with personal information
As techs, we have known for years that any part of a phone number, social security number, address, birthdate or name is a very poor basis for a password. Cyber thieves know that people take the path of least resistance when choosing passwords, and they exploit it easily: a little public information about the victim goes into the guess list first. Don’t merely configure the core systems your customers use to reject such passwords; tell them WHY these passwords need to be avoided, and make the rejection message say which rule was broken so the lesson sticks.

5) No legitimate company EVER asks for passwords over email
Most modern email systems worth their salt flag likely phishing messages (Google Apps has been superb at this for years). Things still fall through the cracks, however, and users should know never to respond to any email that asks for credentials to a service they use. Why would a bank ever ask you for your password? They already control the system. Common sense is great, but users sometimes need reminders, especially when they are less technically savvy. A good computer technician will always provide solid education to customers in this regard.

4) The “forever” password is just plain old bad policy
What’s a forever password, you ask? One that never changes. For ease of use, many companies let employees set it and forget it. Discourage your customers from doing this by default: a credential that has been in use for years has had years of opportunities to be written down, shared, reused elsewhere or caught in a breach, and nobody will ever notice. Two caveats when you set a maximum password age, though. Forced rotation has a well-known failure mode: users increment a digit (Password1 becomes Password2), so a change policy only helps if the system also rejects passwords that are trivial variants of the previous ones. And current guidance (NIST SP 800-63B) no longer recommends periodic expiry on its own; it favors long, unique passwords, screening against breached and common passwords, and a mandatory change whenever compromise is suspected. Almost every major platform lets you set age, history and complexity rules, and Microsoft has a good guide on the restrictions a company should place on passwords.
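The checks in items 6 and 4 are worth enforcing in code, with a message that names the broken rule. Added example (not part of the original article, and not any vendor’s implementation): a validator that rejects passwords built from the user’s own data, passwords on a common-password blocklist, and passwords that are only a digit away from the previous one. The profile record, the blocklist excerpt and the leet table are constructed for the demonstration.

```python
import re
import string

# Constructed excerpt of a common-password blocklist; a real deployment loads a
# breached-password list with millions of entries.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "123456", "monkey"}

# Undo the leet substitutions users think make a word unguessable.
LEET = str.maketrans("0134578@$", "oieastbas")


def normalize(password):
    """Reduce a password to what a rules-based cracker would derive it from:
    trailing digits/symbols dropped (Password1 -> Password2 -> ...), then
    lower-cased with leet undone."""
    core = password.lower().rstrip(string.digits + string.punctuation + " ")
    return core.translate(LEET)


def personal_tokens(profile):
    """Fragments of the user's own data to forbid inside a password: name parts,
    username, and digit runs (phone, birthdate, street number, SSN fragments).
    Assumption: profile is a dict of free-form strings such as a helpdesk record."""
    tokens = set()
    for value in profile.values():
        text = str(value).lower()
        for part in re.split(r"[^a-z0-9]+", text):
            if len(part) >= 3:
                tokens.add(part)
        digits = re.sub(r"\D", "", text)
        if len(digits) >= 4:
            tokens.add(digits)
            tokens.add(digits[-4:])   # last four of a phone/SSN is what people actually use
    return tokens


def check_password(password, profile, previous=(), min_length=12):
    """Return plain-English reasons the password is rejected (empty list = accepted),
    so the user learns WHICH rule they broke rather than just 'invalid password'."""
    reasons = []
    low = password.lower()
    norm = normalize(password)

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if low in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        reasons.append("is a very common password or a trivial variant of one")
    for token in sorted(personal_tokens(profile)):
        if token in low or token in norm:
            reasons.append(f"contains your personal information ({token!r})")
    for old in previous:
        if low == old.lower() or norm == normalize(old):
            reasons.append("is the previous password or a trivial variant of it")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample record; not real data.
    profile = {"name": "Jane Doe", "username": "jdoe",
               "phone": "773-555-0142", "birthdate": "1984-03-12"}
    for candidate in ("JaneDoe1984!", "Password2", "correct horse battery staple"):
        verdict = check_password(candidate, profile, previous=["Password1"])
        print(candidate, "->", verdict or "OK")
```

Returning a list of reasons rather than a boolean is the point: the same function drives the rejection message the user sees, which is how you turn a policy into education.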

3) Push your larger customers to get an IT audit
Seeing is believing, and an IT audit can show your customers exactly what is wrong with their IT policies when it comes to security. Many firms offer such audits in the form of ethical hacking, social engineering penetration tests and similar services. They are real eye-openers and can be the difference between complacency and pre-emptive action. Make sure the engagement is scoped and authorised in writing before anyone starts, and that the report ends in an action list the customer will actually work through.

2) Limit exposure to administrative passwords
Passwords are only as secure as the people trusted with safeguarding them. A password book that floats around the office with admin passwords to core network and server hardware and email systems is not just a security hole but an attack waiting to happen. Any kind of master password list should at the very least be kept encrypted in a password management tool such as the excellent free KeePass, with a strong master passphrase that is not itself written in the book. Access to the database file should then be restricted (by file permissions, not just obscurity) to key company personnel and the technician responsible for its maintenance, and the admin passwords it holds should be changed whenever someone with access leaves. A smaller footprint greatly reduces the chances of password theft.

1) All internet-connected computers ALWAYS need quality anti-malware software
This should almost go without saying, but many people still (sadly) overlook it. Good security software goes a long way, and every laptop and desktop that touches the internet needs to be protected these days. Even Macs are now seeing real malware. Free products are decent, but nothing beats a paid security program in this day and age. My favorite continues to be ESET’s award-winning NOD32, with Kaspersky also offering a solid product. Much of today’s damaging malware is written with the specific intent of stealing passwords and other data from the machine so that attackers can walk into their victims’ so-called “gold mines” of digital treasure. Even the strongest password can be captured by a keylogger on an unprotected system, so anti-malware, prompt patching and a non-administrator account for daily use go together with every other item on this list.

Whether you are a computer repair technician who supports only residential customers or one with a growing small business following, the above facets of solid password policy apply. Remember that YOU are considered the expert when it comes to security, and customers rely on YOU as their source of education on such matters.

If you have any solid tips to supplement the above suggestions, feel free to post them in the comments section below.

About the Author

Derrick Wlodarz
Derrick Wlodarz is an IT Specialist that owns Park Ridge, IL (USA) based technology consulting & service company FireLogic, with over 8+ years of IT experience in the private and public sectors. He holds numerous technical credentials from Microsoft, Google, and CompTIA and specializes in consulting customers on growing hot technologies such as Office 365, Google Apps, cloud hosted VoIP, among others. Derrick is an active member of CompTIA's Subject Matter Expert Technical Advisory Council that shapes the future of CompTIA exams across the world. You can reach him directly at derrick@wlodarz.net.

Comments (6)

  • @ Your Service - Cromwell CT says:

    Another great tool to use is Password Security Scanner from Nirsoft that scans the passwords stored by popular Windows applications (Microsoft Outlook, Internet Explorer, Mozilla Firefox, and more…) You can show the customer how easy it is to retrieve passwords but without actually exposing the passwords in plaintext. http://www.nirsoft.net/utils/password_security_scanner.html

  • Mark says:

    Tip 11: Never use the same password on different websites. I have educated my clients on how to create a secure, memorable password system where a unique password is used for each web site they log into http://computertechsreno.com/secure-memorable-password-system.html

  • Justin Goldberg says:

    I find that using two passwords is a good system:

    One password made up of a memorable nonsense password + a PIN number for Facebook, email, etc. This is for the stuff you log in to pretty often. For example: jed1nunchucks3348

    Another one that’s much stronger and is complete nonsense and used on root accounts (ssh of course), web control panel logins, encrypted hard drive password, vpn passwords, anything else that needs the highest level of security.

    There’s two effects from this: I have strong passwords, and I never forget them.

    I’ve never been hacked using this system.

    Any other system I’ve tried using (like a password safe like KeePass) I just don’t have the time for.

  • SarahTonin says:

    Try to dissuade users from using the remember password / autocomplete feature in browsers. There’s a whole lot of personal info (name, SSN, DOB, parents’ names, phone numbers, car reg, tax codes, bank details) that can be retrieved using simple tools. An identity theft bonus for any laptop thief, or a major headache if the laptop is just plain lost.

  • Charles Lindsay says:

    Password managers can really help! These are an encrypted software wallet full of the usernames and passwords you use to access all the online services you use throughout your day. You log in at the beginning of each session with your one master password, and the password manager will log you into all the websites you visit thereafter.

    I recommend two good options: LastPass (https://www.lastpass.com/) which Steve Gibson also recommends, good for Windows, Android, Mac and iOS users. The free version works great, but the paid-for option allows you to connect and share your passwords with your mobile devices.

    Dan Benjamin and his crew of podcasts (http://5by5.tv) recommend 1Password (http://www.agilebits.com/) which supports Mac, iOS, Windows and Android users with a paid-for version.

    Both keep the encrypted data secure and local, both allow you to easily sync your data with any other computer you choose to authenticate with. Both allow you to generate secure passwords, and both allow you to store non-login information too, such as your credit card numbers, your SIN or SSN, your healthcare info. If you put your master password into your safety deposit box, you can enable your spouse to more easily tie up the loose ends of your life, should you pass on before they do.

    I’ve encouraged all my clients to move to one of these products. I often get an additional billable hour of training and set up with these, per client, and then I never have to hear them complain about lost passwords again!

  • danb says:

    Nice post. It is hard to get customers to have decent passwords. Unfortunately some expect me to remember theirs. To make it easier I think a read of Steve Gibson’s latest thoughts on passwords would be very helpful in this discussion.
    On the link you will find that passwords can be much simpler and still be just as effective.

    the example from his page
    D0g………………… or PrXyc.N(n4k77#L!eVdAfp9
    Both of these passwords are just as hard to break. They both contain a capital letter, a number and a special character.
    http://www.grc.com/haystack.htm

    I listen to his podcast when I am driving between jobs.