As the spate of password breaches continues, the challenge is that news of each new attack quickly fades into background noise. That makes it even harder to connect with people and convince them to take action.
After the latest password breach, Nick Owen (@wikidsystems) (aside: did you read the interview with Nick?), Kurt Wismer (@imaguid), and I engaged in a brief Twitter conversation on the economics of password choice.
The argument was made that the people with the weakest passwords "win" because they needed to expend the least amount of energy prior to the breach.
It was a way to point out that the failure of password authentication has less to do with how people choose passwords than with the reality that companies are failing both to implement password authentication properly and to protect password databases.
Blaming people is a smokescreen.
The winning strategy is encouraging better company and individual action.
Pivot: place focus on value (for yourself and others)
Contending with password breaches in a way that inspires broad action on an individual basis is a full time job. Teaching people to build, maintain, and use better passwords requires the ability to follow the progression of (real) awareness, training, and development [link].
Maybe there is a shortcut: seek and embrace solutions from others that already solved the problem.
Shift to providing value to others by guiding them on when and how to act -- by sharing information and tools from experts who already invested the time to make it understandable and actionable.
When a password breach rises to the level of needing action, start with "3 ways to respond to a password breach," but take it a step further by providing a solution: introduce professionally designed -- and supported -- password vaults into the mix.
While this is offering people a solution before explaining the fundamentals, it allows for immediate action.
The value of password vaults
Password vaults give people the ability to automate the process of building, managing, and using unique, strong passwords for each site.
Professional solutions come with the added benefit of education, support, and even a community of people. That provides the opportunity for individuals to take ownership and engage without increasing your workload.
Over time, people either learn because of the education efforts of the vendor, or they gain enough experience to reach the awareness necessary to seek out training.
Either way, it's valuable to them and saves time for you to focus on solving other challenges.
1Password introduces the "security audit" feature - for passwords
There are a number of decent password vaults/managers available. I use 1Password. It's been my top recommendation for a few years, based on my experience. Last week, I (finally) upgraded to the latest version of 1Password.
Instantly drawn to it, I started to change up the weak and duplicate passwords I didn't even realize I had.
This is a remarkable tool and a real advance in making it easier for people to manage passwords intelligently -- even if they don't have the complete fundamental understanding of how passwords work (let's face it, most security pros don't have the understanding, either).
Three thoughts on supporting people with this recommendation:
- Tell people they don't need to change every password right away; instead, change 5-10 a day and make it a habit
- Rely on the program to make unique, long (15+ characters) passwords for each site
- Remind people they still need a good password for the main vault; this is a solid hook to engage them in training (not awareness)
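To make the "security audit" idea and the three recommendations above concrete, here is an added example that is not 1Password's code and does not describe how its audit is implemented. It walks a constructed sample vault (illustrative entries, not real credentials), flags passwords shorter than 15 characters and passwords reused across sites, generates replacements with the operating system's CSPRNG via Python's `secrets` module, and splits the remediation work into daily batches so the "5-10 a day" habit has a concrete to-do list. A real vault keeps entries encrypted at rest; this example holds plaintext in memory purely to show the checks.

```python
"""Added example: a minimal password-vault audit, remediation and change schedule.
Not the code of any real password manager; the vault below is constructed."""
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 15  # the "15+ characters" recommendation from the list above

# Constructed sample vault entries (illustrative only, not real credentials).
SAMPLE_VAULT = [
    {"site": "mail.example.com",  "password": "correct horse battery staple"},
    {"site": "shop.example.net",  "password": "Summer2012"},
    {"site": "bank.example.org",  "password": "Summer2012"},   # reused on two sites
    {"site": "forum.example.com", "password": "hunter2"},
]


def audit_vault(entries, min_length=MIN_LENGTH):
    """Return (weak_sites, duplicate_groups).

    weak_sites:       sites whose password is shorter than min_length, in vault order.
    duplicate_groups: lists of sites that share the same password (password reuse),
                      in order of first appearance in the vault.
    """
    weak = [e["site"] for e in entries if len(e["password"]) < min_length]
    sites_by_password = defaultdict(list)
    for e in entries:
        sites_by_password[e["password"]].append(e["site"])
    duplicates = [sites for sites in sites_by_password.values() if len(sites) > 1]
    return weak, duplicates


# Letters, digits and punctuation; some sites reject punctuation, so a real
# generator lets the user narrow the alphabet per site.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Build a random password with the OS CSPRNG (secrets), never random.random()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(entries, min_length=MIN_LENGTH):
    """Return a new vault in which every weak or reused password is replaced by a
    freshly generated unique one. The input list is left unmodified."""
    weak, duplicates = audit_vault(entries, min_length)
    to_replace = set(weak)
    for group in duplicates:
        to_replace.update(group)
    fixed = []
    for e in entries:
        new_entry = dict(e)
        if e["site"] in to_replace:
            new_entry["password"] = generate_password()
        fixed.append(new_entry)
    return fixed


def schedule_changes(sites, per_day=5):
    """Split the sites that need a new password into daily batches of per_day,
    so the work becomes a habit instead of one overwhelming session."""
    if per_day < 1:
        raise ValueError("per_day must be positive")
    return [sites[i:i + per_day] for i in range(0, len(sites), per_day)]


if __name__ == "__main__":
    weak, dupes = audit_vault(SAMPLE_VAULT)
    print("weak:", weak)
    print("reused:", dupes)
    todo = sorted(set(weak) | {s for g in dupes for s in g})
    for day, batch in enumerate(schedule_changes(todo, per_day=2), start=1):
        print(f"day {day}: change {batch}")
    print("after remediation:", audit_vault(remediate(SAMPLE_VAULT)))
```

`audit_vault` is the part a vault's audit view automates for the user; `remediate` is what "rely on the program to make unique, long passwords" looks like in code; `schedule_changes` turns the flagged sites into the small daily batches recommended above. Note that the length check is a floor, not a strength measure: a 15-character password drawn from a dictionary phrase still needs the generator, which is why remediation always replaces rather than merely lengthens.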
Price versus value
Professional vaults come with a price tag. Unless your company negotiated a site license or bulk deal, this suggestion likely means asking people to invest their own money in a solution to protect themselves.
Is it worth it?
In the discussion of Black Friday for the Black Market [link], I suggest a progression of questions to connect people to the costs - and consequences - of identity theft.
Use that to create the conditions for people to evaluate the impact and decide whether they want to make the investment.
It's worth it for me.
Providing people with access to the tools, insights, and experience of other experts increases our value and raises the friction attackers face.
It's time to act smart, provide value, and make it easier for people to do their jobs while protecting information.