The complete adoption of password-free technology is, unfortunately, a long way from becoming reality. Until then, IT professionals must help their clients improve their password management practices -- a typically challenging task.
Like many IT issues, password management can cause a disconnect between end users and the IT professionals who support them. For example, despite IT professionals' efforts to establish strong password practices in an organization, end users may resist or complain about the requirements.
While it is important for IT professionals, including MSPs, to establish non-negotiable standards for users to abide by, they can do so with a soft, customer-service-like approach.
Here's a two-pronged strategy that addresses password security on both the human and technical levels.
Focus on the human side of password management
Users often view multifactor authentication (MFA), along with the maintenance of unique, complex passwords for each of their accounts, as pain points. To embrace these password practices, users must first understand why these practices are important.
When IT professionals share their personal experiences and empathize with users about the annoying, yet necessary, aspects of password management, it can change the conversation. Instead of the conversation feeling like "IT vs. the users," the battle becomes "IT and the users vs. the cybercriminals."
Along these same lines, IT professionals should explain why password management is a must. Explain how cybercriminals can purchase user credentials on the dark web as easily as people buy clothes online. Users should understand why bad actors pay for these credentials: Because most people reuse passwords, a single stolen username and password can unlock multiple accounts. Once users understand this, they can see why MFA and unique, complex passwords are vital practices.
Additionally, many users imagine cyber attackers sitting at a computer guessing passwords one at a time until they get in. The importance of password management practices becomes clearer when users learn that computer programs usually do the guessing -- at an enormous number of attempts per minute. Again, people are far more likely to comply with policies when they understand why those policies matter for security.
Taking the time to reach users on a human level and educate them benefits everyone. These conversations can be part of formal training or one-on-one user interactions, whichever is most appropriate for the organization and situation. Formal training can provide opportunities to have some fun: It could include a competition to see who can come up with the most memorable, unique and strong password, or users could vote on anonymous submissions for the funniest real password someone has used in the past.
Make password security standards non-negotiable
User instruction benefits from a soft approach, but a hard stance is also appropriate when it comes to security.
Pretty much every employee accepts that the computer they use for work has some sort of antimalware product on it. They have become familiar with the occasional annoyances of a false positive or a required reboot after an update. That's just how it is. Good password policies should be the same way: assumed and non-negotiable.
Taking a firm position on password security doesn't mean ignoring users' needs. IT professionals must coordinate with their client's leadership team to determine the appropriate policies for their organization. When implementing those policies, as with other areas of IT, IT professionals must listen to users and try to minimize unnecessary annoyances.
One way to minimize password-related frustration is to implement single sign-on (SSO). SSO can decrease the number of password interactions for users. Users typically like the convenience, while IT appreciates the increased security.
However, perhaps the best way to minimize the pain of password security is to use a good management tool. A password manager can dramatically improve compliance. Some password management products allow the company to provide employees with a personal account as well -- a move that demonstrates the company cares about employees' security outside of work.
About the author
Diana Giles is president of Skyline IT Management, an IT services and consulting firm based in Edmond, Okla. Giles is also a member of The ASCII Group, a North American IT community for MSPs, solution providers and systems integrators.