Password Management: What Employees Should Know

Paul Mah
Slide Show

Five Tips for Keeping Passwords Safe

Check out the key issues your users should always be aware of when it comes to password security.

At IT Business Edge, we are always cognizant of how important proper training is for small and medium-sized businesses. This is especially true when it comes to inculcating proper security practices in staffers.


Passwords are typically the first line of defense against unauthorized access, and I want to highlight some pointers about password management that all employees should know. Knowing the reason why certain policies are enacted will help ensure that they are adhered to.


Here are five aspects of good password management that employees need to know.


The Password Should Not Be Too Short


Employees need to know why short passwords can be very quickly compromised. This can be done by calculating the permutations based on the length of the password, as well as whether numerals and symbols are used.


As a rough guide, it will take only slightly more than half an hour for a modern desktop to brute-force a password that is seven characters long, and consists only of alphabet characters. A password that is eight characters, though, will take 15 hours; one that has 12 characters, some 30 years.


Avoid Reusing Passwords Between Personal and Work Accounts


It is generally a very bad idea to use the same password for different accounts. However, it would be foolish, too, for an administrator to imagine that the typical employee would make use of a different password for every system that requires one.


A more moderate stance would be to have different sets of password between personal and work accounts. While it might seem obvious in hindsight, employees should be shown that using the same password for work accounts, as well as for every free social media service, IM service and online gaming accounts out there, is a very bad idea.


The IT Help Desk Will NEVER Ask for Your Password


This sounds almost cliche now, but the IT department should periodically remind employees that their passwords will never be requested.


You Are Welcome to Change Your Password Anytime


In the recent movie remake of Alice in Wonderland, the Red Queen concluded that it is far better to be feared than loved. When it comes to pre-empting possible breaches in security, though, I would rather that employees come forward if they suspect their accounts are compromised or confidential data illegally accessed than to find out on the front page of the newspaper or Google News.


So tell your employees this: You are welcome to change your password anytime.


Regular Password Changes Are Necessary


Detractors will be quick to point out that mandatory regular password change is the primary cause of employees writing down their passwords. However, the security reality of keyword loggers and the pervasiveness of other invasive malware mean that it remains an important practice to enforce regular password changes.


Employees are also increasingly accessing their work accounts from remote locations, so users need to be educated on the necessity of changing their passwords regularly. Note, however, that there is a difference between regular and frequent, and it is important not to overdo the frequency of changes.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Mar 18, 2010 3:51 PM strategy consulting strategy consulting  says:

Being hacked is irritating. Your privacy is being invaded and none of us want that. Changing passwords every now and then sometimes makes you uncomfortable but it is very advisable. If your part of a strategy consulting group you will advice the same thing if your plans is not in the USB or in a hard copy.

Mar 18, 2010 6:06 PM Luke Luke  says:

What about password management tools? We use Sticky Password manager in our company and we have never had a problem with forgetting passwords or loosing accounts.

Apr 7, 2010 1:36 PM Paul Mah Paul Mah  says: in response to Luke

Hi Luke, have you tried other password management tools other than Sticky Password manager? Do staffers make use of it diligently?

Apr 12, 2010 10:36 AM Luke Luke  says:

Hi Paul,

yes, we have tried Roboform, but we need a password manager, which supports also desktop applications and furthermore they gave us a special discount, so this is why we have choose them.

Well yes, we have make a procceses for password management throughout our company and it works pretty well.

Jun 3, 2010 2:31 PM b allen b allen  says:

It's all very well telling users to not use the same passwords for work and personal accounts, but they don't really distinguish between them, even less so with the rise of the use of social networking apps and technologies in the workplace; they are seen as part of a continuum rather than discrete entities.  The alternative is for users to write them down, which none of us should want.  Better by far is to recommend that they use a password vault type tool for their personal passwords at least, leaving more 'space' for them to remember work passwords which are more likely to change regularly and frequently, as many companies do not have a password tool for users to use.

As for telling users that IT will never ask for their password - how about telling IT to never ask for a user's password?  They also need to be told how to get around the issue of accessing user accounts when trouble shooting (change the password, and reset it again when handing it back to the user), as they already see the security team as a block on them doing their job, so we should avoid adding to that myth. 

Jun 14, 2010 2:06 PM bill bill  says:

Another great way to manage your online accounts, passwords, etc. is myhomepage.com. By using myhomepage.com, you can store your favourite websites and access them from any computer. In addition, myhomepage.com securely stores all your login-in information. Simply click on a web-page screen shot, which you customize into your own personal homepage, and myhomepage.com does the rest. Its safer than using firefox to store your passwords, very easy to use, and free of charge; I highly recommend it.

May 17, 2011 4:28 PM honey honey  says:

I use enterprise password managements on my Mac and it is a really great one. In work we use sticky password since we can't store our passwords online due to company rules.


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.