In higher education we sometimes struggle to get people to practice good password hygiene. Why is that the case, and what can we do to change it?
Don’t read too much into that first statement – we have a significant number of people who change their passwords at regular intervals and it is just part of their routine. We actually enforce that for accounts that access our most precious assets. We also have rules on the ‘complexity’ of the password, but we have yet to fully embrace the notion that length trumps the diversity of characters.
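To make the "length trumps diversity of characters" point concrete, here is an added example (not code from the original post or from any institution's password system) that computes the brute-force search space of a classic 8-character, three-of-four-classes rule against a 16-character lowercase-only rule, and shows a length-first policy check beside the complexity check. The character-class sizes, the 16-character minimum and the sample passwords are assumptions for illustration; the bit counts assume uniformly random choice, which is the best case, so human-chosen passwords under either policy are weaker than the numbers suggest.

```python
import math
import string

# Assumed alphabet sizes per class: printable ASCII, roughly what a
# "complexity" rule counts. Symbol count is the 32 ASCII punctuation marks.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def search_space_bits(length, classes):
    """Bits of work to exhaust every password of `length` characters drawn
    uniformly from the union of the given character classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def meets_complexity_policy(pw):
    """The classic rule: at least 8 characters and 3 of the 4 classes."""
    present = {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    return len(pw) >= 8 and sum(present.values()) >= 3


def meets_length_policy(pw, min_len=16, denylist=frozenset()):
    """Length-first rule (assumed minimum of 16): no class requirement,
    but reject anything on a denylist such as a leaked-password corpus."""
    return len(pw) >= min_len and pw.lower() not in denylist


def compare_policies():
    """Worked comparison: best-case search space of each policy's
    weakest allowed shape, rounded to one decimal."""
    all_four = ["lower", "upper", "digit", "symbol"]
    return {
        "8 chars, 4 classes": round(search_space_bits(8, all_four), 1),
        "16 chars, lowercase": round(search_space_bits(16, ["lower"]), 1),
        "20 chars, lowercase": round(search_space_bits(20, ["lower"]), 1),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy}: {bits} bits")
    # "P@ssw0rd" satisfies the complexity rule yet is a well-known pattern;
    # the passphrase fails it despite a far larger search space.
    for pw in ("P@ssw0rd", "correcthorsebatterystaple"):
        print(pw, meets_complexity_policy(pw), meets_length_policy(pw))
```

The denylist parameter is where a length-first policy earns its keep: a 16-character minimum without a denylist still admits a famous passphrase, so the check rejects anything that appears in a breach corpus before it rejects anything for "not enough symbols".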
I am regularly in meetings where the conversation turns to compromised accounts and password hygiene. Inevitably someone sheepishly admits they haven’t changed their password since they first got their account. Some of these probably date back to NetNorth and the beginning of the internet (anyone remember those days?). I am of course stretching it a bit, but the point is that these passwords are old. Individuals know it, and they jokingly admit they should change it, but don’t. It is almost like a badge of honour: “I have a really old password because I was around when this all began and I have seen it all.” I might suggest that if they had been watching it “all” they would be changing their password.
I remember a faculty mentor I had way back when I provided research computing support in an academic unit. Her office was the stereotypical absent-minded professor mess, with old journals and half-finished manuscripts everywhere. The funny thing was that her monitor always had a bunch of sticky notes on the bezel with passwords to various systems. I used to tell her frequently that she should be more careful with her passwords, as I picked up old sticky notes that had fallen to the floor. That being said, she did change her passwords, and then simply crossed out the old ones on the sticky notes and wrote in the new ones.
In that example it comes down to physical security. Anyone who had access to her locked office had access to her passwords. That was very few people, and likely none of them had criminal intent. Today, that is completely different. This article shows that anyone who has access to the dark web can obtain the credentials of over 1.4 billion accounts! I would hypothesize that the number of people who can access the dark web, and this list, is significantly higher than the number who can physically access your space. The world has changed.
So, what do you do? The simplest thing is to change your password. If your name is on this list and you change your password (and don’t reuse the new one anywhere else), the leaked credentials are no longer valid. It is that easy. So, that brings me back to the first question: why don’t some people change their passwords? I can’t really answer that except to say maybe they just don’t think it can happen to them. The excuse that I am too busy, or that a new password is too hard to remember, doesn’t cut it anymore. Maybe we just need to talk about this more and point to the other schools that have had incidents and subsequently done across-the-board password changes. Let us learn from each other’s experiences and not wait until we feel the pain of a widespread incident.
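An institution does not have to wait for each person to notice their name on a list. The added example below (not code from the original post or from any campus identity system) shows the sweep a security team can run when a credential dump appears: for each leaked email/password pair, check whether that password still verifies against the account's current stored hash, and force a reset only for the accounts where it does. The dump, the example.edu accounts and their passwords are constructed for illustration; the local store is assumed to hold salted PBKDF2-HMAC-SHA256 hashes, which stands in for whatever the real directory uses. An account whose owner already changed their password drops out of the result, which is exactly the point made above.

```python
import hashlib
import hmac
import os

# Constructed credential dump in the common "email:password" dump format.
# Not real data.
LEAKED_DUMP = """\
alice@example.edu:Winter2016!
bob@example.edu:hunter2
carol@example.edu:correct horse battery staple
"""

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the local store


def make_record(password, salt=None):
    """Store a password as a per-user salted PBKDF2-HMAC-SHA256 hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, password):
    """Constant-time comparison of a candidate password against a record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def parse_dump(text):
    """Yield (email, password) pairs; split on the first ':' only, since
    passwords may themselves contain colons. Skips malformed lines."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, pw = line.split(":", 1)
        pairs.append((email.strip().lower(), pw))
    return pairs


def accounts_still_exposed(dump_text, directory):
    """Emails whose current stored password still equals the leaked one.
    Unknown accounts and already-changed passwords are not reported."""
    exposed = []
    for email, leaked_pw in parse_dump(dump_text):
        record = directory.get(email)
        if record is not None and verify(record, leaked_pw):
            exposed.append(email)
    return exposed


# Constructed local account store: alice and carol never changed their
# passwords after the leak; bob did.
DIRECTORY = {
    "alice@example.edu": make_record("Winter2016!"),
    "bob@example.edu": make_record("a-new-long-passphrase-bob-chose"),
    "carol@example.edu": make_record("correct horse battery staple"),
}

if __name__ == "__main__":
    for email in accounts_still_exposed(LEAKED_DUMP, DIRECTORY):
        print(f"force reset: {email}")
```

Because the sweep only ever hashes the leaked plaintext against the stored salt and hash, it never needs to decrypt or export anyone's password; it can run inside the identity team's existing verification path, and the output is just the list of accounts that still need the reset the post is asking people to do voluntarily.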
Next up: why should I use multi-factor authentication?