How To Train Users to Create Secure Passwords


With the value of forcing users to change their passwords frequently now in question, the need for users to pick stronger passwords in the first place becomes all the more apparent. Last week, we talked about one way for sysadmins to sniff out weak passwords in use in Active Directory. But what can you do to help a user choose a better password?

This week, we’ll cover a few things that can help you to put your users on the right track -- and may even help you to use stronger passwords as well.

Get Rid of Old Assumptions and Habits

The biggest hurdle we face in creating strong passwords is probably ourselves. If you’ve been around computers for any length of time, you probably remember things like 8-character password limits -- and your users probably do too. Even the word password implies that a password should be just that -- a single word. Unfortunately, a dictionary attack -- even with common number/letter substitutions -- is about the easiest way to crack a password today.

Once you get your users thinking outside of the “word” part of “password”, it will be much easier for them to create a memorable yet secure password.
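The weakness described above can also be checked for on the defender's side. The following Python is an added example (it is not part of the original article or any E-N Computers tool): it undoes the common letter substitutions and trailing suffixes that a dictionary attack tries automatically, and flags a candidate that is then nothing more than a dictionary word. The wordlist and the accept/reject thresholds are constructed placeholders for this example; a real filter would load a full dictionary plus a breached-password list.

```python
import re

# Constructed mini wordlist standing in for a real dictionary.
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein", "monkey",
            "football", "company", "secret", "admin"}

# Common number/symbol-for-letter substitutions, mapped back to the letter they
# usually stand for. Cracking rulesets try several mappings per character
# (e.g. "1" as both "i" and "l"); one mapping is enough to show the idea.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t", "2": "z",
})


def candidate_words(password: str) -> set[str]:
    """Return the core words an attacker's mangling rules would recover:
    lowercased, with leading/trailing digits and punctuation stripped (the
    'Summer2016!' pattern), with and without substitutions undone."""
    lowered = password.lower()
    stripped = re.sub(r"^[0-9\W_]+|[0-9\W_]+$", "", lowered)
    return {lowered, stripped,
            lowered.translate(SUBSTITUTIONS), stripped.translate(SUBSTITUTIONS)}


def is_substituted_dictionary_word(password: str, wordlist=WORDLIST) -> bool:
    """True when the password is a dictionary word dressed up with the
    substitutions and suffixes that dictionary attacks already account for."""
    return any(word in wordlist for word in candidate_words(password))


def word_count(password: str) -> int:
    """Whitespace-separated words; spaces are allowed, as the article says."""
    return len(password.split())


def evaluate(password: str) -> str:
    """Classify a candidate against the article's advice. The minimum lengths
    (16 for a passphrase, 12 otherwise) are assumptions for this example."""
    if is_substituted_dictionary_word(password):
        return "reject: a single dictionary word with common substitutions"
    if word_count(password) >= 3 and len(password) >= 16:
        return "accept: multi-word passphrase"
    if len(password) < 12:
        return "reject: too short"
    return "accept"


if __name__ == "__main__":
    # Constructed sample candidates a user might type.
    for candidate in ["P@ssw0rd1!", "Summer2016!", "Dr4g0n",
                      "grandma lost her red bike in Toledo"]:
        print(f"{candidate!r:40} -> {evaluate(candidate)}")
```

Stripping the trailing digits before undoing substitutions matters: otherwise a year suffix like 2016 is "translated" into letters and the dictionary word underneath is missed.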

Prevent Password Reuse

Users may not see the need to use separate passwords for different services. That’s a personal choice. But, for their work account, they definitely need to choose a password that is not in danger of being compromised even if their personal account is.

Using an analogy may help them to see the importance. Does their house key let them into their neighbor’s house? Or does it let them into the office? Hopefully not! Passwords are like keys -- they only work if everyone’s are different. Once they understand that, they will see the need to choose a unique, secure password for work.

Think Of New Ways to Create Passwords

If your users can’t use their favorite word, and they can’t use the same password that they use for their email, then what should they do? A far more secure choice is a passphrase -- a group of three, four, or more words -- that means something to the user but can’t be easily guessed.

Think of a childhood memory, a funny story about your friend or spouse, or something else that comes readily to your mind but most people wouldn’t know. Then, take a few words from that, and string them together into a longer passphrase. (Remember, the old rules don’t apply -- spaces are fine to include!)

Alternatively, a password built from the initials of a sentence, poem, song lyric, or other longer phrase can be secure and memorable as well. For instance, “Hey Jude, don’t make it bad; Take a sad song and make it better” turns into “Hj,dmib;Tassamib-”. This looks like complete nonsense -- and it is, unless you know what song I was humming when I created it!
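The initials method applied mechanically, as an added example that is not the article's own tool: it keeps each word's first letter with its original case plus any punctuation that directly follows the word, and drops everything else. On the Hey Jude line this yields HJ,dmib;Tassamib, which differs from the author's hand-made version only in the lowercase j and the trailing hyphen the author added. The character-class count is a small assumed helper for showing why the result does not look like a word.

```python
import re
import string


def initialism_passphrase(sentence: str) -> str:
    """Build a password from a memorable sentence: first letter of each word
    (original case kept) followed by the punctuation attached to that word."""
    parts = []
    for token in sentence.split():
        if not token[0].isalpha():
            continue  # skip stray tokens such as "--"
        trailing = re.search(r"[^\w]*$", token).group(0)  # e.g. "," from "Jude,"
        parts.append(token[0] + trailing)
    return "".join(parts)


def character_classes(password: str) -> int:
    """Number of distinct classes present: lowercase, uppercase, digits,
    punctuation. A bare dictionary word scores 1; the initialism mixes
    case and punctuation without the user having to think about it."""
    tests = [str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation]
    return sum(1 for test in tests if any(test(c) for c in password))


if __name__ == "__main__":
    # The article's own example lyric line.
    lyric = "Hey Jude, don’t make it bad; Take a sad song and make it better"
    generated = initialism_passphrase(lyric)
    print(generated, "classes:", character_classes(generated))
```

The user still only has to remember the sentence, not the string; if the sentence is something personal rather than a famous lyric, the result is both memorable and hard for anyone else to guess.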

Of course, all the usual password advice applies as well -- a good list can be found in Microsoft’s recent password guidance document. But, better than giving your users a big list of “Don’ts” is a list of “Do’s”. We hope this article will help you to train your users to create stronger passwords.


E-N Computers can help your business to stay secure against the latest threats. Contact us today to find out why Virginia, Maryland, and Washington D.C. trust their cybersecurity to us.