Friday 11 August 2017

Password awareness

Passwords qualify as a basic cybersecurity control, so what should we be saying about passwords? Two key messages, for sure:
  1. Choose strong yet memorable passwords: easier said than done given the number of systems we are using these days. Longer passphrases are better, and we have some useful tips on those.

  2. Keep passwords secret. Aside from the obvious 'don't disclose or share your passwords with anyone', phishing is definitely a concern in this area ... but it's tricky to explain succinctly.
We'd like to recommend password managers or vaults - and we may do so, in the hope that our customers either supply a 'company sanctioned' one, or permit/encourage their people to use them: that's something to bring up in the management awareness stream, along with accountability.

We could also discuss bad passwords, password cracking/brute-force attacks, poorly thought-out system designs that unduly limit password choice, hashing and salting and other controls to protect passwords in storage and when being communicated, and user authentication ... but probably not in the InfoSec 101 module, at least not in the general employee awareness stream. Maybe we will touch on those for the professionals' stream.

I think that's enough for now. Things may evolve when we write or revise the content, especially as this is just part of the topic area. Phishing, for instance, may lead us into other areas.
