Security's Everyman

Friday, December 28, 2007
How do I log in again?
My AV guy went to a remote site yesterday to work on a system that had a virus that needed special attention to remove. When he got there he was shown the infected PC and the keyboard had a note taped to it. I think I need to republish the password policy and that segment of the User Awareness Program.
Posted by Andy, ITGuy at 8:38 AM
Labels: Andy ITGuy, information security, password policy, user awareness
Thursday, May 24, 2007
User Awareness Awareness
I had to go to a training session yesterday for an app that is used for special purposes within my new company. It is used by several different groups; some are regular computer users and some are not so savvy. The training went pretty well for all concerned up to the point where he was trying to explain the password policy for the app. It uses complex password requirements. You know: uppercase, lowercase, number, special character. The problem was that it was explained poorly.
This is the problem with user awareness training that I'm always harping about. We take a subject that may be somewhat confusing for many people and make it even more confusing. Then we blame it on the user and call them stupid. These users aren't stupid. If they were, they wouldn't be in the positions that they are in at work. They are very competent at their jobs. Also, this goes back to poor security policies over many years. Users are accustomed to simple passwords. Having complex passwords that are poorly explained compounds the situation.
So what's the answer? First, when we plan our training (or explaining) talks, we need to make sure that our examples make sense not just to us and others who are technical but also to regular users. We need to have someone who isn't so computer literate give us their input on how we explain the concept. Secondly, we need to work to change corporate culture on passwords and security. It may take a while and we may have to take "baby steps", but that is better than nothing, or better than going from simple to complex and having the help desk flooded with calls because we took too big a step too quickly.
Posted by Andy, ITGuy at 5:51 AM
Labels: Andy ITGuy, Info Security, password policy, user awareness training