You’re Invited to a Password Party!
Do you know someone who could have better passwords? Maybe someone who has been “meaning to set up a password manager” for a year or two? What about someone who just needs a helping hand? Could your co-workers, your family, or your friends use a quick password tutorial? You can help them make an immediate and impactful difference to their security posture online by hosting a Password Party, an event that lets everyone take on the password problem together.
What’s a Password Party?
People love a party! A Password Party helps educate and establish best practice for passwords. The party dedicates time to improve account security by moving passwords into a password manager and strengthening weak passwords. The event is set up like a party — think balloons, cake, and prizes — to make an otherwise tedious task more engaging.
Ensuring everyone’s passwords are up to snuff by moving them into a password manager and regenerating weak passwords can sound stressful and monotonous, especially if the individual does not see themselves as technical or security-focused. Tackling the task in a group helps everyone stay on task and allows everyone to learn from each other.
At the end of a Password Party, the attendees should have a password manager set up, and have added their most important accounts. The attendees should have learned what makes a good password and understand the basics of two-factor authentication to add even greater security to their accounts. The attendees should know how to generate a random password using the password manager, and become confident in how to secure their online accounts.
What is Expected of the Host?
The Password Party host will act as a coach and guide the group through the set-up of the password manager of their choice, explaining how a password manager works to generate and store passwords. The host will explain and emphasize the importance of two-factor authentication, and help participants add it to their accounts.
At Duo, our hosts were members of the Cloud Security team, allowing us to introduce ourselves to new coworkers, and strengthen relationships between teams.
What is Expected of Attendees?
Password Party participants should be asked to bring their laptop and their mobile device. They should be ready to install a password manager — if they don’t have one already — and have an awareness of what websites they use, with an ability to access those accounts or recover the passwords (i.e., access to the recovery email).
The Password Party is targeting the folks who know their passwords aren’t quite there yet and who have been looking for time to sit down and just do it. The Password Party provides the perfect excuse, the plan, the time and assistance to help attendees take charge of their online security and protect their accounts.
Where Should We Party?
Host the event somewhere comfortable and open. A cafeteria, living room, or lounge area is perfect! The Password Party attendees are going to need to be able to work with their laptop and mobile device easily, while remaining comfortable and in tune with the group. If this is a work setting, attendees may need to come and go, and that’s okay!
At Duo, we used the kitchen eating area, which provided a friendly, low-key atmosphere.
The event doesn’t need to be that long. Encouraging folks to work on passwords for even an hour is a win! At Duo Security, our goal was to have attendees stay for an hour. We held the event for three hours, with the intention of allowing attendees to come and go as needed for their schedules.
Pick a time of day folks are ready to do something a little different with their brain power. At work? Maybe a Thursday afternoon. With family or friends? Try a weekend brunch.
Giving your invitees advance notice helps eliminate the “I don’t have time” excuse. If this is a work event, having set time in the calendar lets employees know that this is work-sanctioned. If possible, get a note of endorsement from management to let potential attendees know it’s okay to spend work hours on security maintenance.
Rewards and Atmosphere
Consider a small prize for working diligently on passwords. At Duo, we gave all attendees a rubber duckie for participating. (Choosing a duck was popular! There were all kinds of different ducks available.) If participants finished inputting their passwords into a manager, or stayed at least an hour doing their best, they were added to a drawing for one of two gift cards.
We also provided lunch, or treats, depending on the time of day the event was held. Cookies were devoured almost immediately. If this is a work setting, food is a great way to signal to folks who missed the invite that something special is going on.
Music helps to liven up the atmosphere and balloons are a toy to bat around in between password generation. Keep the party atmosphere in mind while planning for the event as it will elevate the mood of your attendees and create excitement.
Ready to Host?
Step 1: Create the Event
Invite your coworkers, friends or family to the event and make sure to block off the time in the calendar. If you’re in an office, don’t be afraid to put up some posters or send out announcements. Consider making real invitations — it is a party after all!
