Ask Slashdot: How Can We Create a Culture of Secure Behavior?
An anonymous reader writes "Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they've created is 'weak' can help change behavior. But how do we embed this training in our culture?"
Re:Read what you wrote (Score:4, Informative)
Re:This approach has gone nowhere for years (Score:5, Informative)
Preach it! You cannot try to fix a software problem by fixing the users. Requirements for strong passwords have no place in modern security. A 4-digit PIN works great for my ATM card, because of the combination of:
* Two-factor auth
* Good, fast system for repudiation and reclamation
* Many, many back-end processes in place to limit harm
Is your IT system set up this way? Why not? Two-factor auth is easy, off-the-shelf stuff these days. Sharply limit password tries before account lockout, and abandon any thought of strong passwords, changing passwords, and so on - all of that is accomplished by the certs (and rotation thereof) on the second factor. The user's password is just there to make it OK if the second factor is stolen, during the time before the user reports it.
Everyone's "real" password is crypto-strong, because there's a properly-generated cert involved, and rotated at IT's discretion with no burden on the user. But people only need to remember something easy, just something that would take more than 3 tries to guess.
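As an added illustration (not the commenter's code, nor any real system's), here is a small Python sketch of the scheme described above: a crypto-strong secret held by a second-factor device is checked first, a short user-memorised PIN is checked second, and PIN failures lock the account after a sharp limit. The HMAC challenge/response and the `Account` record are stand-ins for a real certificate-based second factor and a real account store.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

MAX_TRIES = 3  # lockout threshold; the comment's "more than 3 tries to guess"
KDF_ITERS = 50_000

@dataclass
class Account:
    pin_hash: bytes    # salted, stretched hash of the short PIN
    salt: bytes
    device_key: bytes  # crypto-strong secret provisioned to the device (cert stand-in)
    failures: int = 0
    locked: bool = False

def enroll(pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(
        pin_hash=hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERS),
        salt=salt,
        device_key=secrets.token_bytes(32),  # rotated by IT, never typed by the user
    )

def device_sign(device_key: bytes, challenge: bytes) -> bytes:
    # Stand-in for the second factor: the device proves possession of its key
    return hmac.new(device_key, challenge, hashlib.sha256).digest()

def login(acct: Account, pin: str, challenge: bytes, response: bytes) -> str:
    if acct.locked:
        return "locked"
    # 1) Second factor first: a leaked PIN alone is useless without the device,
    #    so failures here are not counted against the PIN
    if not hmac.compare_digest(device_sign(acct.device_key, challenge), response):
        return "bad-device"
    # 2) PIN only has to cover the window between device theft and the user's report
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), acct.salt, KDF_ITERS)
    if hmac.compare_digest(candidate, acct.pin_hash):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_TRIES:
        acct.locked = True  # reclamation path: helpdesk unlocks and re-enrols the device
        return "locked"
    return "bad-pin"

def guess_probability(pin_digits: int, tries: int) -> float:
    """Chance that someone holding the device guesses the PIN before lockout."""
    return tries / (10 ** pin_digits)
```

With a 4-digit PIN and three tries, `guess_probability(4, 3)` is 0.0003 per stolen device, which is the comment's point: the lockout and the second factor do the work, not password complexity.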