Spotlight: Creating a passphrase ruleset

Behave series blog cover

CybSafe

We are CybSafe. A cyber security & data analytics company.

2022/09/05

This week we’re focusing on passwords. We know you’re no stranger to these, and neither are your workforce. But familiarity isn’t helpful here. In fact, it’s a criminal’s best friend. 

Everyone in your business will have at least three or four passwords in their arsenal, which are hopefully fairly enigmatic and not a birthday or their mother’s maiden name (right?!). 

But are they doing the job they’re supposed to? How do you encourage them to fashion the combination that doesn’t put them – or your organization – at risk? 

These risks start at security breaches and expand exponentially into revenue loss, damage to brand reputation, loss of intellectual property and online vandalism – so a whole heap of fun, essentially. 

The inconvenient truth is, the more deviously complex (and therefore effective) a password is, the more difficult it will be to remember. Realistically, keeping up with long, complex passwords (or not keeping up with them, as the case may be) will only encourage people to choose a simpler option, or the same password for everything across the board. Neither of which is ideal, obviously.  

So, how do you avoid this? 

There are strategies and technologies that can help – and, spoiler alert, traditional security training isn’t part of the answer. Awareness and training alone does not change behavior, and so does not solve the problem.

How to incentivise stronger passwords

So, how do we nudge people towards stronger passwords? How do we lower the human risk element?

Your best bet is to reduce as much of the burden on people as possible. Adopting Single Sign On (SSO) and a password manager are two ways of achieving that.

After all, that’s what SSO is designed for – reducing password fatigue without compromising security. Which is exactly the issue we’re discussing here.

But if passwords have to be used, consulting a password manager every time is far from ideal. Actually, it’s annoying. So the problem becomes finding a balance between strong and memorable passwords.

Memorable passwords make the sign-in process more user friendly. The easier and more convenient security is to implement, the less risk your organization is exposed to.

To that end, there is research that suggests using a passphrase ruleset in these instances is significantly easier to remember – so the best of both worlds is in fact entirely possible.

You can read more about how that links to risk (and the mitigation of that risk) on SebDB, the world’s most comprehensive security behavior database.

CYBSAFE-behaveseriesblog-assets-220906MS-06

 

Ok, back to getting your workforce to create brilliantly convoluted passwords they can actually remember.

The study

A study by Nicholson and colleagues (2018) examined the effectiveness of three simple nudges at the point of password creation:

E

1. Financial incentives (i.e. the promise of money/reward/recompense for creating a ‘secure’ password)

E

2. Adding instructions (i.e. being asked to create a long password)

E

3. Using a random image to aid with choosing a memorable password

To take a closer look at how this might work for you, your business or your workforce, read the full study here.

The study highlights the danger of reusing passwords, and points to recent data breaches that exemplify this.

It then goes on to talk about “small manipulations to  influence user behavior” – and explores the extent to which these can influence the length, strength and uniqueness of newly-created passwords.

What works… and what doesn’t

So the good news is, it doesn’t take much to get people to do better. In fact, simply nudging a person to create a longer password (i.e. by adding the word ‘long’ into a standard instruction) helped people create more secure passwords.

Additionally, the study found offering monetary rewards positively influenced longer password creation. Although it did also say this approach wasn’t entirely positive, as it still resulted in passwords that were vulnerable to automated guessing attacks. It says: “While we can influence motivation, we need to make sure people receive clear instructions”. 

What helps nudge people towards better account security: 

Adding simple instructions

Detailing briefly what makes a secure password

Offering memorable techniques

Measuring passwords for strength

Additionally, a particular technique we’ve seen in action (successfully), is each year (or over a pre-arranged set time period) the top 100 strongest passwords in the company, that have not been reset by their owners, could be entered into a raffle. The drawn winner gets a prize. It’s not dissimilar to the speed camera lottery concept, which you may have heard of or seen in action.

To learn more about changing and improving security behaviors, check out this whitepaper on behavior change. 

check out our behavior whitepaper

This is how your people get better