DO WE NEED PASSWORD POLICIES?
We all know that passwords are a headache for companies. They’re the old-school way of proving who you are online, and as the sole means of digital authentication they’re not very safe: more than 50% of successful cyberattacks are linked to weak or insecure passwords. The way many employees manage their passwords opens a further can of worms. Simple, easy-to-guess passwords are an open invitation to attackers, and a password reused across several accounts hands an attacker who obtains it from one breach the keys to every other account that shares it. That’s why many companies mandate a password policy: strict rules for creating strong, unique passwords for each account.
DO PASSWORD POLICIES WORK?
Password policies come with their fair share of problems that can make them fall short of their intended purpose, leaving organizations vulnerable to cyberattacks. Let’s dive into two of the key reasons why these policies often don’t quite get the job done in securing businesses from hacking and data breaches.
PASSWORD POLICIES ARE DEMANDING
The first issue with password policies is that they make unrealistic demands on users. They rarely address the real problem with their namesake, which is the sheer number of passwords each person has to hold. It’s not that employees lack awareness about cybersecurity; the overwhelming number of cloud apps they use makes it nearly impossible to create and remember a unique, complex password for each one, so they reuse passwords, simplify them, or write them down. A recent study found that cybersecurity training had little effect on this behaviour: 91% of untrained users recycled their passwords, and the figure only dropped to 85% after training. Over half of the users in both groups continued to write their passwords down. So much for good cyber hygiene.
PASSWORD POLICIES ARE DIFFICULT TO ENFORCE
Third-party apps are a headache for businesses trying to enforce their password policies. These apps sit outside the organization’s control, so IT cannot see, let alone enforce, how passwords are chosen there. The responsibility for good practice falls on the end users, often the people with the least interest in, or knowledge of, cybersecurity. Putting those apps behind single sign-on (SSO), where the app supports it, is the usual way to bring their logins back under the organization’s own policy and MFA.
ARE COMPLEX PASSWORDS GOOD ENOUGH?
Inadequate password policies expose organizations to security threats, but do the typical complexity rules do enough to keep them safe? 83% of compromised passwords actually meet the length and complexity requirements set by compliance standards. The reason is that malicious actors already hold an extensive collection of stolen credentials, and a password that satisfies every complexity rule is no protection once it has leaked and is reused elsewhere. Whenever an organization is breached and customer login data is taken, those credentials very likely end up for sale on the dark web. Remember the Dropbox and LinkedIn incidents, with 71 million and 117 million credentials stolen respectively? There is an underground market where such credentials are peddled to attackers, who feed them into credential stuffing attacks: replaying known email and password pairs against other sites in bulk.
Credential stuffing has become a popular attack method because it offers significant financial gains for minimal effort: it is fully automated, and every new breach enlarges the supply of credentials to try. There has been a sixfold increase in stolen and sold credentials in just the past year, and it’s estimated that a staggering 111 million cyberattacks occur every day. For every 1,000,000 email and password combinations tried, attackers can expect to take over somewhere between 10,000 and 30,000 accounts, a 1% to 3% hit rate that only works because so many users reuse passwords across accounts. In one three-month analysis, 44 million Microsoft accounts were found to be using passwords that had already leaked in other breaches, leaving them wide open to this kind of attack.
THE NCSC ON PASSWORD POLICIES
The UK’s National Cyber Security Centre (NCSC) takes a stand against complexity requirements, arguing that the practice “provides weak protection against guessing attacks”: it places an added burden on users, many of whom respond with easily predictable patterns. Even where organizations impose very strict rules, such as exclusion filters and mandatory special characters, employees still gravitate to the same common substitutions and suffixes. Those patterns are built into widely used password-cracking tools and dictionaries, so a password that satisfies every rule can still fall to a dictionary or password-spraying attack. Many policies also insist on frequent password changes, which makes the already challenging task of memorizing credentials nearly impossible; according to the NCSC, this approach “damages security rather than enhancing it.” Rules that create friction for end users also lead to employees resisting the policy altogether.
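As an added illustration of the two sections above (it is not code from this article, and not the NCSC’s), the Python below puts a legacy “eight characters, three character classes” rule next to a check built on the NCSC advice: a length floor, no character-class demands, and a deny-list of known-compromised passwords. The 12-character floor, the hand-written deny-list and the function names are this example’s own assumptions; a real deployment loads a breach corpus instead of the short list.

```python
"""Added example: legacy complexity rule versus an NCSC-style check.

Not from the original article. The deny-list, the 12-character floor and
the function names are assumptions made for this example.
"""
import hashlib
import re

# Constructed deny-list: a few passwords found in every cracking dictionary.
# A real deployment loads a breach corpus (tens of millions of entries).
_DENY_LIST = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1!", "qwerty123",
    "welcome1", "summer2023!", "letmein", "admin123", "changeme",
}
# Keep only SHA-1 digests, as breach corpora usually do, so the plaintext
# list does not sit beside the application.
_DENY_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in _DENY_LIST}

_CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
            re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]


def legacy_complexity_check(password: str) -> bool:
    """The classic rule: at least 8 characters and 3 of 4 character classes."""
    classes = sum(1 for rx in _CLASSES if rx.search(password))
    return len(password) >= 8 and classes >= 3


def ncsc_style_check(password: str, username: str = "") -> list:
    """Return the reasons a password is rejected (empty list = accepted).

    Length floor (assumed 12), no ceiling below 64, no character-class
    demands, a deny-list of compromised passwords, and no username inside.
    """
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if len(password) > 64:
        reasons.append("longer than 64 characters")
    normalised = password.lower()
    # Strip a trailing digit/symbol suffix so 'Password1!' still hits 'password'.
    stem = re.sub(r"[^a-z]+$", "", normalised)
    for candidate in {normalised, stem}:
        if hashlib.sha1(candidate.encode()).hexdigest() in _DENY_HASHES:
            reasons.append("appears in the known-compromised password list")
            break
    if username and len(username) >= 3 and username.lower() in normalised:
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Summer2023!", "correct horse battery staple"):
        print(repr(pw), "legacy:", legacy_complexity_check(pw),
              "ncsc-style:", ncsc_style_check(pw) or "accepted")
```

Run it and the point of the 83% figure shows directly: `P@ssw0rd1!` and `Summer2023!` sail through the complexity rule and are rejected only by the deny-list, while the long, lowercase-only passphrase fails the complexity rule and is accepted by the NCSC-style check.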
IMPLEMENTING A GOOD PASSWORD POLICY
There are many things that you can do to implement password policies that work. Here is a handful of really useful suggestions:
- Make your policy statements clear, easy to understand, and enforceable.
- Ensure that your policies support people, processes, and technologies, rather than working against them.
- Use monitoring and audit tools to ensure that everyone is following the password rules correctly.
- Give people clear guidance on how to create strong passwords or passphrases.
- Remember the motto: “Long is strong,” while short and complex passwords are weak!
- Promote the use of password managers.
- Set account lockout thresholds, or better, progressive throttling, to limit brute-force attacks; a hard lockout on a low threshold lets an attacker lock legitimate users out on purpose.
- Implement two-factor authentication (2FA) or multi-factor authentication (MFA).
- Monitor authentication logs and alert on brute-force and credential-stuffing patterns: many failures on one account, or one source trying many accounts.
- Regularly audit passwords, screen them against lists of breached and commonly used passwords, and reset those that are easy to guess or crack.
- Engage and communicate with your user base, as they are your allies in defending against cyber threats.
- Don’t forget to change system default passwords.
Most of all, remember to spread security cheer not fear!
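The Python below is an added example (not from the article) of the monitoring and alerting suggestion above, and of the credential-stuffing pattern described earlier: two sliding-window detections run over constructed authentication log lines. The log format, the addresses, the five-minute window and the thresholds are all this example’s assumptions.

```python
"""Added example: brute-force and credential-stuffing detection over auth logs.

Not from the original article. The log format, thresholds, window and the
sample addresses are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO timestamp>Z SUCCESS|FAIL user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) (SUCCESS|FAIL) user=(\S+) ip=(\S+)$")
WINDOW = timedelta(minutes=5)
BRUTE_FORCE_FAILS = 10        # failures on one account within WINDOW
STUFFING_ACCOUNTS = 20        # distinct accounts tried from one source within WINDOW
STUFFING_MAX_SUCCESS = 0.2    # success ratio below this looks like guessing, not users


def parse(line):
    """Return (timestamp, success, user, ip), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, ip = m.groups()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, result == "SUCCESS", user, ip


def _trim(queue, now, key):
    """Drop queue entries older than WINDOW (queue is in time order)."""
    while queue and now - key(queue[0]) > WINDOW:
        queue.pop(0)


def analyse(lines):
    """Return alerts as (kind, subject, detail); each subject alerts once."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[0])
    fails_by_user = defaultdict(list)      # user -> [timestamp, ...]
    attempts_by_ip = defaultdict(list)     # ip -> [(timestamp, user, success), ...]
    flagged = set()
    alerts = []
    for when, ok, user, ip in events:
        # Brute force: one account, many failures in a short time.
        if not ok:
            q = fails_by_user[user]
            q.append(when)
            _trim(q, when, lambda t: t)
            if len(q) >= BRUTE_FORCE_FAILS and ("user", user) not in flagged:
                flagged.add(("user", user))
                alerts.append(("brute_force", user,
                               f"{len(q)} failures in {WINDOW}, latest from {ip}"))
        # Credential stuffing / spraying: one source, many accounts, few successes.
        q = attempts_by_ip[ip]
        q.append((when, user, ok))
        _trim(q, when, lambda e: e[0])
        users = {u for _, u, _ in q}
        hits = sum(1 for _, _, s in q if s)
        if (len(users) >= STUFFING_ACCOUNTS and hits / len(q) < STUFFING_MAX_SUCCESS
                and ("ip", ip) not in flagged):
            flagged.add(("ip", ip))
            alerts.append(("credential_stuffing", ip,
                           f"{len(users)} accounts, {hits} successes in {len(q)} attempts"))
    return alerts


def build_sample_log():
    """Constructed sample: normal logins, a brute force on 'bob', and a
    stuffing run from one source that lands two reused passwords."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

    def line(sec, ok, user, ip):
        stamp = (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{stamp} {'SUCCESS' if ok else 'FAIL'} user={user} ip={ip}"

    lines = [line(0, True, "alice", "192.0.2.5"),
             line(40, False, "carol", "192.0.2.9"),     # a typo, then success
             line(45, True, "carol", "192.0.2.9")]
    lines += [line(60 + 3 * i, False, "bob", "203.0.113.10") for i in range(25)]
    lines += [line(200 + 2 * i, i in (7, 21), f"user{i:03d}", "198.51.100.7")
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```

Note what the lockout suggestion on its own cannot catch: the stuffing run makes one attempt per account, so no per-account lockout threshold ever trips, while the brute force on `bob` would lock a legitimate user out on the tenth failure. Per-source detection and throttling cover the first case; a lockout only the second.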
THE BENEFITS OF MFA
Multi-factor authentication or MFA should be intrinsic to any effective password policy, providing vital additional security layers to protect your data. While there are many benefits to enforcing MFA on your devices and apps, these are some of the important ones:
- MFA can require more than the two factors that 2FA stops at
- MFA protects consumer data from identity theft
- MFA satisfies a requirement found in many regulatory and compliance standards
- MFA is compatible with Single Sign-On (SSO) solutions
- MFA protects users when they are working remotely
Attackers struggle to get past 2FA or MFA because the second factor, such as a time-based one-time password (TOTP) generated by an app like Google Authenticator, is something a stolen or guessed password does not give them. Combined with strong passwords, and especially with MFA enforced at the SSO layer so that it covers every connected app, it adds a layer of security that keeps bad actors at bay. One caveat: a one-time code can still be relayed by a real-time phishing proxy, so where the risk warrants it, prefer phishing-resistant factors such as FIDO2/WebAuthn security keys. More good news is that MFA is easy to implement.
A ROCK AND A HARD PLACE
SMEs think they are caught between a rock and a hard place over cybersecurity. On the one hand, data is vital for business and a single breach could mean closing shop for good, so good cybersecurity is a must-have to keep data and systems out of harm’s way. On the other hand, isn’t that too expensive? It isn’t. It simply means striking the right balance between the security budget and the security requirements. In my latest book, You Don’t Need a £1 Million Cybersecurity Budget, I explain why robust cybersecurity is within reach for every SME that follows these basic principles:
- Implement good password policies with MFA.
- Use a password manager and password vault.
- Deploy critical security updates.
- Use antivirus.
- Use anti-ransomware.
You can forget the rock and the hard place! When SMEs enforce these five basics, they can rest easy knowing that some 90% of their cyber risk has been removed, and stays removed for as long as those basics are kept in place. Some closing words from Professor Ben Azvine, the Global Head of Security Research at BT:
“Using his keep-it-simple-and-straightforward approach, Izak takes readers on an in-depth cybersecurity journey, showing them how to eradicate threats by embracing the basics of IT security. You Don’t Need a £1 Million Cybersecurity Budget is a must-have for any SME wanting to secure its place in our digital future.”