Case study: Getting users to change passwords
June 24, 2008 by Valerie Helmbreck
Posted in: Communication, Compliance, Information security, Latest News & Views, Software
Some users hadn’t changed their passwords in 15 years, which put our company at a huge security risk.
We needed a new password policy to make us less vulnerable.
But users felt that we were just creating a policy that would make their lives more difficult.
Buy-in was what we needed. Otherwise the policy would flop.
We began a user-education campaign with e-mails, memos and meetings. The big thing was users understanding how crucial it is to business not to create security risks.
We provided suggestions on how to come up with new passwords every 90 days, including techniques for remembering them, such as numeronics and phrases.
We stressed the importance of not creating cheat sheets under keyboards or on monitors, and they groaned.
But we acknowledged their pain and let them know this applied to everyone – from IT up to our CEO – and nobody would be exempt.
The prep work really paid off because users change their passwords routinely without calling the help desk.
Now users are a part of a security process that goes beyond firewalls and user access.
(Ann Dunn, IT director, Planned Parenthood of Northern New England, Williston, NY)
