Security's Everyman

Security's Everyman

Thursday, May 24, 2007

User Awareness Awareness

I had to go to a training session yesterday for an app that is used for special purposes within my new company. It is used by several different groups some are regular computer users and some are not so savvy. The training went pretty well for all concerned up to the point where he was trying to explain the password policy for the app. It uses complex password requirements. You know Uppercase, Lowercase, number, special character. The problem was that it was explained poorly.

This is the problem with user awareness training that I'm always harping about. We take a subject that may be somewhat confusing for many people and make it even more confusing. Then we blame it on the user and call them stupid. These users aren't stupid. If they were they wouldn't be in the positions that they are in at work. They are very competent at their jobs. Also this goes back to poor security policies over many years. Users are accustomed to simple passwords. Having complex passwords that are poorly explained compounds the situation.

So what's the answer? First, when we plan our training (or explaining) talks we need to make sure that our examples make sense to not just us and others who are technical and regular users. We need to have someone who isn't so computer literate give us their input on how we explain the concept. Secondly, we need to work to change corporate culture on passwords and security. It may take a while and we may have to take "baby steps" but that is better than nothing or better than going from simple to complex and having the help desk flooded with calls because we took too big a step too quickly.


AZA43 said...

Hey Andy,
My name is Al Sacco, and I'm a writer with I just stumbled across your blog, and though what I've got to say isn't related to user awareness, I thought I'd share regardless. We recently did a product review of a password manager that is designed to help remember complex passwords. It also can generate passwords of up to 14 characters based on administrator or user-specified "schemas," so they'll fit the requirements for the new app you mentioned in your post. Check it out:

LonerVamp said...

Just on the topic of password complexity changes, I've found that rolling out big changes, while painful at first, tends to be a good approach at times. Sometimes baby steps turns into baby steps over 5 years, which is really pretty extreme. Just make the change, deal with the users, and get things done.

Sometimes. :) At least with passwords, people learn pretty quick as they won't be able to do their job without either understanding or assistance.

Sounds like you have lots of things to tackle in your new company!

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.