Password Security for the End User

February 2011

Passwords are a central security mechanism, yet they can be fairly easy to crack or guess; with only a few measures, users can help prevent this from occurring. Password parameters are frequently enforced at the system level, but that does not usually stop an end user from creating a password that is fairly weak. With the increased risks surrounding password security, end-user training has become essential.

There are many different methods of cracking passwords; the simplest and most common is a brute-force attack driven by a word list or dictionary program. These programs take each word or character combination from the list and compare it against the password until they find a match. Another common method of acquiring a password is social engineering: using social techniques, such as calling an end user while impersonating a help desk technician or taking a written password from someone's desk, to obtain the password. There are many other methods of obtaining passwords as well, but these are the most efficient and easiest.

How many of your end users use a dictionary word followed by a number sequence as their password? Most likely, the majority. With a few minutes of end-user training per year, you could exponentially increase the security of your environment. Some of the most common password security risks are caused by the end user; they include writing a password down, using a dictionary word, or using personal information. Take the time to educate your users. Follow this checklist to create a quick and useful training session and increase your system's overall security:

  • Do not use dictionary words, proper nouns, or foreign words within a password.
  • Do not use personal information such as your dog’s name, child’s birth date, or town of residence within a password.
  • For systems that cannot enforce every password parameter, educate users to follow the desired length, complexity, and other requirements anyway.
  • Educate users on ways to remember passwords, such as using the first letter of each word in a phrase they can remember.
  • Educate users on common social engineering approaches so they are not fooled by fraudulent requests for their password.
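As an added illustration that is not part of the original article, the checklist above turned into a small checker that reports which rules a candidate password breaks, plus the first-letter-of-each-word mnemonic the last-but-one item recommends. The word list, personal details and 12-character minimum are constructed placeholders for the dictionary file, user profile and policy a real deployment would supply.

```python
import re

# Constructed stand-ins: a real checker loads a full dictionary file and
# the user's own details (pet names, birth dates, town) from a profile.
SAMPLE_DICTIONARY = ("password", "welcome", "summer", "dragon", "boston")
PERSONAL_INFO = ("rex", "1998", "boston")   # dog's name, child's birth year, town
MIN_LENGTH = 12                              # assumed policy value

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def passphrase_to_password(phrase: str) -> str:
    """Mnemonic from the checklist: keep the first character of each word
    in a phrase the user can remember, so digits and symbols survive."""
    return "".join(token[0] for token in phrase.split())


def check_password(password: str,
                   dictionary=SAMPLE_DICTIONARY,
                   personal=PERSONAL_INFO) -> list:
    """Return the checklist rules this password violates (empty list = passes)."""
    problems = []
    lower = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Complexity: require at least three of lower, upper, digit, symbol.
    present = sum(1 for cls in CHARACTER_CLASSES if re.search(cls, password))
    if present < 3:
        problems.append("fewer than three character classes")

    # The "dictionary word plus a number sequence" habit the article calls out.
    if re.fullmatch(r"[a-z]+\d+", lower):
        problems.append("dictionary-style word followed only by digits")

    # Dictionary words and personal information anywhere in the password.
    for word in dictionary:
        if word in lower:
            problems.append(f"contains dictionary word '{word}'")
    for item in personal:
        if item.lower() in lower:
            problems.append(f"contains personal information '{item}'")

    return problems


if __name__ == "__main__":
    strong = passphrase_to_password("My dog Rex ate 3 shoes & 2 socks on a Tuesday!")
    for candidate in ("summer2011", "Rex1998Boston!", strong):
        print(candidate, "->", check_password(candidate) or "passes checklist")
```

Note that the phrase itself may contain personal details (the dog's name) while the derived password does not, which is what makes the mnemonic safe to teach.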

For more information on password security or for assistance with end-user training, please contact Jeff Mansir at 1.800.244.7444.