Step 2: Prepare Your Attendees for Success
Know What Password Manager You’ll Support
Choose a friendly password manager or utilize the recommended manager from your organization. A good password manager choice will have step-by-step documentation easily available, will be able to generate random passwords and will be designed with security newbies in mind. If possible, choose something you’re familiar with as you’ll become the default “expert” for the people attending the event.
Print Out Documentation
This may seem counterintuitive for an event focused on using online resources, but participants often find paper solid and comforting. Provide links to the password manager’s online documentation, but also print out the basics:
- How to generate a password
- How to save a password
- How to link a personal password manager account to a corporate one (if offered)
At Duo, we had two documentation packets for each 6-person table, and that seemed to be enough.
Create Account/Website Prompts
Participants won’t always know where to start. Help out by providing lists of commonly used websites or accounts you’d like them to prioritize.
Looking for a shortcut? Wikipedia has a good list to begin with: https://en.wikipedia.org/wiki/List_of_most_popular_websites#List_of_websites.
Don’t be afraid to tailor your account lists and search regionally with something like “most popular websites in [location].” Participants should update their most critical accounts first (like their primary email address and financial institutions). The host should assist the attendees in prioritizing their accounts.
Make a Summary Sheet
Some folks like a checklist. Print out a document that summarizes what they’re doing at the Password Party. It should give just the basics, something like:
Welcome to the Password Party!!
Today we will learn how to:
- Place passwords into a password manager & re-generate any that need strengthening.
- Find out if 2-Factor Authentication is available for those sites. Set that up too!
- Add as many accounts to the password manager as you can, and receive a prize!
- Want to learn more? [Link to the Password Manager’s documentation]
- Check if 2FA is available for an account you want to secure: https://twofactorauth.org
- Always remember, we’re here to help each other! Ask questions.
Do a Short Presentation
Take 10 minutes at the beginning of the event to explore password managers and two-factor authentication.
Your attendees have RSVP'd to attend the Password Party because they want to have greater account security. Your goal is to make password managers accessible and two-factor authentication attainable.
Describe how to generate passwords, walk through the first pieces of the step-by-step documentation and invite participants to examine the password manager’s website. Explain the importance of two-factor authentication and how it works to protect accounts.
Encourage participants to add two-factor authentication to the password manager’s account, and remind them that the email they link their online accounts to is very important to protect as it holds the “keys to the kingdom” and access to reset passwords to other accounts.
Try to empower your attendees to be self-service as much as possible. Let them know you’re available for questions and reassure participants there are no bad questions. Get participants talking with each other by asking them to turn to their neighbor and share 3 accounts they plan to protect today! It’s amazing what collective experience can accomplish.
Be prepared to answer common questions and concerns about password managers and two-factor authentication. For people new to the idea of protecting their passwords behind a single password it can be a little scary.
For example, some of the common questions I’ve encountered at Duo are:
- How do I share passwords safely?
- How do I recover my password manager’s password?
- What do I do if I lose or no longer have the device I use to set up two-factor authentication?
Think about the questions you’ve already heard prior to hosting your Password Party, and be ready to answer.
At Duo, we quickly noticed coworkers helping coworkers. This event is a great way to encourage attendees to meet people from other teams as well!
End the Party with Empowerment
Empower your party people to create a culture of security. The Password Party isn’t meant to completely alleviate the attendees’ password concerns. It is supposed to give them the impetus to start protecting themselves and provide the first set of tools they’ll need to become more secure online.
Remind all of the participants that it’s okay not to finish today. The work the attendees did do is meaningful, and they’re better protected now than even a few hours ago. As long as they move a few passwords every day, or even once a week, they’ll be fully invested in their new password manager in no time.
Password Parties are designed to help your team make time for implementing secure practices while learning and working in a relaxed environment. Getting passwords into a password manager often feels daunting due to the number of accounts we all have, but this party makes it manageable. Every time we make a password stronger or we add 2FA to an account we become a little bit more secure. These little steps add up. Let’s celebrate those iterative successes! Let’s have a Password Party!
Security Education Freebies
We made a bunch of free tools and activities to foster security education and awareness. To learn more, please visit: http://duo.com/security-123