Friday, 6 May 2016

Password Auditing - A Word of Advice

Here is a piece of free advice:

Next time you decide to run a password audit against your company out of the goodness of your own heart to try and educate users or the organisation about password practices in the org, do yourself a favour: run as fast as you can face-first into a brick wall instead and remind yourself that this was less painful than convincing users to not do stupid things. Then ask yourself if you still want to proceed.

If the answer is still "yes", then consider taking this approach:

Only look for the truly daftest of passwords. Don't try and put any actual effort into guessing what users passwords are, because [spoiler alert] you will succeed. 

Two-factor is the only way to save the general populace from their own laziness / stupidity / ignorance / stubbornness. If someone wants their password to be "Jessica1987!", then maybe you should let them. At least it is not "Pa55word". Combine their shitty password with MFA and you are probably doing the best you can to protect your organisation, unless you work for the bank or government.

Even taking this simplified approach, be prepared for a world of pain while you try and find someone to take ownership of the several hundred or more accounts that no one remembers what they are for.

Happy hunting!

No comments:

Post a Comment