How to protect employees' personal information and passwords

Even though employees are told over and over again to not give out their user names and passwords, it doesn't always work. What are the best ways to protect employees' personal information and keep social hackers from stealing passwords?

As password complexity requirements increase, so does the temptation to write the password down, and so does the chance that a user's domain password is reused elsewhere (on a social networking site, for example). Reuse increases the chance of compromise: your Active Directory environment may be well secured, but third parties rarely protect password hashes and user data to the same standard, and a password stolen from one of them will be tried against your domain.

Forced password expiry is often cited as a route to increased security. I disagree! If an attacker has already stolen a user's domain credentials, why would they wait 30 days to use them? Once they have the credentials they will plant a back door, after which they no longer need the password at all, so expiring it later achieves nothing.

Some companies expire user passwords every 30 days, but that is a sure-fire route to annoying your users, reducing goodwill towards the security department, and increasing the chance of passwords being written down.

Instead, teach your users how to create, remember and look after a strong password, and expire passwords far less frequently. You'll win friends in the workforce, and the training programme will help you build relationships and open a channel for talking about security more generally. Security is not a technical problem, it's a people problem, so purely technical offerings are rarely the whole solution: advice which IT security departments would do well to take heed of!
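To make the "expire far less frequently" advice concrete in the Active Directory environment the article mentions, here is an added example (not code from the original article or its author) that reads back the current domain-wide password policy and then sets a longer maximum password age. It assumes the ActiveDirectory PowerShell module on a domain-joined administrative workstation; the 365-day age, 14-character minimum and 24-entry history are illustrative assumptions, not figures the article prescribes.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module is installed and the session has rights to change domain policy.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Show what is in force today before changing anything.
"Current maximum password age: {0} days" -f $policy.MaxPasswordAge.Days
"Current minimum length:        {0}"      -f $policy.MinPasswordLength
"Current history count:         {0}"      -f $policy.PasswordHistoryCount

# The 30-day expiry the article argues against would look like this:
# Set-ADDefaultDomainPasswordPolicy -Identity $domain -MaxPasswordAge (New-TimeSpan -Days 30)

# Longer expiry, a longer minimum length, and a history so the same few
# passwords cannot simply be cycled. The values are assumptions for the
# example, not the article's recommendation.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -WhatIf   # remove -WhatIf once you are happy with the values

# Confirm the resulting policy.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MaxPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled
```

Run it first with -WhatIf in place to see the change that would be made; the domain-wide policy applies to every account, so if only some groups should get the longer expiry, a fine-grained password policy (New-ADFineGrainedPasswordPolicy) scoped to those groups is the usual alternative.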

In the end, the best way to protect employees' personal information and passwords is education. Help your staff treat their username and password with the same care as their debit card PIN and bank account details.

Giving away your PIN along with your bank card is a way to get your account emptied. Giving away the credentials to a PC that you use for online banking is just as stupid.

This was first published in May 2009