I'm working on a strategy to completely eliminate passwords in our company, or at the very least, make the system much more secure and user-friendly. I'm considering implementing a password manager for everyone to handle their passwords and passkeys, especially since a hardware key like a YubiKey Bio might be a safer option when passkeys aren't viable. However, I'm concerned about the potential loss of these keys, especially given that our employees tend to misplace personal items frequently. Currently, we have a situation where employees often create extremely complex passwords, only to forget them almost immediately after logging in, leading to numerous password reset requests. Others opt for easy-to-guess passwords which they write down on post-it notes stuck near their screens. I've tried to enforce stronger password policies and two-factor authentication, but this has met with resistance due to poor user experiences, and management is not pleased with the backlash. Fortunately, we haven't faced any data breaches yet, and I want to maintain that success as we tackle this challenge.
6 Answers
Honestly, always expect users to make mistakes. If they complain about user experience, just remind them how much worse it is when there's a data breach. A password manager like Bitwarden can help, especially if you give employees freedom to use it personally too. It’s key to maintain security while giving them some control over their passwords.
I totally get your concerns about losing personal devices with access to sensitive accounts. Older employees especially might find 2FA too complicated. A password manager can safely store everything, while you can use hardware keys for added security. It sounds like you’re on the right track with your budget getting approved for solutions like this. Keep exploring the best options!
Consider some single sign-on (SSO) solutions that could simplify things. If you can agree on one passphrase for everything, paired with multifactor authentication, it might reduce password resets. Also, look into alternatives for mobile devices, like Bitwarden, which should be part of your solution. This way, poor security practices on personal devices are less of a problem.
Have you thought about using Windows Hello for face recognition login? It would still require passwords for some applications, but it could streamline access to computers. If people are using sticky notes, they should be warned about the risks and possibly face disciplinary actions. I personally prefer a physical token for 2FA instead of using my personal device.
If you’re aiming for password security, complexity isn’t the whole solution. The reality is that most breaches come from stolen hashes rather than brute force. Using two-factor authentication (2FA) and switching to passphrases where possible might provide better security without heavily relying on tough passwords alone.
Correct me if I'm wrong, but isn’t the hash only useful if the password’s already been exposed? If managed well, even long random passwords should remain secure.
I used to keep all my passwords on a sticky note hidden under my keyboard, but then I improved that by writing them on the back of a folded sticky note to conceal them better. But honestly, I wonder how compliant we can be with our security policy doing that. It’s not foolproof, and I wouldn’t recommend it in a serious office setting.
How do you manage to fit all your passwords on one note? Seems like it would be inconvenient to keep rewriting them!
Using a sticky note might work, but if that method is seen as a security risk, it could lead to some serious problems down the line.

What do you mean by getting the hash? Isn’t it a big deal to decrypt them afterward?