How to protect employees' personal information and passwords

Even though employees are told over and over again to not give out their user names and passwords, it doesn't always work. Expert Ken Munro explains how to get through to your employees.

Even though employees are told over and over again to not give out their user names and passwords, it doesn't always work. What are the best ways to protect employees' personal information and keep social hackers from stealing passwords?

As password complexity increases, so does the temptation to write the password down, and so does the chance that a user's domain password is reused elsewhere (on a social networking site, for example). Reuse increases the chance of compromise: your Active Directory environment may be nice and secure, but third parties rarely look after password hashes and data in the same secure manner.

Forced password expiry is often cited as a route to increased security. I disagree! If a hacker is stealing passwords and has access to anyone's domain credentials, why would they wait 30 days to use them? Once they get hold of the credentials, they'll place a back door, and then they won't need the credentials again.

Some companies try expiring user passwords every 30 days, but that is a sure-fire route to annoying your users, reducing goodwill towards your security department, and increasing the chances of passwords being written down.

Instead, teach your users how to create, remember and look after a strong password, and expire passwords far less frequently. You'll win friends in your workforce, and the training programme will help you build relationships and communicate more about security. Security is not a technical problem, it's a people problem. Therefore technical offerings are rarely the solution, advice that IT security departments would do well to heed!

In the end, the best way to protect employees' personal information and passwords is education. Help your staff equate the importance of their username and password with that of their debit card PIN and bank account details.

Giving away your PIN with your bank card is a way to get your account emptied. Giving away your credentials to a PC that you use for online banking is just as stupid.

This was last published in May 2009
