“I don’t need a password manager, I use a pattern so I remember them”. Hearing these words strikes fear in the heart of the security professional, and we hear them with terrifying frequency because that is what people (ordinary people, our users) do. They use some kind of predictable pattern, maybe with a little variation on just about every site or application they frequent. Including the corporate ones, we are paid to protect. Let’s face it, who can blame them.

The most recent set of NIST guidelines for passwords acknowledge the challenges faced by users of our systems and are designed to put the user first by making good security hygiene a user friendly process. At ThoughtWorks we wanted to update our password requirements to meet to meet the new guidelines and we thought, that since we have always had the policy of allowing/encouraging people to buy and to expense a Password Manager, we thought it should be a pretty straightforward process.

Well, it turns out we were making a lot of assumptions. Our policy was not actually well advertised or consistently applied and anecdotal evidence suggested that we weren't quite as security conscious as we imagined. We set about validating our assumptions with some user research and we learned a lot. On the one hand, we had a lot to be proud of, but there was an awful lot more that could be done.

As a result of this work, we have set ourselves a goal to drive behaviour change, not only with respect to our corporate information systems but more broadly. Our work is guided by the principle that that good personal security hygiene, amongst ThoughtWorkers, not just at work, but in every aspect of their digital lives is the best way to protect our systems.

Come to this session to learn about what we found and what we did about it, specifically; how to take your users on a security journey with you, how to leverage the skills of your technologists to support and help your technophobes.