Full Report
You told me not to write it on a Post-it... Bork!Bork!Bork! Today's bork is entirely human-generated and will send a shiver down the spine of security pros. No matter how secure a system is, a user's ability to undo an administrator's best efforts should not be underestimated.…
Analysis Summary
# Best Practices: Preventing Credential Exposure and Physical Security Risks
## Overview
These practices address the "human element" of cybersecurity, specifically the physical exposure of digital credentials (passwords/usernames) in public or shared workspaces. This guide aims to bridge the gap between technical security controls and physical operational habits to ensure that administrative safeguards are not bypassed by convenience-seeking behaviors.
## Key Recommendations
### Immediate Actions
1. **Conduct a Physical Security Sweep:** Walk through all public-facing areas (reception desks, waiting rooms, shared offices) and remove any visible credentials from whiteboards, Post-it notes, or under keyboards.
2. **Universal Credential Reset:** Change any passwords that were found to be publicly displayed immediately.
3. **Staff Briefing:** Issue an urgent memo to all staff explaining the risk of "shoulder surfing" and the legal/security implications of sharing group credentials.
### Short-term Improvements (1-3 months)
1. **Deploy a Workforce Password Manager:** Implement a managed solution (e.g., Bitwarden, 1Password) to allow staff to store and share credentials securely without physical notes.
2. **Enable Multi-Factor Authentication (MFA):** Mandate MFA for all system logins so that a stolen password alone is insufficient for access.
3. **Security Awareness Training:** Conduct targeted training sessions focusing on "Social Engineering" and "Physical Security," specifically highlighting why displayed credentials invalidate audit logs.
### Long-term Strategy (3+ months)
1. **Transition to Passwordless Authentication:** Adopt Passkeys or biometric hardware keys (FIDO2) to eliminate the reliance on memorized or written strings of text.
2. **Role-Based Access Control (RBAC):** Review system access to ensure individuals have their own unique accounts, removing the perceived "need" for shared passwords on whiteboards.
3. **Physical Environment Audit:** Redesign workstations to ensure screens and sensitive documents are not visible from public vantage points.
## Implementation Guidance
### For Small Organizations (e.g., Local Clinics)
- **Focus:** Cultural change and basic tools.
- **Step:** Use a low-cost or free-tier password manager for the team. Ensure that a "Clean Desk" policy is added to the employee handbook.
### For Medium Organizations
- **Focus:** Monitoring and Policy.
- **Step:** Appoint "Security Champions" in each department to conduct weekly unannounced walkthroughs. Implement automated password rotation policies.
### For Large Enterprises
- **Focus:** Automation and Architecture.
- **Step:** Implement Single Sign-On (SSO) across all platforms. Use Managed Mobile Device Management (MDM) to enforce biometric locks on all company devices.
## Configuration Examples
While the "whiteboard" issue is physical, the following technical configurations mitigate the damage:
* **Account Lockout Policy:**
`Threshold: 5 attempts / Reset: 30 minutes` (Prevents brute-force if a username is exposed).
* **MFA Enforcement:**
`Conditional Access Policy: Require MFA for all users, all cloud apps.`
* **NCSC 3-Random-Words Policy:**
Configure password complexity to require longer strings (e.g., 12+ characters) rather than complex symbols that are harder to remember.
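Added example (not part of the report or any of the cited guidance): a small Python model of the two controls listed above, the 5-attempt / 30-minute lockout counter and a length-first password policy. The breach list and the rule that the lock expires together with the reset window are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Values taken from the configuration examples above.
LOCKOUT_THRESHOLD = 5               # failed attempts before lockout
LOCKOUT_RESET_SECONDS = 30 * 60     # counter (and, here, the lock) resets after 30 minutes
MIN_PASSWORD_LENGTH = 12            # length-first policy, no symbol-class rules

# Constructed sample breach list; a real deployment would query a breached-password feed.
SAMPLE_BREACHED = {"password1234", "p@ssw0rd!", "letmein12345"}


@dataclass
class LockoutTracker:
    """Per-username failed-login counter implementing 'Threshold: 5 / Reset: 30 minutes'."""
    state: dict = field(default_factory=dict)  # username -> (fail_count, last_failure_time)

    def record_failure(self, username: str, now: float) -> bool:
        """Record one failed login; returns True if the account is now locked."""
        count, last = self.state.get(username, (0, None))
        if last is not None and now - last >= LOCKOUT_RESET_SECONDS:
            count = 0  # quiet for 30 minutes: the counter starts over
        count += 1
        self.state[username] = (count, now)
        return count >= LOCKOUT_THRESHOLD

    def is_locked(self, username: str, now: float) -> bool:
        """Locked while the threshold is met and the reset window has not elapsed."""
        count, last = self.state.get(username, (0, None))
        if last is None or now - last >= LOCKOUT_RESET_SECONDS:
            return False
        return count >= LOCKOUT_THRESHOLD

    def record_success(self, username: str) -> None:
        """A successful login clears the failure counter."""
        self.state.pop(username, None)


def check_password_policy(password: str, breached=SAMPLE_BREACHED) -> list:
    """Return policy violations; an empty list means the password is acceptable.
    Prefers length (three random words) over symbol rules, in the spirit of NCSC / NIST 800-63B."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in breached:
        problems.append("found in breached-password list")
    if len(set(password.lower())) < 4:
        problems.append("too few distinct characters")
    return problems
```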
## Compliance Alignment
- **NIST SP 800-63B:** Digital Identity Guidelines (Authentication and Lifecycle Management).
- **ISO/IEC 27001:** Annex A.7.7 (Clear desk and clear screen policy).
- **CIS Control 5:** Account Management and Control 6: Access Control Management.
- **NHS Data Security and Protection Toolkit (DSPT):** Specifically Guide 9 regarding password strength and remote location security.
## Common Pitfalls to Avoid
- **"Convenience over Security":** Avoid creating "shared" department accounts; these lead to passwords being written down so everyone knows them.
- **Training without Context:** Simply telling staff "don't do this" fails if the system is too hard to use. Ensure employees have a legitimate, easy way to access their passwords (like a mobile app).
- **Ignoring Feedback:** If staff say they write passwords down because they "reset too often," review your rotation policy—long, unique passwords shouldn't need frequent changes.
## Resources
- **NCSC Guidance on Passkeys:** https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better
- **NHS Password Guidance:** https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/
- **FIDO Alliance (Passwordless Standards):** https://fidoalliance.org/fido2/