Security Zone: Passwords: Help users discover what is available!

As company policy requires passwords to be stronger than ever, here are some tips to help employees cope

Do your users get cold sweats when “change password” appears on their computer screen? Does the support desk still get swamped with users who have forgotten their current password? As company policy requires passwords to be stronger than ever, is it time to help employees cope with this task? Here are a couple of tips you could offer.

First, they can use the keyboard to generate passwords through patterns. Advise them to pick a letter they can remember, just one letter, and then pick a section of the keyboard where they can trace the shape of that letter.

For example, to make the letter V, they can start with the letter E and move diagonally down the keyboard to F, then B, then back up to H before finishing at U. This produces a random-looking password, "efbhu". They can capitalise the first and last letters to further secure the password – “EfbhU” – then add to that strength by extending the letter pattern into the upper row of numbers and special characters.

Instead of starting with E, start with the number 3, and end with 8. Now the password is 3EfbhU8.

If this is not strong enough, make the 8 a special character by pressing the shift key to make the last character *. Now the password is 3EfbhU*.  

Or, better yet, capitalise the first two characters and make the rest lower case – making the password #Efbhu8.  

The flexibility of this method emerges when it comes time to change the password. The V-pattern can be moved to the right or left to produce a new password with equally good strength.
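The keyboard walk described above, written out as an added Python example (not part of the original article): it assumes a US QWERTY layout, and the function and style names are hypothetical. It reproduces each password in the text and lists every left or right placement of the V.

```python
# Added example. Assumes a US QWERTY layout, matching the article's
# 3 / E / F / B / H / U / 8 walk and Shift+8 = "*", Shift+3 = "#".
DIGITS = "1234567890"
SHIFTED = "!@#$%^&*()"  # Shift + digit on a US layout
TOP, HOME, BOTTOM = "qwertyuiop", "asdfghjkl", "zxcvbnm"

# The V as (row, column offset from the starting column):
# down the left arm to the bottom row, then up the right arm.
V_WALK = [(TOP, 0), (HOME, 1), (BOTTOM, 2), (HOME, 3), (TOP, 4)]


def v_letters(start):
    """Return the five letters of the V whose left arm starts on `start`."""
    col = TOP.index(start.lower())  # ValueError if not a top-row letter
    try:
        return "".join(row[col + off] for row, off in V_WALK)
    except IndexError:
        raise ValueError(f"the V does not fit when started on {start!r}")


def v_password(start, style="plain"):
    """Build one of the article's variants for the V starting on `start`."""
    letters = v_letters(start)
    col = TOP.index(start.lower())
    first, last = DIGITS[col], DIGITS[col + 5]
    capped = letters[0].upper() + letters[1:-1] + letters[-1].upper()
    if style == "plain":        # efbhu
        return letters
    if style == "caps":         # EfbhU
        return capped
    if style == "digits":       # 3EfbhU8
        return first + capped + last
    if style == "shift_last":   # 3EfbhU*
        return first + capped + SHIFTED[col + 5]
    if style == "shift_first":  # #Efbhu8
        return SHIFTED[col] + letters.capitalize() + last
    raise ValueError(f"unknown style {style!r}")


def all_placements(style="digits"):
    """Every placement of the V that stays on letter keys, left to right."""
    out = []
    for key in TOP:
        try:
            out.append(v_password(key, style))
        except ValueError:
            continue  # right arm would run off the letter keys
    return out
```

On this layout the V fits in five positions before its right arm runs off the letter keys, so `all_placements()` returns five passwords.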

They could also take advantage of the fact that the PC keyboard – with the help of the operating system (OS) – adapts to different types of users, through the control panel.  

You can advise employees to choose regional or language options. Click on the “Languages” tab and change the keyboard structure to create a ready-made password producer. 

If you change the keyboard to “Dvorak – for left hand”, the key layout changes to that keyboard type, which is not the same as the standard keyboard. For instance, "Chris" typed with the keyboard set to Dvorak for left hand comes out as "Ghyok".

I used the same keys for both words, but the keyboard type changed the Standard English to the nonsense word above. So, if I wanted a password like "Homework", I would get "H.ibq.ya".

Once you add the keyboard, it can be placed at the top of the menu screen to allow users to switch and use their strong passwords, as required.

As security professionals, we are coming to understand that the best way to enforce policy is to make it easy and even demonstrate how it should be done. For passwords, this couldn’t be more straightforward: the answer is literally at your fingertips!

Chris Greco, CISSP, is an IT project manager
