How Can CIOs Get Everyone To Create Strong Passwords?

It turns out that CIOs need to provide an incentive to get the right thing done
It turns out that CIOs need to provide an incentive to get the right thing done Image Credit: Automobile Italia

Of all of the things that the person with the CIO job has to take care of, you would think that getting everyone to create strong passwords would be among the easiest, right? I mean we all know what it takes to create a secure password – make it long, don’t use common words and change it often. However, nobody seems to do the right thing. Studies that are done about the passwords that people choose show that “12345678” is always the most popular one. What can CIOs do to get people to do the right thing when it comes to passwords?

The Problem With Passwords

All CIOs know that it’s tough to get people to behave in a particular way. You can ask any parent. Alternatively, you can ask a cybersecurity expert. One of the biggest challenges for cybersecurity experts are the use of weak passwords – one of the most prevalent and intractable problems in cybersecurity. This is the weakest link in the defense against hackers. For a long time, information-security practitioners thought that the solution to this problem was to tell people the difference between strong and weak passwords. The assumption was that people simply didn’t choose strong passwords because they didn’t know what a strong password looked like. It turned out that knowledge wasn’t the only problem. Even when workers understood what a strong password was, they didn’t necessarily use one. Let’s face it – it just wasn’t worth coming up with one, and remembering it was too hard.

Another approach that the person in the CIO position has taken has been to issue strong passwords to people, to take human choice out of the equation. This comes across as “Here’s your password, thank you very much”. But it turns out that this didn’t work, either. The problem was that people couldn’t remember these complex passwords. Because of this, they wrote them down, effectively sapping their strength. In recent years, the emphasis has been more on finding the right reminder – the small manipulation in the environment within which passwords are chosen. An effective reminder would prompt people to change their behavior and choose stronger passwords.

The problem, though, was coming up with the right reminder. Researchers have experimented with displaying password-strength meters to show people, as they type how strong their passwords are. This effort builds on the assumption that if people know what a strong password is, they will use one. But the results of these efforts have been at best mixed. The research has continued. At first, researchers simply tried displaying a range of different pictures above the password entry field, including a password strength indicator. One of these reminders exploited the idea that people rise to expectations: It showed them that the passwords issued to them initially were weak, and that they were expected to choose passwords that were stronger. They typically did rise to the occasion, at least at the beginning. They generally didn’t choose passwords that were as strong as the CIO wanted.

Solving The Password Problem

Another experiment that was conducted by the researchers superimposed an arrow that moved across the bottom of the graph as they typed, reflecting the strength of their password. Yet another experiment displayed a pair of eyes above the password entry field, hoping to make people aware of the risk of someone else getting hold of their password. All of these were good ideas. However, all of them proved to be ineffective. The problem was that strong passwords are simply too costly. They take people longer to type and are harder to memorize. This means that people really have no incentive to choose a strong password because all of us are all, by nature, cognitive misers: People will always choose the path that presents them with the least resistance. Sadly, that’s just how we are made. A simple visual-cue reminder doesn’t have the power to overcome this tendency.

What’s been missing has been a powerful incentive. The good news is that researchers have found one. What they did was to tell study participants that the stronger the password they came up with, the longer they could keep using it. This was communicated by showing a dachshund with a bubble coming from his mouth saying “the stronger your password, the longer you can keep it” to make sure people got the message. As a person typed, text displayed just below the password entry field told them how long it would be before the password expired. An example would be that the password “123456” would only be valid for two weeks, whereas a good password like “I ate 10 marshmallows at the Picnic” would expire after six months. As the entered password got stronger, the time to expiration became greater.

What CIOs need to do is instead of merely trying to change people’s behavior with a visual reminder, they need to actually offer them an incentive. Studies showed that after six months of offering this incentive, the overall password profile of the entire group was significantly stronger. In all honesty a reminder ought to be not be widely adopted for every possible account. It should only be used when the CIO feels as though something of real value is being protected, like a bank or email account. Strong passwords are still costly in time and effort, so CIOs should do our best to help people match the strength of their passwords to the value of the assets they protect.

What All Of This Means For You

CIOs have many problems that they are responsible for solving that involve the importance of information technology. One of the most important of these jobs is keeping the company’s IT assets safe. We can install firewalls and software to help keep the bad guys out, but there are always other ways to get in. Having workers use strong passwords can help to keep the company safe. However, all too often people choose simple passwords that are easy to remember and easy to hack.

CIOs once upon a time thought that all that they had to do was tell people that longer and more complicated passwords were better. However, what they have discovered is that even though people know this, they still choose to use short, simple passwords. A number of different approaches have been tried in order to get people to start to use more secure passwords. These have included graphical displays of just how strong their currently entered password is. However, none of the attempts have had any lasting impact. Researchers have found a method that does seem to work. If a user is told how long their entered password will last before it has to be reset, they are motivated to create longer and more complicated passwords. CIOs have to be careful where they use this motivational technique.

We all know that the bad guys want to break into our IT systems. They would love to gain access to our systems and make off with our valuable corporate data. We take many steps to keep them out. However, one of the easiest ways for the bad guys to break in is to simply guess a password that one of our employees is using. CIOs need to come up with ways to motivate our workers to take the basic step of keeping their passwords robust and secure. If we have to do this by motivating them to create better passwords so that they can avoid the hassle of having to change them so often, then so be it. Give this idea a try and see if it can make your networks more secure.

– Dr. Jim Anderson Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: What should a CIO do about an employee who keeps creating simple passwords?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

It is the role of the person with the CIO job to make sure that their company has access to the technology that everyone needs in order to do their job most efficiently. However, this is where things can start to get a bit complicated. We work very hard to find ways to acquire the technology that the next project is going to need because of the importance of information technology. However, if we are not careful we can end up buying too much of what we no longer need or simply buying the wrong things. What steps can a CIO take in order to avoid spending their budget buying technology that will just end up going to waste?