Innovative Approaches to Educating Employees About Password Security
5/2/2024
Effective password management is crucial for safeguarding sensitive information. My passion for cybersecurity has driven me to explore password behaviors more deeply than most would deem sane. Fortunately, this obsession has allowed me to develop innovative educational strategies that enhance password security across organizations. Here’s a deeper look into some of the methods I've implemented to improve password security training and awareness. I hope these offer some inspiration as you think about your own cybersecurity awareness training!
When Monitoring and Education Meet
One really interesting initiative involved developing a Slack app that monitors public channels for shared passwords. Using advanced static analysis and machine learning, this tool identifies text that may contain passwords. When a password is detected, it automatically alerts our security team through a private workflow. The workflow can promptly delete the offending message and send an educational direct message to the user. This process not only mitigates immediate risks but also serves as a practical, ongoing training tool that reinforces the importance of keeping passwords confidential and using the appropriate/approved tools for sharing passwords.
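The detection and response flow described above, as an added Python example that is not the author's Slack app (the post says that app uses static analysis and machine learning; this stand-in uses a credential-keyword-plus-entropy heuristic instead). The message tuples, keyword list, entropy threshold and the returned "workflow" actions are all constructed assumptions for illustration:

```python
import math
import re
from dataclasses import dataclass

# Assumed keyword list: a message is only a candidate if it talks about a credential.
CREDENTIAL_KEYWORDS = re.compile(
    r"\b(pass(word|wd|phrase)?|pwd|secret|token|api[_-]?key|credentials?)\b",
    re.IGNORECASE,
)
# A candidate token: 8+ non-space chars following whitespace, ':' or '='.
TOKEN_RE = re.compile(r"(?:[:=]\s*|\s)(?P<token>[^\s\"']{8,})")
ENTROPY_THRESHOLD_BITS = 3.0   # Shannon entropy per character (assumed cut-off)
MIN_CLASSES = 3                # of lower / upper / digit / symbol


def shannon_entropy(s):
    """Bits of Shannon entropy per character of s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def char_classes(s):
    """How many of the four character classes the token uses."""
    return sum([
        any(c.islower() for c in s),
        any(c.isupper() for c in s),
        any(c.isdigit() for c in s),
        any(not c.isalnum() for c in s),
    ])


def looks_like_secret(token):
    # URLs and Slack mention/channel markup are common false positives; skip them.
    if token.startswith(("http://", "https://", "<@", "<#")):
        return False
    return char_classes(token) >= MIN_CLASSES and shannon_entropy(token) >= ENTROPY_THRESHOLD_BITS


@dataclass
class Finding:
    channel: str
    user: str
    token: str


def scan_message(channel, user, text):
    """Return a Finding when a credential keyword and a secret-looking token co-occur."""
    if not CREDENTIAL_KEYWORDS.search(text):
        return None
    for m in TOKEN_RE.finditer(text):
        tok = m.group("token").rstrip(".,;)")
        if looks_like_secret(tok):
            return Finding(channel, user, tok)
    return None


def respond(finding):
    """Actions the private workflow would take; returned here rather than executed."""
    return [
        {"action": "delete_message", "channel": finding.channel},
        {"action": "dm_user", "user": finding.user,
         "text": "A message you posted in #%s looked like it contained a credential. "
                 "It was removed; please rotate it and use the approved password-sharing tool."
                 % finding.channel},
        {"action": "alert_security", "channel": finding.channel, "user": finding.user},
    ]


# Constructed sample messages (channel, user, text); none are real credentials.
SAMPLE_MESSAGES = [
    ("general", "U01", "The deploy password is Wint3r-Deploy!24, use it for staging"),
    ("general", "U02", "reset your password if you haven't lately"),
    ("devops", "U03", "secret=k8Fa29ZqLm3PvX1-Qw for the CI runner"),
    ("random", "U04", "lunch at 12:30 at https://example.com/menu?token=abc"),
]


def run_scan(messages):
    """Scan a batch of messages and return the findings."""
    return [f for f in (scan_message(*m) for m in messages) if f is not None]
```

The second and fourth sample messages mention "password" and "token" without leaking anything, which is why the keyword match alone is not enough: the entropy and character-class checks on the neighbouring token do the actual discrimination, and the URL exclusion keeps links with `token=` query parameters from being deleted.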
After releasing the tool, the most significant impact I observed was unexpected: user behavior actually began to change. Despite previous efforts to educate users on password security and implement stronger policies and enterprise password managers, behavior was difficult to change. I suspect that users understood we were actively monitoring for this behavior and they just didn't want their messages deleted. It could even be that there was some embarrassment or shame attached. Although I prefer building relationships through positive interactions and education, the results speak for themselves: a 90% decrease in password sharing in public Slack channels within one month after deployment!
Interactive Learning and Gamification
Gamification is an excellent way to drive engagement. While it may not appeal to everyone, making a topic fun and interesting can spark conversation. I created an infographic page that offers interactive learning about password strength. Using data from Hive Systems' Password Table, this tool provides real-time feedback on the time required to crack entered passwords, raising awareness of password strength. It warns users against using easily guessed elements like company names and checks if the password has appeared in previous data breaches.
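The three checks the infographic page performs (time to crack, discouraged words such as the company name, and a breach lookup) as an added Python example; this is not the author's page or Hive Systems' table. The guess rate, the discouraged word list, and the tiny "breached" corpus are constructed assumptions, and the breach lookup mirrors the k-anonymity range query the Pwned Passwords API uses (only the first five hex characters of the SHA-1 leave the client) against a local stand-in rather than the real service:

```python
import hashlib
from collections import defaultdict

# Assumed attacker throughput. Hive Systems publishes its own figures per hash
# type and hardware generation; 1e10 guesses/s is an illustrative number only.
GUESSES_PER_SECOND = 10_000_000_000

# Hypothetical company-specific words the tool warns about.
DISCOURAGED_WORDS = ["acme", "acmecorp", "widget", "springfield"]


def keyspace(password):
    """Size of the brute-force space implied by the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols
    return size ** len(password)


def seconds_to_crack(password):
    """Worst-case exhaustive search time at the assumed rate."""
    return keyspace(password) / GUESSES_PER_SECOND


def humanize(seconds):
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, n in units:
        if seconds >= n:
            return f"{seconds / n:,.0f} {name}"
    return "instantly" if seconds < 1 else f"{seconds:.0f} seconds"


def discouraged_words_in(password):
    lowered = password.lower()
    return [w for w in DISCOURAGED_WORDS if w in lowered]


# Constructed stand-in for a breach corpus, indexed the way the range API
# returns it: 5-hex-char SHA-1 prefix -> {35-char suffix: occurrence count}.
CONSTRUCTED_BREACHED = ["password", "123456", "qwerty", "acme2023", "letmein"]


def _build_range_index(passwords):
    index = defaultdict(dict)
    for pw in passwords:
        h = hashlib.sha1(pw.encode()).hexdigest().upper()
        index[h[:5]][h[5:]] = index[h[:5]].get(h[5:], 0) + 1
    return index


RANGE_INDEX = _build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix):
    """Local stand-in for GET /range/{prefix}; returns suffix -> count."""
    return RANGE_INDEX.get(prefix, {})


def breach_count(password):
    """k-anonymity check: hash locally, send only the prefix, match the suffix at home."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return range_lookup(h[:5]).get(h[5:], 0)


def assess(password):
    """The three results the interactive page would show for one entered password."""
    return {
        "crack_time": humanize(seconds_to_crack(password)),
        "discouraged_words": discouraged_words_in(password),
        "breach_count": breach_count(password),
    }
```

The crack-time figure is the headline people brag about, but the other two checks matter more in practice: a 16-character password containing the company name and a year sits in every targeted wordlist regardless of what the brute-force arithmetic says, and a password with a non-zero breach count is already in attackers' hands.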
Promoting this within the company led to people bragging about their password strength, creating a social pressure to maintain robust passwords. "Well, mine will take three trillion years to crack, I guess I'm doing great!" Suddenly, regular people, not just us security folks, were talking about passwords. That's a significant win for cybersecurity awareness.
Real-Time Demonstrations and OSINT Techniques
At previous jobs where I was responsible for security training, I used open-source intelligence (OSINT) techniques to demonstrate how hackers could target individuals and guess their passwords. I created an online persona (Facebook/LinkedIn/Twitter) and set out to illustrate the vulnerability of using easily guessable personal information. I showed the process from beginning to end: we did our OSINT, built wordlists and masks from what we found, and used hashcat to crack the password hash. While the example was somewhat contrived because it needed to fit in a 30-minute window, the live demonstration was definitely impactful and conveyed the importance of creating secure, hard-to-guess passwords.
Training employees on password security is a difficult task, but if you're ever speaking with someone who is actively engaged in a conversation about password security, tell them about the most commonly used personal data in passwords:
- birthdays / anniversaries / dates of life events
- names of loved ones
- names of pets, etc.
I often see a light switch go off in the other person's head, and they may say "oh, uhhhmmmm, yeah, I've done that". It's really important that you be kind to people if they have used weak or easily guessable passwords in the past. Hope is not lost! They probably feel vulnerable, so be kind and helpful! Offer to show them how password managers work, and that alone will enhance cybersecurity awareness in the workplace.
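The OSINT-to-cracking pipeline from the demo above, and the personal-data list just given, as one added Python example that is not the author's demo material. The persona is constructed (not a real person), the "captured" hash is a SHA-256 computed in the block from a password built out of that persona, and a pure-Python loop stands in for hashcat; the mask output uses hashcat's real built-in charset names (`?l`, `?u`, `?d`, `?s`) so it could be fed to a mask attack:

```python
import hashlib
import string

# Constructed persona: the kind of detail a public profile hands an attacker.
PERSONA = {
    "first_name": "Jordan",
    "partner": "Sam",
    "pet": "Biscuit",
    "birth_year": "1988",
    "wedding_year": "2015",
    "team": "Tigers",
}
SUFFIXES = ["", "!", "1", "123", "!1"]  # assumed common tails


def leet(word):
    """Common substitutions people believe add strength."""
    return word.translate(str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}))


def base_words(persona):
    """Name-like fields in several capitalisations and leet forms."""
    forms = set()
    for v in persona.values():
        if v.isdigit():
            continue
        forms.update({v.lower(), v.capitalize(), v.upper(),
                      leet(v.lower()), leet(v.capitalize())})
    return sorted(forms)


def years(persona):
    """Date fields as four-digit and two-digit years."""
    digits = {v for v in persona.values() if v.isdigit()}
    return sorted(digits | {v[-2:] for v in digits})


def build_wordlist(persona):
    """word [+ year] [+ suffix]: a hand-rolled subset of what hashcat rules generate."""
    out = set()
    for w in base_words(persona):
        for y in [""] + years(persona):
            for s in SUFFIXES:
                out.add(w + y + s)
    return sorted(out)


def hashcat_mask(candidate):
    """Describe a candidate's shape with hashcat's built-in charsets."""
    mask = ""
    for ch in candidate:
        if ch in string.ascii_lowercase:
            mask += "?l"
        elif ch in string.ascii_uppercase:
            mask += "?u"
        elif ch in string.digits:
            mask += "?d"
        else:
            mask += "?s"
    return mask


def crack(target_sha256, persona):
    """Try every OSINT-derived candidate against the captured hash."""
    for cand in build_wordlist(persona):
        if hashlib.sha256(cand.encode()).hexdigest() == target_sha256:
            return cand
    return None


# Constructed target: the victim used pet + wedding year + '!'.
TARGET = hashlib.sha256(b"Biscuit2015!").hexdigest()
```

A few hundred candidates built from six profile fields are enough here, which is the point of the demo: the brute-force keyspace for a 12-character mixed password is enormous, but the attacker never searches it, because the OSINT collapses the search to a handful of words and years. The recovered mask (`?u?l?l?l?l?l?l?d?d?d?d?s`) is then a template for a `hashcat -a 3` mask attack against everyone else in the same organisation who follows the same pattern.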
Regular Audits and Feedback Mechanisms
Regular audits of password practices are essential not just for compliance but as opportunities to engage with colleagues about cybersecurity. These audits help identify potential vulnerabilities and ensure that password policies are adhered to. Feedback mechanisms allow employees to share their experiences and challenges with password security, which is invaluable for refining our training programs. More importantly, they provide a chance to discuss recent high-profile hacks and how better password policies or hygiene could have prevented them. I won't reference any specific hack/breach here, as I'm sure there was a new one as of the week you're reading this blog post.
Be Honest and Vulnerable
I make a lot of mistakes: it's an essential part of learning. I also make it a point to talk about them in public. It's important to cultivate a culture where it's ok to make mistakes, and also to tell others about them. If someone makes a security mistake, your security team needs to know about it as soon as possible. The sooner they know, the less impact it will usually have.
It's easy for people to think that the security and compliance teams are the "fun police", and I totally understand why: most people who don't work with us every day only hear from us when there's an issue. We need to make ourselves available, and vulnerable in front of these people, to show that everyone is human. Yes, even experts in cybersecurity can make mistakes. For example, even after all that work I did to detect passwords in Slack, I accidentally pasted a password into Slack instead of the browser window. After removing the message and rotating the credential, I decided to tell the entire organization about it. Mistakes happen, and if addressed quickly and appropriately, it's easy enough to make them right!
Conclusion
Educating employees about password security involves more than setting rules—it requires engagement, real-world examples, and continuous feedback. By using innovative, interactive, and practical approaches, we can significantly enhance the effectiveness of our cybersecurity training. These methods not only help mitigate the risk of data breaches but also foster a culture of security awareness that extends beyond the workplace.
Through ongoing education, technological tools, and a supportive learning environment, we aim to build a strong defense against cyber threats and ensure that our team is not only aware but also proactive about maintaining robust password security.