

You have $100k to spend on teaching about better passwords. What do you do? - randanom

Hi. Longtime lurker, first time poster.

I've been given a 100k budget from a tech company to create an educational marketing campaign that teaches people to use better passwords, and improve their password habits. This is not my first time doing this (third actually, on this topic), but the first time I've reached out to people knowledgeable on the subject. I do my best to stay up to date on infosec. I read industry news and analysis, read whitepapers, and keep abreast of what others in the arena are doing — but I studied literature in school, and have worked mostly as a copywriter/advertiser, and inevitably our advice draws a mixture of praise, heavy criticism, or ire from the security community (usually more ire than anything.) My team, likewise, are not infosec experts or professionals, but rather designers, front end devs, and marketers.

We all have bad practices. Especially end users. I guess my question is, what do you think would be the most pertinent topic for end users, and what kind of change do you think people are most likely to carry out?

- Should we focus on getting people to use password managers?

- Changing their passwords regularly?

- Using long, unique passwords?

- Using 2FA?

What would you do? What would resonate with people more? What do you focus on with friends and family?

What approach is more effective, fear-based messaging? Humor? Dry facts?

In the past we've found that contests have the highest engagement, but there's just something sleazy about "tweet2win."

I don't want you to do my work for me, but rather than craft some retweetable graphics, get some big numbers, and call it a day, I'd actually like to create something of real value for people. How can we create something that actually causes real change in people?
======
borplk
I'd say getting in the habit of using password managers is by far the most
important point.

Once you are doing that, using long and unique passwords comes automatically.

Using 2FA is good but I'd say it's not 'low-hanging fruit'.

Changing passwords regularly is also not low-hanging fruit. For many things
it's not even necessary; for very important stuff you'd want to change your
password every 4-6 months, so that, for example, someone won't have access to
your email for 3 years straight. It will put a ceiling on the maximum
continuous time someone could have had access to your account. 2FA helps with
this as well.

I'd focus on making people understand how easy these password managers are.
Depending on the audience, you could focus on it being much better and easier,
not necessarily "more secure", they probably care more about it being easy.

------
Beached
Just a couple of dry facts seem to work the best: pick the top three, or maybe
show a live example. I've used John the Ripper against an NTLM hash in front
of an audience and cracked the password "Pass!" in seconds before their eyes;
this received a good response.

Whenever someone wants a reminder about password strength, I send them to xkcd

[http://imgs.xkcd.com/comics/password_strength.png](http://imgs.xkcd.com/comics/password_strength.png)
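
To put numbers behind the "live example" and the xkcd comic, here is an added illustration (not from the thread): it compares the entropy and worst-case exhaustive-guessing time of a short complex password like "Pass!" against randomly chosen multi-word passphrases. The guess rates and the 7776-word list size are assumptions chosen for the illustration.

```python
import math
from dataclasses import dataclass

# Constructed guess-rate assumptions, not measurements: a throttled online
# login form versus an offline attack on a fast hash such as NTLM.
GUESS_RATES = {"online, throttled": 1e3, "offline, fast hash": 1e9}


@dataclass(frozen=True)
class PasswordModel:
    """A password drawn uniformly from alphabet_size symbols, length times."""
    name: str
    alphabet_size: int
    length: int

    @property
    def entropy_bits(self) -> float:
        return self.length * math.log2(self.alphabet_size)

    def seconds_to_exhaust(self, guesses_per_second: float) -> float:
        """Worst case: every candidate in the space is tried once."""
        return self.alphabet_size ** self.length / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, for a slide or poster."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(models, rates=GUESS_RATES):
    """Entropy plus worst-case exhaust time per model and guess rate."""
    return {m.name: {"bits": round(m.entropy_bits, 1),
                     **{r: m.seconds_to_exhaust(g) for r, g in rates.items()}}
            for m in models}


# "Pass!" is 5 printable ASCII symbols; the passphrases assume a 7776-word
# Diceware-style list with words chosen at random, not picked by the user.
MODELS = [
    PasswordModel("5 printable chars, like 'Pass!'", 95, 5),
    PasswordModel("8 printable chars", 95, 8),
    PasswordModel("4 random Diceware words", 7776, 4),
    PasswordModel("6 random Diceware words", 7776, 6),
]

if __name__ == "__main__":
    for name, row in compare(MODELS).items():
        times = ", ".join(f"{r}: {humanize(s)}" for r, s in row.items() if r != "bits")
        print(f"{name}: {row['bits']} bits; {times}")
```

The same 5-character password that holds up for months against a throttled login falls in seconds offline, which is the point the live demo makes; the passphrase rows show why length beats symbol variety.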

------
s3nnyy
I have written my master's thesis about this topic. Let's chat? (iwang attt
fastmail.net)

