Ever ask someone “How does a password work?” I’m curious what the response is.

I’ve spent the last decade working with companies to successfully change the way people build, use, and maintain passwords. I ask that question all the time. Seldom do I get the right answer. And even then, it takes some work to get the pieces right.

Authentication is complex. Explaining the role of passwords in a way that actually changes behavior, and lets us measure that change, has eluded us for over 20 years. Done right, it requires an understanding of identification, authentication, assurance and privileges: dry topics that need to be brought to life and presented in a way that makes sense.

The principal challenge of passwords is misunderstanding, and a failure to communicate their personal and business value.

I've started to notice people, in an effort to connect with others, recommending that they go to websites to check the strength of their passwords. This isn't phishing. It isn't a clever attack, or even a simple one. It's well-intentioned advice coming from the mouths and keyboards of security practitioners.

When I asked about it, I was told it was a way to help people check the strength of their passwords with a visual result.

The problem is that the best intention often leads to a bad outcome. 

Who owns the website? How is it structured? Does it store the passwords? How is it checking the strength? Does it capture domain information? Is it handling the passwords in plaintext, and is the check done in the browser or on the server? Even a page that checks in the browser today can be changed tomorrow, and the person typing has no way to tell the difference.

I applaud anyone making an effort to educate and support others. But suggesting that someone go to a website they don't control and type in their password is bad advice.

If someone gives you this advice, politely decline.

Even if the site's intentions are good, it receives a steady stream of real passwords. Does that make it a target for attackers to compromise?

Worse, does this encourage promiscuous password habits? How is giving your password to an unknown website any different from giving it out over the telephone?
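A strength check does not need a website at all. What follows is an added example, not the author's tooling and not the logic of any particular checking site: a small offline estimator in Python that scores a password on the local machine, so the questions above about ownership, storage and plaintext handling never arise because the password never leaves the process. The tiny denylist, the run and repeat penalties, and the verdict thresholds are assumptions chosen for illustration, not a published standard.

```python
import math
import string

# Constructed, tiny denylist standing in for a local copy of a breached-password
# list; a real deployment would load a large file from disk, still offline.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "iloveyou", "admin", "monkey",
}

# Keyboard rows and ordered runs that guessing tools try first (assumption:
# a short list is enough to show the penalty; real tools carry many more).
SEQUENCES = (
    "abcdefghijklmnopqrstuvwxyz",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "0123456789",
)

# Verdict thresholds in bits of estimated guessing work (assumed values).
THRESHOLDS = ((28, "weak"), (50, "fair"), (75, "good"))


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, from the classes present."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    if any(c not in string.printable for c in pw):
        size += 100  # assumption: flat credit for non-ASCII characters
    return size


def looks_common(pw: str) -> bool:
    """Denylist hit, including the 'Password1!' trick of tacking digits and symbols on."""
    low = pw.lower()
    stripped = low.rstrip(string.digits + string.punctuation)
    return low in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS


def sequence_run(pw: str) -> int:
    """Length of the longest piece (3+ chars) that is a forward or reversed run."""
    low = pw.lower()
    longest = 0
    for seq in SEQUENCES:
        for run in (seq, seq[::-1]):
            for i in range(len(low)):
                for j in range(i + 3, len(low) + 1):
                    if low[i:j] in run:
                        longest = max(longest, j - i)
                    else:
                        break  # longer slices from i cannot match either
    return longest


def estimate_bits(pw: str) -> float:
    """Rough log2 of the guesses needed; the password is only ever read here."""
    if not pw or looks_common(pw):
        return 0.0
    per_char = math.log2(charset_size(pw))
    # Repeated characters earn half credit; a run of length n is worth about one
    # character plus a starting point, so n-1 characters of credit are dropped.
    repeats = len(pw) - len(set(pw))
    effective_len = len(pw) - 0.5 * repeats - max(sequence_run(pw) - 1, 0)
    return max(effective_len, 0.0) * per_char


def rate_password(pw: str) -> dict:
    """Return the estimate, a verdict and the reasons behind it."""
    bits = estimate_bits(pw)
    label = "strong"
    for limit, name in THRESHOLDS:
        if bits < limit:
            label = name
            break
    reasons = []
    if looks_common(pw):
        reasons.append("on the local common-password list")
    if sequence_run(pw) >= 3:
        reasons.append("contains a keyboard or alphabet run")
    if len(pw) - len(set(pw)) > len(pw) // 2:
        reasons.append("mostly repeated characters")
    return {"bits": round(bits, 1), "verdict": label, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample inputs; nothing here is written or sent anywhere.
    for sample in ("Password1!", "qwertyuiop1", "Tr0ub4dor&3",
                   "correct horse battery staple"):
        print(f"{sample!r}: {rate_password(sample)}")
```

The point of the example is where the check runs, not the scoring formula: the same estimate, or a far better one, can be shipped inside a password manager or a login form's client-side code, and a user who needs a "visual result" can get one without handing the secret to a third party.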

As we continue to empower and enable people to build better passwords, it is important to consider the unintended consequences of advice.

I’m always available for a quick chat through social media or by telephone to talk through better strategies. I’m even building out a scenario to share how I solve this problem for organizations.

Worried about passwords? Let’s connect and explore.


About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

