How about a quick show of hands? How many of you, reading this, administer a corporate email system? Hmmm, looks like practically all of you, except for that guy in the back corner wearing the yellow t-shirt. Okay, not sure why you're here, but I appreciate you reading nonetheless. Next question. How many of you have a password policy that makes users change their corporate password every month, for example?
You hear that? That’s the sound of crickets chirping as practically each and every one of you tries to avoid eye contact with everyone else, because most of you probably haven’t changed the password to your personal email account since you first set it up. Now consider how many things are tied to that email account. Password resets for your bank accounts, your credit card accounts, your Facebook, Twitter, and blog accounts; personal email accounts are treasure troves of information for attackers. A compromised personal email account is the perfect information source for an ongoing attack against a user because so many other accounts can be compromised without the victim being aware. And the majority of users will not change their password unless a system prompts them to.
Which is why Google has started a campaign to get users of its popular Gmail service to change their passwords. A new banner appears at the top of the Gmail web page on accounts whose password has not been changed in an unspecified, but presumably long, time.
The banner's link takes users to a page that offers advice for good password management, including:
- Using a unique password for each account.
- Using a complex password.
- Advice for creating a password that is difficult to guess.
- Updating password recovery information, and
- Tips for storing passwords when your memory just isn't good enough.
And after all, with dozens if not a hundred or more unique accounts, who can keep unique passwords for each and every account in their head?
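The advice above (unique per account, complex, hard to guess, stored somewhere safer than memory) boils down to a few checks that are easy to express in code. The following Python script is an added example for this post, not Google's code or anything from the page it links to: it generates a unique password per account from the operating system's CSPRNG, computes how many bits of guessing work that password represents, and scans a small vault for passwords reused across accounts. The `vault` dictionary layout and the sample accounts are constructed for illustration and do not correspond to any real password manager's format.

```python
import math
import secrets
import string

# Character pool for generated passwords: letters, digits, and a conservative
# set of symbols that survive most web sign-up forms.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly from `alphabet`.

    Uses `secrets` (backed by the OS CSPRNG), never `random`, whose output
    is predictable from a small sample. Each call yields an independent
    password, so every account gets its own.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This only holds for randomly generated passwords; a human-chosen
    'P@ssw0rd1' has far fewer effective bits than its length suggests.
    """
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to brute-force a password of `bits` entropy.

    On average an attacker finds the password after half the keyspace,
    i.e. 2**(bits - 1) guesses. `guesses_per_second` is an assumed attacker
    rate, e.g. 1e10 for an offline attack on a fast unsalted hash.
    """
    guesses = 2 ** (bits - 1)
    seconds = guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def find_reuse(vault: dict) -> dict:
    """Map each password that appears more than once to the accounts sharing it.

    `vault` is {account_name: password}; an assumed structure for this
    example. Any reuse means one compromised account exposes the others.
    """
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two accounts share a password.
    sample_vault = {
        "bank": "correct horse",
        "personal-email": "correct horse",
        "blog": "battery staple",
    }
    for pw, accounts in find_reuse(sample_vault).items():
        print(f"password reused across {accounts}; replacing with unique passwords")
        for account in accounts:
            sample_vault[account] = generate_password()

    bits = entropy_bits(20, len(ALPHABET))
    print(f"20-char random password from {len(ALPHABET)} symbols: {bits:.1f} bits")
    print(f"expected brute-force time at 1e10 guesses/s: "
          f"{expected_crack_years(bits, 1e10):.2e} years")
    print("reuse after replacement:", find_reuse(sample_vault))
```

The reuse check is the part worth running against a real export from whatever you store passwords in; the generator is what a password manager does for you, which is the answer to the "who can keep them all in their head" question.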
Google has also led the industry by offering two-factor authentication to users at no charge, using SMS messages to their cell phones to provide the second factor, and it offers this as an additional way to secure accounts on this same page. Whether or not you take advantage of it, and even whether or not you use Gmail, changing the password on your personal email account is probably long overdue.
They even included a pretty good, very short, video that talks about how to create strong passwords. It lasts less than a minute, is easy for non-techies to follow, and is completely neutral. Here is a link to that video. As soon as you have changed your password, write up a nice little blurb to include in your weekly security tips to your users, reminding them to change the password on their personal accounts too. Remember this bit of security advice my dentist taught me years ago:
“passwords are like toothbrushes; you don’t want to share them with anyone, and you need to change them often.”