So far this month, we’ve updated the password policy, created appropriate challenge questions, and come up with a strategy for setting initial passwords. Now we are ready to start training the users and wrap up the month’s activity.

Developing user training

Unless you’ve already worked with Michael, chances are that the employees at your organization don’t get passwords. This is common: users don’t understand why passwords have to be so complicated or how to effectively transform the rules they are taught into memorable, usable passwords. Go straight to automation with this type of user base and the help desk calls will increase – guaranteed.

The reality is, users will do what’s most convenient to them. If accessing a self-service website is faster and easier than calling the help desk and sitting on hold for a few minutes, they’ll do it. If they have to spend time looking for the site, or if they get frustrated trying to figure out their initial password or how to register questions, they’ll call the help desk instead.

The only way to be successful with a password self-service implementation is to thoroughly train employees, and make it easy for them to use the system. This means:

  • Making sure everyone knows what the password rules are (and understands them – Michael can help)
  • Putting links to the self-service page everywhere you can so users know how to find the page
  • Communicating how the challenge questions work and how to answer them
  • Testing the site on all browser types that might be used to access the self-service site (or clearly communicating which browser types are supported)
  • Helping users understand the limitations of the system (e.g., will the tool be available outside of the corporate network or not?)

Also consider the overall computer literacy of your end-users. Are you rolling out password complexity to some of your users for the first time as part of this implementation? Have those users ever used a computer in a corporate environment? Are they likely to be a computer user at home? If the answer is no, consider a basic computer literacy course first – if they don’t even know how to use a mouse, asking them to come up with an 8-character password with a choice of upper- and lower-case letters, numbers, and punctuation marks will throw them for a loop.

Delivering user training

Spend time delivering the training you’ve developed in ways that work for the users. This may include in-person sessions as well as web-based training. Get management involved – make them early adopters of the system, and have them encourage their departments to participate. Establish a process to ensure that new hires receive this information as part of the standard onboarding sessions. Make sure the training is easily accessible to anyone who needs a refresher. Above all, make sure that end users get the support they need to transition to the new way of doing things – this may entail a little extra up-front work from the help desk, but whoever provides that support needs to be well-versed in the system and make it easy for the users to understand.

Populating the requirements list

At a minimum, this month’s exercise should feed some requirements around challenge questions – how important are selectable questions to the organization? Are one-size-fits-all questions acceptable?

If there are plans to auto-populate the challenge questions from HR, there may be some requirements around the HR integration with identity manager. There may also be requirements on how to get even transient HR data to auto-create initial passwords, if that’s desired.

There may also be some implementation notes – fields that need to be accessible from HR, final challenge questions agreed-upon by the focus group, etc.

Action Recap

This month’s actions are focused on preparing for a successful password self-service implementation:

  1. Review and update the password governance documents to ensure that the same password rules apply to all systems and all users
  2. Determine how to handle challenge questions and come up with appropriate questions (if needed)
  3. Develop and begin to use an initial password formula
  4. Develop and thoroughly deliver end-user training, taking the level of computer literacy into consideration
  5. Keep the users in the loop – communicate the changes, explain why they are being made, and begin using the new materials (e.g., initial password formula) as soon as possible so they get used to it

How can I help?

Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.

About the Author: Ioana Bazavan Justus
