There are some people who have, over time, integrated security into their daily routine. It's just the way it is for these people, and I would encourage everyone to begin working towards that goal. There are other people who see security as nothing but a hindrance, an obstacle to getting done what they want to get done. Even after getting hacked multiple times, security is still a burden to these people. And this burden is most often felt in the workplace.
It is sad, really, when people don’t take security seriously and their lack of concern becomes a liability for their employer. And when the employer tries to enforce their required security practices, the users simply try to get by with the least amount of effort possible.
The two main constraints on passwords in the workplace are complexity and expiration: the password must contain certain characters and be a certain length, and you have to change it on a regular basis. A recent article reported that NIST (the National Institute of Standards and Technology) made the following recommendations:
- Remove scheduled password change requirements (must change password every 90 days)
- Remove complexity requirements (one upper-case/lower-case/number, no two successive characters)
- Require screening of new passwords against lists of commonly used or compromised passwords
On one hand, I think this is good, but I also don't think the average user could be trusted to create a secure password, even if it was checked against a blacklist. So I have what I think is a better solution, and the solution has the benefit of discouraging bad behavior.
Keep the first two items: eliminate complexity and expiration. But in place of (or in addition to) the third item, there should be a server on the network that tries to crack account passwords 24/7, via both dictionary and brute force. When it succeeds, the compromised account gets locked and the user has to change their password. The cracking server would also send an email explaining that their password was cracked in X hours/days and that they need to choose a more difficult password. The email would provide tips for creating a better password.
The result of this process is that the people who choose weak, shitty passwords will have to change their passwords more frequently. Those that choose more difficult passwords will be rewarded in that they don’t have to change their passwords often at all. If you’re sick of getting your account locked out, the fix is simple. Make a better password.
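To make the proposed policy concrete, here is an added example (not code from the original post) that models the decision the cracking server would make: a candidate password is screened against a compromised-password list, and the time an exhaustive search of its character classes would take at an assumed guess rate is compared with the audit window; the result is a lock/notify verdict and the feedback text for the email. The blacklist entries, the guess rate and the 30-day window are constructed assumptions, and the estimate stands in for the actual hash cracking the post describes.

```python
"""Model of the 'crack it or keep it' password policy (constructed example)."""
import string
from dataclasses import dataclass

# Constructed stand-in for a compromised-password list (real lists hold millions).
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Assumed speed of the hypothetical audit server, in guesses per second.
GUESSES_PER_SECOND = 10_000_000_000

# Assumed audit window: a password that falls within it gets locked.
WINDOW_HOURS = 24 * 30


@dataclass
class Verdict:
    lock: bool      # True -> account locked, user must pick a new password
    reason: str     # text for the notification email
    hours: float    # estimated worst-case hours to exhaust the search space


def charset_size(pw: str) -> int:
    """Alphabet size of the smallest class union that covers every character in pw."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    return size or 1  # no recognised class (e.g. only spaces): treat as a single symbol


def hours_to_exhaust(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case hours to try every string of pw's length over its alphabet."""
    return charset_size(pw) ** len(pw) / rate / 3600


def audit(pw: str, window_hours: float = WINDOW_HOURS,
          blacklist=COMPROMISED, rate: int = GUESSES_PER_SECOND) -> Verdict:
    """Lock if pw is on the compromised list or would be exhausted within the window."""
    if pw.lower() in blacklist:
        return Verdict(True, "found on a compromised-password list", 0.0)
    hours = hours_to_exhaust(pw, rate)
    if hours < window_hours:
        return Verdict(True, f"brute force exhausts it in about {hours:.1f} hours", hours)
    return Verdict(False, "not crackable within the audit window", hours)


def notice(user: str, v: Verdict) -> str:
    """Body of the email the server would send to a locked-out user."""
    return (f"{user}: your account was locked because your password was "
            f"{v.reason}. Choose a longer passphrase mixing unrelated words.")
```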
This is the best system: reward those following totally just rules and, not punish, but annoy those that are lazy af. You’re doing the lord’s work here.