Companies’ employees do a lot that puts sensitive information at risk. One of the biggest problems: they choose weak passwords that offer little protection. And despite IT’s best efforts, most organizations’ password policies haven’t done much to fix that.
While multi-factor authentication is becoming more common, both in business and in consumer-facing services, most organizations still rely heavily on passwords to control access to sensitive information. Most employees juggle a variety of passwords for their accounts, computers and other devices.
But passwords have a lot of problems — most relating to how easy they are to crack or otherwise steal, giving unauthorized people access to sensitive accounts and data.
While many of the problems are inherent in the fact that a password is a single, basic layer of protection, employee behavior typically makes things a lot worse. That includes both how people choose their passwords and how they handle those passwords once they’re chosen.
Some of the most dangerous password mistakes users make include:
- choosing weak passwords, like “12345,” “password” and “password1”
- using the same password on all of their accounts, including work-related and personal accounts
- sharing passwords with co-workers or other unauthorized people, and
- writing passwords down on notes stuck to their PCs.
Ineffective password policies
In response, IT departments often use password policies to help correct that behavior and give data more protection — with the help of automated enforcement of those requirements when possible.
But those rules often have weak spots of their own. Here are three common problems with many companies’ password policies:
1. Outdated complexity requirements
Many studies have analyzed lists of real passwords and shown how often the simplest, most easily guessed ones are used.
For example, last year, security expert Mark Burnett analyzed a large set of real-world passwords and found that the 1,000 most common passwords account for the vast majority (91%) of all the passwords in the set. In addition:
- 4.7% of passwords are simply “password”
- 8.5% are either “password” or “123456,” and
- 9.8% are “password,” “123456” or “12345678.”
That’s why companies often mandate complex passwords and enforce the requirements automatically when they can. The problem is that it’s usually easy to meet the requirements with a password that is still trivial to guess. For example, if a password must contain a capital letter and a number, many users will pick “Password1,” which satisfies every rule and is among the first guesses any attacker tries.
And as attackers get better at cracking passwords, measures that once added real strength now add very little. Many password policies require punctuation marks and other special characters, and IT often recommends that users take a word or phrase and swap some letters for those symbols, turning “password” into “p@ssw0rd.”
However, attackers have caught on: password-cracking tools apply those same substitution rules automatically to every word in their dictionaries, so “p@ssw0rd” falls almost as fast as “password” does.
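The point above, as an added example that is not part of the original article: a checker that applies the usual complexity rule side by side with one that first collapses a candidate back to the dictionary word it was built from (lower-casing, undoing the common letter-for-symbol swaps and dropping the digits or punctuation tacked onto the ends) and then compares it against a common-password list. The list and the candidate passwords are constructed for the example; a real deployment would load a large leaked-password corpus.

```python
import re

# Constructed excerpt of a common-password list (assumption: our own sample,
# not the page's data). A real deployment would load a large corpus.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "monkey", "dragon", "football", "iloveyou", "abc123", "admin",
}

# The letter-to-symbol swaps IT often recommends. Cracking tools apply these
# as rules to every dictionary word, so the checker undoes them.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "l",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})


def naive_policy_ok(pw: str) -> bool:
    """The common 'complexity' rule: 8+ chars with upper, lower and a digit.
    'Password1' satisfies every clause."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def normalized_forms(pw: str) -> set:
    """Collapse a candidate back to the word it was built from: lower-case it,
    drop digits/punctuation tacked onto the ends, and undo leet substitutions.
    Every intermediate variant is kept so the result does not depend on the
    order in which the user applied the tricks."""
    lowered = pw.lower()
    forms = {lowered, re.sub(r"[^a-z]+$", "", lowered)}
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    forms |= {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in list(forms)}
    return {f for f in forms if f}


def blocklist_policy_ok(pw: str) -> bool:
    """Complexity rule plus a check that no normalized form of the password
    is a well-known weak password."""
    if not naive_policy_ok(pw):
        return False
    return not (normalized_forms(pw) & COMMON_PASSWORDS)


def compare_policies(candidates):
    """Return {candidate: (naive_result, blocklist_result)} for each candidate."""
    return {c: (naive_policy_ok(c), blocklist_policy_ok(c)) for c in candidates}


if __name__ == "__main__":
    # Constructed candidates: the first two pass the naive rule and fail the
    # blocklist; only the last passes both.
    results = compare_policies(
        ["password", "Password1", "P@ssw0rd!", "W3lcome1", "Tr0ub4dor&3"])
    for pw, (naive, strict) in results.items():
        print(f"{pw:14s} naive={naive!s:5s} blocklist={strict}")
```

The normalizer is the defender’s mirror of a cracking tool’s rule set: whatever variants the attacker can generate from a base word, the checker folds back to that base word before looking it up.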
2. Too many forced changes
In addition to complexity, many companies aggressively require users to change their passwords on a regular basis, sometimes as often as once a month.
However, many experts warn IT that forced changes and complexity requirements don’t go well together: the more often users must change their passwords, the simpler and more predictable those passwords become, typically a base word with a number at the end that gets incremented at each change (“Password1,” then “Password2”).
While monthly changes make sense for the most highly sensitive accounts, most could do with much longer cycles.
One of the main benefits of requiring periodic changes is that it discourages people from using one password for all of their accounts, inside and outside of work. Requiring a change just twice a year, for example, would most likely achieve that as well as a stricter policy does.
3. No reasonable lock-out rule
While complexity is a common focus of password policies, it’s probably not the most effective way to prevent brute-force attacks against live accounts. Some experts say it’s more important to lock accounts after a certain number of failed log-in attempts. (A lock-out only helps against online guessing: if an attacker has stolen a copy of the password database, nothing stops them testing guesses offline at full speed, and then only the strength of the password and of the hashing matters.)
While it could take just a few tries to guess something like “password” or “12345,” it’s unlikely that even a moderately complicated password could be guessed in five or ten attempts.
It’s important to find the right balance among a few different factors, including the sensitivity of the account, how likely authorized users are to mistype their password, and how much of a hassle it is to fix the situation when users get locked out.
For example, some companies will find that ten attempts is an appropriate cut-off for most accounts. It’s unlikely that someone who actually knows the password would enter it incorrectly more than ten times, while, as long as a reasonably complex password is chosen, it’s almost impossible for an attacker to break in with just ten chances. But again, some highly sensitive accounts will require tighter restrictions. Two caveats apply: a lock that lasts until an administrator intervenes lets anyone who knows a username lock its owner out on purpose, so a time-limited lock is usually preferable; and a per-account lock does nothing against an attacker who tries one common password against many accounts in turn, which is why weak passwords still have to be rejected at the moment they are chosen.
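The lock-out rule and its two caveats, as an added example that is not part of the original article: a small authenticator that locks an account for a fixed window after a configurable number of failures, a single-account dictionary attack that the lock caps, and a “spray” of one common password across many accounts that the per-account lock never notices. The account store, PBKDF2-SHA256 password hashing, the injectable clock and the wordlist are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    """Password login with a failed-attempt lock-out (example code, assumed
    design: in-memory accounts, PBKDF2-SHA256 hashes).

    max_failures and lockout_seconds together bound the online guess rate:
    an attacker gets at most max_failures guesses per lock-out window on any
    one account. The clock is injectable so lock expiry can be exercised
    without sleeping.
    """

    def __init__(self, max_failures=10, lockout_seconds=900,
                 iterations=100_000, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.iterations = iterations  # PBKDF2 work factor; tune upward in production
        self._clock = clock
        self._accounts = {}
        self._dummy_salt = os.urandom(16)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = AccountState(salt, self._hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        st = self._accounts.get(user)
        if st is None:
            # Do the same work as a real verify so response time does not
            # reveal which usernames exist; report it as a plain bad password.
            self._hash(password, self._dummy_salt)
            return "bad_password"
        now = self._clock()
        if now < st.locked_until:
            # Checked before verifying: a correct guess during the lock must
            # not be confirmed, and must not count against the user either.
            return "locked"
        if hmac.compare_digest(self._hash(password, st.salt), st.pw_hash):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            # Time-limited lock rather than an administrator-cleared one, so
            # that a malicious stranger cannot lock the owner out for good.
            st.failures = 0
            st.locked_until = now + self.lockout_seconds
        return "bad_password"


def dictionary_attack(auth: Authenticator, user: str, wordlist) -> list:
    """One account, many guesses: the lock-out caps this at max_failures."""
    outcomes = []
    for guess in wordlist:
        outcomes.append(auth.login(user, guess))
        if outcomes[-1] == "ok":
            break
    return outcomes


def password_spray(auth: Authenticator, users, guess: str) -> dict:
    """Many accounts, one guess: each account sees a single failure, so a
    per-account lock-out never fires and any account using the common
    password is taken over."""
    return {u: auth.login(u, guess) for u in users}


if __name__ == "__main__":
    auth = Authenticator(max_failures=5)
    auth.register("alice", "Tr0ub4dor&3")      # constructed account
    # Constructed wordlist ending with the correct password: the lock fires
    # before the attacker reaches it.
    print(dictionary_attack(auth, "alice", ["password", "123456", "12345678",
                                            "qwerty", "Password1", "Tr0ub4dor&3"]))
```

Note that the lock is checked before the hash comparison, so a correct guess made while the account is locked is answered “locked” rather than confirmed, and the spray result is exactly why lock-outs complement, rather than replace, rejecting common passwords when they are set.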
For help improving your company’s password policy, be sure to read our password policy template.