Password security requires a delicate balance. Many policies demand complex passwords, but if IT pushes too far, users will work around the rules wherever they can, or simply write their passwords down.
A distressing number of users ignore password security best practices and turn to common words and phrases when they’re required to choose a password.
In fact, the 10 most common passwords make up about 14% of all the passwords in use today, according to research from password security expert Mark Burnett. Even worse, 91% of passwords use one of the 1,000 most common passwords, and close to 99% use something from the top 10,000.
Other figures from Burnett’s study of over six million passwords:
- 4.7% of passwords are simply “password”
- 8.5% are either “password” or “123456,” and
- 9.8% are “password,” “123456” or “12345678.”
Is a policy the answer for password security?
The upshot: if users are free to choose their own passwords for work accounts, company data may not be well protected.
What can IT departments do to improve password security in their organizations? One method is to set a password policy that requires a certain level of complexity. However, as some experts have pointed out, a password that counts as complex under most policies can still be one that appears in the wordlists attackers try first when guessing their way into accounts.
For example, “P@ssw0rd” is eight characters long and uses a capital letter, a number and a special character — yet it still appears in many studies of the least secure passwords.
The fact is, users will most often gravitate toward passwords that are easy to remember, no matter what rules are in place. A better strategy may be to train users on password security and offer advice on choosing secure passwords.
For example, tell users to think of a memorable song lyric or movie quote and string together the first two letters of each word. That won't satisfy requirements for numbers and special characters, but it will at least be specific to the user rather than something lifted straight from a common-password list. One caveat: a very famous quote run through a simple, widely known rule is still guessable, so a longer or more obscure phrase is better.
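The two points above, that a policy-compliant password like "P@ssw0rd" can still be a common one, and that the quote-based mnemonic passes a blocklist but not a complexity rule, are easiest to see by running candidates through both checks side by side. The following is an added example written for this page, not code from the original article or any product it mentions. The tiny blocklist, the leetspeak substitution table and the rule set are constructed assumptions; a real deployment would load a list of tens of thousands of entries, such as the top-10,000 list from Burnett's study.

```python
import re
from typing import Callable, List, NamedTuple, Optional, Tuple

# Constructed stand-in for a real common-password list (assumption: in
# production this is loaded from a file with tens of thousands of entries).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "letmein", "monkey", "dragon", "baseball", "iloveyou",
}

# A typical complexity policy: 8+ characters, upper, lower, digit, special.
COMPLEXITY_RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("min_length", lambda p: len(p) >= 8),
    ("uppercase", lambda p: re.search(r"[A-Z]", p) is not None),
    ("lowercase", lambda p: re.search(r"[a-z]", p) is not None),
    ("digit", lambda p: re.search(r"\d", p) is not None),
    ("special", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]

# Substitutions users make to satisfy the rules above (assumed table;
# real crackers apply far larger mangling rule sets than this).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


class Verdict(NamedTuple):
    failed_rules: Tuple[str, ...]   # complexity rules not met (empty = policy satisfied)
    common_match: Optional[str]     # blocklist entry matched after normalization

    @property
    def accepted(self) -> bool:
        return not self.failed_rules and self.common_match is None


def normalized_variants(password: str) -> List[str]:
    """Forms of the password an attacker's wordlist would effectively cover.

    Lowercase it, undo leetspeak, and drop trailing digits/punctuation that
    were appended only to satisfy the policy. Order is fixed so the first
    blocklist hit is deterministic.
    """
    lowered = password.lower()
    variants = [lowered, lowered.translate(LEET_MAP)]
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    if stripped:
        variants.extend([stripped, stripped.translate(LEET_MAP)])
    return variants


def evaluate(password: str) -> Verdict:
    """Apply the complexity policy and the blocklist independently."""
    failed = tuple(name for name, rule in COMPLEXITY_RULES if not rule(password))
    hit = next((v for v in normalized_variants(password) if v in COMMON_PASSWORDS), None)
    return Verdict(failed, hit)


def mnemonic(quote: str, letters_per_word: int = 2) -> str:
    """The page's suggestion: join the first N letters of each word of a quote."""
    words = re.findall(r"[A-Za-z]+", quote)
    return "".join(w[:letters_per_word] for w in words)


if __name__ == "__main__":
    # Constructed candidates: a policy-compliant common password, a
    # mnemonic-derived one, and one that survives both checks.
    for candidate in ["P@ssw0rd", "Password1!", mnemonic("We will, we will rock you"), "b0xcar-Lantern9"]:
        v = evaluate(candidate)
        print(f"{candidate:20} complexity_failed={v.failed_rules} common={v.common_match} accepted={v.accepted}")
```

Running it shows "P@ssw0rd" satisfying every complexity rule yet normalizing to "password", while the mnemonic "Wewiwewiroyo" is absent from the blocklist but fails the digit and special-character rules. The practical lesson is that the two checks answer different questions, and a policy that enforces only the first one rejects the wrong passwords.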
IT departments can also set a good example by choosing strong initial passwords for users' machines and accounts. If a new employee's first instruction is to log in to email with "password", they are unlikely to think password security is a big deal in that company.
How does your IT department promote password security? Let us know in the comments section below.