CIOs Want To Know What’s Wrong With Password Managers

There has to be a reason why people won’t use this tool
Image Credit: The Focal Project

As the person holding the CIO job, you are responsible, because of how important information technology is to the company, for making sure that the company’s networks are kept safe at all times. This is a job that you cannot do by yourself – you need the help of everyone who works for the company. You need them to create secure passwords, change them on a regular basis, and keep them all secure. It turns out that this is actually fairly hard to do. The good news is that there are tools available to help employees do this. However, all too often the people who work for the company are unwilling to use these tools. Why is that?

Why People Don’t Use Password Managers

CIOs understand that many of their employees are vulnerable to hackers and eager to secure their online accounts, but lots of them also refuse to use an obvious solution: password managers. Why is this? Research has found that the typical reassurances and promises about password managers just don’t seem to work. Fortunately, the research also suggests there are strategies that the people in the CIO position can use to persuade employees to get past the psychological barriers and keep their data safe. For anyone who is unfamiliar with what password managers are, a password manager stores passwords securely and lets a user access them with just one master password. Some password managers will fill in a password for you when you go to a website where you already have an account, and some will generate a strong password on your behalf.

In a study it was found that the two most common methods of persuasion were ineffective in getting employees to adopt password managers. The first is the classic “push” approach. This is the idea that by showing people the dangers of using simple passwords, recording passwords on their computer or using the same passwords at different sites, a CIO would push them to adopt a safer approach. Users, it turns out, don’t respond to the push strategy. The other, “pull,” approach – when a CIO focuses on the positives of password managers – didn’t deliver any better results. With neither push nor pull nor their combination working, it isn’t surprising that only roughly 10% of users have adopted password managers. It seems as though there is a glass ceiling preventing password-manager usage across the population.

What Does A Password Manager Do?

Multiple passwords – especially good ones – are difficult to keep track of. A password manager tool can help, but many employees don’t have a clear understanding of how they work. Here are some of the basics.

Create a master password. After downloading a password manager, an employee needs to create a master password that will give them access to all the passwords they store with the manager. As with any password, one good way to create a strong master password that they’ll be able to remember is to use a phrase unique to them, like mycatsam’sbirthdayisoctober13.

Save the master password. Password managers don’t hold your master password, so they can’t access your passwords. If you forget your master password, then you won’t be able to access them either, unless the manager you use also offers access through a fingerprint or facial recognition. Even if you’ve created a memorable master password, it’s important for you to keep a record of it. Make sure that you write it down and store it in a safe location at home.

Learn how to add your passwords. You can manually enter your new passwords into the manager. When you need to create a new password, the manager can suggest one. Some will analyze all your passwords and can then suggest changes to the weak ones.

Always encrypt your passwords. All the passwords you enter in a manager are automatically encrypted to protect them against hackers.

Make sure to put it to work. The password manager will plug in the passwords you have stored as you visit the applicable web sites. Many managers will sync your passwords across all your electronic devices.
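The basics above, as an added example that is not from the blog post: a minimal vault in Python that shows why a manager can unlock your passwords with the master password yet never stores it. It uses only the standard library; scrypt derives the key, and the HMAC-SHA256 keystream plus HMAC tag is an illustrative encrypt-then-MAC stand-in for the AES-GCM or ChaCha20-Poly1305 a real product would use. The sample site entries are constructed.

```python
# Added example, not code from any real password manager. Stdlib only: scrypt for
# key derivation; the HMAC-based keystream + tag below stands in for a real AEAD.
import hashlib, hmac, json, os

def _keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    # Memory-hard KDF: slows offline guessing if the vault file is stolen.
    k = hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return k[:32], k[32:]          # separate encryption and MAC keys

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def lock_vault(master_password: str, entries: dict) -> dict:
    """Encrypt {site: password} under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Only these fields are written to disk: no master password, no derived key.
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}

def unlock_vault(master_password: str, vault: dict) -> dict:
    """Re-derive the key; a wrong master password fails the tag check and yields nothing."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = _keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)

if __name__ == "__main__":
    # Constructed sample entries; the master password is the post's passphrase example.
    master = "mycatsam'sbirthdayisoctober13"
    vault = lock_vault(master, {"mail.example": "Tq9!vL2#pX", "bank.example": "r8$Kd0zW^m"})
    print(unlock_vault(master, vault)["mail.example"])
    try:
        unlock_vault("wrong-guess", vault)
    except ValueError as e:
        print("locked out:", e)
```

Losing the master password leaves only the salt, nonce, ciphertext and tag on disk, which is exactly why the post tells employees to keep a written copy somewhere safe.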

How To Get People To Use A Password Manager

It turns out that there are two types of “mooring factors” that keep people from changing their behavior. These are seldom addressed when employees are trying to persuade others to use password managers, but they have a powerful impact. First, there is the effort required to enter all your passwords into the password manager. Many employees have some of their passwords stored in their browsers, others written down somewhere and yet even more memorized. The second type of mooring factor involves employees’ concerns. Employees don’t trust the developer of the password manager: Why, they wonder, should they give the keys to their online world to some password-management company that they neither know nor trust? People may also fear they will lose all their passwords if they forget their master password. All of these are valid concerns that can be easily addressed.

First, the effort of migrating account credentials to the password manager needs to be acknowledged. Developers of password managers should focus their attention on easing the password-manager setup process as much as possible, perhaps importing people’s passwords from their browsers or from other repositories such as spreadsheets. Second, when it comes to not trusting the password-management company, employees should be reminded that these companies are in the business of storing passwords securely. These companies cannot afford to store passwords insecurely, because their entire business is built on the trust that comes from doing this well. To that end, the source code of a password manager could be open and available to anyone to examine. Even though the average user couldn’t understand the code, influential experts could – and they can spread the word about the safety of using the password manager. Some password managers permit access via fingerprint or face biometrics. Other password managers can ease employees’ concerns about forgetting the master password by encouraging them to write down that password on a piece of paper and store it in a locked drawer or safe at home. Online hackers won’t be able to get hold of it, and employees can refer to it whenever they need to.

When employees know they won’t forget it any more, they can feel comfortable destroying the record. Alternatively, they can leave it there so that if anything happens to them, their nearest and dearest will be able to close all their accounts without having to struggle with online companies and provide legal certificates to tie up all the loose ends. Employees can also be encouraged to use a memory from childhood as a password – early teens are best. All of us humans have a memory bubble from that stage of our lives, and these memories will endure throughout our adulthood. They are also probably not, with a little luck, in any online database. The funnier you make your password, the more likely you are to remember it. The problem that CIOs are facing is that those who are promoting password managers are currently relying on suboptimal strategies to encourage adoption. If we continue to do this, the glass ceiling of password managers will remain in place, uncracked. For CIOs, improving adoption of password managers is a simple matter of explicitly addressing the mooring factors and raising awareness of the advantages of password managers and the risk of not using them. In the end, it is not that hard to do.

What All Of This Means For You

As the CIO, you are responsible for keeping your company’s IT assets secure. In order to make this happen, you need the help of everyone who works at your company. One of the simplest and most critical things that needs to be done is to get every employee to start to use secure passwords. We know what a secure password looks like: it’s long, has special characters in it, and it gets changed every 90 days. Memorizing passwords like this for multiple systems can be very difficult for a single employee. There are applications that make this easier to do, but it can be hard to get employees to start to use these applications.

A password manager is a tool that employees can use to keep track of their passwords. The password manager has to be logged into using a master password, but once in it can automatically fill out usernames and passwords for websites that the user visits. Users may resist using a password manager because of the effort that is required to enter their existing passwords into it and because they may not trust the company that created the password manager. The people creating password managers need to make it easier to import passwords. If users write down their master password then they don’t have to worry about forgetting it.

The stronger the passwords that people use are, the more secure the corporate network will be. The challenge that CIOs are facing is finding ways to get people to use longer and more complex passwords that are, of course, harder to remember. A good way to make this happen is to get employees to use password managers. Although people may be reluctant to use such tools, if you can convince them to do so, your network will be more secure. CIOs have to put the time and the effort into getting their people to open up to using password managers.

– Dr. Jim Anderson Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that CIOs should punish people who don’t use a password manager?


What We’ll Be Talking About Next Time

The makeup of the IT department has always been diverse. However, CIOs need to understand that as they hire more and more young workers this may end up having a significant impact on how the office operates. CIOs need to remember back to when they were young and understand that new workers see work differently than many of the older people in the IT department do. They have also had a different set of experiences before they arrived at your company. What all of this means is that CIOs need to get ready to work with a new generation of workers.