_Challenge

Passwords on notes: time for a change

Within Agora, there was no structural password management solution. Employees used repetitive passwords, wrote them down in calendars or under keyboards, and sometimes relied on WhatsApp or Excel lists. Daniëlla: “After every vacation, someone has lost a password. And in the worst case, they use the same password for everything. Of course, that's not safe at all.”

Although this behavior is not exceptional in education, Daniëlla saw that something had to change. She notices that safety does not come naturally and that teachers don't have time for it either. “Their focus is on the kids, not IT.”

“After every vacation, someone has lost a password. And in the worst case, they use the same password for everything. Of course, that's not safe at all.”
- Daniëlla Overbeek, educational ICT policy officer

That became painfully clear when Agora had external ethical hackers test how vulnerable the schools were. “We had hackers walking around the office to test whether they were coming in. Well, that just works. The note under the keyboard remains persistent.”

Once when MindYourPass stopped by for a presentation, a quarter dropped. “We didn't have such a tool yet. While it hits exactly where things go wrong: convenience, behavior and overview.”

‍

‍

_Approach

What the baseline revealed about password usage

Agora started measuring MindYourPass to provide insight into password usage. This measurement is easy to install on employees' laptops and then securely tracks how people use passwords without passwords being stored centrally anywhere. Daniëlla says that they chose to measure this without informing employees in advance: “We thought that was more honest than announcing, otherwise everyone will change their passwords quickly and you won't get a clear picture.”

The baseline measurement checks for at least four weeks via the password manager whether passwords are safe, whether they occur in previous data breaches and whether they are reused. The scan is fully automated, AVG-proof and does not require manual input from employees.

The result is provided in a clear report including the risk image, application overview and concrete improvement recommendations. The results were discussed in groups with Agora. “I noticed how familiar it was for everyone,” says Daniëlla. “Everyone recognized the pain points. Then something happens. People are going to think. And that's exactly what you want to achieve.”

‍

‍

_Outcome

From gut feeling to substantiated insight

The baseline measurement provided Agora with a factual picture of password behavior within the organization for the first time. No more assumptions or gut feelings, but hard data. “I was always asked: how digitally resilient are we really? Now I finally had something to show.”

The overview of used accounts and leaked passwords was particularly impressive. Daniëlla: “When you're just in front of the classroom as a teacher, you don't think about that at all. You just want your laptop to work and get started. But if you suddenly see that your password has ever been leaked, it suddenly comes close.”

“Their focus is on the kids, not IT. Then you have to help them make safety part of their behavior.”
- Daniëlla Overbeek, educational ICT policy officer

The measurement gave direction to the wider awareness program and provided concrete tools to continue building. “You know where you are. And that makes it much easier to take the right steps,” she says.

‍

‍

_Reflection

Insight leads to action

For Daniëlla, MindYourPass mainly confirmed this: awareness works when people understand where things are going wrong. The baseline measurement helped to hold up that mirror. “You don't always have to start with the biggest measures. Start with insight. That encourages action,” she says.

The tool is a concrete step towards safer behavior, without it feeling heavy or technical. She also finds the collaboration with MindYourPass itself refreshing: “You can just call, app or email them and you'll get an immediate answer. No hassle.” What appeals to her the most? The combination of expertise, humanity and genuine involvement in education.

“Everyone recognized the pain points. Then something happens. People are going to think. And that's exactly what you want to achieve.”
- Daniëlla Overbeek, educational ICT policy officer

Agora's experience shows: behavioral change starts with insight. A baseline measurement doesn't have to be complicated to be valuable. It's about awareness, recognition and small steps that together make a big difference.

‍

‍