Security IT

Ask Slashdot: How Can We Create a Culture of Secure Behavior? 169

Posted by Soulskill
from the start-giving-$50-citations-for-bad-passwords dept.
An anonymous reader writes "Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they've created is 'weak' can help change behavior. But how do we embed this training in our culture?"
  • by Xaedalus (1192463) <Xaedalys AT yahoo DOT com> on Tuesday April 22, 2014 @03:09PM (#46817929)
    I work in Tape, and I can tell you that I've run into sysadmins and CTOs who have overlooked #3 (particularly with their belief in cheap disk arrays) to their sorrow. Tape is boring old tech, but it's damn near bulletproof in saving the bacon every damn time something goes wrong and a restore needs to occur. Ethernet with NAS boxes my ass, you need a tape library in there somewhere to completely ensure that your company doesn't go down permanently after the inevitable rogue wave of human stupidity hits your network.
  • by lgw (121541) on Tuesday April 22, 2014 @03:09PM (#46817937) Journal

    Preach it! You cannot try to fix a software problem by fixing the users. Requirements for strong passwords have no place in modern security. A 4-digit PIN works great for my ATM card, because of the combination of:
    * Two-factor auth
    * Good, fast system for repudiation and reclamation
    * Many, many back-end processes in place to limit harm

    Is your IT system set up this way? Why not? Two-factor auth is easy, off-the-shelf stuff these days. Sharply limit password tries before account lockout, and abandon any thought of strong passwords, changing passwords, and so on - all of that is accomplished by the certs (and rotation thereof) on the second factor. The user's password is just there to make it OK if the second factor is stolen, during the time before the user reports it.

    Everyone's "real" password is crypto-strong, because there's a properly-generated cert involved, and rotated at IT's discretion with no burden on the user. But people only need to remember something easy, just something that would take more than 3 tries to guess.
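The design lgw sketches (a weak, memorable secret whose weakness is covered by a strict try limit, a device-held key that IT rotates without involving the user, and a fast path to revoke a stolen device) can be modelled in a few dozen lines. The following is an added example, not code from the comment or from any real product: the "cert" on the second factor is represented by an HMAC key shared between device and server, the lockout threshold of three tries, the PBKDF2 parameters and the challenge-response flow are all assumptions chosen for illustration.

```python
"""Model of a short PIN + device-key + lockout design (added example, stdlib only).

Assumptions (not from the original comment):
  - the second factor is an HMAC-SHA256 key held by the device and mirrored server-side
  - three wrong PINs lock the account; reporting a stolen device rotates the key and unlocks
  - the server issues a fresh random challenge for every login attempt
"""
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3            # assumed lockout threshold
PBKDF2_ITERATIONS = 100_000  # assumed PIN hashing cost


class Device:
    """The second factor: holds a key the user never sees and cannot leak by typing it."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def sign(self, challenge: bytes) -> bytes:
        # Proves possession of the key without transmitting it.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Account:
    def __init__(self, pin: str, device: Device) -> None:
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._hash_pin(pin)
        self.device_key = device.key      # server-side copy of the device key
        self.failed_tries = 0
        self.locked = False
        self.pending_challenge: bytes | None = None

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ITERATIONS)

    def new_challenge(self) -> bytes:
        # One challenge per attempt: a captured device response cannot be replayed.
        self.pending_challenge = secrets.token_bytes(32)
        return self.pending_challenge

    def rotate_device_key(self, device: Device) -> None:
        """IT-driven rotation: new key on the device and server, no user action needed."""
        device.key = secrets.token_bytes(32)
        self.device_key = device.key

    def report_stolen(self, replacement: Device) -> None:
        """Repudiation path: the old device key stops working and the lockout is cleared."""
        self.rotate_device_key(replacement)
        self.failed_tries = 0
        self.locked = False

    def authenticate(self, pin: str, device_response: bytes) -> str:
        if self.locked:
            return "locked"
        challenge, self.pending_challenge = self.pending_challenge, None
        if challenge is None:
            return "no-challenge"
        # Check possession first: without the device there is no PIN oracle at all,
        # so a known PIN alone gets an attacker nowhere and cannot burn the try budget.
        expected = hmac.new(self.device_key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, device_response):
            return "bad-device"
        if not hmac.compare_digest(self.pin_hash, self._hash_pin(pin)):
            self.failed_tries += 1
            if self.failed_tries >= MAX_PIN_TRIES:
                self.locked = True
                return "locked"
            return "bad-pin"
        self.failed_tries = 0
        return "ok"


def login(account: Account, device: Device, pin: str) -> str:
    """One full exchange: server challenge -> device response -> PIN check."""
    challenge = account.new_challenge()
    return account.authenticate(pin, device.sign(challenge))


def stolen_device_brute_force(account: Account, stolen: Device) -> int:
    """Attacker holds the device but not the PIN: count PINs accepted before lockout."""
    tried = 0
    for guess in range(10_000):
        result = login(account, stolen, f"{guess:04d}")
        tried += 1
        if result in ("ok", "locked"):
            break
    return tried
```

Because the device check runs before the PIN check and does not touch the failure counter, someone who has only shoulder-surfed the PIN cannot lock the victim out, while someone who has stolen the device gets at most three guesses at a 10,000-value space before the account freezes and the owner's report rotates the key out from under them. The bad-device path still deserves ordinary rate limiting in a real deployment, since it is an unauthenticated endpoint.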