Friday, March 15, 2013

SOP Friday: Prudent Password Policies

About five years ago I responded to a question about writing down passwords. See the old blog post on Prudent Password Policies from 2008.

Sometimes it seems that passwords are the hardest thing in the world for clients to understand. Let's face it, the odds are that they'll never be hacked. So they can go decades without changing their passwords and nothing bad happens.

They don't see the work you do with routers, firewalls, and server settings to keep them safe. And they're just never going to understand brute force attacks let alone man in the middle or password reset cracks.

That makes it pretty hard for you to convince them to be scared about security.

Here are four things you can do to protect your clients while balancing true security with the "usability" they need to get their job done. As you can see, most of this has to do with education. But it's also a GREAT way to do some marketing to existing clients and prospects. Because passwords are seen as a pain in the neck, clients are often willing to tune in to these discussions.

Thing One

Engage Your Clients in the Password Policy Process

In the Network Documentation Workbook, I give an example of a two-part form you can use with new or existing clients. In the first part, you simply have the client fill out a form that asks about how they want their passwords set up.

Client form: Setting Password Policies
The questions are actually just the default settings from Windows. The form includes ...
- Days before passwords need to be changed
- Minimum password length
- Number of passwords to remember
- User lockout after x password attempts within y minutes
- How long should users be locked out?

Once you have this information from the client, you create those settings on the server. This process gets client buy-in to the password policy. Beware: The most important people will want to be excluded. So the file clerk changes her password as requested but the managing partner insists that his password never change. See the section on education.
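Here is an added example (not from the book or the original post) of turning the five answers on the form into the matching Windows domain settings. It assumes an Active Directory domain, the ActiveDirectory PowerShell module from RSAT, and a Domain Admin session; the answer values are constructed samples.

```powershell
# Added example: translate the client form into the default domain password
# policy. Assumes the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

# Constructed sample answers, one per question on the client form.
$form = @{
    DaysBeforeChange     = 90    # Days before passwords need to be changed
    MinimumLength        = 12    # Minimum password length
    PasswordsToRemember  = 12    # Number of passwords to remember
    LockoutAfterAttempts = 5     # User lockout after x password attempts ...
    AttemptWindowMinutes = 30    # ... within y minutes
    LockoutMinutes       = 30    # How long should users be locked out?
}

# LockoutDuration must be at least as long as LockoutObservationWindow.
$domain = (Get-ADDomain).DNSRoot
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MaxPasswordAge (New-TimeSpan -Days $form.DaysBeforeChange) `
    -MinPasswordLength $form.MinimumLength `
    -PasswordHistoryCount $form.PasswordsToRemember `
    -LockoutThreshold $form.LockoutAfterAttempts `
    -LockoutObservationWindow (New-TimeSpan -Minutes $form.AttemptWindowMinutes) `
    -LockoutDuration (New-TimeSpan -Minutes $form.LockoutMinutes) `
    -ComplexityEnabled $true

# Read the policy back, so the memo in part two reflects what is actually
# enforced rather than what was requested on the form.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
[pscustomobject]@{
    MaxPasswordAgeDays     = $policy.MaxPasswordAge.Days
    MinPasswordLength      = $policy.MinPasswordLength
    PasswordHistoryCount   = $policy.PasswordHistoryCount
    LockoutThreshold       = $policy.LockoutThreshold
    LockoutObservationMins = $policy.LockoutObservationWindow.TotalMinutes
    LockoutDurationMins    = $policy.LockoutDuration.TotalMinutes
} | Format-List
```

The read-back at the end is worth keeping in your SOP: it is what you paste into the client's documentation so the memo and the server never drift apart.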

Password Policy for Client Employees
In the second part, you write up a quick memo like the example in the book and hand it out to all users. It basically reflects back what the client told you. Yes, you'll spend a little time listening to people whine. Smile and nod. Then move on to the next desk.

Thing Two

Use Educational Marketing 

One of the most powerful things you can do for marketing is to create handouts that are truly useful and people will keep forever. Maybe they'll photocopy them for all of their friends at the Rotary Club. Maybe they'll post them on the bulletin board. Just make sure your logo is very prominent on these handouts.

Passwords are a great example for this. Give good solid advice that everyone can use. For example, we created a handout called "What's Your Pass Phrase" several years ago. We've gotten a lot of mileage out of that one! You can download the pdf here: Pass Phrase Handout.

Basically, the handout introduces the concept of a pass phrase rather than a password. The client doesn't need to know all the reasons why pass phrases are particularly good. Things like spaces and characters used in programming can stop some cracking programs in their tracks. But, really, the most important elements are 1) password length and 2) anything not found in a dictionary.

If you want to see a cool tool for grading passwords, visit:
Grade your own pass phrases and then point your clients to this tool as well.
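As an added example (not the handout's tool or anything from the original post), here is a small grader that scores a pass phrase on the two elements the handout stresses, length and absence from a dictionary, with a smaller bonus for spaces and symbols. The function name, the point scale and the six-word dictionary are assumptions made for the illustration; a real check would load a full word list.

```powershell
# Added example: grade a pass phrase on length, dictionary words, and the
# spaces/symbols that trip up some cracking tools. Scale is illustrative.
function Get-PassPhraseGrade {
    param([Parameter(Mandatory)][string]$PassPhrase)

    # Constructed sample dictionary; replace with a real word list.
    $dictionary = @('password', 'welcome', 'summer', 'letmein', 'monkey', 'dragon')
    $score = 0
    $notes = @()

    # 1) Length is the dominant factor: two points per character past 8, capped at 40.
    $score += [Math]::Min(([Math]::Max($PassPhrase.Length - 8, 0)) * 2, 40)
    if ($PassPhrase.Length -lt 12) { $notes += 'Shorter than 12 characters' }

    # 2) Dictionary check: strip case, digits and symbols, because "Summer2013!"
    #    is still the dictionary word "summer" to a cracking program.
    $core = $PassPhrase.ToLower() -replace '[^a-z]', ''
    if ($dictionary -contains $core) { $notes += 'Whole phrase is a dictionary word' }
    else                             { $score += 20 }

    # 3) Spaces, symbols, digits and mixed case each add a little.
    if ($PassPhrase -match '\s')              { $score += 10 }
    if ($PassPhrase -match '[^A-Za-z0-9\s]')  { $score += 10 }
    if ($PassPhrase -match '\d')              { $score += 5 }
    if ($PassPhrase -cmatch '[A-Z]' -and $PassPhrase -cmatch '[a-z]') { $score += 5 }

    $grade = switch ($score) {
        { $_ -ge 70 } { 'Strong'; break }
        { $_ -ge 45 } { 'Fair';   break }
        default       { 'Weak' }
    }

    [pscustomobject]@{
        PassPhrase = $PassPhrase
        Score      = $score
        Grade      = $grade
        Notes      = ($notes -join '; ')
    }
}

# Constructed sample inputs, weakest to strongest.
'Summer', 'summer2013!', 'My dog ate 3 socks & a #shoe' |
    ForEach-Object { Get-PassPhraseGrade $_ } |
    Format-Table -AutoSize
```

The middle sample is the point to show clients: tacking a year and a punctuation mark onto a dictionary word barely moves the score, while a plain sentence with spaces scores high on length alone.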

Thing Three

Use (and Advocate) Three Levels of Passwords

As of this writing, I maintain 688 accounts that require a password. These include everything from my email to bank accounts, florists, online services, online stores, airline frequent flyer programs, and more.

Don't tell anyone, but these are not all unique passwords.

Sometimes we nerds get on a soapbox with stuff like this. We make it sound like all security is the same - and it's all to be treated like the launch codes for nuclear missiles. But we all know that MOST passwords aren't very important.

We need to turn down the "security evangelist" rhetoric and give our clients reasonable guidelines that they can live with. I recommend (and use) three levels of passwords: Low, High, and Critical.

At the low level of security are things like Pandora, the florist, online stupid games, and sites that give me free things. And I reuse passwords a lot at this level. Think about it: If someone guessed my Pandora password, the worst thing that could happen is that I have to listen to music I don't like. That's it. Period. End of crisis.

Note: When you tell your clients this, they might say "I KNEW passwords didn't matter that much!" You just need to remind them that this is the lowest level. It is used for sites where your credit card is not stored and no one can take your money.

At the low level, it is perfectly acceptable to use the same 1-5 passwords over and over again. Each should still be a decent password, but it doesn't have to be a 28-character phrase with every possible variable. These sites either never ask for money, or they require that you put in your payment information each time. So if someone breaks in, they can spend their money but not yours.

At the high level of security are those things that do cost money and can cost you a lot more if someone breaks in. This includes your Amazon account with the stored credit card. And your Ingram Micro account where your account credit is on the line.

At the high level, you can still reuse a few passwords, but they should be very good passwords, and you should change them regularly. Here's one approach: When a bank asks you to change your password, that's a good time to change your password on your other bank accounts, your QuickBooks account, etc. That way you can keep your passwords in sync and still change them regularly.

At the critical level are services that can really cost you a lot of money. For example, I put the payroll service in this category. I use a password there that is not used anywhere else. And it's a great password. And it changes every 30 days. The reason is simple: A hacked payroll could wipe out my operations bank account and get me in trouble with both the state and federal government all at once.

Once you introduce this three-tiered approach to clients, you will give them a little confidence that you understand the real world they live in. They know the password to Netflix is not as important as the password to their Schwab investment account. After years of pretending that these are identical, they can now relax a bit.

I believe clients are more likely to comply with reasonable security policies once you define three levels of password security.

Thing Four

Use Password Vaults

I use a tool called TK8 Safe. I bought a multi-user license so everyone in the company can use it. You probably have this or some other tool you prefer.

A password vault stores your passwords (and other information) in an encrypted file. After all, it does NO good to have 688 password entries in an Excel file! Security is always about the weakest link.

We don't really resell TK8 or other password vaults. We just point clients to them and help them set it up. There's not enough money to worry about reselling, and we make plenty on the labor side. Plus, we have helped them take a real step up with security.

I am sorry to burst the bubble of all the security freaks out there who make a living scaring their clients into compliance. You're welcome to keep doing that. But just remember that your clients ultimately get to decide how much security makes sense to them. So the more rational you are, the safer they'll be.

Comments welcome.

- - - - -

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: How to Work 8AM to 5PM in I.T. Consulting

Check Out the All New Book:

Cloud Services in A Month
by Karl W. Palachuk

396 pages - plus lots of juicy downloads

Paperback - Ebook

A great resource for managed service providers or anyone who wants to make money selling and bundling cloud services.

Featuring all the details you need to create and sell YOUR custom Cloud Five-Pack (TM)

Learn More!
