I can’t begin to express the frustration at expiring passwords and password complexity. I know the reasons and fully support the concepts. However there are a number of problems with password policies and I’ll list out the 3 biggest ones.
Companies have quite a bit of data and they rely on their staff to safeguard that information. Employees are placed in a difficult position of being subject matter experts within their respective fields and at the same time understanding complex security problems and policies. They engage in behavior that puts sensitive information at risk.
One of the biggest problems: They reuse passwords on disparate systems ensuring that should their password be compromised on one site it is most likely compromised on multiple sites.
While multi-factor authentication is becoming more common and effective it is difficult for many users and often cumbersome to the point of non-use. Most employees need to use a variety of different passwords to access their accounts, computers and other devices and MFA’s that work with one system might not work with another.
But passwords have a lot of problems — most relating to how easy they are to crack or otherwise steal, giving unauthorized people access to sensitive accounts and data.
While many of the problems are inherent in the fact that passwords offer just a basic, single layer of protection, employee behavior typically makes things a lot worse. That includes both their password selection habits, as well as how people handle those passwords once they’re chosen.
Common password problems that employees make are:
- Choosing weak passwords, like “12345,” “password” and “password1”
- Using the same password on all of their accounts, including work-related and personal accounts
- Sharing passwords with co-workers or other unauthorized people, and
- Writing passwords down on notes stuck to their PCs.
In response, IT departments often use password policies to help correct that behavior and give data more protection — with the help of automated enforcement of those requirements when possible.
But those rules often have weak spots of their own. Here are three common problems with many companies’ password policies:
1. Outdated complexity requirements
Many different studies have been conducted analyzing lists of passwords and highlighting how often the simplest, most easily guessed passwords are used.
For example security experts have found that the list of the 1,000 most common passwords accounts for nearly all (91%) of the passwords used around the globe. In addition:
- 4.7% of passwords are simply “password”
- 8.5% are either “password” or “123456,” and
- 9.8% are “password,” “123456″ or “12345678.”
That’s why companies often mandate complex passwords and enforce requirements when they can. The problem is, it’s usually easy to meet requirements with a password that isn’t complex at all. For example, if a password must use a capital letter and a number, many users would pick “Password1.”
And as hackers get better at cracking passwords, what was once critical for password security is becoming less important. Many password policies require the use of punctuation marks and other special characters, and IT often recommends users take words and phrases and replace some letters with those symbols.
However, hackers are catching on to those tactics and they can now be accounted for in password-cracking algorithms.
2. Too many forced changes
In addition to the password complexity, many companies aggressively enforce rules requiring to users to change passwords on a regular basis — sometimes as often as once every month.
However, many experts warn IT that forced changes and complexity requirements don’t go well together — the more often users need to change their passwords, the simpler and easier to remember those passwords will be.
While monthly changes make sense for the most highly sensitive accounts, most could do with much longer cycles.
One of the top benefits of requiring passwords to be changed is that it keeps people from using the same passwords for all of their accounts, inside and outside of work. Having passwords change just twice a year, for example, would most likely have the same effect as a more strict password policies.
3. No reasonable lock-out rule
While password complexity is a common focus of password policies, that’s probably not the most effective to prevent brute force attacks. Some experts say that it’s more important to require accounts to lock after a certain number of failed log-in attempts.
While it could take just a few tries to guess something like “password” or “12345,” it’s unlikely even a somewhat complicated password could be cracked in five or ten attempts.
It’s important to find the right balance among a few different factors, including the sensitivity of the account, how likely authorized users are to enter the wrong password, and how much of hassle it is to fix the situation when users get locked out.
For example, some companies will find that ten attempts is an appropriate cut-off for most of the accounts. It’s unlikely that someone who should know the password would enter it incorrectly more than ten times, while as long as a somewhat complex password is chosen, it’s almost impossible that a hacker would be able to break in with just 10 chances. But again, some highly sensitive accounts will require tighter restrictions.
For help improving your company’s password policy, Contact us HERE for a complete password policy assessment and recommendation.