CERT Campaign re Passwords

[Neil F]

Can I assume that many of you received this email today?
I think it is productive.


Kia Ora,
This month, CERT NZ is launching a bold, new campaign to help people better protect their online accounts by using passphrases — a random phrase, or mix, of four or more words.

Recent research* has shown that New Zealanders aged 18 – 35 aren’t strong on using secure passwords but are very receptive to the idea of using passphrases as an easy way to create and remember an account login.
The major challenge with this audience is that they are served a large amount of advertising, so we needed to come up with a unique campaign that would have impact to help educate them on an easy way to safeguard their accounts, starting off with the most at risk: email, bank, and social media.
How the campaign will be delivered
Big Password Energy will feature on digital billboards, and posters across main centres and regional areas where advertising space is available. CERT NZ will also actively promote across our social media platforms.
How you can support the campaign
We encourage everyone to get behind the campaign by sharing the campaign posts from CERT NZ’s social media channels. If you would like assets to share directly, let us know. We will be able to share a sneak peek of the campaign creative next week.
All social media posts and advertising will link to a CERT NZ campaign page which will be live from 18 July at CERT.govt.nz. We will share the URL for this page when the campaign launches.
*This research project looks at the New Zealanders cyber security attitudes, behaviours and motivations. These findings will be publicly available in August. If you would like more information into the audience we are targeting, just let us know.

Save the Date: Cyber Smart Week, 10 – 16 October 2022
We’re in the planning phase of the CERT NZ’s cornerstone awareness event, Cyber Smart Week.
We’ll keep you updated as we progress and ask that you save the date for 10-16 October 2022 as we’d love to have you onboard again as we work together to help New Zealanders improve their online security.
The campaign will carry on the bright, fun, and accessible creative approach from previous years and be designed to consider all audiences.
Ngā mihi,
The team at CERT NZ

[1101]

They seem to have an old fashioned view of password security.

Even a 10 character pass of just letters can be cracked in 4 minutes
And having overly long or complex passwords means people just write it down I tape it to the monitor (not good in business environments) .
I often see passwords written down & stuck to monitors .

Ive worked for a company who had too complex pass requirements . A pass that couldnt be remembered & had to be changed every 6 weeks. So everyone just wrote the pass on a bit of paper stuck to the monitor .

Then you have the issue of staff re-using that same password for many other things , and of course that leads to hacking issues .

[piroska]

And most sites dictate what you have to use anyway.
At least 8 characters inc a number, a capital and a special character.
Ugh.

Of course most people then do
Password!

[1101]

Relying on passwords ONLY is relying on outdated thinking.
Really should be looking at 2fa more than trying to 'fix' passwords

Heres what MS recommend
https://docs.microsoft.com/en-us/mic...o365-worldwide

and what MS dont recommend is interesting
Password expiration requirements do more harm than good, because these requirements make users select predictable passwords

Password length requirements (greater than about 10 characters) can result in user behavior that is predictable and undesirable.

Password complexity requirements reduce key space and cause users to act in predictable ways, doing more harm than good
Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cybercriminals know this so they run their dictionary attacks using the most common substitutions, "$" for "s", "@" for "a